Re: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error

2012-03-12 Thread Nalin Dahyabhai
On Fri, Mar 09, 2012 at 04:06:33PM -0500, Dmitri Pal wrote:
As far as I understand, the underlying DS can also be configured to create
the weak hashes needed for NIS, but it is not recommended. But this is
something that the gurus should confirm.

The NIS server will serve up password hashes which are compatible with
traditional crypt() if any are found in an entry's userPassword
attribute.  By default, the directory server doesn't create them in this
form (it prefers SSHA, or SSHA256, I guess), but this can be changed by
setting passwordStorageScheme: CRYPT in its cn=config entry.

Two things to watch out for, though.

The first is that when you make the change, the directory server starts
generating userPassword values which begin with {crypt}, but the
default configuration for the NIS server told it to look for values
which began with {CRYPT}, in a case-sensitive manner, so it wouldn't
match them.  This was corrected in slapi-nis 0.29.  You'll want to
either grab a newer package to pick up the new defaults, or override the
run-time configuration of your copy to match the defaults from later
versions.

The second is that changing your passwordStorageScheme only affects how
the server hashes passwords that will be set after you make the change,
so if you're going to do it, it's better done sooner rather than later.

HTH,

Nalin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
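As an added example (not code from the thread, from FreeIPA or from slapi-nis), the script below takes the kind of LDIF an ldapsearch of userPassword under cn=users,cn=accounts would return (here a constructed sample) and reports, per account, why a NIS password check would still fail after the change described above: no hash at all (the default Joshua ran into), a pre-switch {SSHA} hash that only a password change will replace, or a {crypt} tag that the old case-sensitive {CRYPT} filter skips. The DNs and hash bodies are constructed, and modelling the 0.29 fix as a case-insensitive tag match is an assumption.

```python
"""Classify 389-DS userPassword values by whether a slapi-nis crypt export can serve them."""
import base64
import re
# Base64 "userPassword::" value built at runtime so the constructed literal cannot be mistyped.
CAROL_B64 = base64.b64encode(b"{CRYPT}$1$constsalt$constructed-md5crypt-body").decode()
# Constructed stand-in for an ldapsearch of cn=users,cn=accounts; no real credentials.
SAMPLE_LDIF = f"""
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
userPassword: {{SSHA}}constructedBase64DigestPlusSalt==

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
userPassword: {{crypt}}$6$constructedsalt$constructed-sha512crypt-body

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
userPassword:: {CAROL_B64}

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=com
description: Kerberos-only account with no userPassword attribute
"""

def parse_entries(ldif):  # -> [(dn, [userPassword values])]; each "dn:" line opens an entry
    entries = []
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            entries.append((line[4:], []))
        elif line.startswith("userPassword:: "):  # "::" marks a base64-encoded LDIF value
            entries[-1][1].append(base64.b64decode(line[15:]).decode())
        elif line.startswith("userPassword: "):
            entries[-1][1].append(line[14:])
    return entries

def served_by_nis(value, case_sensitive_tag=True):
    """Would a slapi-nis crypt filter export this value?  True models the pre-0.29 default."""
    m = re.match(r"\{([^}]+)\}", value)
    tag = m.group(1) if m else ""
    return tag == "CRYPT" if case_sensitive_tag else tag.lower() == "crypt"

def audit(ldif, case_sensitive_tag=True):
    """Map each dn to 'ok', 'case-mismatch', 'needs-reset' or 'no-hash'."""
    report = {}
    for dn, values in parse_entries(ldif):
        if not values:
            report[dn] = "no-hash"        # nothing for NIS to serve: Kerberos/LDAP only
        elif any(served_by_nis(v, case_sensitive_tag) for v in values):
            report[dn] = "ok"
        elif any(served_by_nis(v, False) for v in values):
            report[dn] = "case-mismatch"  # {crypt} stored, filter insists on {CRYPT}
        else:
            report[dn] = "needs-reset"    # hashed before passwordStorageScheme: CRYPT
    return report
```

Feed `audit()` the output of an ldapsearch for userPassword (a Directory Manager bind is needed to read it) to list the accounts that still need a password change after switching passwordStorageScheme.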


Re: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error

2012-03-09 Thread Dmitri Pal
On 03/08/2012 07:49 PM, Joshua Dotson wrote:
 Well

 I think I can now answer my own question.

 The following is
 from: http://fedoraproject.org/wiki/QA:Testcase_freeipav2_nis

 Password Hashes
 You may notice that password hashes are not available, even when
 you attempt to retrieve entries as root. As this is the default
 behavior, a prospective client system would need to also be
 configured to use either Kerberos or LDAP to check user passwords.

 I'm sorry for the spam.. :-)... And also, my inconsistent hosts and
 IPs below are the result of a failed obfuscation, rather than actual
 inconsistencies in my config.

 Cheers and thanks for FreeIPA!


Joshua, is this just a test of the waters, or do you actually plan to use NIS on 6.2?
It seems odd, as 6.2 has a much superior solution (SSSD configured
with ipa-client) than NIS.
NIS support is mostly for legacy systems that can't do LDAP.

As far as I understand, the underlying DS can also be configured to create
the weak hashes needed for NIS, but it is not recommended. But this is
something that the gurus should confirm.


 -Joshua

 P.S. I guess I'll go some other route to authenticate these ancient
 Ubuntu 9.04 boxes to IPA. lol



Re: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error

2012-03-08 Thread Joshua Dotson
Well

I think I can now answer my own question.

The following is from:
http://fedoraproject.org/wiki/QA:Testcase_freeipav2_nis

Password Hashes
You may notice that password hashes are not available, even when you
attempt to retrieve entries as root. As this is the default behavior, a
prospective client system would need to also be configured to use either
Kerberos or LDAP to check user passwords.

I'm sorry for the spam.. :-)... And also, my inconsistent hosts and IPs
below are the result of a failed obfuscation, rather than actual
inconsistencies in my config.

Cheers and thanks for FreeIPA!

-Joshua

P.S. I guess I'll go some other route to authenticate these ancient Ubuntu
9.04 boxes to IPA. lol


On Thu, Mar 8, 2012 at 7:29 PM, freeipa-devel-requ...@redhat.com wrote:

 Date: Thu, 8 Mar 2012 19:29:10 -0500
 From: Joshua Dotson j...@knoesis.org
 To: freeipa-devel@redhat.com
 Subject: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed
password error

 Hi All,

 I'm having a problem with my IPA installs; I can't seem to get the NIS mode
 to work.  I tried it with and without 'Migration Mode' enabled.

 I bind to it and 'getent passwd' and 'getent group' just fine, but when I
 type my password (post initial kinit password change) in for ssh, I get
 permission denied and the following in my client-side /var/log/secure log:

 Mar  8 18:15:07 bastion sshd[18480]: Failed password for bob from
 192.168.5.68 port 50788 ssh2
 Mar  8 18:15:22 bastion sshd[18480]: Failed password for bob from
 192.168.5.68 port 50788 ssh2
 Mar  8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68  user=bob
 Mar  8 18:46:16 bastion sshd[18556]: Failed password for bob from
 192.168.5.68 port 50839 ssh2

 On the server, I can find no error on the server side, matching the
 timestamp of when I attempt login from a third host to the bastion host
 (see below).

 Am I mistaken that IPAv2 provides backwards compatible NIS, without
 client-side SSSD, KRB5 and the like?  Am I missing a service or something?

 Thanks very much!  Please excuse the long email.  Perhaps I'm too eager.
 lol  :-)

 -Joshua.

 BACKGROUND INFO FOLLOWS

 Here are the details of my install, which is my fourth IPA install, so far.
  As a side note, however, I've not been able to get the NIS mode working,
 yet.


   - 2 nearly identical KVM's to test this. (1 for server and 1 for NIS
   client)
   - x86_64
   - ext4 over LVM over qcow2 over NFSv3
   - using virtio
   - Scientific Linux 6.2 minimal install from GUI of Install DVD
   - all available yum updates applied
   - iptables off
   - ipv4 only
   - added self FQDN to both /etc/hosts files
   - NetworkManager off in favor of network
   - static public IP's
   - Used the following commands to install my IPA server:

 # yum -y install \
ipa-server \
bind \
bind-dyndb-ldap

 # ipa-server-install \
  -a 'admin_pass_example' \
  --hostname=ipa.example.com \
  -p 'dir_man_password_example' \
  -n exampledom.com \
  -r EXAMPLE.COM \
  --setup-dns \
  --forwarder=192.168.2.10 \
  --forwarder=192.168.1.20


   - After a reboot, logging in with Firefox works well... kinit works well
   after I create an initial user in the UI... Everything is cool..even
   enrolling other machine with the ipa-client-install tool works well.. No
   other changes were made inside the UI
   - Here are the commands I ran on the server outside the UI, per
   instructions (here:

 http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html
   )


 [root@ipa ~]# ipa-compat-manage enable
 Directory Manager password:

 Plugin already Enabled
 [root@ipa ~]# rpcinfo
   program version netid      address      service    owner
104tcp6  ::.0.111   portmapper superuser
103tcp6  ::.0.111   portmapper superuser
104udp6  ::.0.111   portmapper superuser
103udp6  ::.0.111   portmapper superuser
104