Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

2013-04-05 Thread Joseph, Matthew (EXP)
Hey Rob,

The passwd section of nsswitch.conf is the following;

Passwd: files nis

Matt

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Thursday, April 04, 2013 3:05 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
 Hello,

 I'm having issues with trying to log in to our NIS clients that are 
 looking at IPA as a NIS Server.

 The NIS Client can view all of the usernames when I do a ypcat passwd 
 but when I try to log in with a user account it will not accept the 
 password. I've even tried setting it as simple as Password123 and 
 still nothing.

 I don't see anything NIS related in the error logs on the IPA server.

 Can someone point me in the right direction for this?

What does your nsswitch.conf look like?

Note that IPA does not provide the shadow map (because it sends hashes in the 
clear).

rob


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

2013-04-05 Thread Joseph, Matthew (EXP)
My old NIS server we used shadow passwords.
When I migrated my passwd nis file to IPA I'm assuming it also imported the 
part of the file that contains the x to point it towards a shadow file.

Would I need to remove the x from the nis passwd file and re-migrate it to 
IPA?
Is there a better way to get around this?

Matt



Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

2013-04-05 Thread Joseph, Matthew (EXP)
It looks like I missed a step in setting up my IPA server for NIS compatibility.

[root@server ~]# ldapmodify -D cn=directory server -w secret -p 389 -h ipaserver.example.com

dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: crypt

When I try to run that command I get the following error;
Ldap_bind: No Such Object (32)

I can manually add that to the dse.ldif right? If so where would it go?

Thanks,

Matt




Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

2013-04-05 Thread Rob Crittenden

Joseph, Matthew (EXP) wrote:

My old NIS server we used shadow passwords.
When I migrated my passwd nis file to IPA I'm assuming it also imported the 
part of the file that contains the x to point it towards a shadow file.

Would I need to remove the x from the nis passwd file and re-migrate it to 
IPA?
Is there a better way to get around this?


This is why I asked what nsswitch.conf looked like. IPA does not provide 
the shadow map, so no passwords at all are available.


It is possible to add a shadow map, but it is unsecure and one of the 
primary reasons people don't use NIS much any more.


What kind of client are you configuring, and do you need it to be pure NIS?

rob





Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

2013-04-05 Thread Joseph, Matthew (EXP)
Hey Rob,

The NIS Clients that I am adding are Solaris 2.7, and Solaris 8. So I believe 
looking at the IPA document they would need to be Solaris 9 or above for it to 
communicate with IPA natively using LDAP.
These Servers aren't going to be around much longer (Probably another year at 
the most) so I am just looking for the quickest way possible to get them to 
communicate with IPA.

What do you think the best course of action would be for my situation?

Matt



Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

2013-04-05 Thread Rob Crittenden

Joseph, Matthew (EXP) wrote:

Hey Rob,

The NIS Clients that I am adding are Solaris 2.7, and Solaris 8. So I believe 
looking at the IPA document they would need to be Solaris 9 or above for it to 
communicate with IPA natively using LDAP.
These Servers aren't going to be around much longer (Probably another year at 
the most) so I am just looking for the quickest way possible to get them to 
communicate with IPA.

What do you think the best course of action would be for my situation?


You have two choices.

You can try the instructions at 
http://freeipa.org/page/ConfiguringUnixClients to configure LDAP for 
authentication. We haven't tested this for many moons but it should 
still work.


Or you can proceed and try to use crypt passwords which will be sent in 
the passwd entry. The LDIF you provided should have worked fine, I'm not 
sure why it didn't, particularly the error it returned. If you do it on 
the IPA server you should just need:


ldapmodify -x -D 'cn=directory manager' -W
dn: ...

As for migrating existing passwords, you need to enable migration mode 
(ipa config-mod --enable-migration=true) and set the password when the 
user is added.


ipa user-add --first=Rob --last=Crittenden rcritten --setattr userPassword='{CRYPT}hash'


ypcat passwd should confirm that the password is visible. We don't 
recommend this.


rob
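
Added example (not from the thread or the FreeIPA project): a Python check that reads `ypcat passwd` output and reports which accounts carry a hash in the passwd map, the exposure Rob describes when crypt passwords are sent in the passwd entry. The function names, the placeholder list and the sample map lines (including the hash strings) are constructed for illustration.

```python
import re
import sys
from typing import List, NamedTuple

# Values that mean "no hash stored in this field" (shadowed, locked, or empty).
PLACEHOLDERS = {"", "x", "*", "!", "!!", "*LK*", "NP"}

# Modular-crypt identifiers ($id$salt$hash) mapped to scheme names.
MCF_SCHEMES = {
    "1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256-crypt", "6": "sha512-crypt",
}

# Traditional DES crypt: 2 salt characters followed by 11 hash characters.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")


class Finding(NamedTuple):
    user: str
    scheme: str
    exposed: bool


def classify(field: str) -> str:
    """Name the kind of value found in the password field of a passwd entry."""
    if field in PLACEHOLDERS:
        return "placeholder"
    if field.startswith("$"):
        return MCF_SCHEMES.get(field.split("$")[1], "unknown-mcf")
    if DES_CRYPT.fullmatch(field):
        return "des-crypt"
    return "unrecognized"


def audit_passwd_map(text: str) -> List[Finding]:
    """Parse passwd-style lines; mark entries whose password field is not a placeholder."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # not a 7-field passwd record
        scheme = classify(fields[1])
        findings.append(Finding(fields[0], scheme, scheme != "placeholder"))
    return findings


# Constructed sample map; the hash strings are fillers, not real hashes.
SAMPLE_MAP = "\n".join([
    "alice:x:1001:1001:Alice Example:/home/alice:/bin/sh",
    "bob:ABCDEFGHIJKLM:1002:1002:Bob Example:/home/bob:/bin/sh",
    "carol:$6$constructedsalt$" + "A" * 86
    + ":1003:1003:Carol Example:/home/carol:/bin/sh",
    "dave:*LK*:1004:1004:Dave Example:/home/dave:/bin/sh",
])

if __name__ == "__main__":
    # Pipe `ypcat passwd` into the script, or run it bare to use the sample.
    data = SAMPLE_MAP if sys.stdin.isatty() else sys.stdin.read()
    for f in audit_passwd_map(data):
        if f.exposed:
            print(f"{f.user}: {f.scheme} value readable in the passwd map")
```
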





Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

2013-04-05 Thread Joseph, Matthew (EXP)
Hey Rob,

I was able to get NIS passwords working.
I had a space at the end of dn: cn=config (stupid me).

Thanks for the help!

Matt


Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

2013-04-05 Thread Joseph, Matthew (EXP)
Hey Rob,

I modified the command but now I am getting the following;
Ldapmodify: wrong attributeType at line 4, entry cn=config

Looking at the command I don't see any entry in my dse.ldif for 
passwordStorageScheme.
I'm assuming it should be a changetype: add instead of modify.
But it's not complaining about that. It can't seem to find the dn: cn=config 
which is weird since I see it in the file.

Matt
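
Added example (not from the thread): a small Python lint for an LDIF change record, covering the trailing space Matt found after `dn: cn=config`, plus a check that each value line under `changetype: modify` names the attribute given on the preceding `add:`/`delete:`/`replace:` line. The function name and the three sample records are constructed for illustration, and the lint does not replace ldapmodify's own parser.

```python
MOD_OPS = {"add", "delete", "replace"}


def lint_ldif(text):
    """Return a list of (line_number, problem) tuples for LDIF change records."""
    problems = []
    seen_dn = False      # a dn: line has opened the current record
    changetype = None    # value of changetype: in the current record
    pending = None       # attribute named by the current add:/delete:/replace:
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#"):
            continue
        line = raw.rstrip()
        if line != raw:
            # Trailing blanks become part of the DN or value that is sent.
            problems.append((no, "trailing whitespace"))
        if not line:                      # blank line ends the record
            seen_dn, changetype, pending = False, None, None
            continue
        if line.startswith(" "):          # continuation of the previous line
            continue
        if line == "-":                   # end of one modification block
            pending = None
            continue
        name, sep, value = line.partition(":")
        name, value = name.lower(), value.strip()
        if not sep:
            problems.append((no, "no ':' separator"))
        elif name == "version" and not seen_dn:
            pass
        elif name == "dn":
            seen_dn = True
        elif not seen_dn:
            problems.append((no, "line appears before dn:"))
        elif name == "changetype":
            changetype = value.lower()
        elif changetype == "modify" and pending is None:
            if name in MOD_OPS:
                pending = value.lower()
            else:
                problems.append((no, "expected add:, delete: or replace:"))
        elif changetype == "modify" and name != pending:
            problems.append((no, "attribute %r does not match %r" % (name, pending)))
    return problems


# Constructed records based on the LDIF quoted in this thread.
CLEAN = (
    "dn: cn=config\n"
    "changetype: modify\n"
    "replace: passwordStorageScheme\n"
    "passwordStorageScheme: crypt\n"
)
TRAILING_SPACE = CLEAN.replace("dn: cn=config\n", "dn: cn=config \n")
# Deliberately misspelled attribute name on the value line.
MISMATCH = CLEAN.replace("passwordStorageScheme: crypt", "passwordStorageSchema: crypt")

if __name__ == "__main__":
    for label, record in (("clean", CLEAN), ("trailing space", TRAILING_SPACE),
                          ("mismatch", MISMATCH)):
        print(label, lint_ldif(record))
```
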
