[Freeipa-devel] IPAv2 on SL6.2 using NIS fails with "Failed password" error

Dmitri Pal dpal at redhat.com
Fri Mar 9 21:06:33 UTC 2012


On 03/08/2012 07:49 PM, Joshua Dotson wrote:
> Well....
>
> I think I can now answer my own question.
>
> The following is
> from: http://fedoraproject.org/wiki/QA:Testcase_freeipav2_nis
>
>     Password Hashes
>     You may notice that password hashes are not available, even when
>     you attempt to retrieve entries as root. As this is the default
>     behavior, a prospective client system would need to also be
>     configured to use either Kerberos or LDAP to check user passwords.
>
> I'm sorry for the spam.. :-)... And also, my inconsistent hosts and
> IP's below are the result of a failed obfuscation, rather than actual
> inconsistencies in my config.
>
> Cheers and thanks for FreeIPA!
>

Joshua, is this just a test of the waters or do you actually plan to use NIS on 6.2?
It seems odd, as 6.2 has a much superior solution (SSSD configured
with ipa-client) than NIS.
NIS support is mostly for legacy systems that can't do LDAP.

As far as I understand, the underlying DS can also be configured to create
the weak hashes needed for NIS, but it is not recommended. But this is
something that the gurus should confirm.


> -Joshua
>
> P.S. I guess I'll go some other route to authenticate these ancient
> Ubuntu 9.04 boxes to IPA. lol
>
>
> On Thu, Mar 8, 2012 at 7:29 PM, <freeipa-devel-request at redhat.com> wrote:
>
>     Date: Thu, 8 Mar 2012 19:29:10 -0500
>     From: Joshua Dotson <josh at knoesis.org>
>     To: freeipa-devel at redhat.com
>     Subject: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with "Failed password" error
>
>     Hi All,
>
>     I'm having a problem with my IPA installs; I can't seem to get the NIS mode
>     to work.  I tried it with and without 'Migration Mode' enabled.
>
>     I bind to it and 'getent passwd' and 'getent group' just fine, but when I
>     type my password (post initial kinit password change) in for ssh, I get
>     permission denied and the following in my client-side /var/log/secure log:
>
>     Mar  8 18:15:07 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
>     Mar  8 18:15:22 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
>     Mar  8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68 user=bob
>     Mar  8 18:46:16 bastion sshd[18556]: Failed password for bob from 192.168.5.68 port 50839 ssh2
>
>     On the server, I can find no error on the server side, matching the
>     timestamp of when I attempt login from a third host to the bastion host
>     (see below).
>
>     Am I mistaken that IPAv2 provides backwards compatible NIS, without
>     client-side SSSD, KRB5 and the like?  Am I missing a service or something?
>
>     Thanks very much!  Please excuse the long email.  Perhaps I'm too eager.
>     lol  :-)
>
>     -Joshua.
>
>     ========BACKGROUND INFO FOLLOWS=========
>
>     Here are the details of my install, which is my fourth IPA install, so far.
>     As a side note, however, I've not been able to get the NIS mode working,
>     yet.
>
>
>       - 2 nearly identical KVM's to test this. (1 for server and 1 for NIS
>       client)
>       - x86_64
>       - ext4 over LVM over qcow2 over NFSv3
>       - using virtio
>       - Scientific Linux 6.2 minimal install from GUI of Install DVD
>       - all available yum updates applied
>       - iptables off
>       - ipv4 only
>       - added self FQDN to both /etc/hosts files
>       - NetworkManager off in favor of network
>       - static public IP's
>       - Used the following commands to install my IPA server:
>
>     # yum -y install \
>        ipa-server \
>        bind \
>        bind-dyndb-ldap
>
>     # ipa-server-install \
>      -a 'admin_pass_example' \
>      --hostname=ipa.example.com \
>      -p 'dir_man_password_example' \
>      -n exampledom.com \
>      -r EXAMPLE.COM \
>      --setup-dns \
>      --forwarder=192.168.2.10 \
>      --forwarder=192.168.1.20
>
>
>       - After a reboot, logging in with Firefox works well... kinit works well
>       after I create an initial user in the UI... Everything is cool..even
>       enrolling other machines with the ipa-client-install tool works well.. No
>       other changes were made inside the UI
>       - Here are the commands I ran on the server outside the UI, per
>       instructions (here:
>     http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html
>       )
>
>
>     [root at ipa ~]# ipa-compat-manage enable
>     Directory Manager password:
>
>     Plugin already Enabled
>     [root at ipa ~]# rpcinfo
>       program version netid     address                service    owner
>        100000    4    tcp6      ::.0.111               portmapper superuser
>        100000    3    tcp6      ::.0.111               portmapper superuser
>        100000    4    udp6      ::.0.111               portmapper superuser
>        100000    3    udp6      ::.0.111               portmapper superuser
>        100000    4    tcp       0.0.0.0.0.111          portmapper superuser
>        100000    3    tcp       0.0.0.0.0.111          portmapper superuser
>        100000    2    tcp       0.0.0.0.0.111          portmapper superuser
>        100000    4    udp       0.0.0.0.0.111          portmapper superuser
>        100000    3    udp       0.0.0.0.0.111          portmapper superuser
>        100000    2    udp       0.0.0.0.0.111          portmapper superuser
>        100000    4    local     /var/run/rpcbind.sock  portmapper superuser
>        100000    3    local     /var/run/rpcbind.sock  portmapper superuser
>     [root at ipa ~]# ipa-nis-manage enable
>     Directory Manager password:
>
>     Enabling plugin
>     Restarting IPA to initialize updates before performing deletes:
>      [1/2]: stopping directory server
>      [2/2]: starting directory server
>     done configuring dirsrv.
>     This setting will not take effect until you restart Directory Server.
>     The rpcbind service may need to be started.
>     [root at ipa ~]# reboot
>
>     The system is going down for reboot NOW!
>
>
>     sam at bastion:~$ ssh 192.168.5.25
>     Last login: Thu Mar  8 17:58:58 2012 from 192.168.5.99
>     [sam at ipa ~]$ su -
>     Password:
>     [root at ipa ~]# rpcinfo
>       program version netid     address                service    owner
>        100000    4    tcp6      ::.0.111               portmapper superuser
>        100000    3    tcp6      ::.0.111               portmapper superuser
>        100000    4    udp6      ::.0.111               portmapper superuser
>        100000    3    udp6      ::.0.111               portmapper superuser
>        100000    4    tcp       0.0.0.0.0.111          portmapper superuser
>        100000    3    tcp       0.0.0.0.0.111          portmapper superuser
>        100000    2    tcp       0.0.0.0.0.111          portmapper superuser
>        100000    4    udp       0.0.0.0.0.111          portmapper superuser
>        100000    3    udp       0.0.0.0.0.111          portmapper superuser
>        100000    2    udp       0.0.0.0.0.111          portmapper superuser
>        100000    4    local     /var/run/rpcbind.sock  portmapper superuser
>        100000    3    local     /var/run/rpcbind.sock  portmapper superuser
>        100004    2    udp6      ::.2.84                ypserv     superuser
>        100004    2    udp       0.0.0.0.2.84           ypserv     superuser
>        100004    2    tcp6      ::.2.84                ypserv     superuser
>        100004    2    tcp       0.0.0.0.2.84           ypserv     superuser
>     [root at ipa ~]#
>
>
>       - Here is chkconfig for the server (iptables/ip6tables are disabled by
>       the service command when debugging)
>
>      chkconfig --list|grep ':on'
>     atd             0:off 1:off 2:off 3:on 4:on 5:on 6:off
>     auditd         0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     certmonger     0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     crond           0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     ip6tables       0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     ipa             0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     iptables       0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     lvm2-monitor   0:off 1:on 2:on 3:on 4:on 5:on 6:off
>     messagebus     0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     network         0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     ntpd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     portreserve     0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     qpidd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     rpcbind         0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     rsyslog         0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     sshd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     sssd           0:off 1:off 2:off 3:on 4:on 5:on 6:off
>     udev-post       0:off 1:on 2:on 3:on 4:on 5:on 6:off
>
>
>
>
>       - On the client, it's the same OS... SL6.2 x86_64, no firewall, minimal
>       install, ipv4 only
>       - I used authconfig to setup NIS, and am able to 'getent passwd' on the
>       directory.
>
>     # authconfig --enablenis --nisdomain=knoesis.org --nisserver=192.168.5.82 --enablemkhomedir --update
>
>       - resolv.conf points to the IPA address for dns
>       - client is same domain on the same 24-bit subnet
>       - here are the packages I installed for NIS:
>
>     Mar 08 16:05:19 Installed: libgssglue-0.1-11.el6.x86_64
>     Mar 08 16:05:19 Installed: libtirpc-0.2.1-5.el6.x86_64
>     Mar 08 16:05:19 Installed: rpcbind-0.2.0-8.el6.x86_64
>     Mar 08 16:05:56 Installed: 3:ypbind-1.20.4-29.el6.x86_64
>     Mar 08 16:05:56 Installed: yp-tools-2.9-12.el6.x86_64
>
>
>       - Here is chkconfig on the client:
>
>     chkconfig --list|grep ':on'  (iptables/ip6tables are disabled by the
>     service command when debugging)
>     auditd         0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     crond           0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     ip6tables       0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     iptables       0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     lvm2-monitor   0:off 1:on 2:on 3:on 4:on 5:on 6:off
>     messagebus     0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     network         0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     qpidd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     rpcbind         0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     rsyslog         0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     sshd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
>     udev-post       0:off 1:on 2:on 3:on 4:on 5:on 6:off
>     ypbind         0:off 1:off 2:on 3:on 4:on 5:on 6:off
>
>
>       - /etc/yp.conf (client) (I tried it with the server domain syntax, as
>       well)
>
>     ypserver 192.168.6.82
>     #domain example.com server 192.168.6.82
>
>
>       - rpcinfo (client)
>
>       program version netid     address                service    owner
>        100000    4    tcp6      ::.0.111               portmapper superuser
>        100000    3    tcp6      ::.0.111               portmapper superuser
>        100000    4    udp6      ::.0.111               portmapper superuser
>        100000    3    udp6      ::.0.111               portmapper superuser
>        100000    4    tcp       0.0.0.0.0.111          portmapper superuser
>        100000    3    tcp       0.0.0.0.0.111          portmapper superuser
>        100000    2    tcp       0.0.0.0.0.111          portmapper superuser
>        100000    4    udp       0.0.0.0.0.111          portmapper superuser
>        100000    3    udp       0.0.0.0.0.111          portmapper superuser
>        100000    2    udp       0.0.0.0.0.111          portmapper superuser
>        100000    4    local     /var/run/rpcbind.sock  portmapper superuser
>        100000    3    local     /var/run/rpcbind.sock  portmapper superuser
>        100007    2    udp       0.0.0.0.3.46           ypbind     superuser
>        100007    1    udp       0.0.0.0.3.46           ypbind     superuser
>        100007    2    tcp       0.0.0.0.3.49           ypbind     superuser
>        100007    1    tcp       0.0.0.0.3.49           ypbind     superuser
>
>     --
>     Joshua M. Dotson
>     Systems Administrator
>     Kno.e.sis Center
>     Wright State University - Dayton, OH
>     josh at knoesis.org
>     937-350-1563
>
>
>
>
> -- 
> Joshua M. Dotson
> Systems Administrator
> Kno.e.sis Center
> Wright State University - Dayton, OH
> josh at knoesis.org
> 937-350-1563
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
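As an added example (not from this thread, and not FreeIPA code), a check a client administrator could run over `ypcat passwd` output to confirm the point the quoted wiki text makes: the default FreeIPA NIS map carries no password hashes, so a NIS-only client can never verify a password and must use Kerberos or LDAP instead. It also flags the weak DES/MD5 hashes Dmitri mentions, should a directory be configured to export them. The two sample maps are constructed.

```python
"""Audit the password field of NIS passwd-map entries (``ypcat passwd`` format).
Added example, not FreeIPA code; the sample maps below are constructed."""
import re
from collections import Counter

# Traditional DES crypt(3): exactly 13 characters from the crypt alphabet.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format "$id$salt$hash": $1$ = MD5, $5$ = SHA-256, $6$ = SHA-512.
MODULAR_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$")
MODULAR_IDS = {"1": "md5", "5": "sha256", "6": "sha512"}
# Values that carry no hash at all; FreeIPA's NIS map shows "*" by default.
PLACEHOLDERS = {"", "*", "x", "!", "!!", "*NP*"}
WEAK_KINDS = {"des", "md5"}  # readable by any NIS client and cheap to crack

def classify_field(field):
    """Return the hash kind of one passwd password field."""
    if field in PLACEHOLDERS:
        return "placeholder"
    if DES_CRYPT_RE.match(field):
        return "des"
    m = MODULAR_RE.match(field)
    if m:
        return MODULAR_IDS.get(m.group("id"), "unknown")
    return "unknown"

def parse_passwd_map(text):
    """Return (name, kind) for each well-formed 7-field passwd line."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or fields[0].startswith("#"):
            continue  # skip blanks, comments and malformed records
        entries.append((fields[0], classify_field(fields[1])))
    return entries

def summarize(entries):
    """Per-kind counts plus the two verdicts a client admin needs."""
    counts = Counter(kind for _, kind in entries)
    return {
        "counts": dict(counts),
        # A NIS-only password check needs a hash in the map; "*" always fails.
        "usable_for_nis_auth": any(k != "placeholder" for k in counts),
        "weak_hashes_exposed": any(counts[k] for k in WEAK_KINDS),
        "weak_accounts": sorted(n for n, k in entries if k in WEAK_KINDS),
    }

# Constructed samples: FreeIPA default (no hashes) and a map exporting DES/MD5.
DEFAULT_MAP = "bob:*:1001:1001:Bob:/home/bob:/bin/bash\nalice:*:1002:1002:Alice:/home/alice:/bin/bash\n"
WEAK_MAP = ("bob:abJnggxhB/yWI:1001:1001:Bob:/home/bob:/bin/bash\n"
            "carol:$1$saltsalt$0123456789abcdefghijkl:1003:1003:Carol:/home/carol:/bin/bash\n")
```

Feeding it real output (`ypcat passwd | python3 -c 'import sys, nisaudit; print(nisaudit.summarize(nisaudit.parse_passwd_map(sys.stdin.read())))'`, with the block saved as `nisaudit.py`) gives `usable_for_nis_auth: False` on a stock FreeIPA server, which is exactly the "Failed password" symptom in the thread: ypbind resolves the user, but there is nothing for pam_unix to compare against.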


