[Freeipa-users] Solaris 10 problem using netgroups
Sigbjorn Lie
sigbjorn at nixtra.com
Mon Mar 4 16:55:25 UTC 2013
I've had some similar issues with logins and netgroups on Solaris with
IPA; I don't recall the details, sorry. We moved to AllowGroups in sshd
instead.
You don't need sssd to use AllowGroups with sshd. Have a look at the
sshd_config manpage for how to set it up.
Regards,
Siggi
On 03/04/2013 04:39 PM, Eli J. Elliott wrote:
> I don't see being able to install sssd on the solaris hosts due to
> security restrictions. I had read about using the hosts.allow file to
> restrict to netgroups but was concerned about logging in with local
> accounts. Wish I could wrap my head around what is changing when I add
> the passwd_compat to nsswitch. Why would it suddenly stop
> authenticating? It still sees the ldap users.
>
> -E
>
> On Fri, Mar 1, 2013 at 4:48 PM, Sigbjorn Lie <sigbjorn at nixtra.com> wrote:
>
> Have you considered using allowgroups in sshd_config for restricting
> ssh logins instead?
>
> By using allowgroups you could use the same user group for ssh
> access to Solaris and for Linux hosts using sssd and hbac.
>
>
> Regards
> Siggi
>
> "Eli J. Elliott" <eli.elliott at moser-inc.com> wrote:
>
> I have a problem with Solaris 10 and netgroups with IPA.
>
> I am able to login to the Solaris 10 server with IPA users as
> long as I am not using netgroups. As soon as I add a netgroup I
> can no longer authenticate.
>
> I have updated nsswitch.conf:
>
> #passwd: files ldap
> passwd: compat
> passwd_compat: files ldap
> group: files ldap
>
>
> And then added the netgroup to /etc/passwd:
>
> +@MYHOST:x:::::
>
>
> And used pwconv to get the netgroup into /etc/shadow:
>
> +@MYHOST:x:15765::::::
>
>
> I am able to see the user in getent (and none of the users I
> want restricted show up, only the user I want, which is great):
>
> -bash-3.2# getent passwd testuser
> testuser:x:3713:3713:Test User:/export/home/testuser:/bin/bash
>
> I am also able to su to testuser as root:
>
> -bash-3.2# su - testuser
> Oracle Corporation SunOS 5.10 Generic Patch January 2005
> -bash-3.2$ id
> uid=3713(testuser) gid=3713(testgroup)
>
>
> I cannot su to the user from another user, it appears to be the
> password that is the problem. I can successfully change
> passwords using kpasswd from the Solaris 10 host.
>
>
> I've enabled PAM debugging:
>
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1)
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
> Mar 1 12:54:04 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]: pam_get_user(80c8b18, 80c8b18, NULL)
> Mar 1 12:54:07 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
> Mar 1 12:54:07 MYHOST last message repeated 1 time
> Mar 1 12:54:07 MYHOST sshd[3928]: [ID 117705 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1): error Authentication failed
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.notice] Failed keyboard-interactive for testuser from 30.241.208.21 port 4469 ssh2
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = Authentication failed
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1)
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
> Mar 1 12:54:08 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]: pam_get_user(80c8b18, 80c8b18, NULL)
> Mar 1 12:54:09 MYHOST sshd[3928]: [ID 800047 auth.info] Received disconnect from 30.241.208.21: 13: Unable to authenticate
> Mar 1 12:54:09 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
> Mar 1 12:54:09 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = General PAM failure
> Mar 1 12:54:11 MYHOST sshd[3906]: [ID 800047 auth.info] Received disconnect from 30.241.208.21: 13: Unable to authenticate
> Mar 1 12:54:11 MYHOST sshd[3906]: [ID 583457 auth.debug] PAM[3906]: pam_set_item(80c8b18:conv)
> Mar 1 12:54:11 MYHOST sshd[3906]: [ID 278145 auth.debug] PAM[3906]: pam_end(80c8b18): status = General PAM failure
>
> I'm at a loss at this point. I can't seem to determine how
> simply adding a netgroup causes authentication to fail. Every
> other aspect of the netgroup works and the system without the
> netgroup works.
>
>
> Any ideas?
>
> -Eli
>
>
> ------------------------------------------------------------------------
>
> Freeipa-users mailing list
>
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
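As an added example (not from the thread, and not Siggi's or Eli's configuration): a small POSIX sh script that reproduces sshd's DenyGroups/AllowGroups decision for a user from a constructed sshd_config fragment, so an AllowGroups rule can be checked against a user's resolved groups before it is rolled out on the Solaris host. The group names ssh-solaris, wheel and contractors are invented. On a real host you would feed it the groups the host actually resolves (for example the output of "groups testuser" with the leading "testuser :" stripped), which on Solaris 10 means the group: line in nsswitch.conf must be able to resolve the IPA group. Two caveats a practitioner should keep in mind: AllowGroups gates sshd only, so su, console logins and other PAM services are unaffected by it, and Match blocks and Allow/DenyUsers are not modelled here.

```sh
#!/bin/sh
# Added example, not code from the thread. Reproduces sshd's group-based access
# decision offline. Assumed semantics (from sshd_config(4) on Solaris / sshd_config(5)
# on OpenSSH): keywords are case-insensitive, the first occurrence of a keyword wins,
# patterns are shell-style globs, and DenyGroups is evaluated before AllowGroups.
# Not modelled: AllowUsers/DenyUsers and Match blocks.

# sshd_option CONFIG_TEXT KEYWORD
#   Print the value of KEYWORD from the config text (first match wins); empty if unset.
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == tolower(key) && !found {
            found = 1; $1 = ""; sub(/^[ \t]+/, ""); print
        }'
}

# group_matches GROUPS PATTERNS
#   Return 0 if any group name in GROUPS matches any glob in PATTERNS.
group_matches() {
    set -f   # no pathname expansion: "ssh-*" must stay a pattern, not match files in $PWD
    for g in $1; do
        for pat in $2; do
            # an unquoted $pat in a case label is expanded and then used as a glob pattern
            case "$g" in $pat) set +f; return 0 ;; esac
        done
    done
    set +f
    return 1
}

# ssh_group_decision GROUPS CONFIG_TEXT
#   Print "allow" or "deny: <reason>" and return 0/1, as sshd would decide for a user
#   whose resolved group names (primary plus supplementary) are GROUPS.
ssh_group_decision() {
    resolved=$1; cfg=$2
    deny=$(sshd_option "$cfg" DenyGroups)
    allow=$(sshd_option "$cfg" AllowGroups)
    if [ -n "$deny" ] && group_matches "$resolved" "$deny"; then
        echo "deny: a group matches DenyGroups ($deny)"; return 1
    fi
    if [ -n "$allow" ] && ! group_matches "$resolved" "$allow"; then
        echo "deny: no group matches AllowGroups ($allow)"; return 1
    fi
    echo "allow"; return 0
}

# Constructed sample fragment (not the thread's real sshd_config); group names are invented.
SAMPLE_SSHD_CONFIG='# restrict interactive ssh to one IPA group, the same group HBAC uses on the Linux hosts
PermitRootLogin no
AllowGroups ssh-solaris wheel
DenyGroups contractors'

# Demo with constructed group lists. On a real host use the groups the host resolves, e.g.
#   ssh_group_decision "$(groups testuser | sed 's/^.*: *//')" "$(cat /etc/ssh/sshd_config)"
for members in "testgroup ssh-solaris" "testgroup ipausers" "ssh-solaris contractors"; do
    printf '%-26s -> ' "$members"
    ssh_group_decision "$members" "$SAMPLE_SSHD_CONFIG" || :   # deny returns 1; keep looping
done
```

The third case shows the order that matters in practice: a user who is in the allowed group but also in a denied group is refused, because sshd evaluates DenyGroups first.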