[Freeipa-users] Solaris 10 problem using netgroups

Dmitri Pal dpal at redhat.com
Mon Mar 4 19:51:57 UTC 2013


On 03/04/2013 02:29 PM, Eli J. Elliott wrote:
> That does work. I will keep it as a backup to proper netgroups. Sadly
> that adds complexity in account management (numerous secondary groups)
> and throws up security concerns. 
>
> I'm trying to find the syntax to turn on debugging from ipa. Anyone
> know that offhand?

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#server-debug

>
> -Eli
>
> On Mon, Mar 4, 2013 at 11:55 AM, Sigbjorn Lie <sigbjorn at nixtra.com> wrote:
>
>     I've had some similar issues with logins and netgroups on Solaris
>     with IPA, I don't recall the details, sorry. We moved to
>     AllowGroups in sshd instead.
>
>     You don't need sssd to use AllowGroups with sshd. Have a look at
>     the sshd_config manpage for how to set it up.
>
>
>
>     Regards,
>     Siggi
>
>
>
>     On 03/04/2013 04:39 PM, Eli J. Elliott wrote:
>
>         I don't see being able to install sssd on the solaris hosts due to
>         security restrictions. I had read about using the hosts.allow file to
>         restrict to netgroups but was concerned about logging in with local
>         accounts. Wish I could wrap my head around what is changing when I add
>         the passwd_compat to nsswitch. Why would it suddenly stop
>         authenticating? It still sees the ldap users.
>
>         -E
>
>         On Fri, Mar 1, 2013 at 4:48 PM, Sigbjorn Lie <sigbjorn at nixtra.com> wrote:
>
>             Have you considered using allowgroups in sshd_config for
>             restricting ssh logins instead?
>
>             By using allowgroups you could use the same user group for ssh
>             access to Solaris and for Linux hosts using sssd and hbac.
>
>
>             Regards
>             Siggi
>
>             "Eli J. Elliott" <eli.elliott at moser-inc.com> wrote:
>
>                 I have a problem with Solaris 10 and netgroups with IPA.
>
>                 I am able to login to the Solaris 10 server with IPA users as
>                 long as I am not using netgroups. As soon as I add a netgroup I
>                 can no longer authenticate.
>
>                 I have updated nsswitch.conf:
>
>                 #passwd:     files ldap
>                 passwd: compat
>                 passwd_compat:  files ldap
>
>                 group:  files ldap
>
>                 And then added the netgroup to /etc/passwd:
>
>                 +@MYHOST:x:::::
>
>                 And used pwconv to get the netgroup into /etc/shadow:
>
>                 +@MYHOST:x:15765::::::
>
>                 I am able to see the user in getent (and none of the users I
>                 want restricted show up, only the user I want which is great):
>
>                 -bash-3.2# getent passwd testuser
>                 testuser:x:3713:3713:Test User:/export/home/testuser:/bin/bash
>
>                 I am also able to su to testuser as root:
>
>                 -bash-3.2# su - testuser
>                 Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
>                 -bash-3.2$ id
>                 uid=3713(testuser) gid=3713(testgroup)
>
>                 I cannot su to the user from another user, it appears to be the
>                 password that is the problem. I can successfully change
>                 passwords using kpasswd from the Solaris 10 host.
>
>                 I've enabled Pam debugging:
>
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1)
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>                 Mar  1 12:54:04 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]: pam_get_user(80c8b18, 80c8b18, NULL)
>                 Mar  1 12:54:07 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
>                 Mar  1 12:54:07 MYHOST last message repeated 1 time
>                 Mar  1 12:54:07 MYHOST sshd[3928]: [ID 117705 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1): error Authentication failed
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.notice] Failed keyboard-interactive for testuser from 30.241.208.21 port 4469 ssh2
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = Authentication failed
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1)
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>                 Mar  1 12:54:08 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]: pam_get_user(80c8b18, 80c8b18, NULL)
>                 Mar  1 12:54:09 MYHOST sshd[3928]: [ID 800047 auth.info] Received disconnect from 30.241.208.21: 13: Unable to authenticate
>                 Mar  1 12:54:09 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
>                 Mar  1 12:54:09 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = General PAM failure
>                 Mar  1 12:54:11 MYHOST sshd[3906]: [ID 800047 auth.info] Received disconnect from 30.241.208.21: 13: Unable to authenticate
>                 Mar  1 12:54:11 MYHOST sshd[3906]: [ID 583457 auth.debug] PAM[3906]: pam_set_item(80c8b18:conv)
>                 Mar  1 12:54:11 MYHOST sshd[3906]: [ID 278145 auth.debug] PAM[3906]: pam_end(80c8b18): status = General PAM failure
>
>
>                 I'm at a loss at this point. I can't seem to determine how
>                 simply adding a netgroup causes authentication to fail. Every
>                 other aspect of the netgroup works and the system without the
>                 netgroup works.
>
>
>                 Any ideas?
>
>                 -Eli
>
>
>         ------------------------------------------------------------------------
>
>                 Freeipa-users mailing list
>                 Freeipa-users at redhat.com
>                 https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>             --
>             Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
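The auth.debug trace quoted in the thread is easier to reason about once each sshd PAM attempt is collapsed into one record: which service and user pam_start was called for, which modules were loaded for pam_sm_authenticate, and how pam_end finished. The following Python is an added example, not code from the thread or from FreeIPA; it assumes the Solaris 10 syslog format shown above and runs over a constructed sample modelled on those lines, treating a repeated pam_start on the same PID (as in the trace) as a new attempt.

```python
import re

# Constructed sample modelled on the Solaris 10 auth.debug lines quoted in the post; host name, PIDs and PAM handles are placeholders.
SAMPLE_LOG = """\
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
Mar  1 12:54:07 MYHOST sshd[3928]: [ID 117705 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1): error Authentication failed
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = Authentication failed
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
Mar  1 12:54:09 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = General PAM failure
Mar  1 12:55:30 MYHOST sshd[4011]: [ID 228857 auth.debug] PAM[4011]: pam_start(sshd-kbdint,admin,80a98a8:80c8c20) - debug = 1
Mar  1 12:55:31 MYHOST sshd[4011]: [ID 185624 auth.debug] PAM[4011]: pam_end(80c8c20): status = Success
"""

# One pattern per PAM debug event of interest; group 1 is always the sshd child PID.
PAM_START = re.compile(r"PAM\[(\d+)\]: pam_start\(([^,]+),([^,]+),")
PAM_MODULE = re.compile(r"PAM\[(\d+)\]: load_modules\([^,]+,\s*pam_sm_authenticate\)=(\S+)")
PAM_AUTH_ERR = re.compile(r"PAM\[(\d+)\]: pam_authenticate\([^)]*\): error (.+)$")
PAM_END = re.compile(r"PAM\[(\d+)\]: pam_end\([^)]*\): status = (.+)$")

def summarize_pam_log(text):
    """Reconstruct each authentication attempt from Solaris PAM debug lines.
    A second pam_start on the same PID (sshd retrying kbd-int) opens a new record."""
    attempts, current = [], {}

    def rec(pid, new=False):
        if new or pid not in current:
            current[pid] = {"pid": pid, "service": None, "user": None,
                            "modules": [], "auth_error": None, "end_status": None}
            attempts.append(current[pid])
        return current[pid]

    for line in text.splitlines():
        if m := PAM_START.search(line):
            r = rec(m.group(1), new=True)
            r["service"], r["user"] = m.group(2), m.group(3)
        elif m := PAM_MODULE.search(line):  # module stack in load order, basename only
            rec(m.group(1))["modules"].append(m.group(2).rsplit("/", 1)[-1])
        elif m := PAM_AUTH_ERR.search(line):
            rec(m.group(1))["auth_error"] = m.group(2).strip()
        elif m := PAM_END.search(line):
            rec(m.group(1))["end_status"] = m.group(2).strip()
    return attempts

def failed_attempts(attempts):
    """(user, end status, module stack) for every attempt that did not end in Success."""
    return [(a["user"], a["end_status"], a["modules"]) for a in attempts if a["end_status"] != "Success"]
```

Feed it the full trace from the thread and the two testuser attempts come out as separate records, one ending in "Authentication failed" and the next in "General PAM failure", with pam_unix_auth.so.1 and pam_ldap.so.1 both in the stack.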
