When I set up a machine with CentOS 8, I used the "Enterprise Login" in the initial setup wizard to authenticate against my FreeIPA server. This worked fine, and I have no issues logging in with that initial user. However, I am unable to use GDM or the console to log in as any *other* valid user from FreeIPA. From GDM I get something like "Sorry, that didn't work" and "Permission denied" on the console. I've verified that the credentials are correct, and that I am able to manually get a ticket via kinit for one of those other users from this machine. With CentOS 7, I didn't have to do any additional configuration in this regard after the initial wizard. Not sure whether this is a CentOS configuration issue or a FreeIPA one, but I figured I'd start here. I'm also not terribly familiar with FreeIPA, so I could be missing something obvious; but this worked without issue when the machine in question ran CentOS 7. Can somebody point me in the right direction?
On 11/18/19 12:05 PM, Carson Chittom wrote:
> When I set up a machine with CentOS 8, I used the "Enterprise Login" in
> the initial setup wizard to authenticate against my FreeIPA server.
> This worked fine, and I have no issues logging in with that initial user.
>
> However, I am unable to use GDM or the console to login as any *other*
> valid user from FreeIPA. From GDM I get something like "Sorry, that
> didn't work" and "Permission denied" on the console. I've verified that
> the credentials are correct, and that I am able to manually get a ticket
> via kinit for one of those other users from this machine. With
> CentOS 7, I didn't have to do any additional configuration in this
> regard after the initial wizard.
>
> Not sure whether this is a CentOS configuration issue or a FreeIPA one,
> but I figured I'd start here. I'm also not terribly familiar with
> FreeIPA, so I could be missing something obvious; but this worked
> without issue when the machine in question ran CentOS 7.
>
> Can somebody point me in the right direction?

Check out the pam* errors in the journal and bump debugging in sssd.conf and check out /var/log/sss/sssd_pam.log and sssd_<DOMAIN>.log. Hopefully that will get you pointed in the right direction. Did your initial user get added to /etc/passwd?

--
Orion Poplawski
Manager of NWRA Technical Systems        720-772-5637
NWRA, Boulder/CoRA Office                FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                        https://www.nwra.com/
On Mon, 2019-11-18 at 13:05 -0600, Carson Chittom wrote:
> When I set up a machine with CentOS 8, I used the "Enterprise Login" in
> the initial setup wizard to authenticate against my FreeIPA server.
> This worked fine, and I have no issues logging in with that initial user.
>
> However, I am unable to use GDM or the console to login as any *other*
> valid user from FreeIPA. From GDM I get something like "Sorry, that
> didn't work" and "Permission denied" on the console. I've verified that
> the credentials are correct, and that I am able to manually get a ticket
> via kinit for one of those other users from this machine. With
> CentOS 7, I didn't have to do any additional configuration in this
> regard after the initial wizard.
>
> Not sure whether this is a CentOS configuration issue or a FreeIPA one,
> but I figured I'd start here. I'm also not terribly familiar with
> FreeIPA, so I could be missing something obvious; but this worked
> without issue when the machine in question ran CentOS 7.
>
> Can somebody point me in the right direction?

This could be home directory related. Are the home directories local or remote (NFS?). Are the home directories for the users accessible? Can the users login over ssh?
Carson Chittom <carson at wistly.net> writes:
> When I set up a machine with CentOS 8, I used the "Enterprise Login" in
> the initial setup wizard to authenticate against my FreeIPA server.
> This worked fine, and I have no issues logging in with that initial user.
>
> However, I am unable to use GDM or the console to login as any *other*
> valid user from FreeIPA. From GDM I get something like "Sorry, that
> didn't work" and "Permission denied" on the console. I've verified that
> the credentials are correct, and that I am able to manually get a ticket
> via kinit for one of those other users from this machine. With
> CentOS 7, I didn't have to do any additional configuration in this
> regard after the initial wizard.

I discovered that /etc/sssd/sssd.conf contains the line:

    simple_allow_users = $, initialuser

Adding other users to this line allows them to log in. This is a very small deployment (8 users, 4 machines), so this addresses my immediate need, but clearly isn't really the solution. I'll dig into it some more when I have some leisure.
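The `simple_allow_users` line in the message above is sssd's `simple` access provider doing exactly what it is configured to do: with `access_provider = simple` and a non-empty allow list, every user not on the list fails the PAM account check at login, even though Kerberos authentication (and therefore `kinit`) succeeds. The following is an added example, not code from this thread or from the sssd project: a small Python model of the documented simple-provider evaluation order, run against a constructed sssd.conf shaped like the one quoted above. The reading of `$` as realmd's placeholder for an empty list (an absent or empty allow list would mean "allow everyone"), the sample configuration, and the user and group names are all assumptions.

```python
"""Model sssd's "simple" access provider decision for a given user.

Added example; not code from the CentOS thread or from sssd itself.
The rules below follow the sssd-simple(5) description (if no list is set,
everyone is allowed; deny lists override allow lists; if any allow list is
set, the user must match one) in a simplified, offline form.
"""
import configparser

# Constructed sssd.conf, assumed to resemble what the "Enterprise Login"
# wizard left behind. realmd writes "$" to keep a key present but empty,
# because an empty simple_allow_users would mean "allow everyone".
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
auth_provider = ipa
access_provider = simple
simple_allow_users = $, initialuser
simple_allow_groups = $
"""

PLACEHOLDER = "$"  # realmd's "empty list" marker (assumption documented above)
LIST_KEYS = ("simple_allow_users", "simple_allow_groups",
             "simple_deny_users", "simple_deny_groups")


def parse_list(value):
    """Split an sssd comma-separated list, dropping the "$" placeholder."""
    if value is None:
        return set()
    items = (item.strip() for item in value.split(","))
    return {item.lower() for item in items if item and item != PLACEHOLDER}


def load_access_config(text):
    """Return the access-control settings of the single [domain/...] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    domains = [s for s in parser.sections() if s.startswith("domain/")]
    if len(domains) != 1:
        raise ValueError("expected exactly one [domain/...] section")
    section = parser[domains[0]]
    cfg = {
        "domain": domains[0][len("domain/"):],
        # sssd.conf(5): access_provider defaults to "permit" when unset.
        "access_provider": section.get("access_provider", "permit").strip(),
    }
    for key in LIST_KEYS:
        cfg[key] = parse_list(section.get(key))
    return cfg


def simple_access_check(user, groups, cfg):
    """Return (decision, reason); decision is None if simple is not in use."""
    if cfg["access_provider"] != "simple":
        return None, "access_provider is %r; simple_* lists are not consulted" \
            % cfg["access_provider"]
    user = user.lower()
    groups = {g.lower() for g in groups}
    allow_u, allow_g = cfg["simple_allow_users"], cfg["simple_allow_groups"]
    deny_u, deny_g = cfg["simple_deny_users"], cfg["simple_deny_groups"]

    if not (allow_u or allow_g or deny_u or deny_g):
        return True, "no simple_* lists configured: everyone permitted"
    # Deny lists are evaluated after allow lists and win on any match.
    if user in deny_u:
        return False, "listed in simple_deny_users"
    if groups & deny_g:
        return False, "member of a simple_deny_groups group"
    if allow_u or allow_g:
        if user in allow_u:
            return True, "listed in simple_allow_users"
        if groups & allow_g:
            return True, "member of a simple_allow_groups group"
        return False, "not in simple_allow_users or simple_allow_groups"
    return True, "only deny lists are set and none matched"


if __name__ == "__main__":
    cfg = load_access_config(SAMPLE_SSSD_CONF)
    # "otheruser" and "ipausers" are constructed names for the demonstration.
    for name, groups in (("initialuser", set()), ("otheruser", {"ipausers"})):
        decision, reason = simple_access_check(name, groups, cfg)
        print("%s@%s: %s (%s)" % (name, cfg["domain"], decision, reason))
```

Running the block shows `initialuser` permitted and any other IPA user denied by the allow list, which is the "Permission denied" seen at the console while `kinit` still works. Group membership passed to `simple_access_check` has to come from the caller (in sssd it comes from the identity provider); names are matched case-insensitively here, a simplification. As a practitioner's note outside what the thread covers: on a FreeIPA client the usual alternative to maintaining `simple_allow_users` by hand is `access_provider = ipa`, which lets the server's HBAC rules decide who may log in on which host.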