On 11/18/19 12:05 PM, Carson Chittom wrote:
> When I set up a machine with CentOS 8, I used the "Enterprise Login" in
> the initial setup wizard to authenticate against my FreeIPA server.
> This worked fine, and I have no issues logging in with that initial user.
>
> However, I am unable to use GDM or the console to login as any *other*
> valid user from FreeIPA. From GDM I get something like "Sorry, that
> didn't work" and "Permission denied" on the console. I've verified that
> the credentials are correct, and that I am able to manually get a ticket
> via kinit for one of those other users from this machine. With
> CentOS 7, I didn't have to do any additional configuration in this
> regard after the initial wizard.
>
> Not sure whether this is a CentOS configuration issue or a FreeIPA one,
> but I figured I'd start here. I'm also not terribly familiar with
> FreeIPA, so I could be missing something obvious; but this worked
> without issue when the machine in question ran CentOS 7.
>
> Can somebody point me in the right direction?

Check out the pam* errors in the journal and bump debugging in sssd.conf
and check out /var/log/sss/sssd_pam.log and sssd_<DOMAIN>.log. Hopefully
that will get you pointed in the right direction.

Did your initial user get added to /etc/passwd?

--
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/