It seems that gdm3 is trying to start xserver using user, which was passed to pam-ovirt plugin rights. It fails due lack of permissions on some devices. After changing permissions a bit, I'm getting following errors:
Jul 29 14:56:01 jessie gdm3: GdmManager: trying to register new display Jul 29 14:56:01 jessie gdm3: GdmManager: Error while retrieving session id for sender: Error getting session id from systemd: No such device or address Jul 29 14:56:01 jessie gdm-x-session: Could not register display: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: No display available Okay, after poking around a bit, i've found solution: On Debian based distros you need this kind of /etc/pam.d/gdm-ovirtcred #%PAM-1.0 auth required pam_ovirt_cred.so auth include passwd account include passwd password include passwd session required pam_systemd.so open session include passwd Now it seems, that login works just fine. THank you for your help. On Fri, 2016-07-29 at 14:41 +0300, Tadas wrote: > Okay, now its different story. ovirt-agent finally passes through all > login steps: > > Dummy-1::INFO::2016-07-29 > 14:37:38,088::OVirtAgentLogic::294::root::Received an external > command: > login... > Dummy-1::DEBUG::2016-07-29 > 14:37:38,088::OVirtAgentLogic::328::root::User log-in (credentials = > '\x00\x00\x00\x04test********\x00') > Dummy-1::INFO::2016-07-29 14:37:38,088::CredServer::207::root::The > following users are allowed to connect: [0] > Dummy-1::DEBUG::2016-07-29 > 14:37:38,088::CredServer::272::root::Token: > 493871 > Dummy-1::INFO::2016-07-29 > 14:37:38,088::CredServer::273::root::Opening > credentials channel... > Dummy-1::INFO::2016-07-29 > 14:37:38,089::CredServer::132::root::Emitting > user authenticated signal (493871). > CredChannel::DEBUG::2016-07-29 > 14:37:38,159::CredServer::166::root::Receiving user's credential ret > = > 2 errno = 0 > CredChannel::DEBUG::2016-07-29 > 14:37:38,159::CredServer::177::root::cmsgp: len=28 level=1 type=2 > CredChannel::INFO::2016-07-29 > 14:37:38,159::CredServer::225::root::Incomming connection from user: > 0 > process: 4343 > CredChannel::INFO::2016-07-29 > 14:37:38,159::CredServer::232::root::Sending user's credential > (token: > 493871) > Dummy-1::INFO::2016-07-29 > 14:37:38,160::CredServer::277::root::Credentials channel was closed. > > > Though gdm3 fails to load session with following error: > > http://paste.ubuntu.com/21392715/ > > On Fri, 2016-07-29 at 13:25 +0200, Vinzenz Feenstra wrote: > > > > > > > > > > > On Jul 29, 2016, at 12:35 PM, Tadas <[email protected]> wrote: > > > > > > There's another interesting error thrown out from ovirt-guest > > > agent, > > > when you try to login: > > > > > > > > > Jul 29 13:30:24 jessie python[1969]: Exception in thread > > > CredChannel: > > > Ju > > > l 29 13:30:24 jessie python[1969]: Traceback (most recent call > > > last): > > > Ju > > > l 29 13:30:24 jessie python[1969]: File > > > "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner > > > Jul 29 > > > 13:30:24 jessie python[1969]: self.run() > > > Jul 29 13:30:24 jessie > > > python[1969]: File "/usr/share/ovirt-guest- > > > agent/CredServer.py", > > > line > > > 217, in run > > > Jul 29 13:30:24 jessie python[1969]: cred = > > > self._read_cred(conn) > > > Jul 29 13:30:24 jessie python[1969]: File > > > "/usr/share/ovirt-guest-agent/CredServer.py", line 146, in > > > _read_cred > > > Ju > > > l 29 13:30:24 jessie > > > python[1969]: conn.setsockopt(socket.SOL_SOCKET, > > > socket.SO_PASSCRED, 1) > > > Jul 29 13:30:24 jessie python[1969]: > > > AttributeError: 'module' object has no attribute ‘SO_PASSCRED' > > > > I knew I forgot about something, yes you’re right - I fixed that > > manually and continued and forgot about it. > > > > SO_PASSCRED seems not to be actually available by default on > > python. > > The systems we supported so far (excluding the debian based ones) > > had > > this constant available. > > Long story short: You can replace socket.SO_PASSCRED with the value > > 16 for now and it should work as expected. > > > > > > > > > > > > > > > > > > > > > > > > On Fri, 2016-07-29 at 13:13 +0300, Tadas wrote: > > > > > > > > > > > > Yes, it seems that authentication does not work in any of > > > > debian > > > > releases. Oh well. > > > > On Fri, 2016-07-29 at 09:37 +0200, Vinzenz Feenstra wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Jul 28, 2016, at 4:11 PM, Tadas <[email protected]> wrote: > > > > > > > > > > > > Thank you for your reply. > > > > > > Strange, but i do not see any errors in gdm debug log, just > > > > > > this: > > > > > > http://paste.ubuntu.com/21275558/ > > > > > > > > > > Well if it works for you, the better. It didn’t work for me > > > > > though > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I will try installing debian unstable and several ubuntu > > > > > > versions > > > > > > tomorrow. > > > > > > > > > > > > From: Vinzenz Feenstra > > > > > > Sent: Thursday, July 28, 2016 4:18 PM > > > > > > To: [email protected] > > > > > > Cc: users > > > > > > Subject: Re: [ovirt-users] Debian - based OS and SSO > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Jul 28, 2016, at 3:11 PM, Vinzenz Feenstra <vfeenstr@r > > > > > > > ed > > > > > > > hat. > > > > > > > co > > > > > > > m> wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Jul 28, 2016, at 11:53 AM, Tadas <[email protected]> > > > > > > > > wrote: > > > > > > > > > > > > > > > > Hello, > > > > > > > > still having issues with ovirt SSO and Debian OS. > > > > > > > > Other OSes (Windows/Fedora 24) works just fine. > > > > > > > > Some information: > > > > > > > > OS: Debian 8.5 (jessie) > > > > > > > > I've followed manual on https://www.ovirt.org/documenta > > > > > > > > ti > > > > > > > > on/h > > > > > > > > ow > > > > > > > > -to/gues > > > > > > > > t-agent/install-the-guest-agent-in-debian/ and > > > > > > > > installed > > > > > > > > ovirt- > > > > > > > > agent. > > > > > > > > I can get info via spice socket on hypervisor side, > > > > > > > > this > > > > > > > > means > > > > > > > > that > > > > > > > > agent works fine. > > > > > > > > I've compiled pam-ovirt-cred and copied it into > > > > > > > > /lib/x86_64- > > > > > > > > linux- > > > > > > > > gnu/security/ > > > > > > > > > > > > > > It should be in /lib/security afaik > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I've configured /etc/pamd/gdm-ovirtcred (just copied > > > > > > > > from > > > > > > > > working > > > > > > > > Fedora 24) > > > > > > > > > > > > > > replace in that file all occurences of password-auth with > > > > > > > passwd > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > But still login fails. I can see this in ovirt-agent > > > > > > > > log > > > > > > > > file: > > > > > > > > > > > > > > It some how fails for me in some cases with this now: > > > > > > > > > > > > > > > > > > > Correction its here: > > > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794064 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://bugs.freedesktop.org/show_bug.cgi?id=71525 > > > > > > > > > > > > > > There’s not much I can do about that though > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Dummy-2::INFO::2016-07-28 > > > > > > > > 12:49:51,046::OVirtAgentLogic::270::root::Received an > > > > > > > > external > > > > > > > > command: > > > > > > > > login... > > > > > > > > Dummy-2::DEBUG::2016-07-28 > > > > > > > > 12:49:51,047::OVirtAgentLogic::304::root::User log-in > > > > > > > > (credentials = > > > > > > > > '\x00\x00\x00\x04test********\x00') > > > > > > > > Dummy-2::INFO::2016-07-28 > > > > > > > > 12:49:51,047::CredServer::207::root::The > > > > > > > > following users are allowed to connect: [0] > > > > > > > > Dummy-2::DEBUG::2016-07-28 > > > > > > > > 12:49:51,047::CredServer::272::root::Token: > > > > > > > > 760258 > > > > > > > > Dummy-2::INFO::2016-07-28 > > > > > > > > 12:49:51,047::CredServer::273::root::Opening > > > > > > > > credentials channel... > > > > > > > > Dummy-2::INFO::2016-07-28 > > > > > > > > 12:49:51,047::CredServer::132::root::Emitting > > > > > > > > user authenticated signal (760258). > > > > > > > > Dummy-2::INFO::2016-07-28 > > > > > > > > 12:49:51,178::CredServer::277::root::Credentials > > > > > > > > channel > > > > > > > > was > > > > > > > > closed. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > This looks okay. The error is on pam side (auth.log): > > > > > > > > > > > > > > > > Jul 28 12:49:39 desktop64 gdm-ovirtcred]: > > > > > > > > pam_succeed_if(gdm- > > > > > > > > ovirtcred:auth): error retrieving user name: > > > > > > > > Conversation > > > > > > > > error > > > > > > > > Jul 28 12:49:39 desktop64 gdm-ovirtcred]: > > > > > > > > pam_ovirt_cred(gdm- > > > > > > > > ovirtcred:auth): Failed to acquire user's credentials > > > > > > > > > > > > > > > > Have no idea, where it fails. > > > > > > > > Would appreciate, if you could help me here a bit. > > > > > > > > Thank you. > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > Users mailing list > > > > > > > > [email protected] > > > > > > > > http://lists.ovirt.org/mailman/listinfo/users > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > Users mailing list > > > > > > [email protected] > > > > > > http://lists.ovirt.org/mailman/listinfo/users > > > > > > > > > _______________________________________________ > > > > Users mailing list > > > > [email protected] > > > > http://lists.ovirt.org/mailman/listinfo/users > > > _______________________________________________ > > > Users mailing list > > > [email protected] > > > http://lists.ovirt.org/mailman/listinfo/users > > > _______________________________________________ > Users mailing list > [email protected] > http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/users
