Hi,

On Fri, Sep 23, 2011 at 13:57, Stephen Gallagher <sgall...@redhat.com> wrote:
> On Fri, 2011-09-23 at 13:38 -0400, Dan Scott wrote:
>> Hi,
>>
>> I've recently upgraded from FreeIPA 1.2 to 2.1. Most things are
>> working OK, but I have a few problems:
>>
>> 1. I'm unable to log in to a new client machine via GDM with my
>> existing credentials. i.e. I can log in on the command line and my home
>> directory is created correctly, but GDM logins hang, with the fields
>> greyed out until I press escape, when it returns to the login screen.
>> The /var/log/gdm files contain:
>>
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>>
>> ==> /var/log/gdm/:0-slave.log <==
>> pam: gdm-password[2484]: pam_unix(gdm-password:auth): authentication
>> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott
>> pam: gdm-password[2484]: pam_sss(gdm-password:auth): authentication
>> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott
>>
>> ==> /var/log/gdm/:0-greeter.log <==
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>>
>> Any idea what's going on here?
>
> Could you check /var/log/secure?

Sorry, I should have included this originally, but I checked it already
and I don't think it contains anything useful:

Sep 23 12:35:38 pc37 pam: gdm-password[2484]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott
Sep 23 12:35:40 pc37 pam: gdm-password[2484]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott

> Also, what version of the sssd and gdm packages are installed on the
> system?

[root@pc37 ~]# rpm -qa|grep sssd
sssd-1.5.13-1.fc15.2.x86_64
sssd-client-1.5.13-1.fc15.2.x86_64
[root@pc37 ~]# rpm -qa|grep gdm
gdm-3.0.4-1.fc15.x86_64
gdm-plugin-fingerprint-3.0.4-1.fc15.x86_64
pulseaudio-gdm-hooks-0.9.22-5.fc15.x86_64
[root@pc37 ~]#

>> 2. I'm having trouble migrating the user passwords. The
>> /ipa/migration/ webpage doesn't work:
>>
>> "There was a problem with your request. Please, try again later."
>>
>> The only way I have been able to migrate user passwords is by getting
>> them to ssh into one of the FreeIPA masters. I've read through
>> manpages for sssd, sssd.conf, sssd-ldap, sssd-krb5 and pam_sss, and
>> the FreeIPA and SSSD websites, but I can't find the documentation for
>> getting SSSD to migrate passwords. Can someone point me in the correct
>> direction?
>>
>
> There's no special configuration required for getting SSSD to migrate
> passwords. As long as password migration mode is configured on the
> FreeIPA server (and SSSD has been set up with ipa-client-install), we
> will detect whether migration mode is active and behave appropriately.
> This is exactly why migration by connecting to the FreeIPA masters by
> SSH works; it's authenticating through the SSSD client on the master and
> performing the migration quietly behind the scenes.
>
> If this isn't working when SSHing into FreeIPA clients other than the
> server, then there's probably something wrong with your SSHD config.

Ahh, OK.

Is there anything particular I need to check for? Logins to non-server
machines give:

Sep 23 13:04:23 fw sshd[31652]: pam_krb5[31652]: authentication fails for 'qiaoli' (qia...@example.com): Authentication failure (Preauthentication failed)
Sep 23 13:04:25 fw sshd[31652]: Failed password for qiaoli from IP_ADDR_REMOVED port 35238 ssh2

in /var/log/secure. Having just looked at this, I see that it's not using
sssd by the look of things. Strange, I enabled it and started it running.
I can probably fix this by getting the config sorted properly.

> Otherwise, whatever's causing the failure in step 1) is probably causing
> the migration to not work (since authentication isn't completing).
>
>> 3. The migration appears to have created a group for each user, i.e.
>> there is a group called 'djscott' along with my user, visible via an
>> LDAP browser. Should they exist? Is there an easy way to remove them -
>> they don't show up in the web interface or command line, just the LDAP
>> browser.
>
> These are private groups and they are a security feature. The idea is
> that each user is by default a member only of a special group consisting
> only of themselves. This way, when a user creates a file with default
> permissions, it isn't vulnerable to leaking to other members of the
> user's primary group.

Ahh, OK, that's fine then. Thanks.

>> 4. The old ipausers group had ID 1002, which now does not exist,
>> resulting in an annoying "id: cannot find name for group ID 1002"
>> whenever I ssh to another system. Is there a simple way to change the
>> GID for all users who have the old ID to have the new ID? I've created
>> a temporary ipausers-legacy group with ID 1002 to eliminate the error
>> temporarily.
>
> I'll leave this for the core FreeIPA team to discuss, but the removal of
> ipausers was intentional, in favor of using private groups as I
> described above.

So I should change each user's GID to the GID which is the same as their
username? Is there a script to do this, to save having to do it manually?

Thanks,

Dan

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
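As an added example (not code from the thread, nor from the SSSD or FreeIPA projects), a small Python triage of /var/log/secure lines like those quoted above: it groups PAM module results per login attempt and reports whether pam_sss was consulted at all, which separates the expected pam_unix failure followed by pam_sss success on pc37 from the sshd stack on fw that only ever reached pam_krb5. The sample lines are constructed from the thread's excerpts; the Kerberos realm and client address in them are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the /var/log/secure excerpts quoted in the thread;
# the Kerberos realm and client address are placeholders, not values from the thread.
SAMPLE_LOG = """\
Sep 23 12:35:38 pc37 pam: gdm-password[2484]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott
Sep 23 12:35:40 pc37 pam: gdm-password[2484]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott
Sep 23 13:04:23 fw sshd[31652]: pam_krb5[31652]: authentication fails for 'qiaoli' (qiaoli@REALM_REMOVED): Authentication failure (Preauthentication failed)
Sep 23 13:04:25 fw sshd[31652]: Failed password for qiaoli from IP_ADDR_REMOVED port 35238 ssh2
"""

# One PAM module verdict per line: host, PAM service and PID, module name, outcome.
PAM_LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) .*?(?P<service>[\w-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+).*?authentication (?P<result>success|failure|fails)"
)
USER = re.compile(r"(?:user=|for ')(?P<user>[^\s']+)")

def parse_pam_events(log_text):
    """Group module verdicts by (host, service, pid). Lines that are not PAM module
    output, such as sshd's own 'Failed password' summary, are skipped."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = PAM_LINE.search(line)
        if not m:
            continue
        u = USER.search(line)
        result = "success" if m.group("result") == "success" else "failure"
        sessions[(m.group("host"), m.group("service"), m.group("pid"))].append(
            (m.group("module"), result, u.group("user") if u else "?"))
    return sessions

def classify(events):
    """sss_success: pam_sss authenticated the user (an earlier pam_unix failure is
    expected for a network user with no local hash). sss_failure: pam_sss rejected
    the user. sss_missing: pam_sss never ran, so this service's PAM stack does not
    reach sssd and server-side logic such as FreeIPA migration mode cannot kick in."""
    sss = [result for module, result, _ in events if module == "pam_sss"]
    if not sss:
        return "sss_missing"
    return "sss_success" if "success" in sss else "sss_failure"

def triage(log_text):
    """Map each (host, service, pid) login attempt to its verdict."""
    return {key: classify(ev) for key, ev in parse_pam_events(log_text).items()}

if __name__ == "__main__":
    for (host, service, pid), verdict in triage(SAMPLE_LOG).items():
        print(f"{host} {service}[{pid}]: {verdict}")
```

Run against a real /var/log/secure, a service that only ever shows `sss_missing` is the one whose PAM configuration never includes pam_sss, which is the symptom Dan describes for the fw host.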