Re: [Freeipa-users] Switch sudoers to IPA
On Thu, Mar 02, 2017 at 09:50:41PM +0530, deepak dimri wrote:
> Hi Jakub,
>
> Actually that is what I am doing. I am creating the user with the same
> UID in IPA and then if I delete the user locally then I can
> authenticate via IPA. Is there any way I can do this without deleting
> the user? This is just to use the same GID and avoid recreation of
> home directories.

I think you'd need to modify the PAM stack to keep going even if
authentication against pam_unix fails. I /think/ (but haven't tested)
that modifying the lines that deal with pam_unix/pam_sss like this:

    auth [default=2 success=ok] pam_localuser.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth [success=done ignore=ignore default=die] pam_sss.so use_first_pass

could work. The other lines in the PAM auth stack and all the other
stacks should be left intact.

(Please keep a root shell around if you're going to tinker with PAM
settings and preferably try this out on a test box first.)

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Switch sudoers to IPA
Hi Jakub,

Actually that is what I am doing. I am creating the user with the same
UID in IPA and then if I delete the user locally then I can authenticate
via IPA. Is there any way I can do this without deleting the user? This
is just to use the same GID and avoid recreation of home directories.

Many thanks for your response!

Regards,
Deepak

On Thu, Mar 2, 2017 at 8:40 PM, Jakub Hrozek wrote:
> On Thu, Mar 02, 2017 at 07:09:41PM +0530, deepak dimri wrote:
> > Hi List,
> >
> > I have sudo and normal users accessing Linux systems using their
> > private key without IPA. I have IPA fully functioning and now I want
> > to switch the users from local file login to IPA.
> >
> > Any new user I create in IPA can SSH into IPA client jump boxes fine.
> > I want to know how I can migrate existing local sudoers users to IPA.
> > This is what I have done to achieve this:
> >
> > 1- Created a new user in IPA with the same name as I have in the
> > jumpbox.
> > 2- Added the public key of that user in IPA.
> > 3- Added the user to jumpbox_usergroup, as my sshd.conf forces the
> > users of this group to authenticate against pam/sssd.
> >
> > Now when I try to ssh into the jumpbox as I was doing before, I still
> > log into the jumpbox via Unix PAM and not IPA. What should I be doing
> > so that the "existing" local Unix users can log in via IPA?
>
> But do you need to keep the local users around? Why not create the IPA
> user with the same UID as the local user and remove the local user?
>
> Typically, if there is a user both in the local files and a remote
> source, the system (as configured in nsswitch.conf) would first return
> the local user and the PAM stack then only authenticates this user
> using pam_unix.so
Re: [Freeipa-users] Switch sudoers to IPA
On Thu, Mar 02, 2017 at 07:09:41PM +0530, deepak dimri wrote:
> Hi List,
>
> I have sudo and normal users accessing Linux systems using their private
> key without IPA. I have IPA fully functioning and now I want to switch
> the users from local file login to IPA.
>
> Any new user I create in IPA can SSH into IPA client jump boxes fine. I
> want to know how I can migrate existing local sudoers users to IPA. This
> is what I have done to achieve this:
>
> 1- Created a new user in IPA with the same name as I have in the jumpbox.
> 2- Added the public key of that user in IPA.
> 3- Added the user to jumpbox_usergroup, as my sshd.conf forces the users
> of this group to authenticate against pam/sssd.
>
> Now when I try to ssh into the jumpbox as I was doing before, I still
> log into the jumpbox via Unix PAM and not IPA. What should I be doing so
> that the "existing" local Unix users can log in via IPA?

But do you need to keep the local users around? Why not create the IPA
user with the same UID as the local user and remove the local user?

Typically, if there is a user both in the local files and a remote
source, the system (as configured in nsswitch.conf) would first return
the local user and the PAM stack then only authenticates this user using
pam_unix.so
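Editor's added example (not code from this thread, from FreeIPA or from SSSD): the two points in the reply above, that the `passwd:` order in nsswitch.conf decides which source answers for a name, and that the IPA account must carry the same UID (and, for the home directory, the same GID and path) before the local entry is removed, can be checked mechanically before touching any box. The script below works on passwd(5)-format text only, so it runs offline on the constructed entries embedded in it; on a real client the local side is /etc/passwd and the IPA side is what `getent -s sss passwd NAME` prints for each local name. It goes slightly beyond the reply: it compares gid and home as well as uid, and it models any source ordering, not just "files sss". The user names, UIDs and paths are made up for the demo; only the default NOTFOUND=continue behaviour of nsswitch is modelled (bracketed action specs on the line are skipped).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Pre-migration checks for
# moving local accounts to IPA, working on passwd(5)-format text.

# ipa_uid_check LOCAL_PASSWD IPA_PASSWD
# For every name present in both files, print OK when uid, gid and home
# agree (the local entry can then be dropped without re-owning $HOME) and
# MISMATCH when they differ. Exit status 0 if nothing mismatched, 1 otherwise.
ipa_uid_check() {
    awk -F: '
        # first file: remember the local uid/gid/home per name
        NR == FNR { luid[$1] = $3; lgid[$1] = $4; lhome[$1] = $6; next }
        # second file: only names that also exist locally are interesting
        ($1 in luid) {
            if (luid[$1] == $3 && lgid[$1] == $4 && lhome[$1] == $6) {
                printf "OK       %s uid=%s gid=%s home=%s\n", $1, $3, $4, $6
            } else {
                printf "MISMATCH %s local(uid=%s gid=%s home=%s) ipa(uid=%s gid=%s home=%s)\n",
                    $1, luid[$1], lgid[$1], lhome[$1], $3, $4, $6
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1" "$2"
}

# nss_winner NSSWITCH_LINE LOCAL_PASSWD IPA_PASSWD NAME
# Emulates the lookup order of an nsswitch.conf "passwd:" line: sources are
# tried left to right and the first one that knows NAME wins. Prints the
# winning source (files or sss) or "none"; exit status 1 if nobody knows NAME.
nss_winner() {
    line=$1; local_passwd=$2; ipa_passwd=$3; name=$4
    for src in $(printf '%s\n' "$line" | sed 's/^passwd:[[:space:]]*//'); do
        case $src in
            files) db=$local_passwd ;;
            sss)   db=$ipa_passwd ;;
            *)     continue ;;          # other sources / [ACTION=...] specs are skipped
        esac
        if awk -F: -v n="$name" '$1 == n { found = 1 } END { exit found ? 0 : 1 }' "$db"; then
            printf '%s\n' "$src"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

# Demo on constructed data (no real accounts); run as: sh this.sh --demo
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'deepak:x:1001:1001::/home/deepak:/bin/bash' \
        'ops:x:1002:1002::/home/ops:/bin/bash' > "$tmp/local"
    printf '%s\n' \
        'deepak:*:1001:1001:Deepak Dimri:/home/deepak:/bin/bash' \
        'ops:*:70001:70001:Ops User:/home/ops:/bin/bash' \
        'alice:*:1003:1003:Alice:/home/alice:/bin/bash' > "$tmp/ipa"
    ipa_uid_check "$tmp/local" "$tmp/ipa" ||
        echo "mismatches found: fix them in IPA before removing local entries"
    echo "deepak resolves from: $(nss_winner 'passwd: files sss' "$tmp/local" "$tmp/ipa" deepak)"
    rm -rf "$tmp"
}
case ${1:-} in --demo) demo ;; esac
```

To build the IPA-side file on an enrolled client without enabling enumeration in sssd.conf, query each local name individually, e.g. `for u in $(cut -d: -f1 /etc/passwd); do getent -s sss passwd "$u"; done > ipa.txt`, then run `ipa_uid_check /etc/passwd ipa.txt`. A name that `nss_winner` reports as `files` under your current `passwd:` line is exactly the case described above: the local entry answers first and pam_unix, not pam_sss, ends up authenticating it.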
[Freeipa-users] Switch sudoers to IPA
Hi List,

I have sudo and normal users accessing Linux systems using their private
key without IPA. I have IPA fully functioning and now I want to switch the
users from local file login to IPA.

Any new user I create in IPA can SSH into IPA client jump boxes fine. I
want to know how I can migrate existing local sudoers users to IPA. This
is what I have done to achieve this:

1- Created a new user in IPA with the same name as I have in the jumpbox.
2- Added the public key of that user in IPA.
3- Added the user to jumpbox_usergroup, as my sshd.conf forces the users
of this group to authenticate against pam/sssd.

Now when I try to ssh into the jumpbox as I was doing before, I still log
into the jumpbox via Unix PAM and not IPA. What should I be doing so that
the "existing" local Unix users can log in via IPA?

I am still playing with the configuration to make it work but thought of
asking this to you all to see if I can get a solution faster.

Many Thanks,
Deepak