[OpenAFS] Re: Moving Magic Trio to another domain

Jukka Tuominen jukka.tuominen@finndesign.fi
Wed, 2 Oct 2013 14:32:00 +0300 (EEST)


I decided to reduce complexity and remove LDAP from the equation, since it
wasn't really utilized. I then updated the nsswitch.conf and pam.d configs
accordingly.

Now I have a single client machine (a VM) that works as intended using the
gdm GUI login. Strangely enough, I cannot make the other clients work, not
even when running the very same VM under another host. AFAIU, it's the
authorization through gdm that doesn't work. Logging in as a local user and
then running kinit; aklog works fine.

On the client that succeeds,
auth.log:

Oct  2 12:21:51 hostname gdm-session-worker[1208]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "username"
Oct  2 12:21:55 hostname gdm-session-worker[1208]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=username
Oct  2 12:21:55 hostname gdm-session-worker[1208]: pam_krb5(gdm:auth): user username authenticated as username@NEW.DOMAIN
Oct  2 12:21:55 hostname gdm-session-worker[1208]: pam_unix(gdm:session): session opened for user username by (uid=0)


The other clients pass authentication, but not authorization, through gdm,
and the login screen is returned.

/gdm/:0-slave.log.1:

gdm-session-worker[1135]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "username"
gdm-session-worker[1135]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=username
gdm-session-worker[1135]: pam_krb5(gdm:auth): user username authenticated as username@NEW.DOMAIN
gdm-session-worker[1135]: pam_unix(gdm:session): session opened for user username by (uid=0)
gdm-simple-slave[749]: WARNING: Failed to add user authorization: could not find user "username" on system
**
ERROR:gdm-simple-slave.c:397:start_session_timeout: assertion failed: (auth_file != NULL)

The working client machine is much faster than the others, so it could be a
timeout issue, but then again, I never had that issue in the old-domain
setup. The rejection happens in just about 1-2 seconds.

Any ideas what could be the cause and how to fix it?


br, jukka
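The slave log quoted in the message above shows two separate stages: pam_krb5 accepts the password for username@NEW.DOMAIN and a PAM session opens, and only then gdm reports that it "could not find user" on the system, which is its passwd lookup (getpwnam, answered by the NSS sources listed in nsswitch.conf) failing rather than a PAM rejection. The following triage script is an added example, not part of the post, of OpenAFS or of gdm: it classifies the posted log lines by PAM stage, lists the passwd sources a client's nsswitch.conf consults, and runs the same account lookup gdm performs. The log lines are copied from the message; the nsswitch.conf fragment is constructed and hypothetical; all function names are mine.

```python
"""Triage a gdm login that authenticates but never reaches the desktop.

Added example (not from the original post). Separates three things:
  1. the PAM stage each gdm log line belongs to, so the expected
     pam_succeed_if / pam_unix failures for a non-local account are not
     mistaken for the real problem;
  2. which NSS sources the client consults for the passwd database;
  3. whether the account actually resolves through NSS on this host,
     which is the lookup gdm does after PAM has accepted the login.
"""
import pwd
import re

# Log lines copied from the failing client's slave log in the post above.
FAILING_CLIENT_LOG = [
    'gdm-session-worker[1135]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "username"',
    'gdm-session-worker[1135]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=username',
    'gdm-session-worker[1135]: pam_krb5(gdm:auth): user username authenticated as username@NEW.DOMAIN',
    'gdm-session-worker[1135]: pam_unix(gdm:session): session opened for user username by (uid=0)',
    'gdm-simple-slave[749]: WARNING: Failed to add user authorization: could not find user "username" on system',
]
# The working client's log in the post has the same four PAM lines and no warning.
WORKING_CLIENT_LOG = FAILING_CLIENT_LOG[:4]

# Constructed, hypothetical nsswitch.conf for a client after LDAP was removed.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample, not the poster's file)
passwd:         files
group:          files
shadow:         files
hosts:          files dns
"""

# pam_<module>(<service>:<stage>): <message>
PAM_LINE = re.compile(r'(?P<module>pam_\w+)\((?P<service>\w+):(?P<stage>\w+)\): (?P<msg>.*)')


def triage_gdm_log(lines):
    """Summarise who authenticated the user, whether a PAM session opened,
    and whether gdm could resolve the account afterwards."""
    summary = {"authenticated_by": None, "principal": None,
               "session_opened": False, "user_resolved": True, "noise": []}
    for line in lines:
        m = PAM_LINE.search(line)
        if m:
            module, stage, msg = m["module"], m["stage"], m["msg"]
            if stage == "auth" and "authenticated as" in msg:
                summary["authenticated_by"] = module
                summary["principal"] = msg.rsplit(" ", 1)[-1]
            elif stage == "session" and "session opened" in msg:
                summary["session_opened"] = True
            else:
                # pam_succeed_if (nopasswdlogin group) and pam_unix (local
                # shadow password) are expected to fail for a Kerberos-only
                # account; the stack then falls through to pam_krb5.
                summary["noise"].append(module)
        elif "could not find user" in line:
            # gdm's post-PAM passwd lookup failed: an NSS problem, not PAM.
            summary["user_resolved"] = False
    return summary


def nss_sources(nsswitch_text, database):
    """Return the source list nsswitch.conf gives for one database."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if name.strip() == database:
            # Drop [NOTFOUND=return]-style action clauses, keep source names.
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []


def user_resolvable(username):
    """The same lookup gdm performs after PAM: does NSS know this account?"""
    try:
        pwd.getpwnam(username)
        return True
    except KeyError:
        return False


def diagnose(log_lines, nsswitch_text):
    """Verdict: 'pam_auth_failed', 'nss_lookup_failed' or 'ok'."""
    s = triage_gdm_log(log_lines)
    if not s["authenticated_by"]:
        return "pam_auth_failed"
    if not s["user_resolved"]:
        # The decisive question for this case is why the passwd sources
        # below do not return the account on this client.
        return "nss_lookup_failed"
    return "ok"


if __name__ == "__main__":
    print("failing client:", diagnose(FAILING_CLIENT_LOG, SAMPLE_NSSWITCH))
    print("working client:", diagnose(WORKING_CLIENT_LOG, SAMPLE_NSSWITCH))
    print("passwd sources:", nss_sources(SAMPLE_NSSWITCH, "passwd"))
    # On a real client, replace "username" with the account that is rejected.
    print("resolvable here:", user_resolvable("username"))
```

Run on a failing client, the useful comparison is `user_resolvable()` (equivalently `getent passwd username`) against the working client: if the working VM resolves the account and the others do not, the difference is in the passwd sources each client's nsswitch.conf names and whether those sources are reachable, not in the Kerberos realm or in gdm itself.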