Well
I think I can now answer my own question.
The following is from:
http://fedoraproject.org/wiki/QA:Testcase_freeipav2_nis
Password Hashes
You may notice that password hashes are not available, even when you
attempt to retrieve entries as root. As this is the default behavior, a
prospective client system would need to also be configured to use either
Kerberos or LDAP to check user passwords.
I'm sorry for the spam... :-) Also, my inconsistent hosts and IPs
below are the result of a failed obfuscation, rather than actual
inconsistencies in my config.
Cheers and thanks for FreeIPA!
-Joshua
P.S. I guess I'll go some other route to authenticate these ancient Ubuntu
9.04 boxes to IPA. lol
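The behaviour quoted from the wiki above can be checked from the client side. The following is an added example, not part of the original post or of FreeIPA: it classifies the password field of passwd-format lines (as printed by `getent passwd` or `ypcat passwd`) to show whether pam_unix has a hash to compare against. The sample entries, the `*` placeholder and the function names are constructed assumptions.

```python
import re

# Shapes of crypt(3) strings that pam_unix can verify:
# modular format ($id$...) or a 13-character traditional DES hash.
_CRYPT = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")

# Constructed sample in passwd(5) format; the hash is a made-up string.
SAMPLE = """\
bob:*:1001:1001:Bob Example:/home/bob:/bin/bash
legacy:$6$examplesalt$CONSTRUCTEDnotARealHashValue0123456789:1002:1002::/home/legacy:/bin/sh
shadowed:x:1003:1003::/home/shadowed:/bin/sh
frozen:!$6$examplesalt$CONSTRUCTEDnotARealHashValue0123456789:1004:1004::/home/frozen:/bin/sh
"""

def classify_pw_field(field):
    """Classify field 2 of a passwd entry."""
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"      # hash, if any, lives in a shadow map
    if field.startswith("!") and _CRYPT.match(field.lstrip("!")):
        return "locked"        # real hash, disabled by a '!' prefix
    if _CRYPT.match(field):
        return "hash"
    return "unusable"          # '*', '!!' and similar placeholders

def audit_passwd_map(text):
    """Return {user: class} for every well-formed passwd line in text."""
    result = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 7 or line.startswith("#"):
            continue           # skip comments and malformed lines
        result[parts[0]] = classify_pw_field(parts[1])
    return result

def pam_unix_can_authenticate(text, user):
    """True only if the map itself exposes a usable hash for user."""
    return audit_passwd_map(text).get(user) == "hash"

if __name__ == "__main__":
    for user, kind in audit_passwd_map(SAMPLE).items():
        print(f"{user:10s} {kind}")
```

An entry classified as "unusable" resolves through getent but cannot be authenticated by pam_unix alone, so password checks for it have to go to Kerberos or LDAP.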
On Thu, Mar 8, 2012 at 7:29 PM, freeipa-devel-requ...@redhat.com wrote:
Today's Topics:
1. IPAv2 on SL6.2 using NIS fails with Failed password error
(Joshua Dotson)
--
Message: 1
Date: Thu, 8 Mar 2012 19:29:10 -0500
From: Joshua Dotson j...@knoesis.org
To: freeipa-devel@redhat.com
Subject: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed
password error
Message-ID:
canlzmlhi99zk986f4mh0pcykrrhx3wgdk7crw+34q3eofbm...@mail.gmail.com
Content-Type: text/plain; charset=iso-8859-1
Hi All,
I'm having a problem with my IPA installs; I can't seem to get the NIS mode
to work. I tried it with and without 'Migration Mode' enabled.
I bind to it and 'getent passwd' and 'getent group' just fine, but when I
type my password (post initial kinit password change) in for ssh, I get
permission denied and the following in my client-side /var/log/secure log:
Mar 8 18:15:07 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar 8 18:15:22 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar 8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68 user=bob
Mar 8 18:46:16 bastion sshd[18556]: Failed password for bob from 192.168.5.68 port 50839 ssh2
On the server, I can find no error on the server side, matching the
timestamp of when I attempt login from a third host to the bastion host
(see below).
Am I mistaken that IPAv2 provides backwards compatible NIS, without
client-side SSSD, KRB5 and the like? Am I missing a service or something?
Thanks very much! Please excuse the long email. Perhaps I'm too eager.
lol :-)
-Joshua.
BACKGROUND INFO FOLLOWS
Here are the details of my install, which is my fourth IPA install, so far.
As a side note, however, I've not been able to get the NIS mode working,
yet.
- 2 nearly identical KVMs to test this. (1 for server and 1 for NIS
client)
- x86_64
- ext4 over LVM over qcow2 over NFSv3
- using virtio
- Scientific Linux 6.2 minimal install from GUI of Install DVD
- all available yum updates applied
- iptables off
- ipv4 only
- added self FQDN to both /etc/hosts files
- NetworkManager off in favor of network
- static public IPs
- Used the following commands to install my IPA server:
# yum -y install \
    ipa-server \
    bind \
    bind-dyndb-ldap
# ipa-server-install \
    -a 'admin_pass_example' \
    --hostname=ipa.example.com \
    -p 'dir_man_password_example' \
    -n exampledom.com \
    -r EXAMPLE.COM \
    --setup-dns \
    --forwarder=192.168.2.10 \
    --forwarder=192.168.1.20
- After a reboot, logging in with Firefox works well... kinit works well
after I create an initial user in the UI... Everything is cool... even
enrolling other machines with the ipa-client-install tool works well. No
other changes were made inside the UI.
- Here are the commands I ran on the server outside the UI, per
instructions (here:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html
)
[root@ipa ~]# ipa-compat-manage enable
Directory Manager password:
Plugin already Enabled
[root@ipa ~]# rpcinfo
program version netid address service owner
104tcp6 ::.0.111 portmapper superuser
103tcp6 ::.0.111 portmapper superuser
104udp6 ::.0.111 portmapper superuser
103udp6 ::.0.111 portmapper superuser
104