[Freeipa-users] Solaris 10 problem using netgroups

Eli J. Elliott eli.elliott at moser-inc.com
Mon Mar 4 19:29:32 UTC 2013


That does work. I will keep it as a backup to proper netgroups. Sadly that
adds complexity in account management (numerous secondary groups) and
throws up security concerns.

I'm trying to find the syntax to turn on debugging from ipa. Anyone know
that offhand?

-Eli

On Mon, Mar 4, 2013 at 11:55 AM, Sigbjorn Lie <sigbjorn at nixtra.com> wrote:

> I've had some similar issues with logins and netgroups on Solaris with
> IPA, I don't recall the details, sorry. We moved to AllowGroups in sshd
> instead.
>
> You don't need sssd to use AllowGroups with sshd. Have a look at the
> sshd_config manpage for how to set it up.
>
>
>
> Regards,
> Siggi
>
>
>
> On 03/04/2013 04:39 PM, Eli J. Elliott wrote:
>
>> I don't see being able to install sssd on the solaris hosts due to
>> security restrictions. I had read about using the hosts.allow file to
>> restrict to netgroups but was concerned about logging in with local
>> accounts. Wish I could wrap my head around what is changing when I add
>> the passwd_compat to nsswitch. Why would it suddenly stop
>> authenticating? It still sees the ldap users.
>>
>> -E
>>
>> On Fri, Mar 1, 2013 at 4:48 PM, Sigbjorn Lie <sigbjorn at nixtra.com> wrote:
>>
>>     Have you considered using allowgroups in sshd_config for restricting
>>     ssh logins instead?
>>
>>     By using allowgroups you could use the same user group for ssh
>>     access to Solaris and for Linux hosts using sssd and hbac.
>>
>>
>>     Regards
>>     Siggi
>>
>>     "Eli J. Elliott" <eli.elliott at moser-inc.com> wrote:
>>
>>         I have a problem with Solaris 10 and netgroups with IPA.
>>
>>         I am able to login to the Solaris 10 server with IPA users as
>>         long as I am not using netgroups. As soon as I add a netgroup I
>>         can no longer authenticate.
>>
>>         I have updated nsswitch.conf:
>>
>>         #passwd:     files ldap
>>         passwd: compat
>>         passwd_compat:  files ldap
>>
>>         group:  files ldap
>>
>>         And then added the netgroup to /etc/passwd:
>>
>>         +@MYHOST:x:::::
>>
>>         And used pwconv to get the netgroup into /etc/shadow:
>>
>>         +@MYHOST:x:15765::::::
>>
>>         I am able to see the user in getent (and none of the users I
>>         want restricted show up, only the user I want which is great):
>>
>>         -bash-3.2# getent passwd testuser
>>         testuser:x:3713:3713:Test User:/export/home/testuser:/bin/bash
>>
>>         I am also able to su to testuser as root:
>>
>>         -bash-3.2# su - testuser
>>         Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
>>         -bash-3.2$ id
>>         uid=3713(testuser) gid=3713(testgroup)
>>
>>         I cannot su to the user from another user, it appears to be the
>>         password that is the problem. I can successfully change
>>         passwords using kpasswd from the Solaris 10 host.
>>
>>
>>         I've enabled PAM debugging:
>>
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1)
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>>         Mar  1 12:54:04 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]: pam_get_user(80c8b18, 80c8b18, NULL)
>>         Mar  1 12:54:07 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
>>         Mar  1 12:54:07 MYHOST last message repeated 1 time
>>         Mar  1 12:54:07 MYHOST sshd[3928]: [ID 117705 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1): error Authentication failed
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.notice] Failed keyboard-interactive for testuser from 30.241.208.21 port 4469 ssh2
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = Authentication failed
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1)
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>>         Mar  1 12:54:08 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]: pam_get_user(80c8b18, 80c8b18, NULL)
>>         Mar  1 12:54:09 MYHOST sshd[3928]: [ID 800047 auth.info] Received disconnect from 30.241.208.21: 13: Unable to authenticate
>>         Mar  1 12:54:09 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
>>         Mar  1 12:54:09 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = General PAM failure
>>         Mar  1 12:54:11 MYHOST sshd[3906]: [ID 800047 auth.info] Received disconnect from 30.241.208.21: 13: Unable to authenticate
>>         Mar  1 12:54:11 MYHOST sshd[3906]: [ID 583457 auth.debug] PAM[3906]: pam_set_item(80c8b18:conv)
>>         Mar  1 12:54:11 MYHOST sshd[3906]: [ID 278145 auth.debug] PAM[3906]: pam_end(80c8b18): status = General PAM failure
>>
>>
>>         I'm at a loss at this point. I can't seem to determine how
>>         simply adding a netgroup causes authentication to fail. Every
>>         other aspect of the netgroup works and the system without the
>>         netgroup works.
>>
>>
>>         Any ideas?
>>
>>         -Eli
>>
>>
>>         ------------------------------------------------------------
>>         Freeipa-users mailing list
>>         Freeipa-users at redhat.com
>>         https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>     --
>>     Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>>
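Eli's question about what changes once `passwd: compat` and `passwd_compat: files ldap` are set is easiest to see by simulating the compat lookup, which is what makes `getent passwd` show only the netgroup members (so the "restricted" users disappear while the local accounts stay). The following is an added example, not code from the thread or from FreeIPA; the LDAP passwd entries and the MYHOST netgroup are constructed sample data, and of the override fields a `+` line may carry only the shell is modelled.

```python
# Simulation of NSS "compat" passwd resolution (passwd: compat,
# passwd_compat: files ldap) as on Solaris 10. Added example, not from the
# thread; all tables below are constructed sample data.
LDAP_PASSWD = {  # what the passwd_compat source ("ldap") would return
    "testuser": "testuser:x:3713:3713:Test User:/export/home/testuser:/bin/bash",
    "restricted": "restricted:x:3714:3714:Restricted:/export/home/restricted:/bin/bash",
    "opsadmin": "opsadmin:x:3715:3715:Ops Admin:/export/home/opsadmin:/bin/bash",
}
# netgroup -> members; an "@NAME" member is a nested netgroup
NETGROUPS = {"MYHOST": ["testuser", "@ADMINS"], "ADMINS": ["opsadmin"]}
# /etc/passwd in the shape Eli posted: local accounts, then +@netgroup
PASSWD_FILE = ["root:x:0:0:Super-User:/:/sbin/sh", "+@MYHOST:x:::::"]


def members(spec, netgroups, seen=None):
    """Expand 'user' or '@netgroup' (nested netgroups allowed, cycle-safe) to logins."""
    if not spec.startswith("@"):
        return {spec}
    seen = set() if seen is None else seen
    seen.add(spec)
    users = set()
    for m in netgroups.get(spec[1:], []):
        if not (m.startswith("@") and m in seen):
            users |= members(m, netgroups, seen)
    return users


def resolve_compat(passwd_lines, ldap_passwd, netgroups):
    """Return {login: entry} as 'getent passwd' sees it in compat mode.

    Lines apply in order and the first entry for a login wins: plain lines are
    local accounts, '+user'/'+@netgroup' admit logins from the compat source,
    '-user'/'-@netgroup' exclude them, a bare '+' admits everyone left. With
    no '+' line at all, no LDAP user is visible. Simplification: of the
    override fields on a '+' line only the shell (7th field) is honoured.
    """
    visible, excluded = {}, set()
    for line in passwd_lines:
        fields = line.strip().split(":")
        name = fields[0]
        if name.startswith("-"):
            excluded |= members(name[1:], netgroups)
        elif name.startswith("+"):
            wanted = set(ldap_passwd) if name == "+" else members(name[1:], netgroups)
            for user in sorted(wanted & set(ldap_passwd)):
                if user in visible or user in excluded:
                    continue
                entry = ldap_passwd[user].split(":")
                if len(fields) > 6 and fields[6]:
                    entry[6] = fields[6]  # e.g. +@MYHOST:x:::::/bin/false
                visible[user] = ":".join(entry)
        else:
            visible.setdefault(name, line.strip())
    return visible
```

Note that this models name-service visibility only; the PAM stack in Eli's log still decides whether a visible user may authenticate.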