Re: [Freeipa-users] Fedora 13 client login problems
Stephen Gallagher wrote:
> On 06/28/2010 12:14 PM, Dan Scott wrote:
>> Hello,
>>
>> I've just installed a new Fedora 13 client and configured it to use
>> FreeIPA. During ipa-client install, I received the following error:
>>
>> nss_ldap is not able to use DNS discovery!
>>
>> However, the /etc/ldap.conf and /etc/krb5.conf appear to be configured
>> correctly. I am unable to login to the machine. Here is an extract from
>> /var/log/secure:
>>
>> Jun 28 12:12:01 pc45 sshd[2263]: Invalid user djscott from 192.168.1.35
>> Jun 28 12:12:01 pc45 sshd[2264]: input_userauth_request: invalid user djscott
>> Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): check pass; user unknown
>> Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc35.example.com
>> Jun 28 12:12:07 pc45 sshd[2263]: pam_succeed_if(sshd:auth): error retrieving information about user djscott
>> Jun 28 12:12:09 pc45 sshd[2263]: Failed password for invalid user djscott from 192.168.1.35 port 50502 ssh2
>>
>> Here is the PAM configuration:
>> [...]
>> Does anyone have any suggestions for why this is not working?
>
> Fedora 13 is using nss-ldapd, not nss_ldap anymore. Probably ipa-client
> needs to be updated to modify /etc/nslcd.conf instead of /etc/ldap.conf.

I have a partial patch pending that should address this in v2. I'll need to
clean things up and get it backported to v1.2 (bug
https://bugzilla.redhat.com/show_bug.cgi?id=611858).

rob

> In the meantime, you might have better luck configuring sssd instead of
> nss-ldap for user lookups.
>
> man sssd.conf
> man sssd-ldap

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Fedora 13 client login problems
On 06/28/2010 12:14 PM, Dan Scott wrote:
> Hello,
>
> I've just installed a new Fedora 13 client and configured it to use
> FreeIPA. During ipa-client install, I received the following error:
>
> nss_ldap is not able to use DNS discovery!
>
> However, the /etc/ldap.conf and /etc/krb5.conf appear to be configured
> correctly. I am unable to login to the machine. Here is an extract from
> /var/log/secure:
>
> Jun 28 12:12:01 pc45 sshd[2263]: Invalid user djscott from 192.168.1.35
> Jun 28 12:12:01 pc45 sshd[2264]: input_userauth_request: invalid user djscott
> Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): check pass; user unknown
> Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc35.example.com
> Jun 28 12:12:07 pc45 sshd[2263]: pam_succeed_if(sshd:auth): error retrieving information about user djscott
> Jun 28 12:12:09 pc45 sshd[2263]: Failed password for invalid user djscott from 192.168.1.35 port 50502 ssh2
>
> Here is the PAM configuration:
> [...]
> Does anyone have any suggestions for why this is not working?

Fedora 13 is using nss-ldapd, not nss_ldap anymore. Probably ipa-client
needs to be updated to modify /etc/nslcd.conf instead of /etc/ldap.conf.

In the meantime, you might have better luck configuring sssd instead of
nss-ldap for user lookups.

man sssd.conf
man sssd-ldap

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
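The reply suggests sssd in place of nss-ldap for user lookups but does not show a configuration. The script below is an added example (not code from the thread, Red Hat or the FreeIPA project) that writes a minimal sssd.conf for a FreeIPA client using the LDAP identity provider and the Kerberos authentication provider, then enables it through authconfig. The server name ipa.example.com, the base DN dc=example,dc=com and the realm EXAMPLE.COM are placeholders, and the option name krb5_server is assumed (older sssd releases spelled it krb5_kdcip; check `man sssd-krb5` on the client). The CA path /etc/ipa/ca.crt is where ipa-client-install installs the IPA CA certificate; TLS is turned on so that identity lookups are not sent in the clear.

```shell
#!/bin/sh
# Added example: switch a Fedora 13 FreeIPA client to sssd for identity and
# authentication. Placeholders: IPA_SERVER, BASE_DN and REALM are assumptions
# for an example.com deployment; override them in the environment.

IPA_SERVER=${IPA_SERVER:-ipa.example.com}
BASE_DN=${BASE_DN:-dc=example,dc=com}
REALM=${REALM:-EXAMPLE.COM}

# write_sssd_conf DEST
# Writes a minimal sssd.conf: LDAP for users/groups, Kerberos for passwords,
# StartTLS verified against the IPA CA. sssd refuses a config file that is
# readable by anyone but root, so create it with a restrictive umask and
# force 0600 afterwards.
write_sssd_conf() {
    dest=$1
    (
        umask 077
        cat > "$dest" <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = ipa

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/ipa]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://$IPA_SERVER
ldap_search_base = $BASE_DN
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
# krb5_server is assumed here; older releases use krb5_kdcip (see man sssd-krb5)
krb5_server = $IPA_SERVER
krb5_realm = $REALM
cache_credentials = true
enumerate = false
EOF
    )
    chmod 0600 "$dest"
}

# enable_sssd
# Points nsswitch.conf and the PAM stacks at sssd (pam_sss.so replaces the
# pam_krb5.so lines in password-auth), then starts the daemon at boot.
enable_sssd() {
    authconfig --enablesssd --enablesssdauth --update
    service sssd start
    chkconfig sssd on
}

# Only touch the system when invoked as:  sh this_script.sh install [user]
if [ "${1:-}" = install ]; then
    write_sssd_conf /etc/sssd/sssd.conf
    enable_sssd
    # NSS should now resolve the IPA account; an empty result means the
    # domain section above is wrong, not the password.
    getent passwd "${2:-djscott}"
fi
```

Run it as root with `install` on the client after ipa-client-install has created /etc/krb5.conf and /etc/ipa/ca.crt; `getent passwd <user>` at the end confirms that lookups now go through sssd before you retry the ssh login.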
[Freeipa-users] Fedora 13 client login problems
Hello,

I've just installed a new Fedora 13 client and configured it to use
FreeIPA. During ipa-client install, I received the following error:

nss_ldap is not able to use DNS discovery!

However, the /etc/ldap.conf and /etc/krb5.conf appear to be configured
correctly. I am unable to login to the machine. Here is an extract from
/var/log/secure:

Jun 28 12:12:01 pc45 sshd[2263]: Invalid user djscott from 192.168.1.35
Jun 28 12:12:01 pc45 sshd[2264]: input_userauth_request: invalid user djscott
Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): check pass; user unknown
Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc35.example.com
Jun 28 12:12:07 pc45 sshd[2263]: pam_succeed_if(sshd:auth): error retrieving information about user djscott
Jun 28 12:12:09 pc45 sshd[2263]: Failed password for invalid user djscott from 192.168.1.35 port 50502 ssh2

Here is the PAM configuration:

[r...@pc45 ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
#session    optional     pam_keyinit.so force revoke
session    include      password-auth

[r...@pc45 ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
[r...@pc45 ~]#

Does anyone have any suggestions for why this is not working?

Thanks,

Dan Scott
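The log above shows the distinguishing pattern for this class of failure: sshd reports "Invalid user" before any password is checked, pam_unix says "user unknown", and pam_succeed_if fails with "error retrieving information about user". All three come from the name-service lookup (getpwnam) failing, so the `requisite` pam_succeed_if line aborts the auth stack and pam_krb5 is never consulted; the "Failed password" line at the end is sshd's normal handling of a nonexistent account, not evidence of a wrong password. The script below is an added example (not code from the thread) that separates "account unknown to NSS" from "known account, authentication failed" in a /var/log/secure excerpt, extracts the passwd sources from nsswitch.conf, and, when run on the client with the `live` argument, checks which lookup daemon and configuration files are actually present (ipa-client wrote /etc/ldap.conf; nslcd reads /etc/nslcd.conf; sssd reads /etc/sssd/sssd.conf). The log and nsswitch.conf excerpts embedded in it are constructed sample data modelled on the post; the user alice is invented.

```shell
#!/bin/sh
# Added example: triage an "Invalid user" ssh failure on a FreeIPA client by
# deciding whether NSS resolved the account at all. Sample inputs below are
# constructed; only the djscott lines mirror the post.

# Constructed /var/log/secure excerpt (alice is an invented, resolvable user).
SAMPLE_LOG='Jun 28 12:12:01 pc45 sshd[2263]: Invalid user djscott from 192.168.1.35
Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): check pass; user unknown
Jun 28 12:12:07 pc45 sshd[2263]: pam_succeed_if(sshd:auth): error retrieving information about user djscott
Jun 28 12:12:09 pc45 sshd[2263]: Failed password for invalid user djscott from 192.168.1.35 port 50502 ssh2
Jun 28 12:15:00 pc45 sshd[2301]: Failed password for alice from 192.168.1.35 port 50510 ssh2'

# Constructed nsswitch.conf excerpt as ipa-client left it (nss_ldap style).
SAMPLE_NSSWITCH='# constructed excerpt
passwd:     files ldap
shadow:     files ldap
group:      files ldap'

# classify_failure USER LOGTEXT
# Prints "nss-lookup" when sshd/PAM could not resolve USER (the password was
# never really checked), "bad-password" when USER resolved but authentication
# failed, or "none" when USER does not appear as a failure at all.
classify_failure() {
    user=$1
    log=$2
    if printf '%s\n' "$log" | grep -Eq "Invalid user $user from|error retrieving information about user $user\$"; then
        echo nss-lookup
    elif printf '%s\n' "$log" | grep -Eq "Failed password for $user from"; then
        echo bad-password
    else
        echo none
    fi
}

# nss_passwd_sources NSSWITCHTEXT
# Prints the databases configured for passwd lookups, e.g. "files ldap"
# (nss_ldap or nss-ldapd/nslcd) or "files sss" (sssd).
nss_passwd_sources() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*passwd:[[:space:]]*//p' | head -n 1
}

# live_check USER
# Runs on the client itself: which daemon answers lookups, which config files
# exist, and whether getent resolves USER. Not used by the offline sample run.
live_check() {
    user=$1
    echo "passwd sources: $(nss_passwd_sources "$(cat /etc/nsswitch.conf)")"
    for d in nslcd sssd; do
        if pgrep -x "$d" >/dev/null 2>&1; then echo "$d running"; else echo "$d not running"; fi
    done
    # ipa-client wrote /etc/ldap.conf; nslcd only reads /etc/nslcd.conf.
    for f in /etc/ldap.conf /etc/nslcd.conf /etc/sssd/sssd.conf; do
        if [ -e "$f" ]; then echo "present: $f"; else echo "absent:  $f"; fi
    done
    if getent passwd "$user" >/dev/null; then
        echo "getent resolves $user: NSS is fine, look at PAM/Kerberos next"
    else
        echo "getent cannot resolve $user: fix the NSS backend before touching PAM"
    fi
}

if [ "${1:-}" = live ]; then
    live_check "${2:-djscott}"
else
    echo "passwd sources: $(nss_passwd_sources "$SAMPLE_NSSWITCH")"
    for u in djscott alice; do
        echo "$u: $(classify_failure "$u" "$SAMPLE_LOG")"
    done
fi
```

Run `sh triage.sh live djscott` as root on the affected client; if getent cannot resolve the account while nsswitch.conf lists ldap and no nslcd process is running, the daemon that would read /etc/nslcd.conf is simply not there, which matches the diagnosis given in the replies.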