[Freeipa-devel] IPAv2 on SL6.2 using NIS fails with "Failed password" error

Joshua Dotson josh at knoesis.org
Fri Mar 9 00:29:10 UTC 2012 

Hi All,

I'm having a problem with my IPA installs; I can't seem to get the NIS mode
to work.  I tried it with and without 'Migration Mode' enabled.

I bind to it and 'getent passwd' and 'getent group' just fine, but when I
type my password (post initial kinit password change) in for ssh, I get
permission denied and the following in my client-side /var/log/secure log:

Mar  8 18:15:07 bastion sshd[18480]: Failed password for bob from
192.168.5.68 port 50788 ssh2
Mar  8 18:15:22 bastion sshd[18480]: Failed password for bob from
192.168.5.68 port 50788 ssh2
Mar  8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68  user=bob
Mar  8 18:46:16 bastion sshd[18556]: Failed password for bob from
192.168.5.68 port 50839 ssh2

On the server, I can find no error on the server side, matching the
timestamp of when I attempt login from a third host to the bastion host
(see below).

Am I mistaken that IPAv2 provides backwards compatible NIS, without
client-side SSSD, KRB5 and the like?  Am I missing a service or something?

Thanks very much!  Please excuse the long email.  Perhaps I'm too eager.
lol  :-)

-Joshua.

========BACKGROUND INFO FOLLOWS=========

Here are the details of my install, which is my fourth IPA install, so far.
 As a side note, however, I've not been able to get the NIS mode working,
yet.


   - 2 nearly identical KVM's to test this. (1 for server and 1 for NIS
   client)
   - x86_64
   - ext4 over LVM over qcow2 over NFSv3
   - using virtio
   - Scientific Linux 6.2 minimal install from GUI of Install DVD
   - all available yum updates applied
   - iptables off
   - ipv4 only
   - added self FQDN to both /etc/hosts files
   - NetworkManager off in favor of network
   - static public IP's
   - Used the following commands to install my IPA server:

# yum -y install \
    ipa-server \
    bind \
    bind-dyndb-ldap

# ipa-server-install \
  -a 'admin_pass_example' \
  --hostname=ipa.example.com \
  -p 'dir_man_password_example' \
  -n exampledom.com \
  -r EXAMPLE.COM \
  --setup-dns \
  --forwarder=192.168.2.10 \
  --forwarder=192.168.1.20


   - After a reboot, logging in with Firefox works well... kinit works well
   after I create an initial user in the UI... Everything is cool..even
   enrolling other machine with the ipa-client-install tool works well.. No
   other changes were made inside the UI
   - Here are the commands I ran on the server outside the UI, per
   instructions (here:
   http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html
   )


[root at ipa ~]# ipa-compat-manage enable
Directory Manager password:

Plugin already Enabled
[root at ipa ~]# rpcinfo
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /var/run/rpcbind.sock  portmapper superuser
    100000    3    local     /var/run/rpcbind.sock  portmapper superuser
[root at ipa ~]# ipa-nis-manage enable
Directory Manager password:

Enabling plugin
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.
[root at ipa ~]# reboot

The system is going down for reboot NOW!


sam at bastion:~$ ssh 192.168.5.25
Last login: Thu Mar  8 17:58:58 2012 from 192.168.5.99
[sam at ipa ~]$ su -
Password:
[root at ipa ~]# rpcinfo
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /var/run/rpcbind.sock  portmapper superuser
    100000    3    local     /var/run/rpcbind.sock  portmapper superuser
    100004    2    udp6      ::.2.84                ypserv     superuser
    100004    2    udp       0.0.0.0.2.84           ypserv     superuser
    100004    2    tcp6      ::.2.84                ypserv     superuser
    100004    2    tcp       0.0.0.0.2.84           ypserv     superuser
[root at ipa ~]#


   - Here is chkconfig for the server (iptables/ip6tables are disabled by
   the service command when debugging)

 chkconfig --list|grep ':on'
atd             0:off 1:off 2:off 3:on 4:on 5:on 6:off
auditd         0:off 1:off 2:on 3:on 4:on 5:on 6:off
certmonger     0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond           0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables       0:off 1:off 2:on 3:on 4:on 5:on 6:off
ipa             0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables       0:off 1:off 2:on 3:on 4:on 5:on 6:off
lvm2-monitor   0:off 1:on 2:on 3:on 4:on 5:on 6:off
messagebus     0:off 1:off 2:on 3:on 4:on 5:on 6:off
network         0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
portreserve     0:off 1:off 2:on 3:on 4:on 5:on 6:off
qpidd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcbind         0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog         0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
sssd           0:off 1:off 2:off 3:on 4:on 5:on 6:off
udev-post       0:off 1:on 2:on 3:on 4:on 5:on 6:off




   - On the client, it's the same OS... SL6.2 x86_64, no firewall, minimal
   install, ipv4 only
   - I used authconfig to setup NIS, and am able to 'getent passwd' on the
   directory.

# authconfig --enablenis --nisdomain=knoesis.org --nisserver=192.168.5.82
--enablemkhomedir  --update

   - resolv.conf points to the IPA address for dns
   - client is same domain on the same 24-bit subnet
   - here are the packages I installed for NIS:

Mar 08 16:05:19 Installed: libgssglue-0.1-11.el6.x86_64
Mar 08 16:05:19 Installed: libtirpc-0.2.1-5.el6.x86_64
Mar 08 16:05:19 Installed: rpcbind-0.2.0-8.el6.x86_64
Mar 08 16:05:56 Installed: 3:ypbind-1.20.4-29.el6.x86_64
Mar 08 16:05:56 Installed: yp-tools-2.9-12.el6.x86_64


   - Here is chkconfig on the client:

chkconfig --list|grep ':on'  (iptables/ip6tables are disabled by the
service command when debugging)
auditd         0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond           0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables       0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables       0:off 1:off 2:on 3:on 4:on 5:on 6:off
lvm2-monitor   0:off 1:on 2:on 3:on 4:on 5:on 6:off
messagebus     0:off 1:off 2:on 3:on 4:on 5:on 6:off
network         0:off 1:off 2:on 3:on 4:on 5:on 6:off
qpidd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcbind         0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog         0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
udev-post       0:off 1:on 2:on 3:on 4:on 5:on 6:off
ypbind         0:off 1:off 2:on 3:on 4:on 5:on 6:off


   - /etc/yp.conf (client) (I tried it with the server domain syntax, as
   well)

ypserver 192.168.6.82
#domain example.com server 192.168.6.82


   - rpcinfo (client)

   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /var/run/rpcbind.sock  portmapper superuser
    100000    3    local     /var/run/rpcbind.sock  portmapper superuser
    100007    2    udp       0.0.0.0.3.46           ypbind     superuser
    100007    1    udp       0.0.0.0.3.46           ypbind     superuser
    100007    2    tcp       0.0.0.0.3.49           ypbind     superuser
    100007    1    tcp       0.0.0.0.3.49           ypbind     superuser

-- 
Joshua M. Dotson
Systems Administrator
Kno.e.sis Center
Wright State University - Dayton, OH
josh at knoesis.org
937-350-1563
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120308/f63089e2/attachment.htm>

More information about the Freeipa-devel mailing list