Re: [Freeipa-users] Switch sudoers to IPA

2017-03-02 Thread Jakub Hrozek
On Thu, Mar 02, 2017 at 09:50:41PM +0530, deepak dimri wrote:
> Hi Jakub, Actually that is what I am doing. I am creating the user with
> the same UID in IPA and then, if I delete the user locally, I can
> authenticate via IPA. Is there any way I can do this without deleting the
> user? This is just to use the same GID and avoid recreation of
> home directories.

I think you'd need to modify the PAM stack to keep going even if
authentication against pam_unix fails. I /think/ (but haven't tested)
that modifying the lines that deal with pam_unix/pam_sss like this:

auth [default=2 success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth [success=done ignore=ignore default=die] pam_sss.so use_first_pass

could work. The other lines in the PAM auth stack and all the other
stacks should be left intact.

(Please keep a root shell around if you're going to tinker with PAM
settings and preferably try this out on a test box first.)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

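An added example, not from the post and not code from Linux-PAM or SSSD: a small Python model of the auth-stack control flags documented in pam.conf(5) (ok, done, die, bad, ignore and integer jumps), used to trace the three lines above for a local user whose pam_unix check fails and for a user that exists only in IPA. The modules, user names and passwords are fakes, and the treatment of a default=N jump as "skip N modules without touching the accumulated status" is an assumption about the dispatcher. Note that with the three lines directly adjacent, default=2 jumps past pam_sss as well, so the jump count has to match the number of lines that really sit between pam_localuser and pam_sss in the stack being edited; the second stack shows default=1 for the adjacent layout.

```python
"""Model of Linux-PAM 'auth' stack control flags (pam.conf(5)).

Added example, not from the thread nor from Linux-PAM/SSSD. Modules, users
and passwords are fakes; no real PAM is involved.
"""
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_IGNORE = "PAM_IGNORE"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Keyword controls as pam.conf(5) expands them into [value=action] form.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(control):
    """'sufficient' or '[success=done default=die]' -> {value: action}."""
    control = KEYWORDS.get(control, control)
    return dict(item.split("=", 1) for item in control.strip("[]").split())

def action_for(actions, retval):
    return actions.get(retval[len("PAM_"):].lower(), actions["default"])

def run_auth_stack(stack, user, password):
    """stack: list of (control, module). Returns the stack's final code,
    tracking the 'impression'/status pair the way pam.conf(5) describes."""
    impression, status, skip = None, PAM_PERM_DENIED, 0
    for control, module in stack:
        if skip:                      # inside a default=N jump
            skip -= 1
            continue
        retval = module(user, password)
        action = action_for(parse_control(control), retval)
        if action.isdigit():
            # Assumption: a jump only skips N modules and leaves the
            # accumulated status alone (an IPA-only user must not be failed
            # just because pam_localuser did not know them).
            skip = int(action)
        elif action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == PAM_SUCCESS):
                if retval != PAM_IGNORE:
                    impression, status = "pos", retval
            if action == "done" and impression == "pos":
                return status
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", retval
            if action == "die":
                return status
        # "ignore": contributes nothing
    return status if impression is not None else PAM_PERM_DENIED

def jump_lands_on(stack, idx):
    """Module a default=N jump at stack[idx] lands on, or None past the end."""
    n = parse_control(stack[idx][0]).get("default", "")
    target = idx + 1 + (int(n) if n.isdigit() else 0)
    return stack[target][1].__name__ if target < len(stack) else None

# Constructed account data: alice exists locally and in IPA, bob in IPA only.
LOCAL_USERS = {"alice": "local-pw"}
IPA_USERS = {"alice": "ipa-pw", "bob": "ipa-pw"}

def pam_localuser(user, _pw):
    return PAM_SUCCESS if user in LOCAL_USERS else PAM_USER_UNKNOWN

def pam_unix(user, pw):
    if user not in LOCAL_USERS:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if LOCAL_USERS[user] == pw else PAM_AUTH_ERR

def pam_sss(user, pw):
    if user not in IPA_USERS:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if IPA_USERS[user] == pw else PAM_AUTH_ERR

# The three lines from the post, with nothing between them.
PROPOSED = [
    ("[default=2 success=ok]", pam_localuser),
    ("sufficient", pam_unix),
    ("[success=done ignore=ignore default=die]", pam_sss),
]
# Same lines with the jump sized for this adjacent layout.
PROPOSED_JUMP1 = [
    ("[default=1 success=ok]", pam_localuser),
    ("sufficient", pam_unix),
    ("[success=done ignore=ignore default=die]", pam_sss),
]

if __name__ == "__main__":
    for name, stack in (("default=2", PROPOSED), ("default=1", PROPOSED_JUMP1)):
        print(f"{name}: IPA-only user's jump lands on {jump_lands_on(stack, 0)}")
        for user, pw in (("alice", "local-pw"), ("alice", "ipa-pw"),
                         ("alice", "wrong"), ("bob", "ipa-pw")):
            print(f"  {user}/{pw}: {run_auth_stack(stack, user, pw)}")
```

Running it shows the intended effect for the local user (alice with her IPA password passes through pam_unix's failure into pam_sss and succeeds), and that for bob the default=2 jump in the adjacent layout skips pam_sss, leaving nothing to grant access, while default=1 lands on pam_sss.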

Re: [Freeipa-users] Switch sudoers to IPA

2017-03-02 Thread deepak dimri
Hi Jakub, Actually that is what I am doing. I am creating the user with
the same UID in IPA and then, if I delete the user locally, I can
authenticate via IPA. Is there any way I can do this without deleting the
user? This is just to use the same GID and avoid recreation of
home directories.

Many Thanks for your response!

Regards,
Deepak

On Thu, Mar 2, 2017 at 8:40 PM, Jakub Hrozek wrote:

> On Thu, Mar 02, 2017 at 07:09:41PM +0530, deepak dimri wrote:
> > Hi List,
> >
> > I have sudo and normal users accessing Linux systems using their private
> > key without IPA. I have IPA fully functioning and now I want to switch
> > the users from local file login to IPA.
> >
> > Any new user I create in IPA can SSH into IPA client jump boxes fine. I
> > want to know how I can migrate existing local sudoers users to IPA. This
> > is what I have done to achieve this:
> >
> > 1 - Created a new user in IPA with the same name as I have in the jumpbox.
> > 2 - Added the public key of that user in IPA.
> > 3 - Added the user to jumpbox_usergroup as my sshd.conf forces the users
> > of this group to authenticate against the pam/sssd.
> >
> > Now when I try to ssh into the jumpbox as I was doing before I still log
> > into the jumpbox via Unix PAM and not IPA. What should I be doing so
> > that the "existing" local Unix users can login via IPA?
>
> But do you need to keep the local users around? Why not create the IPA
> user with the same UID as the local user and remove the local user?
>
> Typically, if there is a user both in the local files and a remote
> source, the system (as configured in nsswitch.conf) would first return
> the local user and the PAM stack then only authenticates this user using
> pam_unix.so.
>

Re: [Freeipa-users] Switch sudoers to IPA

2017-03-02 Thread Jakub Hrozek
On Thu, Mar 02, 2017 at 07:09:41PM +0530, deepak dimri wrote:
> Hi List,
> 
> I have sudo and normal users accessing Linux systems using their private
> key without IPA. I have IPA fully functioning and now I want to switch the
> users from local file login to IPA.
> 
> Any new user I create in IPA can SSH into IPA client jump boxes fine. I
> want to know how I can migrate existing local sudoers users to IPA. This
> is what I have done to achieve this:
> 
> 1 - Created a new user in IPA with the same name as I have in the jumpbox.
> 2 - Added the public key of that user in IPA.
> 3 - Added the user to jumpbox_usergroup as my sshd.conf forces the users of
> this group to authenticate against the pam/sssd.
> 
> Now when I try to ssh into the jumpbox as I was doing before I still log
> into the jumpbox via Unix PAM and not IPA. What should I be doing so that
> the "existing" local Unix users can login via IPA?

But do you need to keep the local users around? Why not create the IPA
user with the same UID as the local user and remove the local user?

Typically, if there is a user both in the local files and a remote
source, the system (as configured in nsswitch.conf) would first return
the local user and the PAM stack then only authenticates this user using
pam_unix.so.


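An added example, not from the thread: Python that makes the nsswitch.conf point above concrete and adds the check one would want before removing the local account. The nsswitch.conf fragment, the passwd lines and the IPA-range IDs are constructed; winning_entry() shows why a user present in both files and sss resolves to the local entry, and migration_check() reports the UID, GID, home and shell differences that would surface once the local user is gone. The only live command is `getent -s SERVICE passwd USER` (getent's --service option), kept in lookup_live() so everything else runs offline.

```python
"""Which NSS source wins for a user, and whether the IPA entry is a safe
replacement for the local one.

Added example, not from the original thread. All sample data is constructed.
"""
import subprocess

# Constructed nsswitch.conf fragment: files before sss, the ordering the
# thread describes.
NSSWITCH_SAMPLE = """
passwd:     files sss
shadow:     files sss
group:      files sss
"""

def passwd_sources(nsswitch_text):
    """Ordered list of services on the passwd: line (comments stripped)."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            return line.split(":", 1)[1].split()
    return []

def parse_passwd(line):
    name, _pw, uid, gid, gecos, home, shell = line.strip().split(":")
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}

def winning_entry(sources, per_source):
    """First source in nsswitch order that knows the user wins, which is why
    a name present in both files and IPA resolves to the local account."""
    for src in sources:
        line = per_source.get(src)
        if line:
            return src, parse_passwd(line)
    return None, None

def migration_check(local_line, ipa_line):
    """Differences that would matter once the local user is removed: file
    ownership (uid/gid), home path, shell. Empty list means none found."""
    local, ipa = parse_passwd(local_line), parse_passwd(ipa_line)
    return [f"{field}: local={local[field]} ipa={ipa[field]}"
            for field in ("uid", "gid", "home", "shell")
            if local[field] != ipa[field]]

def lookup_live(user, service):
    """Query one NSS service only (getent -s files / getent -s sss).
    Returns the passwd line, or None if unknown or getent is unavailable."""
    try:
        out = subprocess.run(["getent", "-s", service, "passwd", user],
                             capture_output=True, text=True, check=False)
    except OSError:
        return None
    return out.stdout.strip() or None

# Constructed entries for the same user name in both sources. The large IDs
# stand in for an IPA range allocation that was not matched to the local user.
LOCAL_ALICE = "alice:x:1001:1001:Alice Local:/home/alice:/bin/bash"
IPA_ALICE_OK = "alice:*:1001:1001:Alice Example:/home/alice:/bin/bash"
IPA_ALICE_BAD = "alice:*:920000003:920000003:Alice Example:/home/alice:/bin/sh"

if __name__ == "__main__":
    sources = passwd_sources(NSSWITCH_SAMPLE)
    src, entry = winning_entry(sources, {"files": LOCAL_ALICE, "sss": IPA_ALICE_OK})
    print(f"passwd order {sources}: alice resolves from '{src}', uid={entry['uid']}")
    print("IPA entry with matching ids:", migration_check(LOCAL_ALICE, IPA_ALICE_OK))
    print("IPA entry with range ids:", migration_check(LOCAL_ALICE, IPA_ALICE_BAD))
    for service in ("files", "sss"):
        print(f"getent -s {service} passwd alice ->", lookup_live("alice", service))
```

On a real client the last loop, run for the user being migrated, gives the two lines to feed to migration_check(); an empty result for uid and gid is what makes "create the IPA user with the same UID and remove the local user" safe for the existing home directory and any files it owns.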
[Freeipa-users] Switch sudoers to IPA

2017-03-02 Thread deepak dimri
Hi List,

I have sudo and normal users accessing Linux systems using their private
key without IPA. I have IPA fully functioning and now I want to switch the
users from local file login to IPA.

Any new user I create in IPA can SSH into IPA client jump boxes fine. I
want to know how I can migrate existing local sudoers users to IPA. This
is what I have done to achieve this:

1 - Created a new user in IPA with the same name as I have in the jumpbox.
2 - Added the public key of that user in IPA.
3 - Added the user to jumpbox_usergroup as my sshd.conf forces the users of
this group to authenticate against the pam/sssd.

Now when I try to ssh into the jumpbox as I was doing before I still log
into the jumpbox via Unix PAM and not IPA. What should I be doing so that
the "existing" local Unix users can login via IPA?

I am still playing with the configuration to make it work but thought of
asking you all to see if I can get a solution faster.

Many Thanks,
Deepak