On Mon, Feb 06, 2017 at 01:56:06PM +0000, Tommy Nikjoo wrote: > Hi, > > I'm having some issues with 2FA PAM config's on Ubuntu clients. > Currently, I'm guessing that the PAM module doesn't know how to talk to > the 2FA protocol. Is anyone able to give an in site into how to get > this working correctly?
In general you have to make sure the pam_sss is the pam modules which does the conversation with the user and not e.g. pam_unix because pam_unix will only ask for a password. E.g. on Fedora/RHEL a general auth part of the PAM configuration might look like: auth required pam_env.so auth [default=1 success=ok] pam_localuser.so auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so The pam_localuser module checks if the user trying to log in is a local user, i.e. listed in /etc/passwd, and if it is a local user (success=ok) the next module pam_unix is called. For non-local user the next module is skipped (default=1) and after the uid check pam_sss is call which now can prompt the user according to the authentication methods available for the user on the IPA server. HTH bye, Sumit > > Thanks > > ** > > // > > > > On 14/12/16 22:48, Fraser Tweedale wrote: > > On Wed, Dec 14, 2016 at 05:35:35PM +0000, Tommy Nikjoo wrote: > >> Hi, > >> > >> I'm trying to install FreeIPA on CentOS 7 using the yum package, but I > >> keep getting an error when it tries to restart DogTag > >> > >> [26/31]: restarting certificate server > >> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart > >> the Dogtag instance.See the installation log for details. > >> [27/31]: migrating certificate profiles to LDAP > >> [error] NetworkError: cannot connect to > >> 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': '' > >> ipa.ipapython.install.cli.install_tool(Server): ERROR cannot connect > >> to 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': '' > >> ipa.ipapython.install.cli.install_tool(Server): ERROR The > >> ipa-server-install command failed. See /var/log/ipaserver-install.log > >> for more information > >> > >> > >> The log shows the following error > >> > >> 2016-12-14T16:53:05Z DEBUG NSSConnection init ldap.example.com > >> 2016-12-14T16:53:05Z DEBUG Connecting: x.x.x.x:0 > >> 2016-12-14T16:53:05Z DEBUG approved_usage = SSL Server intended_usage = > >> SSL Server > >> 2016-12-14T16:53:05Z DEBUG cert valid True for > >> "CN=ldap.example.com,O=EXAMPLE.COM" > >> 2016-12-14T16:53:05Z DEBUG handshake complete, peer = x.x.x.x:8443 > >> 2016-12-14T16:53:05Z DEBUG Protocol: TLS1.2 > >> 2016-12-14T16:53:05Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA > >> 2016-12-14T16:53:05Z DEBUG response status 200 > >> 2016-12-14T16:53:05Z DEBUG response headers {'content-length': '205', > >> 'set-cookie': 'JSESSIONID=9B6C767CDBED07088646235E68E831E0; Path=/ca/; > >> Secure; HttpOnly', 'expires': 'Thu, 01 Jan 1970 00:00:00 UTC', 'server': > >> 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Wed, 14 Dec > >> 2016 16:53:05 GMT', 'content-type': 'application/xml'} > >> 2016-12-14T16:53:05Z DEBUG response body '<?xml version="1.0" > >> encoding="UTF-8" standalone="yes"?><Account > >> id="ipara"><FullName>ipara</FullName><Roles><Role>Certificate Manager > >> Agents</Role><Role>Registration Manager Agents</Role></Roles></Account>' > >> 2016-12-14T16:53:05Z DEBUG request POST > >> https://ldap.example.com:8443/ca/rest/profiles/raw > >> 2016-12-14T16:53:05Z DEBUG request body > >> 'profileId=IECUserRoles\nclassId=caEnrollImpl\ndesc=Enroll user > >> certificates with IECUserRoles extension via IPA-RA agent > >> authentication.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=raCertAuth\nname=IPA-RA > >> Agent-Authenticated Server Certificate > >> Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject > >> Name > >> Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject > >> Name > >> Default\npolicyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, > >> O=EXAMPLE.COM\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity > >> Constraint\npolicyset.serverCertSet.2.constraint.params.range=740\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity > >> Default\npolicyset.serverCertSet.2.default.params.range=731\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key > >> Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key > >> Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No > >> Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority > >> Key Identifier > >> Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No > >> Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA > >> Extension > >> Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.com/ca/ocsp\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key > >> Usage Extension > >> Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key > >> Usage > >> Default\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.7.constraint.name=No > >> Constraint\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.serverCertSet.7.default.name=Extended > >> Key Usage Extension > >> Default\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.serverCertSet.8.constraint.name=No > >> Constraint\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.serverCertSet.8.default.name=Signing > >> Alg\npolicyset.serverCertSet.8.default.params.signingAlg=-\npolicyset.serverCertSet.9.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.9.constraint.name=No > >> Constraint\npolicyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.serverCertSet.9.default.name=CRL > >> Distribution Points Extension > >> Default\npolicyset.serverCertSet.9.default.params.crlDistPointsCritical=false\npolicyset.serverCertSet.9.default.params.crlDistPointsNum=1\npolicyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true\npolicyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate > >> Authority,o=ipaca\npolicyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName\npolicyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.example.com/ipa/crl/MasterCRL.bin\npolicyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName\npolicyset.serverCertSet.9.default.params.crlDistPointsReasons_0=\npolicyset.serverCertSet.10.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.10.constraint.name=No > >> Constraint\npolicyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.10.default.name=Subject > >> Key Identifier Extension > >> Default\npolicyset.serverCertSet.10.default.params.critical=false\npolicyset.serverCertSet.11.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.11.constraint.name=No > >> Constraint\npolicyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl\npolicyset.serverCertSet.11.default.name=User > >> Supplied Extension > >> Default\npolicyset.serverCertSet.11.default.params.userExtOID=2.5.29.17\npolicyset.serverCertSet.12.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.12.constraint.name=No > >> Constraint\npolicyset.serverCertSet.12.default.class_id=userExtensionDefaultImpl\npolicyset.serverCertSet.12.default.name=IECUserRoles > >> Extension > >> Default\npolicyset.serverCertSet.12.default.params.userExtOID=1.2.840.10070.8.1\n' > >> > >> Is there anything I can do to get around this? > >> > >> Thanks, > >> > >> Tommy > >> > > Could you look at `journalctl -u pki-tomcatd@pki-tomcat' and see if > > there are any errors there? > > > > Also could you provide more of /var/log/ipaserver-install.log and > > /var/log/pki/pki-tomcat/ca/debug ? > > > > Thanks, > > Fraser > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project