I've had some similar issues with logins and netgroups on Solaris with IPA, I don't recall the details, sorry. We moved to AllowGroups in sshd instead.

You don't need sssd to use AllowGroups with sshd. Have a look at the sshd_config manpage for how to set it up.




Regards,
Siggi
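The PAM debug output Eli quotes further down in this thread is easier to read once it is reduced to one summary per pam_start/pam_end conversation: which service and user, which pam_sm_authenticate modules were loaded, the errors raised and the final status. The script below is an added example and not part of the thread; its sample log is a constructed subset of Eli's lines, unwrapped to one event per line.

```python
import re
# Constructed sample: a subset of Eli's syslog lines, unwrapped to one event per line.
SAMPLE_LOG = """\
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
Mar  1 12:54:07 MYHOST sshd[3928]: [ID 117705 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1): error Authentication failed
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.notice] Failed keyboard-interactive for testuser from 30.241.208.21 port 4469 ssh2
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = Authentication failed
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
Mar  1 12:54:09 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = General PAM failure
Mar  1 12:54:11 MYHOST sshd[3906]: [ID 278145 auth.debug] PAM[3906]: pam_end(80c8b18): status = General PAM failure
"""
# Patterns for the Solaris PAM debug messages seen in the thread.
PAM_RE = re.compile(r"PAM\[(?P<pid>\d+)\]: (?P<body>.*)$")
START_RE = re.compile(r"pam_start\((?P<service>[^,]+),(?P<user>[^,]+),")
MODULE_RE = re.compile(r"pam_sm_authenticate\)=(?P<path>\S+)")
ERROR_RE = re.compile(r"pam_authenticate\([^)]*\): error (?P<msg>.+)")
END_RE = re.compile(r"pam_end\([^)]*\): status = (?P<status>.+)")

def _new_conv(pid, service=None, user=None):
    return {"pid": pid, "service": service, "user": user,
            "modules": [], "errors": [], "status": None}

def summarize_pam_log(text):
    """Return one dict per pam_start..pam_end conversation, in log order."""
    conversations, open_by_pid = [], {}
    for line in text.splitlines():
        m = PAM_RE.search(line)
        if not m:
            continue                      # sshd's own auth.notice lines etc.
        pid, body = m["pid"], m["body"]
        start = START_RE.search(body)
        if start:
            conv = _new_conv(pid, start["service"], start["user"])
        elif pid in open_by_pid:
            conv = open_by_pid[pid]
        else:                             # pam_end seen without its pam_start
            conv = _new_conv(pid)
        if conv is not open_by_pid.get(pid):
            conversations.append(conv)
            open_by_pid[pid] = conv
        if (mod := MODULE_RE.search(body)):
            conv["modules"].append(mod["path"].rsplit("/", 1)[-1])
        elif (err := ERROR_RE.search(body)):
            conv["errors"].append(err["msg"])
        elif (end := END_RE.search(body)):
            conv["status"] = end["status"]
            del open_by_pid[pid]          # handle closed; the next event opens a new one
    return conversations
```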


On 03/04/2013 04:39 PM, Eli J. Elliott wrote:
I don't see being able to install sssd on the solaris hosts due to
security restrictions. I had read about using the hosts.allow file to
restrict to netgroups but was concerned about logging in with local
accounts. Wish I could wrap my head around what is changing when I add
the passwd_compat to nsswitch. Why would it suddenly stop
authenticating? It still sees the ldap users.

-E

On Fri, Mar 1, 2013 at 4:48 PM, Sigbjorn Lie <sigbj...@nixtra.com> wrote:

    Have you considered using allowgroups in sshd_config for restricting
    ssh logins instead?

    By using allowgroups you could use the same user group for ssh
    access to Solaris and for Linux hosts using sssd and hbac.


    Regards
    Siggi

    "Eli J. Elliott" <eli.elli...@moser-inc.com> wrote:

        I have a problem with Solaris 10 and netgroups with IPA.

        I am able to log in to the Solaris 10 server with IPA users as
        long as I am not using netgroups. As soon as I add a netgroup I
        can no longer authenticate.

        I have updated nsswitch.conf:

        #passwd:     files ldap
        passwd: compat
        passwd_compat:  files ldap
        group:  files ldap


        And then added the netgroup to /etc/passwd:

        +@MYHOST:x:::::


        And used pwconv to get the netgroup into /etc/shadow:

        +@MYHOST:x:15765::::::


        I am able to see the user in getent (and none of the users I
        want restricted show up, only the user I want which is great):

        -bash-3.2# getent passwd testuser
        testuser:x:3713:3713:Test User:/export/home/testuser:/bin/bash

        I am also able to su to testuser as root:

        -bash-3.2# su - testuser
        Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
        -bash-3.2$ id
        uid=3713(testuser) gid=3713(testgroup)


        I cannot su to the user from another user; it appears to be the
        password that is the problem. I can successfully change
        passwords using kpasswd from the Solaris 10 host.


        I've enabled PAM debugging:


        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1)
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
        Mar  1 12:54:04 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]: pam_get_user(80c8b18, 80c8b18, NULL)
        Mar  1 12:54:07 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
        Mar  1 12:54:07 MYHOST last message repeated 1 time
        Mar  1 12:54:07 MYHOST sshd[3928]: [ID 117705 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1): error Authentication failed
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.notice] Failed keyboard-interactive for testuser from 30.241.208.21 port 4469 ssh2
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = Authentication failed
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1)
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
        Mar  1 12:54:08 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]: pam_get_user(80c8b18, 80c8b18, NULL)
        Mar  1 12:54:09 MYHOST sshd[3928]: [ID 800047 auth.info] Received disconnect from 30.241.208.21: 13: Unable to authenticate
        Mar  1 12:54:09 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
        Mar  1 12:54:09 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = General PAM failure
        Mar  1 12:54:11 MYHOST sshd[3906]: [ID 800047 auth.info] Received disconnect from 30.241.208.21: 13: Unable to authenticate
        Mar  1 12:54:11 MYHOST sshd[3906]: [ID 583457 auth.debug] PAM[3906]: pam_set_item(80c8b18:conv)
        Mar  1 12:54:11 MYHOST sshd[3906]: [ID 278145 auth.debug] PAM[3906]: pam_end(80c8b18): status = General PAM failure

        I'm at a loss at this point. I can't seem to determine how
        simply adding a netgroup causes authentication to fail. Every
        other aspect of the netgroup works and the system without the
        netgroup works.


        Any ideas?

        -Eli


        ------------------------------------------------------------------------

        Freeipa-users mailing list

        Freeipa-users@redhat.com
        https://www.redhat.com/mailman/listinfo/freeipa-users


    --
    Sent from my Android phone with K-9 Mail. Please excuse my brevity.
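The compat entries Eli added (passwd +@MYHOST:x::::: and the shadow line pwconv produced, +@MYHOST:x:15765::::::) are worth reviewing with the passwd(4) rule in mind: in compat mode, a non-empty field in a + entry replaces the corresponding field the directory supplies for every account the entry pulls in. The script below is an added example, not code from the thread; it lists such override fields. The override rule is assumed here to apply to the shadow + entry as well, and whether an override explains the failure Eli sees is not established in the thread.

```python
"""Review compat-mode (+, +@netgroup, -name) entries in Solaris-style passwd/shadow text."""
from dataclasses import dataclass
PASSWD_FIELDS = ["name", "password", "uid", "gid", "gecos", "home", "shell"]
SHADOW_FIELDS = ["name", "password", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "flag"]
# The two compat lines quoted in the thread; local accounts left out.
PASSWD_SAMPLE = "# local accounts omitted\n+@MYHOST:x:::::\n"
SHADOW_SAMPLE = "# local accounts omitted\n+@MYHOST:x:15765::::::\n"

@dataclass
class CompatEntry:
    source: str      # "passwd" or "shadow"
    kind: str        # "all" (+), "netgroup" (+@name), "user" (+name) or "exclude" (-...)
    token: str       # the first field as written, e.g. "+@MYHOST"
    overrides: dict  # non-empty fields after the name, keyed by field name

def parse_compat_entries(text, source):
    names = PASSWD_FIELDS if source == "passwd" else SHADOW_FIELDS
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] not in "+-":
            continue                      # comment or ordinary local account
        fields = line.split(":")
        token = fields[0]
        if token.startswith("-"):
            kind = "exclude"
        elif token.startswith("+@"):
            kind = "netgroup"
        elif token == "+":
            kind = "all"
        else:
            kind = "user"
        # Assumed passwd(4) semantics: a non-empty field here replaces the
        # directory's value for every account the entry pulls in.
        overrides = {n: v for n, v in zip(names[1:], fields[1:]) if v}
        entries.append(CompatEntry(source, kind, token, overrides))
    return entries

def compat_findings(passwd_text, shadow_text):
    """One line per override field, in file order; an empty list means clean."""
    entries = (parse_compat_entries(passwd_text, "passwd")
               + parse_compat_entries(shadow_text, "shadow"))
    return [f"{e.source}: {e.token} forces {name}={value!r} on matched accounts"
            for e in entries for name, value in e.overrides.items()]
```

Run on the thread's two lines it reports the password field in both files and lastchg in shadow; a pair of entries with every field after the name left empty reports nothing.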



