François Dagorn
2015-Dec-02 08:58 UTC
[LightDM] lightdm and kerberos on fedora 22 does not work
Hello all,

I'm currently migrating to Kerberos authentication. Authentication runs well using ssh, but does not run for lightdm. I have left things unchanged within /etc/pam.d for lightdm. The stuff involved follows (/etc/pam.d/system-auth, /etc/pam.d/lightdm, login traces ...

*more system-auth*

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 100 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 100 quiet
account sufficient [default=bad success=ok user_unknown=ignore] *pam_krb5.so*
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional *pam_krb5.so*

*more lightdm*

#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_env.so
auth include *system-auth*
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so
-auth optional pam_kwallet.so
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
-session optional pam_ck_connector.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so
-session optional pam_kwallet.so
session include system-auth
session optional pam_lastlog.so silent
session include postlogin

systemctl start lightdm.service

Dec 2 09:51:08 localhost systemd: Starting Light Display Manager...
Dec 2 09:51:08 localhost systemd: Started Light Display Manager.
Dec 2 09:51:08 localhost audit: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=lightdm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 2 09:51:08 localhost audit: <audit-1103> pid=2735 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_env,pam_fprintd acct="lightdm" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
Dec 2 09:51:08 localhost systemd: Created slice user-987.slice.
Dec 2 09:51:08 localhost systemd: Starting user-987.slice.
Dec 2 09:51:08 localhost systemd: Starting User Manager for UID 987...
Dec 2 09:51:08 localhost systemd-logind: New session 17 of user lightdm.
Dec 2 09:51:08 localhost systemd: Started Session 17 of user lightdm.
Dec 2 09:51:08 localhost systemd: Starting Session 17 of user lightdm.
Dec 2 09:51:08 localhost audit: <audit-1101> pid=2740 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="lightdm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 2 09:51:08 localhost audit: <audit-1105> pid=2740 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open *grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_krb5* acct="lightdm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 2 09:51:09 localhost systemd: Reached target Paths.
Dec 2 09:51:09 localhost systemd: Starting Paths.
Dec 2 09:51:09 localhost systemd: Reached target Sockets.
Dec 2 09:51:09 localhost systemd: Starting Sockets.
Dec 2 09:51:09 localhost systemd: Reached target Timers.
Dec 2 09:51:09 localhost systemd: Starting Timers.
Dec 2 09:51:09 localhost systemd: Reached target Basic System.
Dec 2 09:51:09 localhost systemd: Starting Basic System.
Dec 2 09:51:09 localhost systemd: Reached target Default.
Dec 2 09:51:09 localhost systemd: Startup finished in 13ms.
Dec 2 09:51:09 localhost systemd: Started User Manager for UID 987.
Dec 2 09:51:09 localhost audit: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@987 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 2 09:51:09 localhost audit: <audit-1105> pid=2735 uid=0 auid=987 ses=17 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_gnome_keyring,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_krb5,pam_lastlog,pam_lastlog acct="lightdm" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
Dec 2 09:51:09 localhost systemd: Starting Default.

*login trace*

Dec 2 09:53:18 localhost xinetd[527]: START: x11vnc pid=2762 from=148.60.14.17
Dec 2 09:53:32 localhost dbus[474]: [system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service'
Dec 2 09:53:32 localhost systemd: Starting Fingerprint Authentication Daemon...
Dec 2 09:53:32 localhost dbus[474]: [system] Successfully activated service 'net.reactivated.Fprint'
Dec 2 09:53:32 localhost systemd: Started Fingerprint Authentication Daemon.
Dec 2 09:53:32 localhost audit: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 2 09:53:36 localhost audit: <audit-1100> pid=2763 uid=0 auid=4294967295 ses=4294967295 msg='*op=PAM:authentication grantors=?* acct="dagorn" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=failed'

Any help would be appreciated.

Cheers.

--
François
Université de Rennes 1
Rex Dieter
2015-Dec-02 17:32 UTC
[LightDM] lightdm and kerberos on fedora 22 does not work
François Dagorn wrote:

> Hello all,
>
> I'm currently migrating to kerberos authentication. Authentication runs
> well using ssh, does not run for lightdm. I have left things unchanged
> within /etc/pam.d for lightdm. Stuffs involved follows
> (/etc/pam.d/system-auth, /etc/pam.d/lightdm, login traces ...
...
> Dec 2 09:53:32 localhost audit: <audit-1130> pid=1 uid=0 auid=4294967295
> ses=4294967295 msg='unit=fprintd comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Dec 2 09:53:36 localhost audit: <audit-1100> pid=2763 uid=0
> auid=4294967295 ses=4294967295 msg='*op=PAM:authentication grantors=?*
> acct="dagorn" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0
> res=failed'

This appears to be a selinux denial, could you try running in permissive mode(*) to see if that helps? If so, please file a bug @ bugzilla.redhat.com against selinux-policy

(*) Either (as root) run "setenforce 0", or set SELINUX=permissive in /etc/sysconfig/selinux (and reboot)

-- Rex
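
Added example, not part of either post: a short Python check that lists which PAM management groups in the posted system-auth call a given module, which is the first thing to confirm when one service authenticates and another does not. The function names are made up for this illustration, and the sample text is transcribed from the system-auth in the first message with the emphasis asterisks removed.

```python
import re
from collections import defaultdict

# Transcribed from the system-auth posted in the thread (emphasis markers removed).
SYSTEM_AUTH = """\
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 100 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 100 quiet
account sufficient [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
"""

GROUPS = ("auth", "account", "password", "session")

def modules_by_group(pam_text):
    """Map each PAM management group to the modules it calls, in file order."""
    found = defaultdict(list)
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and #%PAM-1.0
        if not line:
            continue
        group = line.split()[0].lstrip("-")       # leading '-' marks an optional-if-missing module
        # Take the first pam_*.so token, so bracketed controls such as
        # [success=1 default=ignore] do not confuse the field positions.
        match = re.search(r"(pam_\w+)\.so\b", line)
        if group in GROUPS and match:             # include/substack lines name no module
            found[group].append(match.group(1))
    return dict(found)

def groups_missing(pam_text, module):
    """Return the management groups that never call `module`."""
    found = modules_by_group(pam_text)
    return [g for g in GROUPS if module not in found.get(g, [])]

if __name__ == "__main__":
    print("pam_krb5 not called in:", groups_missing(SYSTEM_AUTH, "pam_krb5"))
```

Run against the posted file, it reports `auth` and `password` as the groups with no pam_krb5 line; `include` lines are not followed, so a service file such as /etc/pam.d/lightdm has to be checked together with the files it includes.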