Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users
> root is not an ipa managed user so it is purely your pam configuration.
> I thought we were trying to figure out why your ipa users are not
> handled properly.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

I would like to thank you guys for your help in troubleshooting this. I managed to fix the issue. We had a custom jumpstart file creating our Solaris images and it made some configuration changes that broke the pam/kerberos interaction. I still don't know what exactly was the cause, but I re-installed on a fresh Solaris 10 8/11 image and was able to get an ipa user to log in.

For reference, here are the complete steps I had to take from installation of the machine to get it working. Hopefully someone else finds this useful or you can add it to your docs.

These instructions assume a minimal console-only Solaris install, so we have to add some packages first.

#pkgadd -d . SUNWbash
#pkgadd -d . SUNWuiu8
#pkgadd -d . SUNWwgetr
#pkgadd -d . SUNWwgetu
#pkgadd -d . SUNWbind
#pkgadd -d . SUNWntpr
#pkgadd -d . SUNWntpu
#pkgadd -d . SUNWman
#pkgadd -d . SUNWdoc
#pkgadd -d . SUNWtexi
#pkgadd -d . SUNWsfdoc
#pkgadd -d . SUNWsfman
#pkgadd -d . SUNWsfinf
#pkgadd -d . SUNWgcmn
#pkgadd -d . SUNWsshcu
#pkgadd -d . SUNWsshdr
#pkgadd -d . SUNWsshdu
#pkgadd -d . SUNWsshr
#pkgadd -d . SUNWsshu

Fix IP Setup

#rm /etc/dhcp.e1000g0
#chmod u+w /etc/hosts
#echo "10.21.19.17 ipaclient6-sandbox-atdev-van.ipadomain.net ipaclient6-sandbox-atdev-van loghost" >> /etc/hosts
#echo "10.21.19.17 netmask 255.255.0.0" > /etc/hostname.e1000g0
#echo "ipaclient6-sandbox-atdev-van.ipadomain.net" > /etc/nodename
#echo "ipadomain.net" > /etc/defaultdomain
#echo "10.21.0.1" > /etc/defaultrouter

DNS Configuration

This DNS configuration needs to be done no matter whether you used jumpstart or not.

#vi /etc/resolv.conf

Remove all existing lines and set the following values

domain ipadomain.net
nameserver 10.21.19.20

Reboot to get the updated hostname and domainname and ip settings

#reboot

Enable SSH daemon

#/lib/svc/method/sshd -c
#svcadm enable ssh

NSSwitch Configuration

edit /etc/nsswitch.conf and make sure the following lines are set

passwd: files ldap
group: files ldap
hosts: dns files

Edit /etc/nsswitch.ldap and make sure the same following lines are set

passwd: files ldap
group: files ldap
hosts: dns files

Configure Client

edit /etc/krb5/krb5.conf and set the following values

--- snip ---
[libdefaults]
        default_realm = IPADOMAIN.NET
        dns_lookup_kdc = true

[realms]
        IPADOMAIN.NET = {
                kdc = ipadc1.ipadomain.net
                admin_server = ipadc1.ipadomain.net
        }

[domain_realm]
        .ipadomain.net = IPADOMAIN.NET
        ipadomain.net = IPADOMAIN.NET

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
                period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
                version = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable= true
        }
--- snip ---

First, synchronize the date on the Solaris client

bash-3.00# ntpdate ipadc1.ipadomain.net

On the Solaris machine setup the ldap configuration

# ldapclient -v init -a domainName=ipadomain.net ipadc1.ipadomain.net

On the freeIPA domain controller, enroll the host

[root@ipadc1 ~]# ipa host-add --force --ip-address=10.21.19.17 ipaclient6-sandbox-atdev-van.ipadomain.net

On the IPA server, get the keytab and copy it to the Solaris machine

#rm /tmp/solaris.keytab
[root@ipadc1 tmp]# ipa-getkeytab -s ipadc1 -p host/ipaclient6-sandbox-atdev-van.ipadomain.net -k /tmp/solaris.keytab
[root@ipadc1 tmp]# scp solaris.keytab root@10.21.19.17:/etc/krb5/krb5.keytab

After all this, I was able to login to my Solaris machine using one of my ipa user accounts

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
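The keytab step in the procedure above is the one that turns the Solaris box into a Kerberos host: ipa-getkeytab creates the host key on the server and scp drops it into /etc/krb5/krb5.keytab. Before touching pam.conf it is worth confirming that the copied file holds exactly the principal sshd will use, host/<nodename>@<default_realm>, and that nothing but root can read it (the keytab is the host's long-term credential; whoever reads it can impersonate the host). On Solaris `klist -k /etc/krb5/krb5.keytab` lists the principals; the Python below, added here as an example and not part of the post or of FreeIPA, does the same parse offline so the checks can be scripted. It assumes the MIT keytab version-2 file layout (what ipa-getkeytab writes through libkrb5), builds a constructed sample keytab in memory with a placeholder key (no real IPA key is embedded), and uses the hostname and realm from the thread.

```python
import os
import stat
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 2, big-endian fields
NT_PRINCIPAL = 1
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _octets(data):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_octets(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples into keytab bytes.

    Only used to construct the in-memory sample below; on a client you parse the
    file that ipa-getkeytab wrote and scp copied to /etc/krb5/krb5.keytab.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for c in comps:
            body += _octets(c.encode())
        body += struct.pack(">II", NT_PRINCIPAL, int(time.time()))
        body += struct.pack(">B", kvno & 0xFF)               # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                      # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body           # entry length prefix
    return bytes(out)


def parse_keytab(blob):
    """Return one dict per live entry; key material is measured, never returned."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (magic %r)" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                    # negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_octets(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(blob, pos)
            comps.append(c.decode())
        _name_type, ts = struct.unpack_from(">II", blob, pos)
        pos += 8
        vno = blob[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen
        if end - pos >= 4:               # 32-bit vno present; it overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key_len": klen, "timestamp": ts})
    return entries


def check_host_keytab(blob, fqdn, realm):
    """Problems with a client keytab, judged against /etc/nodename and default_realm."""
    wanted = "host/%s@%s" % (fqdn, realm)
    entries = parse_keytab(blob)
    matches = [e for e in entries if e["principal"] == wanted]
    problems = []
    if not matches:
        problems.append("no key for %s; keytab holds %s" %
                        (wanted, sorted({e["principal"] for e in entries}) or "nothing"))
    if any(e["enctype"] == "arcfour-hmac" for e in matches):
        problems.append("RC4 (arcfour-hmac) key present for %s" % wanted)
    return problems


def check_keytab_file(path, fqdn, realm):
    """Same checks on a real file, plus ownership and mode."""
    st = os.stat(path)
    problems = []
    if st.st_uid != 0:
        problems.append("%s is not owned by root" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s is group/world accessible (mode %o)" % (path, stat.S_IMODE(st.st_mode)))
    with open(path, "rb") as f:
        problems += check_host_keytab(f.read(), fqdn, realm)
    return problems


# Names from the thread; the key bytes are a constructed placeholder, not an IPA-issued key.
FQDN = "ipaclient6-sandbox-atdev-van.ipadomain.net"
REALM = "IPADOMAIN.NET"
SAMPLE = build_keytab([("host/" + FQDN, REALM, 2, 18, bytes(range(32)))])
WRONG_HOST = build_keytab([("host/ipaclient5-sandbox-atdev-van.ipadomain.net", REALM, 1, 18, bytes(32))])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        print("%-4d %-24s %s" % (e["kvno"], e["enctype"], e["principal"]))
    print("sample    :", check_host_keytab(SAMPLE, FQDN, REALM) or "ok")
    print("wrong host:", check_host_keytab(WRONG_HOST, FQDN, REALM))
```

On the client, `check_keytab_file("/etc/krb5/krb5.keytab", open("/etc/nodename").read().strip(), "IPADOMAIN.NET")` is the whole check; an empty list means the principal, realm and file permissions all line up and a remaining login failure is in pam.conf or nsswitch, not in enrollment.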
Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users
Nathan Peters wrote:
> Yes, we are trying to figure out why IPA users are not being handled
> properly however
> given that :
> 1. the method you suggested to troubleshoot my Solaris 10 system, adding
> pam_permit.so to the stack, will never work because Solaris does not
> include pam_permit.so.
> so therefore
> 2. I had to come up with some different way to troubleshoot how or why
> FreeIPA authorization is failing.
> so therefore
> 3. Lacking the module you suggested, I chose an alternative approach :
> put the pam configuration to a default and prove that no logins were broken
> and once the basic pam configuration was proven then I had to :
> 4. I added the freeIPA components (kerberos) until something broke. In
> this case, the ipa users were never able to login, so stating that
> adding kerberos broke the whole pam stack so that not even a regular
> user could login should have been a useful troubleshooting step.
>
> So... perhaps you could answer one of 2 things
> 1. how do I troubleshoot a Solaris system without pam_permit.so?
> and
> 2. why would adding kerberos in the exact way that the manual stated
> break my whole pam stack so that both regular users and freeipa users
> could not login?

We don't have any in-house Solaris (or AIX or HP/ux for that matter) expertise which is why we no longer provide detailed documentation on how to configure non-Linux clients (what you found are really, really old). It's a no-win for us because we can't keep the docs updated, tested, etc. so they atrophy and generally just make people mad. On at least some of the pages there is a big fat warning (e.g. http://www.freeipa.org/page/FreeIPAv1:ConfiguringSolarisClients).

From the Solaris perspective this is just Kerberos authentication. The OS docs should provide the necessary details. This looks like a good place to start: http://docs.oracle.com/cd/E23824_01/html/821-1456/setup-148.html#setup-341 (though it's Solaris 11, not 10).

This is a blog I found on configuring Solaris 10 against an AD server which is a reasonable parallel: http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/

Here is something contributed by another IPA user, again for Solaris 11: https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html

rob
Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users
Yes, we are trying to figure out why IPA users are not being handled properly however given that :

1. the method you suggested to troubleshoot my Solaris 10 system, adding pam_permit.so to the stack, will never work because Solaris does not include pam_permit.so.
so therefore
2. I had to come up with some different way to troubleshoot how or why FreeIPA authorization is failing.
so therefore
3. Lacking the module you suggested, I chose an alternative approach : put the pam configuration to a default and prove that no logins were broken and once the basic pam configuration was proven then I had to :
4. I added the freeIPA components (kerberos) until something broke. In this case, the ipa users were never able to login, so stating that adding kerberos broke the whole pam stack so that not even a regular user could login should have been a useful troubleshooting step.

So... perhaps you could answer one of 2 things
1. how do I troubleshoot a Solaris system without pam_permit.so?
and
2. why would adding kerberos in the exact way that the manual stated break my whole pam stack so that both regular users and freeipa users could not login?

-----Original Message-----
From: Dmitri Pal
Sent: Thursday, February 26, 2015 2:12 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

root is not an ipa managed user so it is purely your pam configuration.
I thought we were trying to figure out why your ipa users are not handled properly.
Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users
> On 02/25/2015 04:37 PM, nat...@nathanpeters.com wrote:
>>> It does not seem to recognize the user in the second attempt but the
>>> first attempt seems to authenticate and then disconnect.
>>> I do not see trace from accounting session but I suspect that your pam
>>> stack does not authorize authenticated user.
>>> Try to allow all authenticated users first. This will prove that it is a
>>> pam stack accounting phase configuration issue.
>>>
>> How do I allow all authenticated users? In the freeIPA domain I have a
>> rule 'allow_all' that allows any user to connect to any system on any
>> service. This is working fine for linux clients.
>>
>> I assume you mean to do it on the Solaris machine? I don't have any users
>> specifically blocked, ie, there is nothing in my sshd_config file that is
>> limiting the users and groups that can login. Eg, I've got no
>> 'AllowUsers' lines or anything like that. I've even got PermitRootLogin
>> set to yes and have tested that root can login.
>>
>
> other account required pam_permit.so
>
> and comment other pam modules in the section:
>
> Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account requisite pam_roles.so.1 debug
> other account required pam_unix_account.so.1 debug
> #other account sufficient pam_ldap.so.1
> other account required pam_krb5.so.1 debug
>

pam_permit does not exist in Solaris 10 so I cannot use that to test.

The only way I could break down where the error is happening is to restore to a completely default pam.conf and add the krb5.so entries 1 at a time.

The first entry was added fine in the login section although I noted that the 'try_first_pass' option also does not exist in Solaris, so not sure why the guide for Solaris is saying to use that:

login auth sufficient pam_krb5.so.1

The following entry is what broke the system :

other auth sufficient pam_krb5.so.1

I placed it in the same place as in the guide (under unix_cred and before unix_auth). So we know it's the auth that's failing, not the account?

Here is how it broke : root can no longer login through ssh. I compared the log entries for logins before and after the auth change and they are identical up to about line 127. I noticed that the login that failed threw a strange krb5 pam_no_module_data error before disconnecting the ssh client.

Here are the 2 logs for reference:

unsuccessful root login
---
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1): /usr/lib/security/pam_authtok_get.so.1 returned Ignore module
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 455340 auth.debug] PAM[494]: pam_get_item(812bf10:user)=root
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 455340 auth.debug] PAM[494]: pam_get_item(812bf10:authtok)=
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 455340 auth.debug] PAM[494]: pam_get_item(812bf10:repository)=NULL
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1): /usr/lib/security/pam_dhkeys.so.1 returned Ignore module
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1): /usr/lib/security/pam_unix_cred.so.1 returned Ignore module
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 455340 auth.debug] PAM[494]: pam_get_item(812bf10:user)=root
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 395087 auth.debug] PAM[494]: pam_get_data(812bf10:SUNW-KRB5-AUTH-DATA)=PAM_NO_MODULE_DATA
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 140038 auth.debug] PAM[494]: pam_set_data(812bf10:SUNW-KRB5-AUTH-DATA:2)=812cc20
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 455340 auth.debug] PAM[494]: pam_get_item(812bf10:repository)=NULL
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 455340 auth.debug] PAM[494]: pam_get_item(812bf10:authtok)=

successful root login
---
Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID 806026 auth.deb
Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users
On 02/25/2015 04:37 PM, nat...@nathanpeters.com wrote:
>> It does not seem to recognize the user in the second attempt but the
>> first attempt seems to authenticate and then disconnect.
>> I do not see trace from accounting session but I suspect that your pam
>> stack does not authorize authenticated user.
>> Try to allow all authenticated users first. This will prove that it is a
>> pam stack accounting phase configuration issue.
>>
> How do I allow all authenticated users? In the freeIPA domain I have a
> rule 'allow_all' that allows any user to connect to any system on any
> service. This is working fine for linux clients.
>
> I assume you mean to do it on the Solaris machine? I don't have any users
> specifically blocked, ie, there is nothing in my sshd_config file that is
> limiting the users and groups that can login. Eg, I've got no
> 'AllowUsers' lines or anything like that. I've even got PermitRootLogin
> set to yes and have tested that root can login.
>

other account required pam_permit.so

and comment other pam modules in the section:

Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1 debug
other account required pam_unix_account.so.1 debug
#other account sufficient pam_ldap.so.1
other account required pam_krb5.so.1 debug

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users
> It does not seem to recognize the user in the second attempt but the
> first attempt seems to authenticate and then disconnect.
> I do not see trace from accounting session but I suspect that your pam
> stack does not authorize authenticated user.
> Try to allow all authenticated users first. This will prove that it is a
> pam stack accounting phase configuration issue.
>

I'm not sure how to enable a trace for an accounting session. Here is what I've done to enable debugging so far :

add the following line to /etc/syslog.conf

*.debug	/var/log/pam_log

svcadm restart system-log
touch /etc/pam_debug
echo "debug_flags=65535" > /etc/pam_debug

I have a little more debugging info now than before, but it still stops at the krb5 line. See below for more detailed log.

Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: Client protocol version 2.0; client software version PuTTY_Release_0.63
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: no match: PuTTY_Release_0.63
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: Local version string SSH-2.0-OpenSSH_6.6
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: permanently_set_uid: 100/65534 [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: kex: client->server aes256-ctr hmac-sha2-256 none [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: kex: server->client aes256-ctr hmac-sha2-256 none [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 25 22:53:02 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: KEX done [preauth]
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: userauth-request for user ipauser1 service ssh-connection method none [preauth]
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: attempt 0 failures 0 [preauth]
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 800047 auth.debug] debug1: PAM: initializing for "ipauser1"
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 489767 auth.debug] PAM[938]: pam_start(sshd,ipauser1,811c170:812b8e0) - debug =
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 984622 auth.debug] PAM[938]: pam_set_item(812b8e0:service)=sshd
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 984622 auth.debug] PAM[938]: pam_set_item(812b8e0:user)=ipauser1
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 984619 auth.debug] PAM[938]: pam_set_item(812b8e0:conv)=8086ff8
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 960046 auth.debug] PAM[938]: pam_get_item(812b8e0:service)=sshd
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 102344 auth.debug] PAM[938]: pam.conf entry:login auth requisite pam_authtok_get.so.1
Feb
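The approach in this message (turn on pam_debug, log auth.debug to a file) combined with what is done earlier in the thread with the root login traces (diff a good login's PAM trace against a failing one) is the right way to localise a Solaris PAM problem; the script below, added here as an example and not part of the thread or of any Solaris or FreeIPA tool, automates that diff. It groups the PAM framework's auth.debug lines by PAM handle (the `PAM[pid]` tag), reduces each handle to the sequence of module returns, pam.conf entries selected and module-data lookups, and reports the first event at which the failing trace departs from the good one, plus which PAM entry points (pam_authenticate, pam_acct_mgmt) the failing one reached at all. The embedded log lines are constructed in the format the thread shows; the `returned Success` wording and the pam_acct_mgmt lines for the completed login are assumptions about what a finished login looks like, not lines from the thread.

```python
import re

# One Solaris syslog line carrying a PAM framework debug message, e.g.
# Feb 26 17:51:57 host sshd[494]: [ID 872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1): /usr/lib/security/pam_unix_cred.so.1 returned Ignore module
PAM_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: "
    r"\[ID \d+ \S+\] PAM\[(?P=pid)\]: (?P<msg>.*)$")
MODULE_RESULT = re.compile(r"^(?P<call>pam_\w+)\([^)]*\): (?P<path>/\S+) returned (?P<rc>.+)$")
PAM_CONF_ENTRY = re.compile(r"^pam\.conf entry:\s*(?P<svc>\S+)\s+(?P<phase>\S+)\s+(?P<ctl>\S+)\s+(?P<mod>\S+)")
MODULE_DATA = re.compile(r"^(?P<call>pam_[gs]et_data)\([0-9a-f]+:(?P<key>[^:)]+)[^)]*\)=(?P<rc>\S+)")


def parse_pam_trace(lines):
    """Group PAM debug events by PAM handle (the PAM[pid] tag), in log order.

    Event tuples: ("result", call, module, rc)     a module returned to the framework
                  ("entry", svc, phase, ctl, mod)  a pam.conf line selected for the service
                  ("data", call, key, rc)          module private data looked up or stored
    sshd's own debug1 lines and pam_get_item chatter are skipped.
    """
    sessions = {}
    for raw in lines:
        m = PAM_LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        r, e, d = MODULE_RESULT.match(msg), PAM_CONF_ENTRY.match(msg), MODULE_DATA.match(msg)
        if r:
            ev = ("result", r.group("call"), r.group("path").rsplit("/", 1)[-1], r.group("rc"))
        elif e:
            ev = ("entry", e.group("svc"), e.group("phase"), e.group("ctl"), e.group("mod"))
        elif d:
            ev = ("data", d.group("call"), d.group("key"), d.group("rc"))
        else:
            continue
        sessions.setdefault(m.group("pid"), []).append(ev)
    return sessions


def phases_reached(events):
    """PAM entry points (pam_authenticate, pam_acct_mgmt, ...) in which a module returned."""
    return sorted({ev[1] for ev in events if ev[0] == "result"})


def first_divergence(good, bad):
    """(index, good_event, bad_event) where the traces stop agreeing; None if identical."""
    for i, (g, b) in enumerate(zip(good, bad)):
        if g != b:
            return i, g, b
    if len(good) != len(bad):
        i = min(len(good), len(bad))
        return i, (good[i] if i < len(good) else None), (bad[i] if i < len(bad) else None)
    return None


def compare_sessions(sessions, good_pid, bad_pid):
    good, bad = sessions[good_pid], sessions[bad_pid]
    return {"good_phases": phases_reached(good), "bad_phases": phases_reached(bad),
            "bad_last_event": bad[-1] if bad else None, "divergence": first_divergence(good, bad)}


# Constructed sample in the thread's format. PID 482 is a login that completed; PID 494 stops
# after pam_krb5 looked up and then stored its handle data; PID 938 shows a pam.conf entry line.
# "returned Success" and the pam_acct_mgmt lines are assumed, not taken from the thread.
SAMPLE_LOG = """\
Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID 806026 auth.debug] PAM[482]: pam_authenticate(812e218, 1): /usr/lib/security/pam_authtok_get.so.1 returned Ignore module
Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID 806026 auth.debug] PAM[482]: pam_authenticate(812e218, 1): /usr/lib/security/pam_dhkeys.so.1 returned Ignore module
Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID 806026 auth.debug] PAM[482]: pam_authenticate(812e218, 1): /usr/lib/security/pam_unix_cred.so.1 returned Ignore module
Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID 806026 auth.debug] PAM[482]: pam_authenticate(812e218, 1): /usr/lib/security/pam_unix_auth.so.1 returned Success
Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID 806026 auth.debug] PAM[482]: pam_acct_mgmt(812e218, 0): /usr/lib/security/pam_roles.so.1 returned Ignore module
Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID 806026 auth.debug] PAM[482]: pam_acct_mgmt(812e218, 0): /usr/lib/security/pam_unix_account.so.1 returned Success
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1): /usr/lib/security/pam_authtok_get.so.1 returned Ignore module
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 455340 auth.debug] PAM[494]: pam_get_item(812bf10:user)=root
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1): /usr/lib/security/pam_dhkeys.so.1 returned Ignore module
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1): /usr/lib/security/pam_unix_cred.so.1 returned Ignore module
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 395087 auth.debug] PAM[494]: pam_get_data(812bf10:SUNW-KRB5-AUTH-DATA)=PAM_NO_MODULE_DATA
Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 140038 auth.debug] PAM[494]: pam_set_data(812bf10:SUNW-KRB5-AUTH-DATA:2)=812cc20
Feb 26 17:51:58 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID 800047 auth.debug] debug1: do_cleanup
Feb 25 22:53:05 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[938]: [ID 102344 auth.debug] PAM[938]: pam.conf entry:login auth requisite pam_authtok_get.so.1
"""

if __name__ == "__main__":
    sessions = parse_pam_trace(SAMPLE_LOG.splitlines())
    for key, value in compare_sessions(sessions, "482", "494").items():
        print("%-15s %s" % (key, value))
```

Against a real /var/log/pam_log, call `parse_pam_trace(open("/var/log/pam_log"))` and pass the sshd pids of one good and one bad attempt to `compare_sessions`. A `pam_get_data` returning PAM_NO_MODULE_DATA immediately followed by `pam_set_data` of the same key is consistent with a module initialising its per-handle state on first entry, so treat that pair as position information rather than as the error; the useful signals are which module the failing trace stops at and whether the account phase was ever entered.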
Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users
> It does not seem to recognize the user in the second attempt but the
> first attempt seems to authenticate and then disconnect.
> I do not see trace from accounting session but I suspect that your pam
> stack does not authorize authenticated user.
> Try to allow all authenticated users first. This will prove that it is a
> pam stack accounting phase configuration issue.
>

How do I allow all authenticated users? In the freeIPA domain I have a rule 'allow_all' that allows any user to connect to any system on any service. This is working fine for linux clients.

I assume you mean to do it on the Solaris machine? I don't have any users specifically blocked, ie, there is nothing in my sshd_config file that is limiting the users and groups that can login. Eg, I've got no 'AllowUsers' lines or anything like that. I've even got PermitRootLogin set to yes and have tested that root can login.
[Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users
I am having trouble logging in with an IPA user on Solaris 10. The machine is able to correctly initialize tickets using kinit. The issue appears to be PAM related. I am using FreeIPA 4.1.3. I have tried to follow the instructions here as best I can: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

Here are my kinit and klist tests:

$ kinit ipauser1
Password for ipaus...@ipadomain.net:
[07:45 PM] ipaclient5-sandbox-atdev-van:/var/log$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ipaus...@ipadomain.net
Valid starting     Expires            Service principal
02/25/15 19:45:10  02/26/15 19:45:10  krbtgt/ipadomain@ipadomain.net
        renew until 03/04/15 19:45:10

Here are the last 2 lines of the output of getent passwd, showing my ipa admin and user:

admin:x:37520:37520:Administrator:/home/admin:/bin/bash
ipauser1:x:37526:37526:ipa user1:/home/ipauser1:/bin/bash

However, this is what happens when I try to login as 'ipauser1'. On the console I am prompted with 'Password:'. I enter the valid password, and suddenly Putty pops up a window 'Server unexpectedly closed network connection'. If I try to login as ipaus...@ipadomain.net it still fails, but in a different way.
The putty window stays open and I get an 'Access denied' message and am prompted for the password again.

Logs with 'ipauser1':

Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.info] Connection from 10.5.5.57 port 57607 on 10.21.19.16 port 22
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: Client protocol version 2.0; client software version PuTTY_Release_0.63
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: no match: PuTTY_Release_0.63
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: Local version string SSH-2.0-OpenSSH_6.6
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: permanently_set_uid: 100/65534 [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: kex: client->server aes256-ctr hmac-sha2-256 none [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: kex: server->client aes256-ctr hmac-sha2-256 none [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID 800047 auth.debug] debug1: server_input_channel_req: channel 0 request win...@putty.projects.tartarus.org reply 1
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID 800047 auth.debug] debug1: session_by_channel: session 0 channel 0
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID 800047 auth.debug] debug1: session_input_channel_req: session 0 req win...@putty.projects.tartarus.org
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: KEX done [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: userauth-request for user ipauser1 service ssh-connection method
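As an added triage helper, not part of this thread: a Python parser for the Solaris syslog sshd lines quoted above. It groups events by sshd child PID and flags sessions that logged a userauth-request but no Accepted/Failed outcome, which matches the symptom in the post (the connection drops right after the password is entered). The sample lines are constructed after the ones quoted; 'method password' on the last one is an assumption, since the post is cut off after 'method'.

```python
import re

# Solaris syslog line as quoted: "Mon DD HH:MM:SS host sshd[PID]: [ID nnn fac.level] [debugN: ]msg"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"\[ID \d+ (?P<fac>[\w.]+)\] (?:debug\d: )?(?P<msg>.*)$"
)

# Milestones of one sshd child, in the order a healthy login passes through them.
MILESTONES = [
    ("connection", re.compile(r"^Connection from (\S+) port \d+")),
    ("kex_done", re.compile(r"^KEX done")),
    ("userauth", re.compile(r"^userauth-request for user (\S+)")),
    ("outcome", re.compile(r"^(Accepted|Failed|Postponed) ")),
]

# Constructed sample after the post's lines; "method password" is assumed (the post is cut off).
SAMPLE = """\
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.info] Connection from 10.5.5.57 port 57607 on 10.21.19.16 port 22
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: KEX done [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID 800047 auth.debug] debug1: session_by_channel: session 0 channel 0
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: userauth-request for user ipauser1 service ssh-connection method password
""".splitlines()

def parse_line(line):
    """Split one syslog line into its fields, or return None for non-sshd lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def session_states(lines):
    """Group lines by sshd PID and record the last milestone each child reached."""
    sessions = {}  # insertion-ordered: first PID seen comes first
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions.setdefault(rec["pid"], {"last": None, "user": None, "peer": None})
        for name, pat in MILESTONES:
            m = pat.match(rec["msg"])
            if m:
                s["last"] = name
                if name == "connection":
                    s["peer"] = m.group(1)
                elif name == "userauth":
                    s["user"] = m.group(1)
    return sessions

def stalled_sessions(lines):
    """PIDs with a userauth-request but no outcome: the child died inside authentication."""
    return [pid for pid, s in session_states(lines).items() if s["last"] == "userauth"]
```

Run it over the full /var/adm/messages excerpt instead of SAMPLE to see which sshd children never reported an authentication result; on a working PAM stack every userauth-request is followed by an Accepted or Failed line.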