[Freeipa-devel] IPAv2 on SL6.2 using NIS fails with "Failed password" error

Joshua Dotson josh at knoesis.org
Fri Mar 9 00:49:24 UTC 2012


Well....

I think I can now answer my own question.

The following is from:
http://fedoraproject.org/wiki/QA:Testcase_freeipav2_nis

Password Hashes
You may notice that password hashes are not available, even when you
attempt to retrieve entries as root. As this is the default behavior, a
prospective client system would need to also be configured to use either
Kerberos or LDAP to check user passwords.

I'm sorry for the spam.. :-)... And also, my inconsistent hosts and IPs
below are the result of a failed obfuscation, rather than actual
inconsistencies in my config.

Cheers and thanks for FreeIPA!

-Joshua

P.S. I guess I'll go some other route to authenticate these ancient Ubuntu
9.04 boxes to IPA. lol


On Thu, Mar 8, 2012 at 7:29 PM, <freeipa-devel-request at redhat.com> wrote:

> Message: 1
> Date: Thu, 8 Mar 2012 19:29:10 -0500
> From: Joshua Dotson <josh at knoesis.org>
> To: freeipa-devel at redhat.com
> Subject: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with "Failed
>        password" error
> Message-ID:
>        <CANLzmLhi99Zk986F4Mh0pcYkrRhx3wgdK7CrW+34Q3EofBmnPg at mail.gmail.com
> >
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi All,
>
> I'm having a problem with my IPA installs; I can't seem to get the NIS mode
> to work.  I tried it with and without 'Migration Mode' enabled.
>
> I bind to it and 'getent passwd' and 'getent group' just fine, but when I
> type my password (post initial kinit password change) in for ssh, I get
> permission denied and the following in my client-side /var/log/secure log:
>
> Mar  8 18:15:07 bastion sshd[18480]: Failed password for bob from
> 192.168.5.68 port 50788 ssh2
> Mar  8 18:15:22 bastion sshd[18480]: Failed password for bob from
> 192.168.5.68 port 50788 ssh2
> Mar  8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68  user=bob
> Mar  8 18:46:16 bastion sshd[18556]: Failed password for bob from
> 192.168.5.68 port 50839 ssh2
>
> On the server, I can find no error on the server side, matching the
> timestamp of when I attempt login from a third host to the bastion host
> (see below).
>
> Am I mistaken that IPAv2 provides backwards compatible NIS, without
> client-side SSSD, KRB5 and the like?  Am I missing a service or something?
>
> Thanks very much!  Please excuse the long email.  Perhaps I'm too eager.
> lol  :-)
>
> -Joshua.
>
> ========BACKGROUND INFO FOLLOWS=========
>
> Here are the details of my install, which is my fourth IPA install, so far.
> As a side note, however, I've not been able to get the NIS mode working,
> yet.
>
>
>   - 2 nearly identical KVM's to test this. (1 for server and 1 for NIS
>   client)
>   - x86_64
>   - ext4 over LVM over qcow2 over NFSv3
>   - using virtio
>   - Scientific Linux 6.2 minimal install from GUI of Install DVD
>   - all available yum updates applied
>   - iptables off
>   - ipv4 only
>   - added self FQDN to both /etc/hosts files
>   - NetworkManager off in favor of network
>   - static public IP's
>   - Used the following commands to install my IPA server:
>
> # yum -y install \
>    ipa-server \
>    bind \
>    bind-dyndb-ldap
>
> # ipa-server-install \
>  -a 'admin_pass_example' \
>  --hostname=ipa.example.com \
>  -p 'dir_man_password_example' \
>  -n exampledom.com \
>  -r EXAMPLE.COM \
>  --setup-dns \
>  --forwarder=192.168.2.10 \
>  --forwarder=192.168.1.20
>
>
>   - After a reboot, logging in with Firefox works well... kinit works well
>   after I create an initial user in the UI... Everything is cool.. even
>   enrolling other machines with the ipa-client-install tool works well.. No
>   other changes were made inside the UI
>   - Here are the commands I ran on the server outside the UI, per
>   instructions (here:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html
>   )
>
>
> [root at ipa ~]# ipa-compat-manage enable
> Directory Manager password:
>
> Plugin already Enabled
> [root at ipa ~]# rpcinfo
>   program version netid     address                service    owner
>    100000    4    tcp6      ::.0.111               portmapper superuser
>    100000    3    tcp6      ::.0.111               portmapper superuser
>    100000    4    udp6      ::.0.111               portmapper superuser
>    100000    3    udp6      ::.0.111               portmapper superuser
>    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
>    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
>    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
>    100000    4    udp       0.0.0.0.0.111          portmapper superuser
>    100000    3    udp       0.0.0.0.0.111          portmapper superuser
>    100000    2    udp       0.0.0.0.0.111          portmapper superuser
>    100000    4    local     /var/run/rpcbind.sock  portmapper superuser
>    100000    3    local     /var/run/rpcbind.sock  portmapper superuser
> [root at ipa ~]# ipa-nis-manage enable
> Directory Manager password:
>
> Enabling plugin
> Restarting IPA to initialize updates before performing deletes:
>  [1/2]: stopping directory server
>  [2/2]: starting directory server
> done configuring dirsrv.
> This setting will not take effect until you restart Directory Server.
> The rpcbind service may need to be started.
> [root at ipa ~]# reboot
>
> The system is going down for reboot NOW!
>
>
> sam at bastion:~$ ssh 192.168.5.25
> Last login: Thu Mar  8 17:58:58 2012 from 192.168.5.99
> [sam at ipa ~]$ su -
> Password:
> [root at ipa ~]# rpcinfo
>   program version netid     address                service    owner
>    100000    4    tcp6      ::.0.111               portmapper superuser
>    100000    3    tcp6      ::.0.111               portmapper superuser
>    100000    4    udp6      ::.0.111               portmapper superuser
>    100000    3    udp6      ::.0.111               portmapper superuser
>    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
>    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
>    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
>    100000    4    udp       0.0.0.0.0.111          portmapper superuser
>    100000    3    udp       0.0.0.0.0.111          portmapper superuser
>    100000    2    udp       0.0.0.0.0.111          portmapper superuser
>    100000    4    local     /var/run/rpcbind.sock  portmapper superuser
>    100000    3    local     /var/run/rpcbind.sock  portmapper superuser
>    100004    2    udp6      ::.2.84                ypserv     superuser
>    100004    2    udp       0.0.0.0.2.84           ypserv     superuser
>    100004    2    tcp6      ::.2.84                ypserv     superuser
>    100004    2    tcp       0.0.0.0.2.84           ypserv     superuser
> [root at ipa ~]#
>
>
>   - Here is chkconfig for the server (iptables/ip6tables are disabled by
>   the service command when debugging)
>
> chkconfig --list|grep ':on'
> atd             0:off 1:off 2:off 3:on  4:on  5:on  6:off
> auditd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
> certmonger      0:off 1:off 2:on  3:on  4:on  5:on  6:off
> crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
> ip6tables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
> ipa             0:off 1:off 2:on  3:on  4:on  5:on  6:off
> iptables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
> lvm2-monitor    0:off 1:on  2:on  3:on  4:on  5:on  6:off
> messagebus      0:off 1:off 2:on  3:on  4:on  5:on  6:off
> network         0:off 1:off 2:on  3:on  4:on  5:on  6:off
> ntpd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
> portreserve     0:off 1:off 2:on  3:on  4:on  5:on  6:off
> qpidd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
> rpcbind         0:off 1:off 2:on  3:on  4:on  5:on  6:off
> rsyslog         0:off 1:off 2:on  3:on  4:on  5:on  6:off
> sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
> sssd            0:off 1:off 2:off 3:on  4:on  5:on  6:off
> udev-post       0:off 1:on  2:on  3:on  4:on  5:on  6:off
>
>
>
>
>   - On the client, it's the same OS... SL6.2 x86_64, no firewall, minimal
>   install, ipv4 only
>   - I used authconfig to setup NIS, and am able to 'getent passwd' on the
>   directory.
>
> # authconfig --enablenis --nisdomain=knoesis.org --nisserver=192.168.5.82
> --enablemkhomedir  --update
>
>   - resolv.conf points to the IPA address for dns
>   - client is same domain on the same 24-bit subnet
>   - here are the packages I installed for NIS:
>
> Mar 08 16:05:19 Installed: libgssglue-0.1-11.el6.x86_64
> Mar 08 16:05:19 Installed: libtirpc-0.2.1-5.el6.x86_64
> Mar 08 16:05:19 Installed: rpcbind-0.2.0-8.el6.x86_64
> Mar 08 16:05:56 Installed: 3:ypbind-1.20.4-29.el6.x86_64
> Mar 08 16:05:56 Installed: yp-tools-2.9-12.el6.x86_64
>
>
>   - Here is chkconfig on the client:
>
> chkconfig --list|grep ':on'  (iptables/ip6tables are disabled by the
> service command when debugging)
> auditd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
> crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
> ip6tables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
> iptables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
> lvm2-monitor    0:off 1:on  2:on  3:on  4:on  5:on  6:off
> messagebus      0:off 1:off 2:on  3:on  4:on  5:on  6:off
> network         0:off 1:off 2:on  3:on  4:on  5:on  6:off
> qpidd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
> rpcbind         0:off 1:off 2:on  3:on  4:on  5:on  6:off
> rsyslog         0:off 1:off 2:on  3:on  4:on  5:on  6:off
> sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
> udev-post       0:off 1:on  2:on  3:on  4:on  5:on  6:off
> ypbind          0:off 1:off 2:on  3:on  4:on  5:on  6:off
>
>
>   - /etc/yp.conf (client) (I tried it with the server domain syntax, as
>   well)
>
> ypserver 192.168.6.82
> #domain example.com server 192.168.6.82
>
>
>   - rpcinfo (client)
>
>   program version netid     address                service    owner
>    100000    4    tcp6      ::.0.111               portmapper superuser
>    100000    3    tcp6      ::.0.111               portmapper superuser
>    100000    4    udp6      ::.0.111               portmapper superuser
>    100000    3    udp6      ::.0.111               portmapper superuser
>    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
>    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
>    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
>    100000    4    udp       0.0.0.0.0.111          portmapper superuser
>    100000    3    udp       0.0.0.0.0.111          portmapper superuser
>    100000    2    udp       0.0.0.0.0.111          portmapper superuser
>    100000    4    local     /var/run/rpcbind.sock  portmapper superuser
>    100000    3    local     /var/run/rpcbind.sock  portmapper superuser
>    100007    2    udp       0.0.0.0.3.46           ypbind     superuser
>    100007    1    udp       0.0.0.0.3.46           ypbind     superuser
>    100007    2    tcp       0.0.0.0.3.49           ypbind     superuser
>    100007    1    tcp       0.0.0.0.3.49           ypbind     superuser
>
> --
> Joshua M. Dotson
> Systems Administrator
> Kno.e.sis Center
> Wright State University - Dayton, OH
> josh at knoesis.org
> 937-350-1563



-- 
Joshua M. Dotson
Systems Administrator
Kno.e.sis Center
Wright State University - Dayton, OH
josh at knoesis.org
937-350-1563
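Editor's note: the symptom in this thread (getent resolves the user, sshd logs "Failed password", nothing on the server) is exactly what a NIS-only client shows when the passwd map carries no crypt hashes, which is what the quoted Fedora wiki text describes for FreeIPA's NIS listener. The script below is an added diagnostic, not code from the original post or from the FreeIPA project: it classifies the password field of passwd-format lines the way pam_unix would see them, so you can tell "no hash published" apart from "wrong password" before re-checking the rest of the NIS setup. The sample map, the user names, uid/gid values and the realm/KDC names in the comment are all constructed for the example.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): classify the password field
# of passwd-format lines as a NIS client receives them. FreeIPA's NIS compat
# plugin does not publish password hashes, so pam_unix on a NIS-only client
# has nothing to compare against and sshd logs "Failed password" even though
# `getent passwd` resolves the user.
#
# Usage:
#   sh nis_hash_check.sh --demo                # run on the constructed sample
#   ypcat passwd | sh nis_hash_check.sh --live # run on the real map

# Print one line per entry: "<user> <status>", where status is
#   hash      - a crypt(3) hash is present; pam_unix can verify it
#   no-hash   - field is empty, '*', 'x' or starts with '!'; pam_unix cannot
#   malformed - fewer than the 7 colon-separated passwd fields
#   unknown   - something else in the field; inspect by hand
check_passwd_map() {
    awk -F: '
        NF < 7 { print $1 " malformed"; next }
        $2 == "" || $2 == "*" || $2 == "x" || $2 ~ /^!/ { print $1 " no-hash"; next }
        $2 ~ /^[$][0-9a-z]+[$]/ || length($2) == 13 { print $1 " hash"; next }
        { print $1 " unknown" }
    '
}

# Count entries by status; prints "<hash-count> <no-hash-count>".
# A map with zero hashes cannot support password auth via NIS at all.
summarize_passwd_map() {
    check_passwd_map | awk '
        $2 == "hash"    { h++ }
        $2 == "no-hash" { n++ }
        END { printf "%d %d\n", h + 0, n + 0 }
    '
}

# Constructed sample: two entries shaped like a FreeIPA NIS passwd map
# (no hash published), one classic-NIS entry with a real DES-style hash,
# and one truncated line. Names and ids are invented.
SAMPLE_MAP='bob:*:1001:1001:Bob Example:/home/bob:/bin/bash
sam:*:1002:1002:Sam Example:/home/sam:/bin/bash
legacy:abJnggxhB/yWI:1003:1003:Legacy NIS user:/home/legacy:/bin/sh
broken:1004:1004'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_MAP" | check_passwd_map ;;
    --live) check_passwd_map ;;
esac

# When the summary shows zero usable hashes, keep NIS for identity only and
# move password checking to Kerberos or LDAP. On an RHEL/SL6 client that is
# the authconfig route (realm and KDC names are assumptions for this example
# and must match the IPA server's):
#   authconfig --enablenis --enablekrb5 --krb5realm=EXAMPLE.COM \
#              --krb5kdc=ipa.example.com --update
```

The `--live` mode reads the same input `ypcat passwd` produces on the client, so the check runs where the failure is observed; if every entry comes back `no-hash`, no amount of ypbind or rpcinfo debugging will make pam_unix succeed, and the fix is on the PAM side, not the NIS side.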