Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

2015-02-27 Thread nathan
 root is not an ipa managed user so it is purely your pam configuration.
 I thought we were trying to figure out why your ipa users are not
 handled properly.


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project


I would like to thank you guys for your help in troubleshooting this.  I
managed to fix the issue.  We had a custom jumpstart file creating our
Solaris images and it made some configuration changes that broke the
pam/kerberos interaction.  I still don't know what exactly was the cause,
but I re-installed on a Fresh Solaris 10 8/11 image and was able to get an
ipa user to log in.

For reference, here are the complete steps I had to take from installation
of the machine to get it working.  Hopefully someone else finds this
useful or you can add it to your docs.

These instructions assume a minimal console-only Solaris install, so we have
to add some packages first.

#pkgadd -d . SUNWbash
#pkgadd -d . SUNWuiu8
#pkgadd -d . SUNWwgetr
#pkgadd -d . SUNWwgetu
#pkgadd -d . SUNWbind
#pkgadd -d . SUNWntpr
#pkgadd -d . SUNWntpu
#pkgadd -d . SUNWman
#pkgadd -d . SUNWdoc
#pkgadd -d . SUNWtexi
#pkgadd -d . SUNWsfdoc
#pkgadd -d . SUNWsfman
#pkgadd -d . SUNWsfinf
#pkgadd -d . SUNWgcmn
#pkgadd -d . SUNWsshcu
#pkgadd -d . SUNWsshdr
#pkgadd -d . SUNWsshdu
#pkgadd -d . SUNWsshr
#pkgadd -d . SUNWsshu

Fix IP Setup
#rm /etc/dhcp.e1000g0
#chmod u+w /etc/hosts
#echo 10.21.19.17 ipaclient6-sandbox-atdev-van.ipadomain.net ipaclient6-sandbox-atdev-van loghost >> /etc/hosts
#echo 10.21.19.17 netmask 255.255.0.0 > /etc/hostname.e1000g0
#echo ipaclient6-sandbox-atdev-van.ipadomain.net > /etc/nodename
#echo ipadomain.net > /etc/defaultdomain
#echo 10.21.0.1 > /etc/defaultrouter

DNS Configuration

This DNS configuration needs to be done no matter whether you used
jumpstart or not.
#vi /etc/resolv.conf
Remove all existing lines and set the following values
domain ipadomain.net
nameserver 10.21.19.20

Reboot to get the updated hostname and domainname and ip settings
#reboot
Enable SSH daemon
#/lib/svc/method/sshd -c
#svcadm enable ssh

NSSwitch Configuration
edit /etc/nsswitch.conf and make sure the following lines are set
passwd: files ldap
group: files ldap
hosts: dns files

Edit /etc/nsswitch.ldap and make sure the same lines are set
passwd: files ldap
group: files ldap
hosts: dns files

Configure Client

edit /etc/krb5/krb5.conf and set the following values
--- snip ---
[libdefaults]
default_realm = IPADOMAIN.NET
dns_lookup_kdc = true

[realms]
IPADOMAIN.NET = {
kdc = ipadc1.ipadomain.net
admin_server = ipadc1.ipadomain.net
}

[domain_realm]
.ipadomain.net = IPADOMAIN.NET
ipadomain.net = IPADOMAIN.NET


[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

period = 1d


# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
version = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
--- snip ---

First, synchronize the date on the Solaris client
bash-3.00# ntpdate ipadc1.ipadomain.net

On the Solaris machine setup the ldap configuration
# ldapclient -v init -a domainName=ipadomain.net ipadc1.ipadomain.net

On the freeIPA domain controller, enroll the host
[root@ipadc1 ~]# ipa host-add --force --ip-address=10.21.19.17
ipaclient6-sandbox-atdev-van.ipadomain.net

On the IPA server, get the keytab and copy it to the Solaris machine
#rm /tmp/solaris.keytab
[root@ipadc1 tmp]# ipa-getkeytab -s ipadc1 -p
host/ipaclient6-sandbox-atdev-van.ipadomain.net -k /tmp/solaris.keytab
[root@ipadc1 tmp]# scp solaris.keytab root@10.21.19.17:/etc/krb5/krb5.keytab

After all this, I was able to login to my Solaris machine using one of my
ipa user accounts


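
Added example (editorial; not from the thread and not FreeIPA code). The keytab scp'd to /etc/krb5/krb5.keytab in the last step is the host's long-term Kerberos credential, so it is worth verifying on the Solaris side that the file holds exactly the expected host principal at one kvno and is root-only (0600). Note that ipa-getkeytab generates a fresh key each time it is run, which invalidates any keytab previously retrieved for that principal; the kvno in the file tells you which generation you are holding. The MIT keytab format (version 0x0502) is simple enough to read directly. The script below builds a small keytab in memory as a constructed sample (the host name and realm are the ones from the thread; the key bytes are made up), parses it back, and checks it; check_keytab_mode() is the file-permission check for a real path.

```python
import os
import stat
import struct

# MIT keytab file format, version 0x0502: big-endian, one length-prefixed record per key.
KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1

def _counted(b: bytes) -> bytes:
    """Counted octet string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key, timestamp) tuples as a keytab.
    Only used here to construct sample input; a real file comes from ipa-getkeytab."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)            # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data: bytes):
    """Return [{principal, kvno, enctype, timestamp}, ...] without exposing key bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                               # deleted entry: a hole of -size bytes
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                            # skip the key material itself
        kvno = vno8
        if end - pos >= 4:                         # optional 32-bit vno wins when nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "timestamp": ts})
    return entries

def check_host_keytab(data: bytes, fqdn: str, realm: str):
    """Findings for a client keytab: the host principal must be present, nothing else
    should be, and all of its keys should share one kvno."""
    expected = f"host/{fqdn}@{realm}"
    entries = parse_keytab(data)
    principals = {e["principal"] for e in entries}
    findings = []
    if expected not in principals:
        findings.append(f"missing {expected}")
    for p in sorted(principals - {expected}):
        findings.append(f"unexpected principal {p}")
    kvnos = {e["kvno"] for e in entries if e["principal"] == expected}
    if len(kvnos) > 1:
        findings.append(f"mixed kvnos {sorted(kvnos)} for {expected}; ipa-getkeytab rotates the key")
    return findings

def check_keytab_mode(path: str):
    """The keytab is the host's credential: it should be root-owned and mode 0600."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0:
        findings.append("not owned by root")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append("readable or writable by group/other")
    return findings

# Constructed sample (not the thread's keytab): the host principal with two enctypes.
SAMPLE_FQDN = "ipaclient6-sandbox-atdev-van.ipadomain.net"
SAMPLE_REALM = "IPADOMAIN.NET"
SAMPLE_KEYTAB = build_keytab([
    (f"host/{SAMPLE_FQDN}@{SAMPLE_REALM}", 2, 18, b"\x11" * 32, 1424995200),  # aes256-cts-hmac-sha1-96
    (f"host/{SAMPLE_FQDN}@{SAMPLE_REALM}", 2, 17, b"\x22" * 16, 1424995200),  # aes128-cts-hmac-sha1-96
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e)
    print(check_host_keytab(SAMPLE_KEYTAB, SAMPLE_FQDN, SAMPLE_REALM) or "keytab OK")
```

On the Solaris host you would read /etc/krb5/krb5.keytab with open(path, "rb") and pass the bytes to check_host_keytab() together with the FQDN from /etc/nodename and the realm from krb5.conf, then run check_keytab_mode() on the same path.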


Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

2015-02-26 Thread Dmitri Pal

On 02/26/2015 01:15 PM, nat...@nathanpeters.com wrote:

On 02/25/2015 04:37 PM, nat...@nathanpeters.com wrote:

It does not seem to recognize the user in the second attempt but the
first attempt seems to authenticate and then disconnect.
I do not see trace from accounting session but I suspect that your pam
stack does not authorize authenticated user.
Try to allow all authenticated users first. This will prove that it is
a
pam stack accounting phase configuration issue.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



How do I allow all authenticated users?  In the freeIPA domain I have a
rule 'allow_all' that allows any user to connect to any system on any
service.  This is working fine for linux clients.

I assume you mean to do it on the Solaris machine?  I don't have any
users
specifically blocked, ie, there is nothing in my sshd_config file that
is
limiting the users and groups that can login.  Eg, I've got no
'AllowUsers' lines or anything like that.  I've even got PermitRootLogin
set to yes and have tested that root can login.





other   account required    pam_permit.so

and comment other pam modules in the section:

# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite   pam_roles.so.1 debug
other   account required    pam_unix_account.so.1 debug
#other   account sufficient  pam_ldap.so.1
other   account required    pam_krb5.so.1 debug


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



pam_permit does not exist in Solaris 10 so I cannot use that to test.  The
only way I could break down where the error is happening is to restore to
a completely default pam.conf and add the krb5.so entries 1 at a time.

The first entry was added fine in the login section although I noted that
the 'try_first_pass' option also does not exist in Solaris, so not sure
why the guide for Solaris is saying to use that:
login   auth sufficient pam_krb5.so.1

The following entry is what broke the system :
other   auth sufficient pam_krb5.so.1

I placed it in the same place as in the guide (under unix_cred and before
unix_auth).  So we know its the auth thats failing, not the account?

Here is how it broke : root can no longer login through ssh.

I compared the log entries for logins before and after the auth change and
they are identical up to about line 127.

I noticed that the login that failed threw a strange krb5
pam_no_module_data error before disconnecting the ssh client.

Here are the 2 logs for reference:

unsuccessful root login
---
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1):
/usr/lib/security/pam_authtok_get.so.1 returned Ignore module
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
455340 auth.debug] PAM[494]: pam_get_item(812bf10:user)=root
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
455340 auth.debug] PAM[494]: pam_get_item(812bf10:authtok)=
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
455340 auth.debug] PAM[494]: pam_get_item(812bf10:repository)=NULL
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1):
/usr/lib/security/pam_dhkeys.so.1 returned Ignore module
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1):
/usr/lib/security/pam_unix_cred.so.1 returned Ignore module
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
455340 auth.debug] PAM[494]: pam_get_item(812bf10:user)=root
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
395087 auth.debug] PAM[494]:
pam_get_data(812bf10:SUNW-KRB5-AUTH-DATA)=PAM_NO_MODULE_DATA
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
140038 auth.debug] PAM[494]:
pam_set_data(812bf10:SUNW-KRB5-AUTH-DATA:2)=812cc20
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
455340 auth.debug] PAM[494]: pam_get_item(812bf10:repository)=NULL
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
455340 auth.debug] PAM[494]: pam_get_item(812bf10:authtok)=


successful root login
-
Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
806026 auth.debug] PAM[482]: pam_authenticate(812e218, 1):
/usr/lib/security/pam_authtok_get.so.1 returned Ignore 

Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

2015-02-26 Thread nathan
 On 02/25/2015 04:37 PM, nat...@nathanpeters.com wrote:
 It does not seem to recognize the user in the second attempt but the
 first attempt seems to authenticate and then disconnect.
 I do not see trace from accounting session but I suspect that your pam
 stack does not authorize authenticated user.
 Try to allow all authenticated users first. This will prove that it is
 a
 pam stack accounting phase configuration issue.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 How do I allow all authenticated users?  In the freeIPA domain I have a
 rule 'allow_all' that allows any user to connect to any system on any
 service.  This is working fine for linux clients.

 I assume you mean to do it on the Solaris machine?  I don't have any
 users
 specifically blocked, ie, there is nothing in my sshd_config file that
 is
 limiting the users and groups that can login.  Eg, I've got no
 'AllowUsers' lines or anything like that.  I've even got PermitRootLogin
 set to yes and have tested that root can login.





 other   account required    pam_permit.so

 and comment other pam modules in the section:

 # Default definition for Account management
 # Used when service name is not explicitly mentioned for account management
 #
 other   account requisite   pam_roles.so.1 debug
 other   account required    pam_unix_account.so.1 debug
 #other   account sufficient  pam_ldap.so.1
 other   account required    pam_krb5.so.1 debug


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



pam_permit does not exist in Solaris 10 so I cannot use that to test.  The
only way I could break down where the error is happening is to restore to
a completely default pam.conf and add the krb5.so entries 1 at a time.

The first entry was added fine in the login section although I noted that
the 'try_first_pass' option also does not exist in Solaris, so not sure
why the guide for Solaris is saying to use that:
login   auth sufficient pam_krb5.so.1

The following entry is what broke the system :
other   auth sufficient pam_krb5.so.1

I placed it in the same place as in the guide (under unix_cred and before
unix_auth).  So we know its the auth thats failing, not the account?

Here is how it broke : root can no longer login through ssh.

I compared the log entries for logins before and after the auth change and
they are identical up to about line 127.

I noticed that the login that failed threw a strange krb5
pam_no_module_data error before disconnecting the ssh client.

Here are the 2 logs for reference:

unsuccessful root login
---
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1):
/usr/lib/security/pam_authtok_get.so.1 returned Ignore module
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
455340 auth.debug] PAM[494]: pam_get_item(812bf10:user)=root
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
455340 auth.debug] PAM[494]: pam_get_item(812bf10:authtok)=
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
455340 auth.debug] PAM[494]: pam_get_item(812bf10:repository)=NULL
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1):
/usr/lib/security/pam_dhkeys.so.1 returned Ignore module
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1):
/usr/lib/security/pam_unix_cred.so.1 returned Ignore module
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
455340 auth.debug] PAM[494]: pam_get_item(812bf10:user)=root
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
395087 auth.debug] PAM[494]:
pam_get_data(812bf10:SUNW-KRB5-AUTH-DATA)=PAM_NO_MODULE_DATA
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
140038 auth.debug] PAM[494]:
pam_set_data(812bf10:SUNW-KRB5-AUTH-DATA:2)=812cc20
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
455340 auth.debug] PAM[494]: pam_get_item(812bf10:repository)=NULL
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
455340 auth.debug] PAM[494]: pam_get_item(812bf10:authtok)=


successful root login
-
Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
806026 auth.debug] PAM[482]: pam_authenticate(812e218, 1):
/usr/lib/security/pam_authtok_get.so.1 returned Ignore module
Feb 26 
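
Added example (editorial; not from the thread and not FreeIPA code). Comparing two PAM debug traces by eye, as done above, gets tedious once /etc/pam_debug is on, so here is a small parser for the Solaris PAM framework lines shown in this thread: it groups lines by pid, records each module verdict ("returned Success", "returned Ignore module", and so on), the pam.conf entries the framework reports, pam_get_item values and module-data calls, and then says per session which modules failed and whether the trace stops with a module still in the middle of its work. One point it makes explicit: pam_get_data() returning PAM_NO_MODULE_DATA only means nothing had been stored under that name yet, which is why the very next line is the pam_set_data() that creates it. The sample log is constructed from the pid 494 lines quoted above, re-joined onto single lines, plus one pam.conf-entry line and one sshd line for pid 938; the host name is shortened to "client".

```python
import re
from collections import OrderedDict

# Solaris PAM framework debug output (syslog auth.debug once /etc/pam_debug exists).
# The patterns below apply to the text after the "PAM[pid]: " prefix.
PREFIX = re.compile(r"PAM\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RETURNED = re.compile(r"^(?P<func>pam_\w+)\([^)]*\): (?P<module>\S+) returned (?P<result>.+)$")
CONF_ENTRY = re.compile(r"^pam\.conf entry:\s*(?P<service>\S+)\s+(?P<type>\S+)\s+(?P<ctrl>\S+)\s+(?P<module>\S+)")
GET_ITEM = re.compile(r"^pam_get_item\([0-9a-f]+:(?P<item>\w+)\)=(?P<value>.*)$")
MODULE_DATA = re.compile(r"^(?P<func>pam_[gs]et_data)\([0-9a-f]+:(?P<name>[^:)]+)(?::\d+)?\)=(?P<value>.*)$")

def parse_pam_log(lines):
    """Group PAM framework lines by pid. Each session holds the user and an ordered list of
    (kind, name, value) events; sshd's own debug1 lines are skipped."""
    sessions = OrderedDict()
    for line in lines:
        m = PREFIX.search(line)
        if not m:
            continue
        sess = sessions.setdefault(m.group("pid"), {"user": None, "events": []})
        msg = m.group("msg")
        if (r := RETURNED.match(msg)):
            module = r.group("module").rsplit("/", 1)[-1]          # drop /usr/lib/security/
            sess["events"].append(("returned", module, r.group("result")))
        elif (c := CONF_ENTRY.match(msg)):
            stack = f'{c.group("service")} {c.group("type")} {c.group("ctrl")}'
            sess["events"].append(("entry", c.group("module"), stack))
        elif (g := GET_ITEM.match(msg)):
            if g.group("item") == "user" and g.group("value"):
                sess["user"] = g.group("value")
            sess["events"].append(("item", g.group("item"), g.group("value")))
        elif (d := MODULE_DATA.match(msg)):
            sess["events"].append((d.group("func"), d.group("name"), d.group("value")))
    return sessions

def summarize(session):
    """Per-session view a troubleshooter wants: every module verdict, which modules failed,
    and whether the trace ends with a module still running (no final verdict logged)."""
    results = [(name, value) for kind, name, value in session["events"] if kind == "returned"]
    tail = []                                   # events after the last module verdict
    for ev in session["events"]:
        tail = [] if ev[0] == "returned" else tail + [ev]
    # pam_get_data returning PAM_NO_MODULE_DATA only says nothing was stored under that
    # name yet; a module's first call normally looks it up and then stores it with pam_set_data.
    first_touch = [n for k, n, v in tail if k == "pam_get_data" and v == "PAM_NO_MODULE_DATA"]
    return {
        "user": session["user"],
        "results": results,
        "failed": [m for m, r in results if r not in ("Success", "Ignore module")],
        "in_progress": bool(tail),
        "module_data_first_touch": first_touch,
        "empty_authtok": any(k == "item" and n == "authtok" and v == "" for k, n, v in tail),
    }

# Constructed sample: the pid 494 lines from the "unsuccessful root login" trace above,
# re-joined onto single lines, plus one pam.conf-entry line and one sshd line for pid 938.
SAMPLE_LOG = """\
Feb 25 22:53:05 client sshd[938]: [ID 800047 auth.debug] debug1: PAM: initializing for ipauser1
Feb 25 22:53:05 client sshd[938]: [ID 102344 auth.debug] PAM[938]: pam.conf entry:login   auth requisite  pam_authtok_get.so.1
Feb 26 17:51:57 client sshd[494]: [ID 872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1): /usr/lib/security/pam_authtok_get.so.1 returned Ignore module
Feb 26 17:51:57 client sshd[494]: [ID 455340 auth.debug] PAM[494]: pam_get_item(812bf10:user)=root
Feb 26 17:51:57 client sshd[494]: [ID 455340 auth.debug] PAM[494]: pam_get_item(812bf10:authtok)=
Feb 26 17:51:57 client sshd[494]: [ID 455340 auth.debug] PAM[494]: pam_get_item(812bf10:repository)=NULL
Feb 26 17:51:57 client sshd[494]: [ID 872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1): /usr/lib/security/pam_dhkeys.so.1 returned Ignore module
Feb 26 17:51:57 client sshd[494]: [ID 872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1): /usr/lib/security/pam_unix_cred.so.1 returned Ignore module
Feb 26 17:51:57 client sshd[494]: [ID 455340 auth.debug] PAM[494]: pam_get_item(812bf10:user)=root
Feb 26 17:51:57 client sshd[494]: [ID 395087 auth.debug] PAM[494]: pam_get_data(812bf10:SUNW-KRB5-AUTH-DATA)=PAM_NO_MODULE_DATA
Feb 26 17:51:57 client sshd[494]: [ID 140038 auth.debug] PAM[494]: pam_set_data(812bf10:SUNW-KRB5-AUTH-DATA:2)=812cc20
Feb 26 17:51:57 client sshd[494]: [ID 455340 auth.debug] PAM[494]: pam_get_item(812bf10:repository)=NULL
Feb 26 17:51:57 client sshd[494]: [ID 455340 auth.debug] PAM[494]: pam_get_item(812bf10:authtok)=
""".splitlines()

if __name__ == "__main__":
    for pid, sess in parse_pam_log(SAMPLE_LOG).items():
        print(pid, summarize(sess))
```

Run it against /var/log/pam_log (the file the syslog.conf line in this thread creates) with open(path) in place of SAMPLE_LOG; a session whose summary shows in_progress with an empty authtok after the last verdict is one where the trace stopped before the module in control ever reported back.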

Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

2015-02-26 Thread Nathan Peters
Yes, we are trying to figure out why IPA users are not being handled 
properly however

given that :
1. the method you suggested to troubleshoot my Solaris 10 system, adding 
pam_permit.so to the stack, will never work because Solaris does not include 
pam_permit.so.

so therefore
2. I had to come up with some different way to troubleshoot how or why 
FreeIPA authorization is failing.

so therefore
3. Lacking the module you suggested, I chose an alternative approach : put 
the pam configuration to a default and prove that no logins were broken

and once the basic pam configuration was proven then I had to :
4. I added the freeIPA components (kerberos) until something broke.  In this 
case, the ipa users were never able to login, so stating that adding 
kerberos broke the whole pam stack so that not even a regular user could 
login should have been a useful troubleshooting step.


So... perhaps you could answer one of 2 things
1. how do I troubleshoot a Solaris system without pam_permit.so?
and
2. why would adding kerberos in the exact way that the manual stated break 
my whole pam stack so that both regular users and freeipa users could not 
login?


-Original Message- 
From: Dmitri Pal

Sent: Thursday, February 26, 2015 2:12 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [Solaris 10] Cannot login through console or 
ssh with ipa users

root is not an ipa managed user so it is purely your pam configuration.
I thought we were trying to figure out why your ipa users are not
handled properly.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.





Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

2015-02-26 Thread Rob Crittenden
Nathan Peters wrote:
 Yes, we are trying to figure out why IPA users are not being handled
 properly however
 given that :
 1. the method you suggested to troubleshoot my Solaris 10 system, adding
 pam_permit.so to the stack, will never work because Solaris does not
 include pam_permit.so.
 so therefore
 2. I had to come up with some different way to troubleshoot how or why
 FreeIPA authorization is failing.
 so therefore
 3. Lacking the module you suggested, I chose an alternative approach :
 put the pam configuration to a default and prove that no logins were broken
 and once the basic pam configuration was proven then I had to :
 4. I added the freeIPA components (kerberos) until something broke.  In
 this case, the ipa users were never able to login, so stating that
 adding kerberos broke the whole pam stack so that not even a regular
 user could login should have been a useful troubleshooting step.
 
 So... perhaps you could answer one of 2 things
 1. how do I troubleshoot a Solaris system without pam_permit.so?
 and
 2. why would adding kerberos in the exact way that the manual stated
 break my whole pam stack so that both regular users and freeipa users
 could not login?

We don't have any in-house Solaris (or AIX or HP/ux for that matter)
expertise which is why we no longer provide detailed documentation on
how to configure non-Linux clients (what you found are really, really
old). It's a no-win for us because we can't keep the docs updated,
tested, etc. so they atrophy and generally just make people mad. On at
least some of the pages there is a big fat warning (e.g.
http://www.freeipa.org/page/FreeIPAv1:ConfiguringSolarisClients).

From the Solaris perspective this is just Kerberos authentication. The
OS docs should provide the necessary details. This looks like a good
place to start:
http://docs.oracle.com/cd/E23824_01/html/821-1456/setup-148.html#setup-341
(though it's Solaris 11, not 10).

This is a blog I found on configuring Solaris 10 against an AD server
which is a reasonable parallel:
http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/

Here is something contributed by another IPA user, again for Solaris 11:
https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html

rob



Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

2015-02-25 Thread Dmitri Pal

On 02/25/2015 02:58 PM, nat...@nathanpeters.com wrote:

I am having trouble logging in with an IPA user on Solaris 10.  The
machine is able to correctly initialize tickets using kinit.  The issue
appears to be PAM related.  I am using FreeIPA 4.1.3.

I have tried to follow the instructions here as best I can :
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

Here is my kinit and klist tests

$ kinit ipauser1
Password for ipaus...@ipadomain.net:
[07:45 PM] ipaclient5-sandbox-atdev-van:/var/log$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ipaus...@ipadomain.net

Valid starting     Expires            Service principal
02/25/15 19:45:10  02/26/15 19:45:10  krbtgt/ipadomain@ipadomain.net
 renew until 03/04/15 19:45:10

Here is the last 2 lines of the output of getent passwd showing my ipa
admin and user
-
admin:x:37520:37520:Administrator:/home/admin:/bin/bash
ipauser1:x:37526:37526:ipa user1:/home/ipauser1:/bin/bash


However, this is what happens when I try to login as 'ipauser1'.  On the
console I am prompted with 'Password:' I enter the valid password, and
suddenly Putty pops up a window 'Server unexpectedly closed network
connection'.  If I try to login as ipaus...@ipadomain.net it still fails,
but in a different way.  The putty window stays open and I get an 'Access
denied' message and am prompted for the password again:

Logs with 'ipauser1'

Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.info] Connection from 10.5.5.57 port 57607 on 10.21.19.16 port
22
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: Client protocol version 2.0; client software
version PuTTY_Release_0.63
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: no match: PuTTY_Release_0.63
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: Local version string SSH-2.0-OpenSSH_6.6
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: permanently_set_uid: 100/65534 [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: list_hostkey_types:
ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: kex: client->server aes256-ctr hmac-sha2-256
none [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: kex: server->client aes256-ctr hmac-sha2-256
none [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
[preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
800047 auth.debug] debug1: server_input_channel_req: channel 0 request
win...@putty.projects.tartarus.org reply 1
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
800047 auth.debug] debug1: session_by_channel: session 0 channel 0
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
800047 auth.debug] debug1: session_input_channel_req: session 0 req
win...@putty.projects.tartarus.org
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: KEX done [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: 

Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

2015-02-25 Thread nathan
 It does not seem to recognize the user in the second attempt but the
 first attempt seems to authenticate and then disconnect.
 I do not see trace from accounting session but I suspect that your pam
 stack does not authorize authenticated user.
 Try to allow all authenticated users first. This will prove that it is a
 pam stack accounting phase configuration issue.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



How do I allow all authenticated users?  In the freeIPA domain I have a
rule 'allow_all' that allows any user to connect to any system on any
service.  This is working fine for linux clients.

I assume you mean to do it on the Solaris machine?  I don't have any users
specifically blocked, ie, there is nothing in my sshd_config file that is
limiting the users and groups that can login.  Eg, I've got no
'AllowUsers' lines or anything like that.  I've even got PermitRootLogin
set to yes and have tested that root can login.






Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

2015-02-25 Thread nathan
 It does not seem to recognize the user in the second attempt but the
 first attempt seems to authenticate and then disconnect.
 I do not see trace from accounting session but I suspect that your pam
 stack does not authorize authenticated user.
 Try to allow all authenticated users first. This will prove that it is a
 pam stack accounting phase configuration issue.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



I'm not sure how to enable a trace for an accounting session.

Here is what I've done to enable debugging so far :
add the following line to /etc/syslog.conf
*.debug /var/log/pam_log
svcadm restart system-log
touch /etc/pam_debug
echo debug_flags=65535 > /etc/pam_debug

I have a little more debugging info now than before, but it still stops at
the krb5 line.  See below for more detailed log.


Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: Client protocol version 2.0; client software
version PuTTY_Release_0.63
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: no match: PuTTY_Release_0.63
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: Local version string SSH-2.0-OpenSSH_6.6
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: permanently_set_uid: 100/65534 [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: list_hostkey_types:
ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: kex: client->server aes256-ctr hmac-sha2-256
none [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: kex: server->client aes256-ctr hmac-sha2-256
none [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
[preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: KEX done [preauth]
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: userauth-request for user ipauser1 service
ssh-connection method none [preauth]
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: attempt 0 failures 0 [preauth]
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
800047 auth.debug] debug1: PAM: initializing for ipauser1
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
489767 auth.debug] PAM[938]: pam_start(sshd,ipauser1,811c170:812b8e0) -
debug = 
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
984622 auth.debug] PAM[938]: pam_set_item(812b8e0:service)=sshd
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
984622 auth.debug] PAM[938]: pam_set_item(812b8e0:user)=ipauser1
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
984619 auth.debug] PAM[938]: pam_set_item(812b8e0:conv)=8086ff8
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
960046 auth.debug] PAM[938]: pam_get_item(812b8e0:service)=sshd
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID
102344 auth.debug] PAM[938]: pam.conf entry:login   auth requisite
 pam_authtok_get.so.1
Feb 25 22:53:05 

Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

2015-02-25 Thread Dmitri Pal

On 02/25/2015 04:37 PM, nat...@nathanpeters.com wrote:

It does not seem to recognize the user in the second attempt but the
first attempt seems to authenticate and then disconnect.
I do not see trace from accounting session but I suspect that your pam
stack does not authorize authenticated user.
Try to allow all authenticated users first. This will prove that it is a
pam stack accounting phase configuration issue.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



How do I allow all authenticated users?  In the freeIPA domain I have a
rule 'allow_all' that allows any user to connect to any system on any
service.  This is working fine for linux clients.

I assume you mean to do it on the Solaris machine?  I don't have any users
specifically blocked, ie, there is nothing in my sshd_config file that is
limiting the users and groups that can login.  Eg, I've got no
'AllowUsers' lines or anything like that.  I've even got PermitRootLogin
set to yes and have tested that root can login.






other   account required    pam_permit.so

and comment other pam modules in the section:

# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite   pam_roles.so.1 debug
other   account required    pam_unix_account.so.1 debug
#other   account sufficient  pam_ldap.so.1
other   account required    pam_krb5.so.1 debug


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

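
Added example (editorial; not from the thread and not FreeIPA code). The back-and-forth in this thread about pam_permit, "sufficient pam_krb5" in the auth stack and "required pam_krb5" in the account stack comes down to how Solaris walks a pam.conf stack: requisite stops on failure, required remembers the failure and keeps going, sufficient or binding stops on success unless a required failure was already recorded, a failed sufficient entry is ignored, and a module returning PAM_IGNORE (the "returned Ignore module" lines above) is skipped as if it were not listed. The script below parses Solaris pam.conf syntax and evaluates a stack against hypothetical module verdicts. The pam.conf text is constructed: the Solaris 10 default `other auth` stack with the `sufficient pam_krb5.so.1` line inserted where the thread describes, plus the account section quoted in this message. The verdict tables for "ipauser1" and "root" are assumptions for illustration, not observed pam_krb5 behaviour; the rule for a stack in which no module decides anything is a simplification, and the `include` flag is not handled.

```python
FLAGS = {"binding", "required", "requisite", "sufficient", "optional"}

def parse_pam_conf(text):
    """Parse Solaris pam.conf lines: service type control module [options]; '#' starts a
    comment. The 'include' control flag is not handled here (assumption: not in use)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[2] not in FLAGS:
            raise ValueError(f"unparseable pam.conf line: {raw!r}")
        entries.append({"service": parts[0], "type": parts[1], "control": parts[2],
                        "module": parts[3], "options": parts[4:]})
    return entries

def stack_for(entries, service, mtype):
    """A service's own entries for a module type are used if any exist, otherwise 'other'."""
    own = [e for e in entries if e["service"] == service and e["type"] == mtype]
    return own or [e for e in entries if e["service"] == "other" and e["type"] == mtype]

def run_stack(stack, results):
    """Walk a stack with the Solaris control-flag rules. `results` maps module name to
    'success', 'failure' or 'ignore' (PAM_IGNORE); unlisted modules count as 'ignore'.
    Returns (outcome, modules consulted in order with their verdict)."""
    required_failure = False
    success_seen = False
    consulted = []
    for e in stack:
        r = results.get(e["module"], "ignore")
        consulted.append((e["module"], r))
        if r == "ignore":                       # treated as if the entry were not listed
            continue
        c = e["control"]
        if r == "success":
            success_seen = True
            if c in ("sufficient", "binding") and not required_failure:
                return "success", consulted     # short-circuit: later entries never run
            continue
        if c == "requisite":                    # failure stops the walk immediately
            return "failure", consulted
        if c in ("required", "binding"):
            required_failure = True             # remembered; the walk continues
        # a failed sufficient or optional entry is ignored unless nothing else succeeds
    if required_failure:
        return "failure", consulted
    # Simplification (assumption): a stack in which no module succeeded, including one
    # where every module returned PAM_IGNORE, is reported as failure.
    return ("success" if success_seen else "failure"), consulted

# Constructed pam.conf: Solaris 10 default 'other auth' stack with the sufficient pam_krb5
# line inserted between pam_unix_cred and pam_unix_auth, plus the account section quoted above.
SAMPLE_PAM_CONF = """
# Default definition for Authentication management
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
# Default definition for Account management
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account required        pam_krb5.so.1
"""

# Hypothetical module verdicts (assumed for illustration, not measured): an IPA user whose
# Kerberos password is right but who has no local password, and local root, who has no
# Kerberos principal.
IPA_USER = {"pam_authtok_get.so.1": "ignore", "pam_dhkeys.so.1": "ignore",
            "pam_unix_cred.so.1": "ignore", "pam_krb5.so.1": "success",
            "pam_unix_auth.so.1": "failure", "pam_unix_account.so.1": "success"}
LOCAL_ROOT = {"pam_authtok_get.so.1": "ignore", "pam_dhkeys.so.1": "ignore",
              "pam_unix_cred.so.1": "ignore", "pam_krb5.so.1": "failure",
              "pam_unix_auth.so.1": "success", "pam_unix_account.so.1": "success"}

if __name__ == "__main__":
    entries = parse_pam_conf(SAMPLE_PAM_CONF)
    for who, verdicts in (("ipauser1", IPA_USER), ("root", LOCAL_ROOT)):
        for mtype in ("auth", "account"):
            outcome, trace = run_stack(stack_for(entries, "sshd", mtype), verdicts)
            print(f"{who:9s} {mtype:8s} -> {outcome}: {trace}")
```

With these assumed verdicts the auth stack passes for both users (the IPA user short-circuits at the sufficient pam_krb5 entry and pam_unix_auth is never consulted; for root the failed sufficient entry is ignored and pam_unix_auth decides), while the account stack fails root because pam_krb5 is `required` there. Whether the real pam_krb5 returns failure or PAM_IGNORE for a user it does not know is exactly what the debug trace has to tell you; the point of the evaluator is that the outcome depends on that verdict and on the control flag, not on the module's presence alone.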