I’ve set up SSSD to authenticate (against a MF eDirectory server). I can log in via console, but not via GDM.
Looking at logs, it appears that pam OKs me through login:
Aug 23 10:50:30 joe gdm-password][1974]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty7 ruser= rhost= user=fortier
Aug 23 10:50:30 joe gdm-password][1974]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty7 ruser= rhost= user=fortier
(I interpret this as a failed local login, but passed sssd)
But things hang at this point (which I suspect is where sessions should be set up).
I can log in with GDM with my created account with no issue.
I’m rebuilding my desktop (bad disk) and had seen this issue last build. But last time I avoided SSSD and set up nslcd.
Should this work (does GDM have issues with SSSD?)
Should I switch (back) to nslcd?
Any troubleshooting help?
Thanks
I’ve switched back to nslcd. This allows me to log into GDM from LDAP.
The process (in case this is useful to someone else):
zypper install nss-pam-ldapd (this will uninstall pam_ldap)
edit /etc/nslcd.conf (add ldap URI and base)
disabled sssd
enable nslcd
reboot
Joe,
Could you post your sssd.conf ?
– lawrence
Sure:
[sssd]
config_file_version = 2
services = pam
domains = augsburg.edu
[pam]
[nss]
[domain/augsburg.edu]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
enumerate = true
cache_credentials = true
case_sensitive = true
ldap_use_tokengroups = false
ldap_uri = ldap://XXXXXXXXXXXXXX
ldap_search_base = XXXXXXXXXXXXX
ldap_tls_reqcert = never
Joe,
I see the nss responder is not present in the “services” directive. “systemctl status sssd.service” should show if it’s running. If not, add it to the directive and restart the daemon.
services = pam,nss
Also, shut down and disable the nscd if it is running as well.
Also the default for the LDAP providers is “ldap_id_mapping = false”, so I’m assuming you are reading the POSIX attributes from the directory (seeing as nslcd was configured previously). If they are, I’m also assuming the attributes are accessible anonymously to the system, given the absence of a configured bind user or the GSSAPI method to access them?
Let’s go from there,
– lawrence
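A small config check for the points raised in this reply (the nss responder missing from “services”, and how the LDAP provider reaches the directory), written as an added example and not part of this thread. It parses a constructed sssd.conf modelled on the one posted above (hostnames and base are invented) and reports what a practitioner would want to review before blaming GDM; the option names are the real sssd-ldap ones.

```python
import configparser

# Constructed sample mirroring the sssd.conf posted above (hosts and base are invented).
SAMPLE_CONF = """
[sssd]
config_file_version = 2
services = pam
domains = example.edu

[pam]
[nss]

[domain/example.edu]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://ldap.example.edu
ldap_search_base = dc=example,dc=edu
ldap_tls_reqcert = never
"""

def _csv(value):
    """Split a comma-separated sssd directive into a clean list."""
    return [v.strip() for v in value.split(",") if v.strip()]

def check_sssd_conf(text):
    """Parse sssd.conf-style text and return a list of findings (empty means nothing flagged)."""
    cp = configparser.ConfigParser(interpolation=None)  # empty sections like [pam] are fine
    cp.read_string(text)
    findings = []
    # GDM and getent resolve users through the nss responder; pam alone only authenticates.
    if "nss" not in _csv(cp.get("sssd", "services", fallback="")):
        findings.append("[sssd] services lacks nss; GDM/getent cannot resolve LDAP users")
    for domain in _csv(cp.get("sssd", "domains", fallback="")):
        sec = f"domain/{domain}"
        if not cp.has_section(sec):
            findings.append(f"domain {domain} is listed but [{sec}] is missing")
            continue
        # sssd forces TLS for the auth bind, but id lookups over ldap:// stay cleartext
        # unless ldap_id_use_start_tls is set.
        if cp.get(sec, "ldap_uri", fallback="").startswith("ldap://") and \
                cp.get(sec, "ldap_id_use_start_tls", fallback="false").lower() != "true":
            findings.append(f"[{sec}] ldap:// without ldap_id_use_start_tls; id lookups unencrypted")
        if cp.get(sec, "ldap_tls_reqcert", fallback="hard").lower() == "never":
            findings.append(f"[{sec}] ldap_tls_reqcert = never disables server certificate checks")
        if not cp.has_option(sec, "ldap_default_bind_dn") and not cp.has_option(sec, "ldap_sasl_mech"):
            findings.append(f"[{sec}] no bind DN or SASL mechanism; directory is queried anonymously")
    return findings

if __name__ == "__main__":
    for finding in check_sssd_conf(SAMPLE_CONF):
        print(finding)
```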
I’m making another stab…
I’ve explicitly added nss to the services directive. It shows in the systemctl output:
└─1288 /usr/lib/sssd/sssd_nss --uid 0 --gid 0 --logger=files
I have POSIX attributes (at least UID/GUID) in ldap and the attributes are available anonymously.
To be clear, I can log in via the shell (Virtual Terminal) with no issue, with sssd and with nslcd.
But GDM doesn’t seem to see me.
Joe,
What identity back-end is being used (AD, eDir, openLDAP, etc.) and what is the response to an “id” command for a user that GDM cannot see?
– lawrence
… and now I see from your initial post the back end is eDir.
– lawrence