[Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error

2012-03-08 Thread Joshua Dotson
Hi All,

I'm having a problem with my IPA installs; I can't seem to get the NIS mode
to work.  I tried it with and without 'Migration Mode' enabled.

I bind to it and 'getent passwd' and 'getent group' just fine, but when I
type my password (post initial kinit password change) in for ssh, I get
permission denied and the following in my client-side /var/log/secure log:

Mar  8 18:15:07 bastion sshd[18480]: Failed password for bob from
192.168.5.68 port 50788 ssh2
Mar  8 18:15:22 bastion sshd[18480]: Failed password for bob from
192.168.5.68 port 50788 ssh2
Mar  8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68  user=bob
Mar  8 18:46:16 bastion sshd[18556]: Failed password for bob from
192.168.5.68 port 50839 ssh2

On the server, I can find no error on the server side, matching the
timestamp of when I attempt login from a third host to the bastion host
(see below).

Am I mistaken that IPAv2 provides backwards compatible NIS, without
client-side SSSD, KRB5 and the like?  Am I missing a service or something?

Thanks very much!  Please excuse the long email.  Perhaps I'm too eager.
lol  :-)

-Joshua.

BACKGROUND INFO FOLLOWS=

Here are the details of my install, which is my fourth IPA install, so far.
 As a side note, however, I've not been able to get the NIS mode working,
yet.


   - 2 nearly identical KVMs to test this (1 for server and 1 for NIS client)
   - x86_64
   - ext4 over LVM over qcow2 over NFSv3
   - using virtio
   - Scientific Linux 6.2 minimal install from GUI of Install DVD
   - all available yum updates applied
   - iptables off
   - ipv4 only
   - added self FQDN to both /etc/hosts files
   - NetworkManager off in favor of network
   - static public IPs
   - Used the following commands to install my IPA server:

# yum -y install \
ipa-server \
bind \
bind-dyndb-ldap

# ipa-server-install \
  -a 'admin_pass_example' \
  --hostname=ipa.example.com \
  -p 'dir_man_password_example' \
  -n exampledom.com \
  -r EXAMPLE.COM \
  --setup-dns \
  --forwarder=192.168.2.10 \
  --forwarder=192.168.1.20


   - After a reboot, logging in with Firefox works well... kinit works well after I create an initial user in the UI... Everything is cool... even enrolling other machines with the ipa-client-install tool works well... No other changes were made inside the UI.
   - Here are the commands I ran on the server outside the UI, per instructions (here: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html)


[root@ipa ~]# ipa-compat-manage enable
Directory Manager password:

Plugin already Enabled
[root@ipa ~]# rpcinfo
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /var/run/rpcbind.sock  portmapper superuser
    100000    3    local     /var/run/rpcbind.sock  portmapper superuser
[root@ipa ~]# ipa-nis-manage enable
Directory Manager password:

Enabling plugin
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.
[root@ipa ~]# reboot

The system is going down for reboot NOW!


sam@bastion:~$ ssh 192.168.5.25
Last login: Thu Mar  8 17:58:58 2012 from 192.168.5.99
[sam@ipa ~]$ su -
Password:
[root@ipa ~]# rpcinfo
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
102 

Re: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error

2012-03-08 Thread Joshua Dotson
Well

I think I can now answer my own question.

The following is from:
http://fedoraproject.org/wiki/QA:Testcase_freeipav2_nis

Password Hashes
You may notice that password hashes are not available, even when you
attempt to retrieve entries as root. As this is the default behavior, a
prospective client system would need to also be configured to use either
Kerberos or LDAP to check user passwords.

I'm sorry for the spam.. :-)... And also, my inconsistent hosts and IP's
below are the result of a failed obfuscation, rather than actual
inconsistencies in my config.

Cheers and thanks for FreeIPA!

-Joshua

P.S. I guess I'll go some other route to authenticate these ancient Ubuntu
9.04 boxes to IPA. lol
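
The reply above gives the root cause: the compat/NIS maps hand out user entries but no password hashes, so pam_unix on the client has nothing to verify against and only Kerberos or LDAP can check the password. The Python script below is an added example, not code from this thread or from FreeIPA. It triages sshd "Failed password" lines (the format shown in the first message) against the passwd entries a NIS client would receive, and separates "no hash available to pam_unix, so the failure is a configuration issue" from "hash present, genuinely wrong password" and "unknown user". The log lines and passwd entries are constructed samples; the "*" password field is an assumption standing in for whatever placeholder the compat map serves in place of a hash.

```python
import re

# Constructed sample input in the /var/log/secure format quoted in the thread.
SAMPLE_SECURE_LOG = """\
Mar  8 18:15:07 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar  8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.68  user=bob
Mar  8 18:46:16 bastion sshd[18556]: Failed password for bob from 192.168.5.68 port 50839 ssh2
Mar  8 18:50:02 bastion sshd[18601]: Failed password for alice from 192.168.5.70 port 50901 ssh2
Mar  8 18:51:30 bastion sshd[18640]: Failed password for invalid user mallory from 192.168.5.71 port 51010 ssh2
"""

# Constructed passwd-map entries as `getent passwd` would show them on the client.
# "*" for bob is an ASSUMPTION: a placeholder where the compat map serves no hash.
# alice carries a (fake, constructed) SHA-512 crypt hash to show the contrasting case.
SAMPLE_PASSWD_MAP = [
    "bob:*:1001:1001:Bob Example:/home/bob:/bin/bash",
    "alice:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABC:1002:1002:Alice Example:/home/alice:/bin/bash",
]

# Matches both "Failed password for bob from ..." and
# "Failed password for invalid user mallory from ...".
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+)"
)

ADVICE = {
    "no-hash-in-map": "map gives no hash; pam_unix cannot verify it. Configure pam_krb5/pam_ldap (or SSSD) for auth.",
    "shadow-map": "passwd field is 'x'; check whether the client can read a shadow map for this user.",
    "hash-present": "hash is present; treat as a real wrong-password attempt.",
    "unknown-user": "user is not in the passwd map at all; check ypbind/nsswitch or treat as probing.",
}


def parse_passwd_map(lines):
    """Return {user: password_field} from passwd(5)-format lines, skipping malformed ones."""
    entries = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) == 7:
            entries[fields[0]] = fields[1]
    return entries


def classify_password_field(pw_field):
    """Decide what pam_unix could have done with this password field."""
    if pw_field is None:
        return "unknown-user"
    if pw_field == "x":
        return "shadow-map"
    # Empty, "*", "!", "!!" or a "!"-prefixed locked hash: nothing verifiable here.
    if pw_field in ("", "*", "!", "!!") or pw_field.startswith("!"):
        return "no-hash-in-map"
    return "hash-present"


def classify_failures(log_text, passwd_map):
    """Parse sshd failure lines and attach a verdict for each one."""
    results = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # pam_unix detail lines and other noise are skipped
        user = m.group("user")
        results.append({
            "user": user,
            "rhost": m.group("rhost"),
            "verdict": classify_password_field(passwd_map.get(user)),
        })
    return results


def summarize(results):
    """Count failures per verdict so the dominant failure class stands out."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


def main():
    passwd_map = parse_passwd_map(SAMPLE_PASSWD_MAP)
    results = classify_failures(SAMPLE_SECURE_LOG, passwd_map)
    for r in results:
        print(f"{r['user']:<10} from {r['rhost']:<15} {r['verdict']:<15} {ADVICE[r['verdict']]}")
    print("summary:", summarize(results))


if __name__ == "__main__":
    main()
```

To run this against a real client, replace the two constructed samples with the output of `getent passwd` and the contents of /var/log/secure; if every failure for real users lands in "no-hash-in-map", the client is relying on pam_unix for a directory that deliberately withholds hashes, which is the situation described in the reply.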

