LDAP user can log in from tty but not login manager


LDAP user can log in from tty but not login manager. A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile; a server stack is one type of solution stack, an ordered selection of software that makes it possible to complete a particular task. The problem described in this post, an LDAP user who can log in from a tty but not from the login manager, is one such server-stack problem that needed a solution. Below are the notes on diagnosing it on a Linux (CentOS) server with LDAP logins and a KDE desktop.

Configuration

  • CentOS 7.5.1804
  • GDM, LightDM, SDDM tested
  • yum group “KDE Plasma Workspaces” as desktop environment, GNOME also tested
  • LDAP logins provided by sssd, /home/* mounted via autofs over NFS

Problem

Logging in as the root user works, as well as any other local user. Bypassing the login screen by switching to TTY2, logging in as an LDAP user via the terminal, and running startx also works, but logins from the display manager itself pause for half a second and then bounce back to the display manager.

Output of systemctl status gdm:

Jun 18 15:04:55 hpcl1-1.salisbury.edu systemd[1]: Starting GNOME Display Manager...
Jun 18 15:04:55 hpcl1-1.salisbury.edu systemd[1]: Started GNOME Display Manager.
Jun 18 15:05:12 hpcl1-1.salisbury.edu gdm-password][4421]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=rquackenbush1
Jun 18 15:05:15 hpcl1-1.salisbury.edu gdm[4144]: Failed to remove greeter program access to the display. Trying to proceed.

The issue was that the user’s login shell was a wrapper (inherited from a legacy system), and we were in the middle of an upgrade of the OS, which had SELinux enabled by default. Switching SELinux to permissive fixed it, but our permanent fix was to remove the wrapper and restrict SSH into our servers via PAM.
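A diagnostic script for the situation above, added here as an example and not code from the original post. It assumes an sssd/NSS-backed host with SELinux and auditd present (getent, getenforce, ausearch); the passwd line, shells list and user name used to exercise the helper functions are constructed.

```sh
#!/bin/sh
# Diagnose an LDAP (sssd) user whose display-manager login bounces back while
# tty login + startx works. The pure helpers take their input as arguments so
# they can be exercised offline; check_user runs the live checks on a real host.

# The login shell is field 7 of a passwd(5) line (e.g. from: getent passwd "$user").
login_shell_of() {
    printf '%s\n' "$1" | cut -d: -f7
}

# Succeeds if $1 appears verbatim as one line of $2 (the contents of /etc/shells).
shell_is_registered() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Rough classification: a shell outside the usual locations is likely a site
# wrapper script, the kind of thing SELinux may refuse to run for gdm/sddm.
classify_shell() {
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) echo nologin ;;
        /bin/*sh|/usr/bin/*sh) echo standard ;;
        *) echo wrapper ;;
    esac
}

check_user() {
    user=$1
    entry=$(getent passwd "$user") || { echo "no passwd entry for $user (sssd/nss?)"; return 1; }
    shell=$(login_shell_of "$entry")
    echo "login shell: $shell [$(classify_shell "$shell")]"
    shell_is_registered "$shell" "$(cat /etc/shells)" || echo "WARNING: $shell not in /etc/shells"
    echo "SELinux mode: $(getenforce 2>/dev/null || echo unavailable)"
    # Label of the shell; compare it with a normal shell such as /bin/bash.
    ls -Z "$shell" /bin/bash 2>/dev/null
    # Recent AVC denials involving the shell or a display manager (needs auditd).
    ausearch -m avc -ts recent 2>/dev/null | grep -E "$shell|gdm|sddm|lightdm" | tail -n 5
    # Does the home directory actually mount for this user (autofs over NFS)?
    ls -ld "$(printf '%s\n' "$entry" | cut -d: -f6)" 2>&1
}

if [ $# -eq 1 ]; then check_user "$1"; fi
```

Run it as root with the failing user name; a "wrapper" classification, a missing /etc/shells entry, or an AVC line naming the shell points at the cause described above.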
