Re: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers
> i.e. they both contain both sss and ldap, with sss first. The client was
> installed with the script generated by running "ipa-advise
> config-redhat-sssd-before-1-9" on the server. This script contains:
>
> # Use the authconfig to configure nsswitch.conf and the PAM stack
> authconfig --updateall --enablesssd --enablesssdauth
>
> and it also updates the /etc/sssd/sssd.conf file: So why would the client
> not be using sssd?

I figured out where the problem was, and it was operator error. I had written
a script to install the client, and the script was running the output of
ipa-advise before running ipa-client-install. Oops. I switched the order of
those two lines, and now sssd is working correctly, and the client is failing
over to alternate servers.

Thanks for the help.

David Guertin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers
On 04/09/2015 11:19 AM, Guertin, David S. wrote:
>> If that works it means that you are not using SSSD on RHEL5 clients.
>> Please check your nsswitch and pam.conf to see what modules are actually
>> used.
>
> Hmm. /etc/nsswitch.conf contains:
>
> --
> passwd: files sss ldap
> shadow: files sss ldap
> group:  files sss ldap
> --
>
> And /etc/pam.d/system-auth contains:
>
> --
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> session     optional      pam_ldap.so
> --
>
> i.e. they both contain both sss and ldap, with sss first. The client was
> installed with the script generated by running "ipa-advise
> config-redhat-sssd-before-1-9" on the server. This script contains:
>
> # Use the authconfig to configure nsswitch.conf and the PAM stack
> authconfig --updateall --enablesssd --enablesssdauth
>
> and it also updates the /etc/sssd/sssd.conf file: So why would the client
> not be using sssd?

This only means that pam_sss/nss_sss fails and LDAP takes over and works.
You need to look at the sssd logs to see why it fails. It probably does not
find the right servers and falls through to LDAP.

>> Which RHEL5 versions do you use?
>> If memory does not fail me, if you have SSSD 1.5 (I think it was starting
>> 5.8) you should be able to use ipa-client-install to configure sssd and
>> pass the list of the servers in the --server option.
>
> Most of them are RHEL 5.11 with sssd 1.5.1.
>
> I'll try reinstalling and passing the list of servers with the --server
> option.
>
> David Guertin

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers
> If that works it means that you are not using SSSD on RHEL5 clients.
> Please check your nsswitch and pam.conf to see what modules are actually
> used.

Hmm. /etc/nsswitch.conf contains:

--
passwd: files sss ldap
shadow: files sss ldap
group:  files sss ldap
--

And /etc/pam.d/system-auth contains:

--
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_ldap.so
--

i.e. they both contain both sss and ldap, with sss first. The client was
installed with the script generated by running "ipa-advise
config-redhat-sssd-before-1-9" on the server. This script contains:

# Use the authconfig to configure nsswitch.conf and the PAM stack
authconfig --updateall --enablesssd --enablesssdauth

and it also updates the /etc/sssd/sssd.conf file: So why would the client
not be using sssd?

> Which RHEL5 versions do you use?
> If memory does not fail me, if you have SSSD 1.5 (I think it was starting
> 5.8) you should be able to use ipa-client-install to configure sssd and
> pass the list of the servers in the --server option.

Most of them are RHEL 5.11 with sssd 1.5.1.

I'll try reinstalling and passing the list of servers with the --server
option.

David Guertin
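As an added example (not from this thread or from any FreeIPA/SSSD tool), a small Python check of the three files the message above discusses: it parses constructed copies of nsswitch.conf, system-auth and sssd.conf modelled on the RHEL 5 client, reports whether sss is consulted before ldap, and lists the servers sssd is configured with (_srv_ meaning DNS SRV discovery). It reads static configuration only, so a pam_sss that fails at runtime and silently falls through to pam_ldap, which is the situation Dmitri points at the sssd logs for, is not something it can detect.

```python
# Constructed sample files modelled on the RHEL 5 client in this thread (not captured from a real host)
NSSWITCH = """passwd: files sss ldap
"""
SYSTEM_AUTH = """auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     sufficient pam_sss.so use_first_pass
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
"""
SSSD_CONF = """[domain/ipa.middlebury.edu]
ipa_server = _srv_, server1.ipa.middlebury.edu
"""

def nss_order(text, db="passwd"):
    # Sources for one nsswitch database in lookup order, e.g. ['files', 'sss', 'ldap']
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(db + ":"):
            return line.split(":", 1)[1].split()
    return []

def pam_modules(text, facility="auth"):
    # Module names in the order PAM tries them for one facility (auth, account, ...)
    mods = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != facility:
            continue
        i = 1
        if parts[1].startswith("["):  # a bracketed control value spans several tokens
            while not parts[i].endswith("]"):
                i += 1
        mods.append(parts[i + 1])
    return mods

def sssd_servers(text, key="ipa_server"):
    # Server list for ipa_server / ldap_uri in sssd.conf; _srv_ means DNS SRV discovery
    for line in text.splitlines():
        k, _, v = line.partition("=")
        if k.strip() == key:
            return [s.strip() for s in v.split(",") if s.strip()]
    return []

def sss_before_ldap(sources):
    # True when sss is consulted and precedes ldap, so LDAP is only a fallback, never the primary
    names = [s.replace("pam_", "").replace(".so", "") for s in sources]
    return "sss" in names and ("ldap" not in names or names.index("sss") < names.index("ldap"))
```

Run it against the real /etc files by replacing the constructed strings with their contents; a client where sss is first everywhere but logins still fail when one server is down is the case where only the sssd logs will explain the fall-through.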
Re: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers
On 04/08/2015 04:04 PM, Guertin, David S. wrote:
> I have a mixed environment of RHEL 5 and RHEL 6 clients, and three RHEL 7
> IPA servers (one master and two duplicates). I'm trying to ensure that if
> one server goes down, the remaining server(s) will still allow logins.
>
> With the RHEL 6 clients this is easy -- the line
>
> ipa_server = _srv_, server1.ipa.middlebury.edu
>
> in /etc/sssd/sssd.conf does this with the _srv_ entry, and everything is
> fine.
>
> But with the RHEL 5 clients, this doesn't work. If server 1 goes down,
> logins fail. Since RHEL 5 is using LDAP, I figured it was probably in the
> ldap_uri line in the sssd.conf file. I discovered that I could add
> multiple servers, which I did:
>
> ldap_uri = ldap://server1.ipa.middlebury.edu, ldap://server2.ipa.middlebury.edu, ldap://server3.ipa.middlebury.edu
>
> But this still failed. However, if I do something similar in /etc/ldap.conf:
>
> uri ldap://server1.ipa.middlebury.edu ldap://server2.ipa.middlebury.edu ldap://server3.ipa.middlebury.edu
>
> then logins work. In fact, I don't even need the change in sssd.conf. I
> can put that back the way it was, and logins still work. It's only the
> line in /etc/ldap.conf that seems to be necessary.

If that works it means that you are not using SSSD on RHEL5 clients.
Please check your nsswitch and pam.conf to see what modules are actually
used.

Which RHEL5 versions do you use?
If memory does not fail me, if you have SSSD 1.5 (I think it was starting
5.8) you should be able to use ipa-client-install to configure sssd and
pass the list of the servers in the --server option.

> So, I have two questions:
>
> 1. Am I understanding this correctly?
>
> 2. If so, is there a way to automate this so that when I run
> ipa-client-install on my RHEL 5 clients, they get the correct LDAP
> settings from the beginning, and I don't have to go and manually edit the
> ldap.conf file?
>
> David Guertin

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers
Guertin, David S. wrote:
> I have a mixed environment of RHEL 5 and RHEL 6 clients, and three RHEL 7
> IPA servers (one master and two duplicates). I'm trying to ensure that if
> one server goes down, the remaining server(s) will still allow logins.
>
> With the RHEL 6 clients this is easy -- the line
>
> ipa_server = _srv_, server1.ipa.middlebury.edu
>
> in /etc/sssd/sssd.conf does this with the _srv_ entry, and everything is
> fine.
>
> But with the RHEL 5 clients, this doesn't work. If server 1 goes down,
> logins fail. Since RHEL 5 is using LDAP, I figured it was probably in the
> ldap_uri line in the sssd.conf file. I discovered that I could add
> multiple servers, which I did:
>
> ldap_uri = ldap://server1.ipa.middlebury.edu, ldap://server2.ipa.middlebury.edu, ldap://server3.ipa.middlebury.edu
>
> But this still failed. However, if I do something similar in /etc/ldap.conf:
>
> uri ldap://server1.ipa.middlebury.edu ldap://server2.ipa.middlebury.edu ldap://server3.ipa.middlebury.edu
>
> then logins work. In fact, I don't even need the change in sssd.conf. I
> can put that back the way it was, and logins still work. It's only the
> line in /etc/ldap.conf that seems to be necessary.
>
> So, I have two questions:
>
> 1. Am I understanding this correctly?
>
> 2. If so, is there a way to automate this so that when I run
> ipa-client-install on my RHEL 5 clients, they get the correct LDAP
> settings from the beginning, and I don't have to go and manually edit the
> ldap.conf file?

I think the SSSD guys are going to want to see your full sssd.conf. An
ipaclient-install.log for one of these clients might be handy too so we can
discern how you are configuring the client.

rob