[Freeipa-users] Solaris 10 problem using netgroups

Eli J. Elliott eli.elliott at moser-inc.com
Mon Mar 4 15:39:59 UTC 2013


I don't see being able to install sssd on the solaris hosts due to security
restrictions. I had read about using the hosts.allow file to restrict to
netgroups but was concerned about logging in with local accounts. Wish I
could wrap my head around what is changing when I add the passwd_compat to
nsswitch. Why would it suddenly stop authenticating? It still sees the ldap
users.

-E

On Fri, Mar 1, 2013 at 4:48 PM, Sigbjorn Lie <sigbjorn at nixtra.com> wrote:

> Have you considered using allowgroups in sshd_config for restricting ssh
> logins instead?
>
> By using allowgroups you could use the same user group for ssh access to
> Solaris and for Linux hosts using sssd and hbac.
>
>
> Regards
> Siggi
>
> "Eli J. Elliott" <eli.elliott at moser-inc.com> wrote:
>
>> I have a problem with Solaris 10 and netgroups with IPA.
>>
>> I am able to login to the Solaris 10 server with IPA users as long as I
>> am not using netgroups. As soon as I add a netgroup I can no longer
>> authenticate.
>>
>> I have updated nsswitch.conf:
>>
>> #passwd:     files ldap
>>
>> passwd: compat
>>
>> passwd_compat:  files ldap
>>
>> group:  files ldap
>>
>>
>> And then added the netgroup to /etc/passwd:
>>
>> + at MYHOST:x:::::
>>
>> And used pwconv to get the netgroup into /etc/shadow:
>>
>> + at MYHOST:x:15765::::::
>>
>> I am able to see the user in getent (and none of the users I want
>> restricted show up, only the user I want which is great):
>>
>> -bash-3.2# getent passwd testuser
>>
>> testuser:x:3713:3713:Test User:/export/home/testuser:/bin/bash
>>
>> I am also able to su to testuser as root:
>>
>> -bash-3.2# su - testuser
>>
>> Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
>>
>> -bash-3.2$ id
>>
>> uid=3713(testuser) gid=3713(testgroup)
>>
>>
>> I cannot su to the user from another user, it appears to be the password
>> that is the problem. I can successfully change passwords using kpasswd from
>> the Solaris 10 host.
>>
>>
>> I've enabled Pam debugging:
>>
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]:
>> pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]:
>> pam_set_item(80c8b18:service)
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]:
>> pam_set_item(80c8b18:user)
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]:
>> pam_set_item(80c8b18:conv)
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]:
>> pam_set_item(80c8b18:rhost)
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]:
>> pam_set_item(80c8b18:tty)
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]:
>> pam_authenticate(80c8b18, 1)
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]:
>> load_modules(80c8b18,
>> pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]:
>> load_function: successful load of pam_sm_authenticate
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]:
>> load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]:
>> load_function: successful load of pam_sm_authenticate
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]:
>> load_modules(80c8b18,
>> pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]:
>> load_function: successful load of pam_sm_authenticate
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]:
>> load_modules(80c8b18,
>> pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]:
>> load_function: successful load of pam_sm_authenticate
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]:
>> load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]:
>> load_function: successful load of pam_sm_authenticate
>>
>> Mar  1 12:54:04 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]:
>> pam_get_user(80c8b18, 80c8b18, NULL)
>>
>> Mar  1 12:54:07 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]:
>> pam_set_item(80c8b18:authtok)
>>
>> Mar  1 12:54:07 MYHOST last message repeated 1 time
>>
>> Mar  1 12:54:07 MYHOST sshd[3928]: [ID 117705 auth.debug] PAM[3928]:
>> pam_authenticate(80c8b18, 1): error Authentication failed
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]:
>> pam_set_item(80c8b18:authtok)
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.info]
>> Keyboard-interactive (PAM) userauth failed[9] while authenticating:
>> Authentication failed
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.notice] Failed
>> keyboard-interactive for testuser from 30.241.208.21 port 4469 ssh2
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]:
>> pam_set_item(80c8b18:conv)
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]:
>> pam_end(80c8b18): status = Authentication failed
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]:
>> pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]:
>> pam_set_item(80c8b18:service)
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]:
>> pam_set_item(80c8b18:user)
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]:
>> pam_set_item(80c8b18:conv)
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]:
>> pam_set_item(80c8b18:rhost)
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]:
>> pam_set_item(80c8b18:tty)
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]:
>> pam_authenticate(80c8b18, 1)
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]:
>> load_modules(80c8b18,
>> pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]:
>> load_function: successful load of pam_sm_authenticate
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]:
>> load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]:
>> load_function: successful load of pam_sm_authenticate
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]:
>> load_modules(80c8b18,
>> pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]:
>> load_function: successful load of pam_sm_authenticate
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]:
>> load_modules(80c8b18,
>> pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]:
>> load_function: successful load of pam_sm_authenticate
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]:
>> load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]:
>> load_function: successful load of pam_sm_authenticate
>>
>> Mar  1 12:54:08 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]:
>> pam_get_user(80c8b18, 80c8b18, NULL)
>>
>> Mar  1 12:54:09 MYHOST sshd[3928]: [ID 800047 auth.info] Received
>> disconnect from 30.241.208.21: 13: Unable to authenticate
>>
>> Mar  1 12:54:09 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]:
>> pam_set_item(80c8b18:conv)
>>
>> Mar  1 12:54:09 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]:
>> pam_end(80c8b18): status = General PAM failure
>>
>> Mar  1 12:54:11 MYHOST sshd[3906]: [ID 800047 auth.info] Received
>> disconnect from 30.241.208.21: 13: Unable to authenticate
>>
>> Mar  1 12:54:11 MYHOST sshd[3906]: [ID 583457 auth.debug] PAM[3906]:
>> pam_set_item(80c8b18:conv)
>>
>> Mar  1 12:54:11 MYHOST sshd[3906]: [ID 278145 auth.debug] PAM[3906]:
>> pam_end(80c8b18): status = General PAM failure
>>
>> I'm at a loss at this point. I can't seem to determine how simply adding
>> a netgroup causes authentication to fail. Every other aspect of the
>> netgroup works and the system without the netgroup works.
>>
>>
>> Any ideas?
>>
>> -Eli
>>
>>
>>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
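The thread above hinges on whether the compat configuration is internally consistent: `passwd: compat` needs a `passwd_compat:` source, and every `+@netgroup` line in /etc/passwd needs its twin in /etc/shadow (which is what the `pwconv` step supplies). The following is an added audit script, not code from the thread or from FreeIPA; the three file contents are constructed stand-ins modelled on the quoted configuration, and the only syntax it assumes is the `+@netgroup` / bare `+` compat form.

```python
import re

# Constructed inputs standing in for nsswitch.conf, /etc/passwd and /etc/shadow.
NSSWITCH = "passwd: compat\npasswd_compat: files ldap\ngroup: files ldap\n"
PASSWD = "root:x:0:0:Super-User:/:/sbin/sh\n+@MYHOST:x:::::\n"
SHADOW = "root:NP:6445::::::\n+@MYHOST:x:15765::::::\n"


def compat_entries(text):
    """Return the netgroup names of '+@netgroup' lines; a bare '+' yields ''."""
    names = []
    for line in text.splitlines():
        first = line.split(":", 1)[0].strip()
        if first.startswith("+@"):
            names.append(first[2:])
        elif first == "+":
            names.append("")
    return names


def parse_nsswitch(text):
    """Map each nsswitch database to its list of sources."""
    db = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z_]+)\s*:\s*(.*?)\s*$", line.split("#", 1)[0])
        if m:
            db[m.group(1)] = m.group(2).split()
    return db


def audit(nsswitch, passwd, shadow):
    """Return findings (strings); an empty list means the compat setup is coherent."""
    findings = []
    db = parse_nsswitch(nsswitch)
    if db.get("passwd") == ["compat"] and "passwd_compat" not in db:
        findings.append("passwd is compat but passwd_compat is missing, so +@ lines are not resolved via ldap")
    if db.get("passwd") != ["compat"] and compat_entries(passwd):
        findings.append("/etc/passwd has +/+@ lines but passwd is not in compat mode; they are ignored")
    pw, sh = compat_entries(passwd), compat_entries(shadow)
    if "" in pw:
        findings.append("bare '+' in /etc/passwd admits every directory user, not only the netgroup")
    for ng in pw:
        if ng and ng not in sh:
            findings.append("+@%s in /etc/passwd has no matching /etc/shadow line (run pwconv)" % ng)
    return findings


if __name__ == "__main__":
    for f in audit(NSSWITCH, PASSWD, SHADOW) or ["compat configuration is consistent"]:
        print(f)
```

The constructed inputs mirror the thread's working layout and produce no findings; drop the shadow `+@MYHOST` line or replace the passwd line with a bare `+` and the audit reports it.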