Why have my enterprise users lost the ability to Login

asked 2017-12-09

Huwmungous

updated 2018-03-06

ssieb

I added five enterprise users on my Fedora 27 workstation, and for a while we could all connect and authenticate on AD. We still can, in fact, but only on our Windows workstations.

What is strange is that, if logged in as a pure unix user, I can 'su' to my AD identity.

The graphical user manager will not allow me to delete these accounts so I can recreate them. Every attempt to login as one of these identities results in the message 'Sorry that did not work, please try again' and the logs show:

Dec 09 18:02:55 zen accounts-daemon[1099]: request by system-bus-name::1.349 [gnome-control-center user-accounts pid:11327 uid:1000]: cache user ''
Dec 09 19:25:29 zen gdm-password][12789]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=myaccount
Dec 09 19:25:29 zen gdm-password][12789]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=myaccount
Dec 09 19:25:29 zen gdm-password][12789]: pam_sss(gdm-password:auth): received for user myaccount: 10 (User not known to the underlying authentication module)
Dec 09 19:25:29 zen audit[12789]: USER_AUTH pid=12789 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="myaccount" exe="/usr/libexec/gdm-session-worker" hostname=zen addr=? terminal=/dev/tty1 res=failed'

Why would gdm fail to authenticate when everything else appears to work?

I have made some progress since my original post; by editing /etc/realmd.conf I am now in a position where 3 of 5 users are able to login successfully and the 'users' GUI app now permits deletion and recreation. However, the recreated users are no better off.

[active-directory]
default-client = sssd

'su' to one of the 'good' user accounts is successful, but to the 2 that cannot login I see the following

Dec 10 12:05:40 zen dbus-daemon[939]: [system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service' requested by ':1.1667' (uid=0 pid=15829 comm="su MYDOMAIN\auser " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
Dec 10 12:05:47 zen su[15829]: pam_sss(su:auth): authentication failure; logname=hjadmin uid=1000 euid=0 tty=pts/0 ruser=hjadmin rhost=
Dec 10 12:05:47 zen audit[15829]: USER_AUTH pid=15829 uid=1000 auid=1000 ses=21 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="" exe="/usr/bin/su" hostname=zen addr=? terminal=pts/0 res=failed'
Dec 10 12:05:47 zen su[15829]: pam_sss(su:auth): received for user 6 (Permission denied)
Dec 10 12:05:49 zen su[15829]: FAILED SU (to hjadmin on pts/0

[root@zen ~]# id baduser
uid=11129(baduser) gid=10513(domain users) groups=10513(domain users), 11129(baduser),11112(children),3001(BUILTIN\users)

[root@zen ...
answered 2017-12-12

ssieb

I'm somewhat confused about what you're doing. Why did you create the users on the local machine if you want them to authenticate using AD? If you have it set up correctly, SSSD authenticates against the AD and gets the user info from there. If you have the user in both places, there are going to be conflicts. If you want home directories to be automatically created on login, then you can install oddjob and oddjob-mkhomedir.

Perhaps my description of what I have attempted was not quite clear; the users, both 'good' and 'bad', have been created in Active Directory. (I will break cover on that and say that it is a Samba 4 server.)

The Users GUI dialog on the Fedora Workstation allows you to 'Add User' and then select 'Enterprise User'. This adds to the permitted logins on the workstation.

Huwmungous ( 2017-12-18 )

@SamuelSieb I have edited the question to remove that confusion

Huwmungous ( 2017-12-18 )

I think you are still getting it mixed up. On Windows, you don't add individual users, right? Any of the AD users can just login directly? That's how I have it set up for my Fedora computers using FreeIPA.

If you are only adding individual users, I think you should not be adding anything to realmd.conf because that tells sssd to get users from the AD which you don't want. If you want to switch to the direct AD login, then you might need to manually edit the /etc/passwd, /etc/shadow, and /etc/group files to remove the local users.

ssieb ( 2017-12-18 )

@samuelsieb the passwd/shadow/group files do not contain any reference to any of my AD users. When I realmd list I have 5 users listed as permitted logins - 3 of whom can log in, 2 of whom cannot. As far as I am aware I have not done anything different for either of the 2 failed users.

On the samba server the ad users all exist as unix users + AD

I am now wondering if the UIDs are foobar. That might just explain why Windows is happy (using SIDs) but the Linux workstation is not ...

Huwmungous ( 2018-02-03 )

It might be helpful to see the corresponding log lines for a successful gdm login and su to compare the difference.

What do id gooduser, getent passwd gooduser, id baduser, and getent passwd baduser show?

I'm not familiar with this setup. I use FreeIPA as the LDAP authentication source and any user can log in; there's no need to add them individually.

ssieb ( 2018-02-04 )
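An added example, not from the thread, that does the comparison ssieb suggests: it parses pam_sss result lines like the ones in the question and maps the numeric PAM return code to its Linux-PAM name and a triage hint. The sample lines are constructed from the question's excerpts; the hints are general SSSD/AD diagnostics, not a diagnosis of this particular setup.

```python
import re

# Constructed sample, modelled on the journal excerpts in the question above
# (host name, PIDs and account names are placeholders, not real systems).
SAMPLE_LOG = """\
Dec 09 19:25:29 zen gdm-password][12789]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=myaccount
Dec 09 19:25:29 zen gdm-password][12789]: pam_sss(gdm-password:auth): received for user myaccount: 10 (User not known to the underlying authentication module)
Dec 10 12:05:47 zen su[15829]: pam_sss(su:auth): received for user baduser: 6 (Permission denied)
Dec 10 12:05:47 zen su[15829]: pam_sss(su:auth): received for user 6 (Permission denied)
"""

# Linux-PAM return codes pam_sss reports as "received for user NAME: N (text)",
# with the cause each one usually points at in an SSSD/AD setup.
PAM_CODES = {
    6: ("PAM_PERM_DENIED", "user resolved, but the SSSD access provider refused the login: check 'realm list' / simple_allow_users"),
    7: ("PAM_AUTH_ERR", "credentials rejected by the domain (bad password, locked or expired account)"),
    9: ("PAM_AUTHINFO_UNAVAIL", "SSSD could not reach the domain controller (offline, DNS or Kerberos trouble)"),
    10: ("PAM_USER_UNKNOWN", "SSSD has no identity for this name: compare 'getent passwd NAME' with a working account"),
}

# The user name is optional: the su excerpt in the question shows it absent
# ("received for user 6 (Permission denied)"), so the parser must not choke on that.
RECEIVED_RE = re.compile(
    r"pam_sss\((?P<service>[\w.-]+):auth\): received for user "
    r"(?:(?P<user>\S+): )?(?P<code>\d+) \((?P<text>[^)]*)\)"
)

def parse_pam_sss(log_text):
    """Return one record per pam_sss result line: service, user, code, PAM name, hint."""
    records = []
    for line in log_text.splitlines():
        m = RECEIVED_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        name, hint = PAM_CODES.get(code, ("UNKNOWN", "see security/_pam_types.h for this code"))
        records.append({"service": m.group("service"),
                        "user": m.group("user") or "",  # empty when no name was logged
                        "code": code, "name": name, "hint": hint})
    return records

def triage(log_text):
    """Group outcomes by account so 'good' and 'bad' users can be compared side by side."""
    by_user = {}
    for rec in parse_pam_sss(log_text):
        key = rec["user"] or "(no name logged)"
        by_user.setdefault(key, []).append((rec["service"], rec["name"]))
    return by_user
```

Pipe the output of `journalctl --since today` into `triage()` to see which code each failing account receives; code 10 means SSSD never resolved the name at all, code 6 means it did but refused access.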

