[Freeipa-users] Solaris 10 problem using netgroups

Sigbjorn Lie sigbjorn at nixtra.com
Fri Mar 1 21:48:49 UTC 2013


Have you considered using AllowGroups in sshd_config for restricting ssh logins instead?

By using AllowGroups you could use the same user group for ssh access to Solaris and for Linux hosts using sssd and hbac.


Regards
Siggi

"Eli J. Elliott" <eli.elliott at moser-inc.com> wrote:

>I have a problem with Solaris 10 and netgroups with IPA.
>
>I am able to login to the Solaris 10 server with IPA users as long as I am
>not using netgroups. As soon as I add a netgroup I can no longer
>authenticate.
>
>I have updated nsswitch.conf:
>
>#passwd:     files ldap
>passwd: compat
>passwd_compat:  files ldap
>group:  files ldap
>
>And then added the netgroup to /etc/passwd:
>
>+@MYHOST:x:::::
>
>And used pwconv to get the netgroup into /etc/shadow:
>
>+@MYHOST:x:15765::::::
>
>I am able to see the user in getent (and none of the users I want
>restricted show up, only the user I want which is great):
>
>-bash-3.2# getent passwd testuser
>testuser:x:3713:3713:Test User:/export/home/testuser:/bin/bash
>
>I am also able to su to testuser as root:
>
>-bash-3.2# su - testuser
>Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
>-bash-3.2$ id
>uid=3713(testuser) gid=3713(testgroup)
>
>
>I cannot su to the user from another user, it appears to be the password
>that is the problem. I can successfully change passwords using kpasswd from
>the Solaris 10 host.
>
>
>I've enabled PAM debugging:
>
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1)
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>Mar  1 12:54:04 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]: pam_get_user(80c8b18, 80c8b18, NULL)
>Mar  1 12:54:07 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
>Mar  1 12:54:07 MYHOST last message repeated 1 time
>Mar  1 12:54:07 MYHOST sshd[3928]: [ID 117705 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1): error Authentication failed
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.notice] Failed keyboard-interactive for testuser from 30.241.208.21 port 4469 ssh2
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = Authentication failed
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1)
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>Mar  1 12:54:08 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]: pam_get_user(80c8b18, 80c8b18, NULL)
>Mar  1 12:54:09 MYHOST sshd[3928]: [ID 800047 auth.info] Received disconnect from 30.241.208.21: 13: Unable to authenticate
>Mar  1 12:54:09 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
>Mar  1 12:54:09 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = General PAM failure
>Mar  1 12:54:11 MYHOST sshd[3906]: [ID 800047 auth.info] Received disconnect from 30.241.208.21: 13: Unable to authenticate
>Mar  1 12:54:11 MYHOST sshd[3906]: [ID 583457 auth.debug] PAM[3906]: pam_set_item(80c8b18:conv)
>Mar  1 12:54:11 MYHOST sshd[3906]: [ID 278145 auth.debug] PAM[3906]: pam_end(80c8b18): status = General PAM failure
>
>I'm at a loss at this point. I can't seem to determine how simply adding a
>netgroup causes authentication to fail. Every other aspect of the netgroup
>works and the system without the netgroup works.
>
>
>Any ideas?
>
>-Eli
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Freeipa-users mailing list
>Freeipa-users at redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
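As an added illustration of the AllowGroups approach suggested in the reply above (example code written for this page, not from the original post or from the FreeIPA project): the script below models how sshd evaluates an AllowGroups directive, so an administrator can answer "would this user be let in?" from the config file and the user's group list before touching the live host. It reads a constructed sshd_config fragment (the group names ipa-ssh-users and ops-* are made up), takes the user's primary and supplementary groups as arguments (what `id -Gn` prints), and applies the AllowGroups rule: when the directive is present, login is permitted only if at least one of the user's groups matches at least one listed pattern, with shell-style `*` and `?` wildcards. DenyGroups, AllowUsers and DenyUsers are not modelled here.

```shell
#!/bin/sh
# Added example: evaluate an sshd_config AllowGroups directive for a user.
# Not from the original mailing-list post; the config text and group names
# below are constructed for illustration.

# Constructed sample sshd_config fragment.
SAMPLE_SSHD_CONFIG='# sshd_config (constructed sample)
Port 22
AllowGroups ipa-ssh-users ops-*
PasswordAuthentication yes
'

# allow_groups_patterns CONFIG_TEXT
# Prints every pattern listed on AllowGroups lines, one per line.
# Comment lines are skipped; the keyword is matched case-insensitively
# as sshd does.
allow_groups_patterns() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }
    '
}

# group_matches GROUP PATTERN
# Returns 0 when GROUP matches PATTERN as a case-sensitive glob.
group_matches() {
    case "$1" in
        $2) return 0 ;;
        *)  return 1 ;;
    esac
}

# ssh_login_allowed CONFIG_TEXT USER GROUP...
# Returns 0 if the AllowGroups rule admits the user, 1 otherwise.
# USER is kept only for reporting; sshd decides on group membership.
ssh_login_allowed() {
    config="$1"
    shift 2
    patterns=$(allow_groups_patterns "$config")
    # No AllowGroups directive: sshd imposes no group restriction.
    [ -z "$patterns" ] && return 0
    allowed=1
    set -f    # keep '*' in patterns from expanding to file names
    for g in "$@"; do
        for p in $patterns; do
            if group_matches "$g" "$p"; then
                allowed=0
            fi
        done
    done
    set +f
    return $allowed
}

# verdict CONFIG_TEXT USER GROUP...
# Prints "allowed" or "refused" for the given user and group list.
verdict() {
    if ssh_login_allowed "$@"; then
        echo allowed
    else
        echo refused
    fi
}

# Usage with constructed group memberships (first argument after the
# config is the user, the rest are the user's groups):
verdict "$SAMPLE_SSHD_CONFIG" testuser testgroup ipa-ssh-users   # allowed
verdict "$SAMPLE_SSHD_CONFIG" bob bob ops-oncall                  # allowed via ops-*
verdict "$SAMPLE_SSHD_CONFIG" alice alice developers              # refused
```

On a real host, feed the script the actual config and the output of `id -Gn username` for the account in question. Because the decision depends only on group membership, the same ipa-ssh-users group can be granted on Linux hosts through an HBAC rule and on Solaris hosts through AllowGroups, which is the point of the suggestion above.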