[CentOS] can't login as subsequent FreeIPA users

Orion Poplawski

orion at nwra.com
Tue Nov 19 02:09:11 UTC 2019

On 11/18/19 12:05 PM, Carson Chittom wrote:
> When I set up a machine with CentOS 8, I used the "Enterprise Login" in
> the initial setup wizard to authenticate against my FreeIPA server.
> This worked fine, and I have no issues logging in with that initial user.
> However, I am unable to use GDM or the console to login as any *other*
> valid user from FreeIPA. From GDM I get something like "Sorry, that
> didn't work" and "Permission denied" on the console.  I've verified that
> the credentials are correct, and that I am able to manually get a ticket
> via kinit for one of those other users from this machine.  With
> CentOS 7, I didn't have to do any additional configuration in this
> regard after the initial wizard.
> Not sure whether this is a CentOS configuration issue or a FreeIPA one,
> but I figured I'd start here.  I'm also not terribly familiar with
> FreeIPA, so I could be missing something obvious; but this worked
> without issue when the machine in question ran CentOS 7.
> Can somebody point me in the right direction?

Check out the pam* errors in the journal and bump debugging in sssd.conf 
and check out /var/log/sss/sssd_pam.log and sssd_<DOMAIN>.log. 
Hopefully that will get you pointed in the right direction.  Did your 
initial user get added to /etc/passwd?

Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
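One way to carry out the "bump debugging in sssd.conf" step from the reply above, as an added example that is not part of the original thread. The helper names `set_sssd_debug` and `sample_conf`, the sample configuration and the domain `example.test` are constructed for illustration; `debug_level` is the real sssd.conf option.

```shell
#!/bin/sh
# Added example; set_sssd_debug and sample_conf are hypothetical helper names.

# Constructed sample sssd.conf (not taken from the thread).
sample_conf() {
cat <<'EOF'
[sssd]
services = nss, pam
domains = example.test

[pam]
debug_level = 2

[domain/example.test]
id_provider = ipa
EOF
}

# set_sssd_debug FILE LEVEL
# Print FILE with debug_level = LEVEL in [pam] and every [domain/...] section.
# Other sections are passed through untouched.
set_sssd_debug() {
    case "$2" in
        [0-9]) ;;
        *) echo "debug_level must be a single digit 0-9" >&2; return 2 ;;
    esac
    awk -v lvl="$2" '
        /^[ \t]*\[/ {
            print
            # Only the PAM responder and the domain back ends are targeted.
            target = ($0 ~ /^[ \t]*\[(pam|domain\/.+)\]/)
            if (target) print "debug_level = " lvl
            next
        }
        # Drop any older debug_level line so the section has exactly one.
        target && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
    ' "$1"
}

# Demo on the constructed sample. On a real host: write the result to a new
# file, install it as /etc/sssd/sssd.conf (root-owned, mode 0600), run
# "systemctl restart sssd", retry the failing login, then read
# "journalctl -b | grep -i pam" and the sssd_pam.log / sssd_<DOMAIN>.log files.
conf=$(mktemp)
sample_conf > "$conf"
set_sssd_debug "$conf" 6
rm -f "$conf"
```

Lower the level again once the failing login has been captured, since high debug levels produce large logs.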
