Unable to see SAMBA4 users in Gnome Greeter

Using Leap 15.4 on several computers. In the Gnome Greeter the SAMBA4 domain users don’t show up in the list of users. Computers that were upgraded from 15.3 show the SAMBA4 users in the greeter.

SAMBA4 is 4.15.13+git.636.53d93c5b9d6-150400.3.23.1 on working and non-working machines. I checked the installed software and the same packages are installed on working and non-working machines.

Gnome is not set to hide users. Local users show up in the list.

This looks like a configuration issue but I’ve not been able to find it. Can you help me to get the domain users to show up in the greeter list?

A Firewall issue perhaps? Check by disabling the firewall temporarily if applicable.

There is no firewall between the domain member and DC machines.

If you change to a VT, does realm list find discovered/configured realms?

realmd wasn’t installed. After installing it, running realm list found the correct realm.

type: kerberos
realm-name: INT.LINXCO-INC.COM
domain-name: int.linxco-inc.com
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: samba-winbind
required-package: samba-client
login-formats: INT%U
login-policy: allow-any-login

I don’t have a domain environment, but is this not applicable?

Use enterprise credentials during Welcome screens

If you have not yet configured the machine for enterprise credentials, you can do so at the Welcome screens that are part of the GNOME Initial Setup program.

Configure enterprise credentials

  1. At the Login welcome screen, choose Set Up Enterprise Login.
  2. Type the name of your domain in the Domain field if it is not already prefilled.
  3. Type your domain account user and password in the relevant fields.
  4. Click Next.

Depending on how the domain is configured, a prompt may show up asking for the domain administrator’s name and password in order to proceed.

Change to use enterprise credentials to log into GNOME

If you have already completed initial setup, and wish to start a domain account to log into GNOME, then you can accomplish this from the Users panel in the GNOME Settings.

Configure enterprise credentials

  1. Open the Activities overview and start typing Users.
  2. Click on Users to open the panel.
  3. Click the Unlock button and type the computer administrator’s password.
  4. Click the [+] button in the lower left of the window.
  5. Click the Enterprise Login button.
  6. Enter the domain, user, and password for your Enterprise account, and click Add.

Depending on how your domain is configured, a prompt may show up asking for the domain administrator’s name and password in order to proceed.

I don’t believe that applies. There is nothing in the Gnome greeter regarding enterprise logins. There’s nothing in the Users settings with respect to enterprise logins. I believe the information you provided is for SUSE Enterprise Linux.

I noticed that saving the domain settings presented a message stating “Cannot write PAM settings”. Found this link and performed the steps but no change. Cannot write PAM settings (is it a bug or configuration?) I put the original file back.

The system log has these entries.

2023-04-17T17:00:17.083806-06:00 linx11 gnomesu-pam-backend: The gnome keyring socket is not owned with the same credentials as the user login: /run/user/21104/keyring/control
2023-04-17T17:00:17.083864-06:00 linx11 gnomesu-pam-backend: gkr-pam: couldn’t unlock the login keyring.
2023-04-17T17:00:17.088904-06:00 linx11 gnomesu-pam-backend: pam_unix(gnomesu-pam:session): session opened for user root by (uid=21104)

On a working machine the keyring is opened by uid 0.

On a working installation the package typelib-1_0-GnomeKeyring-1_0 wasn’t installed. Installing it made no difference.

@LinxPatrick you may want to clarify these disabled ad-dc features for Leap 15.5 https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/KCCFC5LO6BSZVUWQJCON23GMHCALSZRD/

Looked at the link. The issue described is not part of the issue I’m having. The Samba AD-DC is working correctly and it’s on an Ubuntu box.

Leap 15 is SUSE Enterprise Linux.

OpenSuSE Leap is not SUSE Enterprise Linux. My apologies, I didn’t specify OpenSuSE in my original post.

No, it came from the Gnome reference I linked to prior to that.

Please mark this thread as closed. I finally gave up and changed the setting to show a username entry control. That’s easier to click in than the small text for selecting an unlisted user.

I guess the current philosophy is that domain user names no longer show up so a hacker can guess at domain passwords.