[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-04-07 Thread Robert Kudyba via FreeIPA-users
> > I configured the following in krb5.conf and now at least get prompted > > for a password and kinit works!: > > [libdefaults] > > dns_lookup_kdc = no > > dns_lookup_realm = no > > > > klist > > Ticket cache: API:krb5cc > > Default principal: ouru...@ourdomain.edu

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-19 Thread Rob Crittenden via FreeIPA-users
Robert Kudyba via FreeIPA-users wrote: > On Wed, Mar 17, 2021 at 9:27 AM Rob Crittenden > wrote: > > Robert Kudyba via FreeIPA-users wrote: > > > > > > On Tue, Mar 16, 2021 at 3:40 PM Rob Crittenden > mailto:rcrit...@redhat.com> > >

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-18 Thread Robert Kudyba via FreeIPA-users
On Wed, Mar 17, 2021 at 9:27 AM Rob Crittenden wrote: > Robert Kudyba via FreeIPA-users wrote: > > > > > > On Tue, Mar 16, 2021 at 3:40 PM Rob Crittenden > > wrote: > > > > > It depends on what the expectations are for these user-owned > > machines. > >

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-17 Thread Rob Crittenden via FreeIPA-users
Robert Kudyba via FreeIPA-users wrote: > > > On Tue, Mar 16, 2021 at 3:40 PM Rob Crittenden > wrote: > > >     It depends on what the expectations are for these user-owned > machines. > > > > > > Only expectation is to be able to log in to a

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-16 Thread Robert Kudyba via FreeIPA-users
On Tue, Mar 16, 2021 at 3:40 PM Rob Crittenden wrote: > > It depends on what the expectations are for these user-owned > machines. > > > > > > Only expectation is to be able to log in to a server, get access to > > their home directory and be able to do their assignments, e.g., C++, > > Java

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-16 Thread Rob Crittenden via FreeIPA-users
Robert Kudyba wrote: > > > On Mon, Mar 15, 2021 at 4:31 PM Rob Crittenden > wrote: > > Robert Kudyba wrote: > > I'd like to provide an update. I can get ssh -k to work but here's > what > > I had to do: > > 1. I had to run ipa-client-install on

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-16 Thread Robert Kudyba via FreeIPA-users
On Mon, Mar 15, 2021 at 4:31 PM Rob Crittenden wrote: > Robert Kudyba wrote: > > I'd like to provide an update. I can get ssh -k to work but here's what > > I had to do: > > 1. I had to run ipa-client-install on another server/computer > > 2. I ran kinit ouru...@ourdomain.edu

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-15 Thread Rob Crittenden via FreeIPA-users
Robert Kudyba wrote: > I'd like to provide an update. I can get ssh -k to work but here's what > I had to do: > 1. I had to run ipa-client-install on another server/computer > 2. I ran kinit ouru...@ourdomain.edu > 3. I could then run ssh -k ouru...@ourdomain.edu >

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-15 Thread Robert Kudyba via FreeIPA-users
I'd like to provide an update. I can get ssh -k to work but here's what I had to do:
1. I had to run ipa-client-install on another server/computer
2. I ran kinit ouru...@ourdomain.edu
3. I could then run ssh -k ouru...@ourdomain.edu and automatically logged in without needing to enter a password.

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-11 Thread Robert Kudyba via FreeIPA-users
Still seeing: preauth (spake) verify failure: Preauthentication failed kvno ldap/ourdomain kvno = 2 kvno http/ourdomain kvno = 1 klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal -- 2

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-11 Thread Robert Kudyba via FreeIPA-users
> > > > Keytab successfully retrieved and stored in: /tmp/client.keytab > > > > This is why SSSD isn't working. SSSD uses the host keytab in > > /etc/krb5.keytab and you invalidated it with the above command. > > > > > > OK what do I need to do to fix this? I got this > > from >

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-11 Thread Rob Crittenden via FreeIPA-users
Robert Kudyba wrote: > > > On Thu, Mar 11, 2021 at 2:31 PM Rob Crittenden > wrote: > > Robert Kudyba via FreeIPA-users wrote: > I believe we've made some progress but not quite there yet. Just to > recap, any NEW user created via CLI or GUI can connect

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-11 Thread Robert Kudyba via FreeIPA-users
On Thu, Mar 11, 2021 at 2:31 PM Rob Crittenden wrote: > Robert Kudyba via FreeIPA-users wrote: > I believe we've made some progress but not quite there yet. Just to recap, > any NEW user created via CLI or GUI can connect via ssh. All imported NIS > users can only log in with their NIS password.

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-11 Thread Rob Crittenden via FreeIPA-users
Robert Kudyba via FreeIPA-users wrote: > I believe we've made some progress but not quite there yet. Just to > recap, any NEW user created via CLI or GUI can connect via ssh. All > imported NIS users can only log in with their NIS password. I change the > user's password in the UI and check the

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-11 Thread Robert Kudyba via FreeIPA-users
I believe we've made some progress but not quite there yet. Just to recap, any NEW user created via CLI or GUI can connect via ssh. All imported NIS users can only log in with their NIS password. I change the user's password in the UI and check the Password checkbox in User authentication type and

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-03 Thread Robert Kudyba via FreeIPA-users
> > have you enabled the migration mode with > > ipa config-mod --enable-migration=True > I've tried it with True and False. At what point should this be changed to False? > With this authentication with SSSD should fall back to LDAP > authentication if the Kerberos keys are not available

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-03-03 Thread Sumit Bose via FreeIPA-users
On Wed, Feb 17, 2021 at 10:58:54AM -0500, Robert Kudyba via FreeIPA-users wrote: > > > > that's odd, can you check with ps if nscd is running? > > > It is not. > > > > Does /var/run/nscd/socket exist? > > > > Yes it does, I then deleted it. > > > > > (2021-02-16 15:06:30):

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-02-17 Thread Robert Kudyba via FreeIPA-users
> > that's odd, can you check with ps if nscd is running? It is not. > Does /var/run/nscd/socket exist? > Yes it does, I then deleted it. > > (2021-02-16 15:06:30): [be[ourdomain.edu]] [setup_tls_config] (0x0020): > > Unknown value for tls_reqcert 'never (or allow'. > > Can you check your

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-02-16 Thread Sumit Bose via FreeIPA-users
On Tue, Feb 16, 2021 at 03:36:59PM -0500, Robert Kudyba via FreeIPA-users wrote: > On one of the test servers sssd fails to start correctly. Here are the > errors and their respective logs, with debug enabled. > freeipa-server-4.9.1-1.fc33.x86_64 > > systemctl status sssd --no-pager -l > *

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-02-16 Thread Robert Kudyba via FreeIPA-users
On one of the test servers sssd fails to start correctly. Here are the errors and their respective logs, with debug enabled. freeipa-server-4.9.1-1.fc33.x86_64 systemctl status sssd --no-pager -l * sssd.service - System Security Services Daemon Loaded: loaded

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-02-11 Thread Robert Kudyba via FreeIPA-users
> > What is ourserver.edu? In order to log in using Kerberos/GSSAPI then the > machine acting as the server needs to be enrolled as an IPA client so it > has a keytab. > rob OK I added a Fedora server as a client. From ipa host-show client.ourserver.edu Host name: client.ourserver.edu

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-02-11 Thread Sumit Bose via FreeIPA-users
On Wed, Feb 10, 2021 at 03:09:37PM -0500, Robert Kudyba via FreeIPA-users wrote: > I tried this on another test server, and configured NIS for the users, > which are different. Same issue. All the verbose output adds a lot of log > noise but I'm hoping it provides a clue. > > ipactl status >

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-02-10 Thread Rob Crittenden via FreeIPA-users
Robert Kudyba via FreeIPA-users wrote: > I tried this on another test server, and configured NIS for the users, > which are different. Same issue. All the verbose output adds a lot of > log noise but I'm hoping it provides a clue. > > ipactl status > Directory Service: RUNNING > krb5kdc Service:

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-02-10 Thread Robert Kudyba via FreeIPA-users
I tried this on another test server, and configured NIS for the users, which are different. Same issue. All the verbose output adds a lot of log noise but I'm hoping it provides a clue. ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service:

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-02-09 Thread Robert Kudyba via FreeIPA-users
On Tue, Feb 9, 2021 at 12:20 PM Sumit Bose via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On Tue, Feb 09, 2021 at 11:33:15AM -0500, Robert Kudyba via FreeIPA-users > wrote: > > > > > > looks like sshd is trying to read /home/ouruser/.ssh/authorized_keys > and > > > is stuck.

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-02-09 Thread Sumit Bose via FreeIPA-users
On Tue, Feb 09, 2021 at 11:33:15AM -0500, Robert Kudyba via FreeIPA-users wrote: > > > > looks like sshd is trying to read /home/ouruser/.ssh/authorized_keys and > > is stuck. Can you read this file from the command line? Is it e.g. on > > NFS which might not be properly mounted? > > > > Does it

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-02-09 Thread Robert Kudyba via FreeIPA-users
> > looks like sshd is trying to read /home/ouruser/.ssh/authorized_keys and > is stuck. Can you read this file from the command line? Is it e.g. on > NFS which might not be properly mounted? > > Does it work if you skip pubkey authentication > > ssh -o PubkeyAuthentication=no -vv -k

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

2021-02-08 Thread Sumit Bose via FreeIPA-users
On Mon, Feb 08, 2021 at 04:42:31PM -0500, Robert Kudyba via FreeIPA-users wrote: > We have freeipa-server-4.8.10-6.fc33 running on top of NIS and I'm trying > to determine why ssh -k from any client is hanging and not even connecting. > Does sssd need to be configured as in this 2013 training