Re: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error
On Fri, Mar 09, 2012 at 04:06:33PM -0500, Dmitri Pal wrote:
> As far as I understand, the underlying DS can also be configured to create the weak hashes needed for NIS, but it is not recommended. But this is something that the gurus should confirm.

The NIS server will serve up password hashes which are compatible with traditional crypt() if any are found in an entry's userPassword attribute. By default, the directory server doesn't create them in this form (it prefers SSHA, or SSHA256, I guess), but this can be changed by setting passwordStorageScheme: CRYPT in its cn=config entry.

Two things to watch out for, though.

The first is that when you make the change, the directory server starts generating userPassword values which begin with {crypt}, but the default configuration for the NIS server told it to look for values which began with {CRYPT}, in a case-sensitive manner, so it wouldn't match them. This was corrected in slapi-nis 0.29. You'll want to either grab a newer package to pick up the new defaults, or override the run-time configuration of your copy to match the defaults from later versions.

The second is that changing your passwordStorageScheme only affects how the server hashes passwords that will be set after you make the change, so if you're going to do it, it's better done sooner rather than later.

HTH,
Nalin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
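Both pitfalls Nalin describes (the {crypt} vs {CRYPT} tag case, and entries hashed before the scheme change) can be audited before anyone relies on NIS logins. The following is an added example, not code from this thread or from slapi-nis: it models the tag matching as a plain prefix comparison (an assumption, not taken from the slapi-nis source) and uses constructed placeholder userPassword values.

```python
import re

# Constructed sample: userPassword values as a 389 DS entry might hold them.
# Hash bodies are made-up placeholders, not real hashes.
SAMPLE_ENTRIES = {
    "alice": ["{SSHA}cGxhY2Vob2xkZXI="],          # hashed before passwordStorageScheme: CRYPT
    "bob":   ["{crypt}$1$abcdefgh$placeholder"],  # hashed after the change (lower-case tag)
    "carol": ["{CRYPT}abCDefGHijkLM"],            # upper-case tag, as old slapi-nis defaults expected
    "dave":  [],                                  # no userPassword at all
}

SCHEME_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.DOTALL)

def crypt_hash_for_nis(values, exact_tag=None):
    """Return the crypt() hash the NIS server would publish for this entry, or None.

    exact_tag=None models slapi-nis >= 0.29 (case-insensitive scheme match);
    exact_tag="{CRYPT}" models the older default, which compared the tag verbatim.
    (Assumed model of the matching logic, not the real slapi-nis implementation.)
    """
    for value in values:
        m = SCHEME_RE.match(value)
        if not m:
            continue
        scheme, body = m.group(1), m.group(2)
        if exact_tag is None and scheme.lower() == "crypt":
            return body
        if exact_tag is not None and "{" + scheme + "}" == exact_tag:
            return body
    return None

def nis_readiness(entries, exact_tag=None):
    """Classify each entry: 'served', 'tag-case-mismatch', 'needs-reset' or 'no-password'."""
    report = {}
    for user, values in entries.items():
        if not values:
            report[user] = "no-password"
        elif crypt_hash_for_nis(values, exact_tag) is not None:
            report[user] = "served"
        elif crypt_hash_for_nis(values) is not None:
            # A crypt hash exists, but the old case-sensitive default would skip it.
            report[user] = "tag-case-mismatch"
        else:
            # SSHA/SSHA256 etc.: the password must be set again after switching to CRYPT.
            report[user] = "needs-reset"
    return report

if __name__ == "__main__":
    for user, status in nis_readiness(SAMPLE_ENTRIES, exact_tag="{CRYPT}").items():
        print(f"{user}: {status}")
```

Users reported as needs-reset will keep failing NIS password checks until their password is changed, which is the "sooner rather than later" point above.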
Re: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error
On 03/08/2012 07:49 PM, Joshua Dotson wrote:
> Well I think I can now answer my own question. The following is from:
> http://fedoraproject.org/wiki/QA:Testcase_freeipav2_nis
>
> Password Hashes
> You may notice that password hashes are not available, even when you attempt to retrieve entries as root. As this is the default behavior, a prospective client system would need to also be configured to use either Kerberos or LDAP to check user passwords.
>
> I'm sorry for the spam.. :-)... And also, my inconsistent hosts and IPs below are the result of a failed obfuscation, rather than actual inconsistencies in my config.
>
> Cheers and thanks for FreeIPA!

Joshua, is this just a test of the waters, or do you actually plan to use NIS on 6.2? It seems odd, as 6.2 has a much better solution (SSSD configured with ipa-client) than NIS. NIS support is mostly for legacy systems that can't do LDAP. As far as I understand, the underlying DS can also be configured to create the weak hashes needed for NIS, but it is not recommended. But this is something that the gurus should confirm.

> -Joshua
>
> P.S. I guess I'll go some other route to authenticate these ancient Ubuntu 9.04 boxes to IPA. lol
>
> On Thu, Mar 8, 2012 at 7:29 PM, freeipa-devel-requ...@redhat.com wrote:
>> Message: 1
>> Date: Thu, 8 Mar 2012 19:29:10 -0500
>> From: Joshua Dotson j...@knoesis.org
>> To: freeipa-devel@redhat.com
>> Subject: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error
>>
>> Hi All,
>>
>> I'm having a problem with my IPA installs; I can't seem to get the NIS mode to work. I tried it with and without 'Migration Mode' enabled. I bind to it and 'getent passwd' and 'getent group' just fine, but when I type my password (post initial kinit password change) in for ssh, I get permission denied and the following in my client-side /var/log/secure log:
>>
>> Mar 8 18:15:07 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
>> Mar 8 18:15:22 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
>> Mar 8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68 user=bob
>> Mar 8 18:46:16 bastion sshd[18556]: Failed password for bob from 192.168.5.68 port 50839 ssh2
>>
>> On the server, I can find no error on the server side matching the timestamp of when I attempt login from a third host to the bastion host (see below).
>>
>> Am I mistaken that IPAv2 provides backwards compatible NIS, without client-side SSSD, KRB5 and the like? Am I missing a service or something?
>>
>> Thanks very much! Please excuse the long email. Perhaps I'm too eager. lol :-)
>>
>> -Joshua.
>>
>> BACKGROUND INFO FOLLOWS
>>
>> Here are the details of my install, which is my fourth IPA install so far. As a side note, however, I've not been able to get the NIS mode working yet.
>>
>> - 2 nearly identical KVMs to test this (1 for server and 1 for NIS client)
>> - x86_64
>> - ext4 over LVM over qcow2 over NFSv3
>> - using virtio
>> - Scientific Linux 6.2 minimal install from GUI of Install DVD
>> - all available yum updates applied
>> - iptables off
>> - ipv4 only
>> - added self FQDN to both /etc/hosts files
>> - NetworkManager off in favor of network
>> - static public IPs
>> - Used the following commands to install my IPA server:
>>
>>   # yum -y install \
>>       ipa-server \
>>       bind \
>>       bind-dyndb-ldap
>>
>>   # ipa-server-install \
>>       -a 'admin_pass_example' \
>>       --hostname=ipa.example.com
Re: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error
Well I think I can now answer my own question. The following is from:
http://fedoraproject.org/wiki/QA:Testcase_freeipav2_nis

Password Hashes
You may notice that password hashes are not available, even when you attempt to retrieve entries as root. As this is the default behavior, a prospective client system would need to also be configured to use either Kerberos or LDAP to check user passwords.

I'm sorry for the spam.. :-)... And also, my inconsistent hosts and IPs below are the result of a failed obfuscation, rather than actual inconsistencies in my config.

Cheers and thanks for FreeIPA!

-Joshua

P.S. I guess I'll go some other route to authenticate these ancient Ubuntu 9.04 boxes to IPA. lol

On Thu, Mar 8, 2012 at 7:29 PM, freeipa-devel-requ...@redhat.com wrote:
> Message: 1
> Date: Thu, 8 Mar 2012 19:29:10 -0500
> From: Joshua Dotson j...@knoesis.org
> To: freeipa-devel@redhat.com
> Subject: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error
>
> Hi All,
>
> I'm having a problem with my IPA installs; I can't seem to get the NIS mode to work. I tried it with and without 'Migration Mode' enabled. I bind to it and 'getent passwd' and 'getent group' just fine, but when I type my password (post initial kinit password change) in for ssh, I get permission denied and the following in my client-side /var/log/secure log:
>
> Mar 8 18:15:07 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
> Mar 8 18:15:22 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
> Mar 8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68 user=bob
> Mar 8 18:46:16 bastion sshd[18556]: Failed password for bob from 192.168.5.68 port 50839 ssh2
>
> On the server, I can find no error on the server side matching the timestamp of when I attempt login from a third host to the bastion host (see below).
>
> Am I mistaken that IPAv2 provides backwards compatible NIS, without client-side SSSD, KRB5 and the like? Am I missing a service or something?
>
> Thanks very much! Please excuse the long email. Perhaps I'm too eager. lol :-)
>
> -Joshua.
>
> BACKGROUND INFO FOLLOWS
>
> Here are the details of my install, which is my fourth IPA install so far. As a side note, however, I've not been able to get the NIS mode working yet.
>
> - 2 nearly identical KVMs to test this (1 for server and 1 for NIS client)
> - x86_64
> - ext4 over LVM over qcow2 over NFSv3
> - using virtio
> - Scientific Linux 6.2 minimal install from GUI of Install DVD
> - all available yum updates applied
> - iptables off
> - ipv4 only
> - added self FQDN to both /etc/hosts files
> - NetworkManager off in favor of network
> - static public IPs
> - Used the following commands to install my IPA server:
>
>   # yum -y install \
>       ipa-server \
>       bind \
>       bind-dyndb-ldap
>
>   # ipa-server-install \
>       -a 'admin_pass_example' \
>       --hostname=ipa.example.com \
>       -p 'dir_man_password_example' \
>       -n exampledom.com \
>       -r EXAMPLE.COM \
>       --setup-dns \
>       --forwarder=192.168.2.10 \
>       --forwarder=192.168.1.20
>
> - After a reboot, logging in with Firefox works well... kinit works well after I create an initial user in the UI... Everything is cool.. even enrolling other machines with the ipa-client-install tool works well.. No other changes were made inside the UI
> - Here are the commands I ran on the server outside the UI, per instructions (here: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html ):
>
>   [root@ipa ~]# ipa-compat-manage enable
>   Directory Manager password:
>   Plugin already Enabled
>
>   [root@ipa ~]# rpcinfo
>   program version netid address service owner
>   104tcp6 ::.0.111 portmapper superuser
>   103tcp6 ::.0.111 portmapper superuser
>   104udp6 ::.0.111 portmapper superuser
>   103udp6 ::.0.111 portmapper superuser
>   104