<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 03/08/2012 07:49 PM, Joshua Dotson wrote:
<blockquote
cite="mid:CANLzmLg+4ZwiwTQsAonqyWhHYoc7YEo0rxp2M+u8n_cPyTMqew@mail.gmail.com"
type="cite">Well....
<div><br>
</div>
<div>I think I can now answer my own question.</div>
<div><br>
</div>
<div>The following is from: <a moz-do-not-send="true"
href="http://fedoraproject.org/wiki/QA:Testcase_freeipav2_nis">http://fedoraproject.org/wiki/QA:Testcase_freeipav2_nis</a></div>
<div><br>
</div>
<div>
<blockquote style="margin: 0pt 0pt 0pt 40px; border: medium
none; padding: 0px;">
<div>
<div>Password Hashes</div>
<div>You may notice that password hashes are not available,
even when you attempt to retrieve entries as root. As this
is the default behavior, a prospective client system would
need to also be configured to use either Kerberos or LDAP
to check user passwords.</div>
</div>
<div><br>
</div>
</blockquote>
I'm sorry for the spam.. :-)... And also, my inconsistent hosts
and IP's below are the result of a failed obfuscation, rather
than actual inconsistencies in my config.</div>
<div><br>
</div>
<div>Cheers and thanks for FreeIPA!</div>
<div><br>
</div>
</blockquote>
<br>
Joshua, is this just a test of the waters, or do you actually plan to use NIS
on 6.2?<br>
It seems odd, as 6.2 has a far superior solution (SSSD configured
with ipa-client) to NIS. <br>
NIS support is mostly for legacy systems that can't do LDAP.<br>
<br>
As far as I understand, the underlying DS can also be configured to
create the weak hashes needed for NIS, but it is not recommended. But
this is something that the gurus should confirm.<br>
<br>
<br>
<blockquote
cite="mid:CANLzmLg+4ZwiwTQsAonqyWhHYoc7YEo0rxp2M+u8n_cPyTMqew@mail.gmail.com"
type="cite">
<div>-Joshua</div>
<div><br>
</div>
<div>P.S. I guess I'll go some other route to authenticate these
ancient Ubuntu 9.04 boxes to IPA. lol</div>
<div><br>
</div>
<div><br>
<div class="gmail_quote">On Thu, Mar 8, 2012 at 7:29 PM, <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:freeipa-devel-request@redhat.com">freeipa-devel-request@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
Today's Topics:<br>
<br>
1. IPAv2 on SL6.2 using NIS fails with "Failed
password" error<br>
(Joshua Dotson)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Thu, 8 Mar 2012 19:29:10 -0500<br>
From: Joshua Dotson <<a moz-do-not-send="true"
href="mailto:josh@knoesis.org">josh@knoesis.org</a>><br>
To: <a moz-do-not-send="true"
href="mailto:freeipa-devel@redhat.com">freeipa-devel@redhat.com</a><br>
Subject: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with
"Failed<br>
password" error<br>
Message-ID:<br>
<<a moz-do-not-send="true"
href="mailto:CANLzmLhi99Zk986F4Mh0pcYkrRhx3wgdK7CrW%2B34Q3EofBmnPg@mail.gmail.com">CANLzmLhi99Zk986F4Mh0pcYkrRhx3wgdK7CrW+34Q3EofBmnPg@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Hi All,<br>
<br>
I'm having a problem with my IPA installs; I can't seem to
get the NIS mode<br>
to work. I tried it with and without 'Migration Mode'
enabled.<br>
<br>
I bind to it and 'getent passwd' and 'getent group' just
fine, but when I<br>
type my password (post initial kinit password change) in for
ssh, I get<br>
permission denied and the following in my client-side
/var/log/secure log:<br>
<br>
<pre>
Mar 8 18:15:07 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar 8 18:15:22 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar 8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68 user=bob
Mar 8 18:46:16 bastion sshd[18556]: Failed password for bob from 192.168.5.68 port 50839 ssh2
</pre>
<br>
On the server side, I can find no error matching the timestamp of
when I attempt to log in from a third host to the bastion host
(see below).<br>
<br>
Am I mistaken that IPAv2 provides backwards compatible NIS,
without<br>
client-side SSSD, KRB5 and the like? Am I missing a service
or something?<br>
<br>
Thanks very much! Please excuse the long email. Perhaps
I'm too eager.<br>
lol :-)<br>
<br>
-Joshua.<br>
<br>
========BACKGROUND INFO FOLLOWS=========<br>
<br>
Here are the details of my install, which is my fourth IPA install so far.
As a side note, however, I've not been able to get the NIS mode working
yet.<br>
<br>
<br>
- 2 nearly identical KVM's to test this. (1 for server and
1 for NIS<br>
client)<br>
- x86_64<br>
- ext4 over LVM over qcow2 over NFSv3<br>
- using virtio<br>
- Scientific Linux 6.2 minimal install from GUI of Install
DVD<br>
- all available yum updates applied<br>
- iptables off<br>
- ipv4 only<br>
- added self FQDN to both /etc/hosts files<br>
- NetworkManager off in favor of network<br>
- static public IP's<br>
- Used the following commands to install my IPA server:<br>
<br>
<pre>
# yum -y install \
    ipa-server \
    bind \
    bind-dyndb-ldap

# ipa-server-install \
    -a 'admin_pass_example' \
    --hostname=ipa.example.com \
    -p 'dir_man_password_example' \
    -n exampledom.com \
    -r EXAMPLE.COM \
    --setup-dns \
    --forwarder=192.168.2.10 \
    --forwarder=192.168.1.20
</pre>
<br>
<br>
- After a reboot, logging in with Firefox works well... kinit works well
after I create an initial user in the UI... Everything is cool.. even
enrolling another machine with the ipa-client-install tool works well.. No
other changes were made inside the UI<br>
- Here are the commands I ran on the server outside the
UI, per<br>
instructions (here:<br>
<a moz-do-not-send="true"
href="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html"
target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html</a><br>
)<br>
<br>
<br>
<pre>
[root@ipa ~]# ipa-compat-manage enable
Directory Manager password:

Plugin already Enabled
[root@ipa ~]# rpcinfo
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /var/run/rpcbind.sock  portmapper superuser
    100000    3    local     /var/run/rpcbind.sock  portmapper superuser
[root@ipa ~]# ipa-nis-manage enable
Directory Manager password:

Enabling plugin
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.
[root@ipa ~]# reboot

The system is going down for reboot NOW!
</pre>

<pre>
sam@bastion:~$ ssh 192.168.5.25
Last login: Thu Mar 8 17:58:58 2012 from 192.168.5.99
[sam@ipa ~]$ su -
Password:
[root@ipa ~]# rpcinfo
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /var/run/rpcbind.sock  portmapper superuser
    100000    3    local     /var/run/rpcbind.sock  portmapper superuser
    100004    2    udp6      ::.2.84                ypserv     superuser
    100004    2    udp       0.0.0.0.2.84           ypserv     superuser
    100004    2    tcp6      ::.2.84                ypserv     superuser
    100004    2    tcp       0.0.0.0.2.84           ypserv     superuser
[root@ipa ~]#
</pre>
<br>
<br>
- Here is chkconfig for the server (iptables/ip6tables are
disabled by<br>
the service command when debugging)<br>
<br>
<pre>
chkconfig --list|grep ':on'
atd             0:off 1:off 2:off 3:on  4:on  5:on  6:off
auditd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
certmonger      0:off 1:off 2:on  3:on  4:on  5:on  6:off
crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
ip6tables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
ipa             0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
lvm2-monitor    0:off 1:on  2:on  3:on  4:on  5:on  6:off
messagebus      0:off 1:off 2:on  3:on  4:on  5:on  6:off
network         0:off 1:off 2:on  3:on  4:on  5:on  6:off
ntpd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
portreserve     0:off 1:off 2:on  3:on  4:on  5:on  6:off
qpidd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
rpcbind         0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsyslog         0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
sssd            0:off 1:off 2:off 3:on  4:on  5:on  6:off
udev-post       0:off 1:on  2:on  3:on  4:on  5:on  6:off
</pre>
<br>
<br>
<br>
<br>
- On the client, it's the same OS... SL6.2 x86_64, no
firewall, minimal<br>
install, ipv4 only<br>
- I used authconfig to setup NIS, and am able to 'getent
passwd' on the<br>
directory.<br>
<br>
<pre>
# authconfig --enablenis --nisdomain=knoesis.org --nisserver=192.168.5.82 \
    --enablemkhomedir --update
</pre>
<br>
- resolv.conf points to the IPA address for dns<br>
- client is same domain on the same 24-bit subnet<br>
- here are the packages I installed for NIS:<br>
<br>
Mar 08 16:05:19 Installed: libgssglue-0.1-11.el6.x86_64<br>
Mar 08 16:05:19 Installed: libtirpc-0.2.1-5.el6.x86_64<br>
Mar 08 16:05:19 Installed: rpcbind-0.2.0-8.el6.x86_64<br>
Mar 08 16:05:56 Installed: 3:ypbind-1.20.4-29.el6.x86_64<br>
Mar 08 16:05:56 Installed: yp-tools-2.9-12.el6.x86_64<br>
<br>
<br>
- Here is chkconfig on the client:<br>
<br>
(iptables/ip6tables are disabled by the service command when debugging)<br>
<pre>
chkconfig --list|grep ':on'
auditd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
ip6tables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
lvm2-monitor    0:off 1:on  2:on  3:on  4:on  5:on  6:off
messagebus      0:off 1:off 2:on  3:on  4:on  5:on  6:off
network         0:off 1:off 2:on  3:on  4:on  5:on  6:off
qpidd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
rpcbind         0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsyslog         0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
udev-post       0:off 1:on  2:on  3:on  4:on  5:on  6:off
ypbind          0:off 1:off 2:on  3:on  4:on  5:on  6:off
</pre>
<br>
<br>
- /etc/yp.conf (client) (I tried it with the server domain
syntax, as<br>
well)<br>
<br>
<pre>
ypserver 192.168.6.82
#domain example.com server 192.168.6.82
</pre>
<br>
<br>
- rpcinfo (client)<br>
<br>
<pre>
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /var/run/rpcbind.sock  portmapper superuser
    100000    3    local     /var/run/rpcbind.sock  portmapper superuser
    100007    2    udp       0.0.0.0.3.46           ypbind     superuser
    100007    1    udp       0.0.0.0.3.46           ypbind     superuser
    100007    2    tcp       0.0.0.0.3.49           ypbind     superuser
    100007    1    tcp       0.0.0.0.3.49           ypbind     superuser
</pre>
<br>
--<br>
Joshua M. Dotson<br>
Systems Administrator<br>
Kno.e.sis Center<br>
Wright State University - Dayton, OH<br>
<a moz-do-not-send="true" href="mailto:josh@knoesis.org">josh@knoesis.org</a><br>
<a moz-do-not-send="true" href="tel:937-350-1563"
value="+19373501563">937-350-1563</a><br>
_______________________________________________<br>
Freeipa-devel mailing list<br>
<a moz-do-not-send="true"
href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-devel"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Joshua M. Dotson<br>
Systems Administrator<br>
Kno.e.sis Center<br>
Wright State University - Dayton, OH<br>
<a moz-do-not-send="true" href="mailto:josh@knoesis.org"
target="_blank">josh@knoesis.org</a><br>
937-350-1563<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
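<p>Added example, not from the thread and not FreeIPA project code: a short Python diagnostic that reads a passwd map in the form <code>ypcat passwd</code> prints it together with sshd lines from /var/log/secure, and reports whether the map publishes any password hash at all. The sample map and log lines are constructed (user, host and addresses borrowed from the thread, timestamps made up); the placeholder set and the regular expression are my assumptions about the two formats, not anything the thread states. It goes slightly beyond the thread by also flagging legacy DES crypt(3) hashes, the "weak hashes" Dmitri refers to, when a map does publish them.</p>

```python
import re
from collections import Counter

# Constructed sample in the shape of `ypcat passwd` output from the FreeIPA
# NIS compatibility map (user names and ids are made up). The second field
# is a placeholder rather than a crypt(3) hash, which is what the wiki text
# quoted in the thread describes: no hash is published, even to root.
SAMPLE_PASSWD_MAP = """\
bob:*:1001:1001:Bob Example:/home/bob:/bin/bash
sam:*:1002:1002:Sam Example:/home/sam:/bin/bash
"""

# Constructed log lines in the shape of the /var/log/secure excerpt in the
# thread (host, user and addresses taken from it; timestamps made up).
SAMPLE_SECURE_LOG = """\
Mar  8 18:15:07 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar  8 18:15:22 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar  8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.68 user=bob
Mar  8 18:46:16 bastion sshd[18556]: Failed password for bob from 192.168.5.68 port 50839 ssh2
Mar  8 18:50:01 bastion sshd[18601]: Accepted publickey for sam from 192.168.5.99 port 50900 ssh2
"""

# sshd's own record of a rejected password. The pam_unix(sshd:auth) line is
# PAM's view of the same event, so it is deliberately not counted a second time.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<rhost>\S+) port \d+"
)

# Values a passwd(5)-style map carries when no hash is stored in the entry
# (assumed set; extend it for your platform).
PLACEHOLDERS = {"", "*", "x", "!", "!!", "*NP*", "*LK*"}


def classify_hash(field):
    """Classify the password field of one passwd-map entry."""
    if field in PLACEHOLDERS:
        return "placeholder"
    if field.startswith("$"):
        return "modular-crypt"   # $1$, $5$, $6$ ... style hashes
    if len(field) == 13:
        return "des-crypt"       # legacy 13-character DES crypt(3), weak
    return "unknown"


def parse_passwd_map(text):
    """Return {user: hash class} for every well-formed passwd line."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank or malformed line
        result[fields[0]] = classify_hash(fields[1])
    return result


def failed_password_attempts(log_text):
    """Count sshd password failures per (user, remote host)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m["user"], m["rhost"])] += 1
    return counts


def diagnose(passwd_map_text, log_text):
    """Explain ssh password failures for NIS users by what the map publishes."""
    users = parse_passwd_map(passwd_map_text)
    failures = failed_password_attempts(log_text)
    failing = sorted({user for (user, _) in failures if user in users})
    published = [u for u, c in users.items() if c != "placeholder"]
    weak = sorted(u for u, c in users.items() if c == "des-crypt")

    if not published:
        verdict = "no-hashes-published"
        advice = ("The NIS map carries no password hashes, so a client that checks "
                  "passwords against NIS can never succeed; point PAM at Kerberos "
                  "or LDAP instead, as the FreeIPA NIS test case says.")
    elif weak:
        verdict = "weak-hashes-published"
        advice = ("DES crypt(3) hashes are served over NIS; review whether "
                  "publishing them is really needed.")
    else:
        verdict = "hashes-published"
        advice = "Password hashes are served over NIS; the failures need another explanation."

    return {"verdict": verdict, "failing_users": failing,
            "weak_hash_users": weak, "advice": advice}


if __name__ == "__main__":
    report = diagnose(SAMPLE_PASSWD_MAP, SAMPLE_SECURE_LOG)
    print(report["verdict"], report["failing_users"])
    print(report["advice"])
```

<p>Run it as-is to see the verdict for the constructed data; on a real NIS client, feed it the output of <code>ypcat passwd</code> and the secure log instead. A verdict of no-hashes-published with users listed under failing_users is exactly the situation in the thread: the "Failed password" lines are the expected outcome, and the fix is on the client's PAM side (Kerberos or LDAP), not on the NIS server.</p>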
</body>
</html>