I have set up Winbind & Kerberos on my CentOS 7 server to let network users log in. Network users can log in over SSH, but not through the display manager. I see the same problem whether I use LightDM or GDM.
Local users can log in without any trouble. For network users, when they log in, it accepts their password but then drops them back to the login screen.
I have been scratching my head over this all day, tweaking the PAM settings to see if I can get it to work. I have also disabled SELinux and rebooted the server to rule that out. Does anyone know what could be wrong here?
Here are the logs for a network user login:
System logs:
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=mmoyles
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_krb5[10471]: TGT verified using key for 'host/[email protected]'
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_krb5[10471]: authentication succeeds for 'mmoyles' ([email protected])
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_winbind(lightdm:account): user 'mmoyles' granted access
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[9639]: pam_unix(lightdm-greeter:session): session closed for user lightdm
Jul 03 16:15:01 iisfyblabetl001.incite.local systemd-logind[679]: New session 29 of user mmoyles.
-- Subject: A new session 29 has been created for user mmoyles
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
--
-- A new session with the ID 29 has been created for the user mmoyles.
--
-- The leading process of the session is 10471.
Jul 03 16:15:01 iisfyblabetl001.incite.local systemd[1]: Started Session 29 of user mmoyles.
-- Subject: Unit session-29.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-29.scope has finished starting up.
--
-- The start-up result is done.
Jul 03 16:15:01 iisfyblabetl001.incite.local systemd[1]: Starting Session 29 of user mmoyles.
-- Subject: Unit session-29.scope has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-29.scope has begun starting up.
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_unix(lightdm:session): session opened for user mmoyles by (uid=0)
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_unix(lightdm:session): session closed for user mmoyles
Jul 03 16:15:01 iisfyblabetl001.incite.local systemd-logind[679]: Removed session 29.
-- Subject: Session 29 has been terminated
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
--
-- A session with the ID 29 has been terminated.
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10517]: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Jul 03 16:15:01 iisfyblabetl001.incite.local systemd-logind[679]: New session c19 of user lightdm.
-- Subject: A new session c19 has been created for user lightdm
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
--
-- A new session with the ID c19 has been created for the user lightdm.
lightdm.log:
[+1215.10s] DEBUG: Seat: Greeter stopped, running session
[+1215.10s] DEBUG: Registering session with bus path /org/freedesktop/DisplayManager/Session6
[+1215.10s] DEBUG: Session pid=10471: Running command /etc/X11/xinit/Xsession mate-session
[+1215.10s] DEBUG: Creating shared data directory /var/lib/lightdm-data/mmoyles
[+1215.10s] DEBUG: Session pid=10471: Logging to .xsession-errors
[+1215.14s] DEBUG: Activating VT 1
[+1215.14s] DEBUG: Activating login1 session 29
[+1215.17s] DEBUG: Session pid=10471: Exited with return value 0
[+1215.17s] DEBUG: Seat: Session stopped
[+1215.17s] DEBUG: Seat: Stopping display server, no sessions require it
[+1215.17s] DEBUG: Sending signal 15 to process 9627
[+1215.24s] DEBUG: Process 9627 exited with return value 0
[+1215.24s] DEBUG: DisplayServer x-0: X server stopped
[+1215.24s] DEBUG: Releasing VT 1
[+1215.24s] DEBUG: DisplayServer x-0: Removing X server authority /var/run/lightdm/root/:0
[+1215.24s] DEBUG: Seat: Display server stopped
[+1215.24s] DEBUG: Seat: Active display server stopped, starting greeter
[+1215.24s] DEBUG: Seat: Creating greeter session
[+1215.24s] DEBUG: Seat: Creating display server of type x
[+1215.24s] DEBUG: Using VT 1
[+1215.24s] DEBUG: Seat: Starting local X display on VT 1
[+1215.24s] DEBUG: DisplayServer x-0: Logging to /var/log/lightdm/x-0.log
[+1215.24s] DEBUG: DisplayServer x-0: Writing X server authority to /var/run/lightdm/root/:0
[+1215.24s] DEBUG: DisplayServer x-0: Launching X Server
[+1215.24s] DEBUG: Launching process 10509: /usr/bin/X -background none :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt1 -novtswitch
[+1215.24s] DEBUG: DisplayServer x-0: Waiting for ready signal from X server :0
[+1215.42s] DEBUG: Got signal 10 from process 10509
[+1215.43s] DEBUG: DisplayServer x-0: Got signal from X server :0
[+1215.43s] DEBUG: DisplayServer x-0: Connecting to XServer :0
[+1215.43s] DEBUG: Seat: Display server ready, starting session authentication
[+1215.43s] DEBUG: Session pid=10517: Started with service 'lightdm-greeter', username 'lightdm'
[+1215.44s] DEBUG: Session pid=10517: Authentication complete with return value 0: Success
[+1215.44s] DEBUG: Seat: Session authenticated, running command
[+1215.44s] DEBUG: Session pid=10517: Running command /usr/sbin/lightdm-gtk-greeter
[+1215.44s] DEBUG: Creating shared data directory /var/lib/lightdm-data/lightdm
[+1215.44s] DEBUG: Session pid=10517: Logging to /var/log/lightdm/x-0-greeter.log
[+1215.44s] DEBUG: Activating VT 1
[+1215.44s] DEBUG: Activating login1 session c19
[+1215.46s] DEBUG: Session pid=10517: Greeter connected version=1.10.6
[+1215.69s] DEBUG: Session pid=10517: Greeter start authentication
[+1215.69s] DEBUG: Session pid=10535: Started with service 'lightdm', username '(null)'
[+1215.70s] DEBUG: Session pid=10535: Got 1 message(s) from PAM
[+1215.70s] DEBUG: Session pid=10517: Prompt greeter with 1 message(s)
[+1215.73s] DEBUG: User /org/freedesktop/Accounts/User1000 changed
[+1215.74s] DEBUG: User /org/freedesktop/Accounts/User11092 changed
[+1215.74s] DEBUG: User /org/freedesktop/Accounts/User1001 changed
pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
#auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
#account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
pam.d/lightdm:
#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_env.so
auth substack system-auth
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so
-auth optional pam_kwallet.so
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_selinux.so close
session optional pam_loginuid.so
session optional pam_console.so
-session optional pam_ck_connector.so
session optional pam_selinux.so open
session optional pam_keyinit.so force revoke
session optional pam_namespace.so
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so
-session optional pam_kwallet.so
session include system-auth
session optional pam_lastlog.so silent
session include postlogin
The .xsession-errors file in the network user's home directory is empty, and it does appear to create a .Xauthority file in the home directory.
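As an added example (not part of the question above), the following Python script reads the two logs the way a reviewer of this post would: it correlates the PAM `auth`/`account`/`session` results in the journal with the matching `Session pid=...` entries in lightdm.log, using the lightdm PID shared by both logs, and then separates "password rejected" from "account denied" from "authenticated, session opened, and the session command exited 0 almost immediately". The sample lines are copied from the post (the Kerberos principal is left in the obfuscated form the page shows); the `LoginTrace` fields, regexes and verdict labels are this example's own naming, not anything LightDM or PAM emits.

```python
"""Correlate PAM results in journald output with session lifetime in lightdm.log.

Added example. Sample lines below are copied from the question above; the
obfuscated principal "[email protected]" is left exactly as the page shows it.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input, constructed from the lines posted in the question.
JOURNAL = """\
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=mmoyles
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_krb5[10471]: authentication succeeds for 'mmoyles' ([email protected])
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_winbind(lightdm:account): user 'mmoyles' granted access
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[9639]: pam_unix(lightdm-greeter:session): session closed for user lightdm
Jul 03 16:15:01 iisfyblabetl001.incite.local systemd-logind[679]: New session 29 of user mmoyles.
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_unix(lightdm:session): session opened for user mmoyles by (uid=0)
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_unix(lightdm:session): session closed for user mmoyles
Jul 03 16:15:01 iisfyblabetl001.incite.local systemd-logind[679]: Removed session 29.
"""

LIGHTDM_LOG = """\
[+1215.10s] DEBUG: Seat: Greeter stopped, running session
[+1215.10s] DEBUG: Session pid=10471: Running command /etc/X11/xinit/Xsession mate-session
[+1215.10s] DEBUG: Session pid=10471: Logging to .xsession-errors
[+1215.14s] DEBUG: Activating login1 session 29
[+1215.17s] DEBUG: Session pid=10471: Exited with return value 0
[+1215.17s] DEBUG: Seat: Session stopped
"""

# "pam_unix(lightdm:auth): msg" and "pam_krb5[10471]: msg" both match; pam_krb5
# does not print the (service:type) tag, so the type is inferred from the message.
PAM_RE = re.compile(
    r"lightdm\[(?P<pid>\d+)\]: (?P<module>pam_\w+)"
    r"(?:\((?P<service>[\w-]+):(?P<type>\w+)\)|\[\d+\]): (?P<msg>.*)"
)
LDM_RE = re.compile(r"\[\+(?P<t>\d+\.\d+)s\] DEBUG: Session pid=(?P<pid>\d+): (?P<msg>.*)")


@dataclass
class LoginTrace:
    user: str
    auth: list = field(default_factory=list)     # [(module, password accepted?)]
    account: list = field(default_factory=list)  # [(module, access granted?)]
    session_pid: Optional[str] = None            # lightdm PID that ran the session
    session_opened: bool = False
    session_closed: bool = False
    command: Optional[str] = None
    exit_value: Optional[int] = None
    run_seconds: Optional[float] = None


def _outcome(msg: str) -> Optional[bool]:
    if "succeeds" in msg or "granted access" in msg:
        return True
    if "failure" in msg or "denied" in msg:
        return False
    return None


def parse_journal(journal: str, user: str) -> LoginTrace:
    trace = LoginTrace(user)
    for line in journal.splitlines():
        m = PAM_RE.search(line)
        if not m or user not in line:      # skip other users (e.g. the greeter)
            continue
        msg, kind = m["msg"], m["type"]
        if kind is None:                   # pam_krb5 style: infer from the message
            kind = "auth" if "authentication" in msg else None
        if kind == "auth" and _outcome(msg) is not None:
            trace.auth.append((m["module"], _outcome(msg)))
        elif kind == "account" and _outcome(msg) is not None:
            trace.account.append((m["module"], _outcome(msg)))
        elif kind == "session" and "session opened" in msg:
            trace.session_opened, trace.session_pid = True, m["pid"]
        elif kind == "session" and "session closed" in msg:
            trace.session_closed = True
    return trace


def parse_lightdm(log: str, trace: LoginTrace) -> LoginTrace:
    started = None
    for line in log.splitlines():
        m = LDM_RE.search(line)
        if not m or m["pid"] != trace.session_pid:
            continue
        t, msg = float(m["t"]), m["msg"]
        if msg.startswith("Running command "):
            trace.command, started = msg[len("Running command "):], t
        elif msg.startswith("Exited with return value "):
            trace.exit_value = int(msg.rsplit(" ", 1)[1])
            if started is not None:
                trace.run_seconds = round(t - started, 2)
    return trace


def analyse(journal: str, lightdm_log: str, user: str) -> LoginTrace:
    return parse_lightdm(lightdm_log, parse_journal(journal, user))


def classify(trace: LoginTrace) -> str:
    """Verdict labels are this example's own, not PAM or LightDM terminology."""
    if not any(ok for _, ok in trace.auth):
        return "AUTH_FAILED"        # every auth module rejected the password
    if any(not ok for _, ok in trace.account):
        return "ACCOUNT_DENIED"     # password accepted, account stack refused
    if (trace.session_opened and trace.session_closed
            and trace.run_seconds is not None and trace.run_seconds < 1.0):
        return "SESSION_DIED"       # PAM finished; the session command itself exited at once
    return "SESSION_OK"


if __name__ == "__main__":
    t = analyse(JOURNAL, LIGHTDM_LOG, "mmoyles")
    print(classify(t), "auth=", t.auth, "account=", t.account,
          "command=", t.command, "exit=", t.exit_value, "after", t.run_seconds, "s")
```

For the posted logs this yields `SESSION_DIED`: pam_unix rejects the domain password (expected, the user is not in /etc/shadow), pam_krb5 accepts it, pam_winbind grants the account, the PAM session opens, and the `Xsession mate-session` command run by PID 10471 exits 0 after 0.07 s. That places the fault after the PAM stack, which is why editing `system-auth` did not change the outcome.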