[Freeipa-users] slapi-nis user password error
Hi,

I have some services that need to work with a NIS server and I would like to use the slapi-nis plugin in order to use just FreeIPA as our Directory Server. The users were imported from an OpenLDAP server and the password encryption is MD5.

I installed slapi-nis in the server and configured a NIS client (Red Hat 5.9) with the FreeIPA server (Red Hat 6.3, FreeIPA: 3.0.0-26). I'm able to get info of the users from the NIS client (getent passwd user_id) but when the user tries to log in to the NIS client the authentication fails. Slapi-nis was installed and configured using the default options.

Any clue about this problem or how can I debug this?

Thanks!!

CBU

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] slapi-nis user password error
On Thu, 05 Sep 2013, cbul...@gmail.com wrote:
> Hi,
>
> I have some services that need to work with a NIS server and I would like to use the slapi-nis plugin in order to use just FreeIPA as our Directory Server. The users were imported from an OpenLDAP server and the password encryption is MD5.
>
> I installed slapi-nis in the server and configured a NIS client (Red Hat 5.9) with the FreeIPA server (Red Hat 6.3, FreeIPA: 3.0.0-26). I'm able to get info of the users from the NIS client (getent passwd user_id) but when the user tries to log in to the NIS client the authentication fails. Slapi-nis was installed and configured using the default options.
>
> Any clue about this problem or how can I debug this?

From what you are describing, it looks like what I have fixed recently in slapi-nis as a side-effect of adding support for trusted domains. Not sure if Nalin has backported this fix to older versions (slapi-nis 0.48 is in Fedora 19 at this point) but filing a bug against RHEL 6.3 would help in promoting the fix to stable packages.

--
/ Alexander Bokovoy
Re: [Freeipa-users] slapi-nis user password error
On Thu, 05 Sep 2013, cbul...@gmail.com wrote:
> Hi Alexander,
>
> Thanks so much for your reply. Do you know if there is a patch available for RH 6.3 that I can use?...

There is no backport available. Look at Dmitri's answer as well. You can authenticate these boxes through pam_krb5 in combination with the slapi-nis identity source, for example.

--
/ Alexander Bokovoy
Re: [Freeipa-users] slapi-nis user password error
On 09/05/2013 10:47 AM, Alexander Bokovoy wrote:
> On Thu, 05 Sep 2013, cbul...@gmail.com wrote:
>> Hi,
>>
>> I have some services that need to work with a NIS server and I would like to use the slapi-nis plugin in order to use just FreeIPA as our Directory Server. The users were imported from an OpenLDAP server and the password encryption is MD5.
>>
>> I installed slapi-nis in the server and configured a NIS client (Red Hat 5.9) with the FreeIPA server (Red Hat 6.3, FreeIPA: 3.0.0-26). I'm able to get info of the users from the NIS client (getent passwd user_id) but when the user tries to log in to the NIS client the authentication fails. Slapi-nis was installed and configured using the default options.
>>
>> Any clue about this problem or how can I debug this?
>
> From what you are describing, it looks like what I have fixed recently in slapi-nis as a side-effect of adding support for trusted domains. Not sure if Nalin has backported this fix to older versions (slapi-nis 0.48 is in Fedora 19 at this point) but filing a bug against RHEL 6.3 would help in promoting the fix to stable packages.

Well... I should say that originally slapi-nis did not support binding. And it was not intended to support binding. We had to add binding to slapi-nis for other reasons not related to the use case at hand. I doubt that the change would be backported.

Is there any other authentication method that you can use from those boxes? pam_krb5 or pam_ldap or maybe something along those lines? What OS/version are they running?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] slapi-nis user password error
Hi Alexander,

Thanks so much for your reply. Do you know if there is a patch available for RH 6.3 that I can use?...

Thanks again,

On 09/05/2013 09:47 AM, Alexander Bokovoy wrote:
> On Thu, 05 Sep 2013, cbul...@gmail.com wrote:
>> Hi,
>>
>> I have some services that need to work with a NIS server and I would like to use the slapi-nis plugin in order to use just FreeIPA as our Directory Server. The users were imported from an OpenLDAP server and the password encryption is MD5.
>>
>> I installed slapi-nis in the server and configured a NIS client (Red Hat 5.9) with the FreeIPA server (Red Hat 6.3, FreeIPA: 3.0.0-26). I'm able to get info of the users from the NIS client (getent passwd user_id) but when the user tries to log in to the NIS client the authentication fails. Slapi-nis was installed and configured using the default options.
>>
>> Any clue about this problem or how can I debug this?
>
> From what you are describing, it looks like what I have fixed recently in slapi-nis as a side-effect of adding support for trusted domains. Not sure if Nalin has backported this fix to older versions (slapi-nis 0.48 is in Fedora 19 at this point) but filing a bug against RHEL 6.3 would help in promoting the fix to stable packages.
Re: [Freeipa-users] slapi-nis user password error
On Thu, Sep 05, 2013 at 09:17:36AM -0500, cbul...@gmail.com wrote:
> The users were imported from an OpenLDAP server and the password encryption is MD5.

Is that {CRYPT} using an md5-based crypt, or {MD5} or {SMD5}? A client that's trying to check passwords using hashes which it reads via NIS is usually only compatible with hashes that are identified with {CRYPT}.

> I installed slapi-nis in the server and configured a NIS client (Red Hat 5.9) with the FreeIPA server (Red Hat 6.3, FreeIPA: 3.0.0-26). I'm able to get info of the users from the NIS client (getent passwd user_id) but when the user tries to log in to the NIS client the authentication fails.

Which authentication mechanism did you configure in combination with NIS for user information?

> Slapi-nis was installed and configured using the default options. Any clue about this problem or how can I debug this?

If you're using pam_unix (which you probably are, if you're using neither LDAP nor Kerberos for authenticating users), then you need to have {CRYPT} hashes in your user entries. If you don't have those, you'll need to remedy that first, by configuring the server to use the CRYPT password storage scheme (IIRC the default is SSHA), and then forcing some password changes. After that, the default configuration for the version of slapi-nis you have should cause them to start showing up when you use getent (or ypmatch) to read the user's entry from the passwd map.

Then you can double-check that a password is correct by taking a hashed value and a candidate password and running them through something like

  python -c 'import crypt; print crypt.crypt(password,hash)'

to check if hashing the password using the salt that's part of the hashed value reproduces the hashed value, which is more or less what pam_unix does to check the password.

That all said, I'd recommend using SSSD's support for reading identity information via LDAP, or better still its IPA provider, which can interact with the IPA server when it's in migration mode, and start moving you toward being able to switch over to using Kerberos.

HTH,

Nalin
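An added example of the check Nalin describes (not code from the thread, from slapi-nis or from FreeIPA): split a userPassword value into its storage-scheme prefix and payload, report whether a NIS client running pam_unix could verify it at all (only {CRYPT}), and for those it can, redo what crypt(3) does with the salt embedded in the stored value. The user names, salts and sample entries are constructed; the {CRYPT} values are assumed to be md5-crypt ($1$...), the variant an "MD5" OpenLDAP import most plausibly produced, and other crypt variants ($5$, $6$) are reported as unsupported rather than guessed. md5-crypt is reimplemented in pure Python so the script also runs on Python 3.13, where the stdlib crypt module behind the one-liner above has been removed.

```python
"""Which LDAP userPassword schemes can a NIS client check with pam_unix?

Added example for this thread, not slapi-nis or FreeIPA code. Assumes {CRYPT}
values are md5-crypt ($1$); {SSHA}/{SMD5}/{MD5}/{SHA} are verified here only
to show they need the whole value and an LDAP-side check, not crypt(3).
"""
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """crypt(3)'s base-64: emit `count` 6-bit groups, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password, salt):
    """md5-crypt ($1$), the algorithm glibc crypt() runs for pam_unix on these hashes."""
    pw = password.encode()
    salt = salt[:8].encode()          # crypt(3) uses at most 8 salt characters
    magic = b"$1$"
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    pl = len(pw)
    while pl > 0:                     # as many bytes of alt as the password is long
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                          # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):             # the fixed 1000-round stretching loop
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return "$1$" + salt.decode() + "$" + out + _to64(final[11], 2)

def split_scheme(userpassword):
    """Split '{SCHEME}payload' into (SCHEME, payload); (None, value) if unprefixed."""
    if userpassword.startswith("{") and "}" in userpassword:
        end = userpassword.index("}")
        return userpassword[1:end].upper(), userpassword[end + 1:]
    return None, userpassword

def nis_client_can_verify(userpassword):
    """Only {CRYPT} hashes are checkable by pam_unix from a NIS passwd map; the
    digest-based schemes can only be verified by the LDAP server on a bind."""
    return split_scheme(userpassword)[0] == "CRYPT"

def verify(userpassword, candidate):
    """Recompute the stored hash from candidate + stored salt and compare in constant time."""
    scheme, payload = split_scheme(userpassword)
    cand = candidate.encode()
    if scheme == "CRYPT":
        if not payload.startswith("$1$"):
            raise NotImplementedError("only md5-crypt ($1$) is implemented in this example")
        salt = payload[3:].split("$", 1)[0]
        return hmac.compare_digest(md5_crypt(candidate, salt), payload)
    if scheme in ("SSHA", "SMD5"):          # salted: base64(digest || salt)
        raw = base64.b64decode(payload)
        dlen = 20 if scheme == "SSHA" else 16
        algo = hashlib.sha1 if scheme == "SSHA" else hashlib.md5
        return hmac.compare_digest(algo(cand + raw[dlen:]).digest(), raw[:dlen])
    if scheme in ("SHA", "MD5"):            # unsalted: base64(digest)
        algo = hashlib.sha1 if scheme == "SHA" else hashlib.md5
        return hmac.compare_digest(algo(cand).digest(), base64.b64decode(payload))
    raise ValueError("unsupported scheme %r" % scheme)

def make_ssha(password, salt):
    """Build an {SSHA} value the way 389-ds/OpenLDAP store it (for the constructed samples)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

# Constructed sample entries (not from the thread); every user's password is "Secret123".
SAMPLE = {
    "alice": "{CRYPT}" + md5_crypt("Secret123", "c8z.1Qkd"),     # what pam_unix can check
    "bob": make_ssha("Secret123", b"\x10\x20\x30\x40"),          # 389-ds default scheme
    "carol": "{MD5}" + base64.b64encode(hashlib.md5(b"Secret123").digest()).decode(),
}

if __name__ == "__main__":
    for user, value in SAMPLE.items():
        scheme, _ = split_scheme(value)
        print("%-6s %-5s usable-by-NIS-client=%-5s password-matches=%s"
              % (user, scheme, nis_client_can_verify(value), verify(value, "Secret123")))
```

All three sample values verify here because the script holds the complete value and knows each scheme, which is exactly what a NIS client does not have: pam_unix hands whatever sits in the password field to crypt(3), so only alice's {CRYPT} entry can succeed on the client, which is the failure the thread is about and why the fix is either the CRYPT storage scheme plus forced password changes or moving authentication to pam_krb5/SSSD. To cross-check the md5-crypt implementation against the system crypt, compare md5_crypt("rasmuslerdorf", "rasmusle") with the output of `openssl passwd -1 -salt rasmusle rasmuslerdorf`.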
Re: [Freeipa-users] slapi-nis user password error
Nalin, Alexander and Dmitri,

Thanks so much for your help and for clarifying some points. Yes, we are using {CRYPT} and after configuring Kerberos for authentication we are able to log in.

Again, thanks so much!

On 09/05/2013 10:11 AM, Nalin Dahyabhai wrote:
> On Thu, Sep 05, 2013 at 09:17:36AM -0500, cbul...@gmail.com wrote:
>> The users were imported from an OpenLDAP server and the password encryption is MD5.
>
> Is that {CRYPT} using an md5-based crypt, or {MD5} or {SMD5}? A client that's trying to check passwords using hashes which it reads via NIS is usually only compatible with hashes that are identified with {CRYPT}.
>
>> I installed slapi-nis in the server and configured a NIS client (Red Hat 5.9) with the FreeIPA server (Red Hat 6.3, FreeIPA: 3.0.0-26). I'm able to get info of the users from the NIS client (getent passwd user_id) but when the user tries to log in to the NIS client the authentication fails.
>
> Which authentication mechanism did you configure in combination with NIS for user information?
>
>> Slapi-nis was installed and configured using the default options. Any clue about this problem or how can I debug this?
>
> If you're using pam_unix (which you probably are, if you're using neither LDAP nor Kerberos for authenticating users), then you need to have {CRYPT} hashes in your user entries. If you don't have those, you'll need to remedy that first, by configuring the server to use the CRYPT password storage scheme (IIRC the default is SSHA), and then forcing some password changes. After that, the default configuration for the version of slapi-nis you have should cause them to start showing up when you use getent (or ypmatch) to read the user's entry from the passwd map.
>
> Then you can double-check that a password is correct by taking a hashed value and a candidate password and running them through something like
>
>   python -c 'import crypt; print crypt.crypt(password,hash)'
>
> to check if hashing the password using the salt that's part of the hashed value reproduces the hashed value, which is more or less what pam_unix does to check the password.
>
> That all said, I'd recommend using SSSD's support for reading identity information via LDAP, or better still its IPA provider, which can interact with the IPA server when it's in migration mode, and start moving you toward being able to switch over to using Kerberos.
>
> HTH,
>
> Nalin