[Freeipa-devel] IPAv2 on SL6.2 using NIS fails with "Failed password" error
Joshua Dotson
josh at knoesis.org
Fri Mar 9 00:29:10 UTC 2012
Hi All,
I'm having a problem with my IPA installs; I can't seem to get the NIS mode
to work. I tried it with and without 'Migration Mode' enabled.
I bind to it, and 'getent passwd' and 'getent group' work just fine, but when I
type my password (post initial kinit password change) in for ssh, I get
permission denied and the following in my client-side /var/log/secure log:
Mar 8 18:15:07 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar 8 18:15:22 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar 8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68 user=bob
Mar 8 18:46:16 bastion sshd[18556]: Failed password for bob from 192.168.5.68 port 50839 ssh2
On the server, I can find no error matching the timestamp of when I attempt
login from a third host to the bastion host (see below).
Am I mistaken that IPAv2 provides backwards compatible NIS, without
client-side SSSD, KRB5 and the like? Am I missing a service or something?
Thanks very much! Please excuse the long email. Perhaps I'm too eager.
lol :-)
-Joshua.
========BACKGROUND INFO FOLLOWS=========
Here are the details of my install, which is my fourth IPA install, so far.
As a side note, however, I've not been able to get the NIS mode working,
yet.
- 2 nearly identical KVMs to test this. (1 for server and 1 for NIS
client)
- x86_64
- ext4 over LVM over qcow2 over NFSv3
- using virtio
- Scientific Linux 6.2 minimal install from GUI of Install DVD
- all available yum updates applied
- iptables off
- ipv4 only
- added self FQDN to both /etc/hosts files
- NetworkManager off in favor of network
- static public IPs
- Used the following commands to install my IPA server:
# yum -y install \
ipa-server \
bind \
bind-dyndb-ldap
# ipa-server-install \
-a 'admin_pass_example' \
--hostname=ipa.example.com \
-p 'dir_man_password_example' \
-n exampledom.com \
-r EXAMPLE.COM \
--setup-dns \
--forwarder=192.168.2.10 \
--forwarder=192.168.1.20
- After a reboot, logging in with Firefox works well... kinit works well
after I create an initial user in the UI... Everything is cool... even
enrolling another machine with the ipa-client-install tool works well... No
other changes were made inside the UI
- Here are the commands I ran on the server outside the UI, per
instructions (here:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html
)
[root@ipa ~]# ipa-compat-manage enable
Directory Manager password:
Plugin already Enabled
[root@ipa ~]# rpcinfo
program version netid address service owner
100000 4 tcp6 ::.0.111 portmapper superuser
100000 3 tcp6 ::.0.111 portmapper superuser
100000 4 udp6 ::.0.111 portmapper superuser
100000 3 udp6 ::.0.111 portmapper superuser
100000 4 tcp 0.0.0.0.0.111 portmapper superuser
100000 3 tcp 0.0.0.0.0.111 portmapper superuser
100000 2 tcp 0.0.0.0.0.111 portmapper superuser
100000 4 udp 0.0.0.0.0.111 portmapper superuser
100000 3 udp 0.0.0.0.0.111 portmapper superuser
100000 2 udp 0.0.0.0.0.111 portmapper superuser
100000 4 local /var/run/rpcbind.sock portmapper superuser
100000 3 local /var/run/rpcbind.sock portmapper superuser
[root@ipa ~]# ipa-nis-manage enable
Directory Manager password:
Enabling plugin
Restarting IPA to initialize updates before performing deletes:
[1/2]: stopping directory server
[2/2]: starting directory server
done configuring dirsrv.
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.
[root@ipa ~]# reboot
The system is going down for reboot NOW!
sam@bastion:~$ ssh 192.168.5.25
Last login: Thu Mar 8 17:58:58 2012 from 192.168.5.99
[sam@ipa ~]$ su -
Password:
[root@ipa ~]# rpcinfo
program version netid address service owner
100000 4 tcp6 ::.0.111 portmapper superuser
100000 3 tcp6 ::.0.111 portmapper superuser
100000 4 udp6 ::.0.111 portmapper superuser
100000 3 udp6 ::.0.111 portmapper superuser
100000 4 tcp 0.0.0.0.0.111 portmapper superuser
100000 3 tcp 0.0.0.0.0.111 portmapper superuser
100000 2 tcp 0.0.0.0.0.111 portmapper superuser
100000 4 udp 0.0.0.0.0.111 portmapper superuser
100000 3 udp 0.0.0.0.0.111 portmapper superuser
100000 2 udp 0.0.0.0.0.111 portmapper superuser
100000 4 local /var/run/rpcbind.sock portmapper superuser
100000 3 local /var/run/rpcbind.sock portmapper superuser
100004 2 udp6 ::.2.84 ypserv superuser
100004 2 udp 0.0.0.0.2.84 ypserv superuser
100004 2 tcp6 ::.2.84 ypserv superuser
100004 2 tcp 0.0.0.0.2.84 ypserv superuser
[root@ipa ~]#
- Here is chkconfig for the server (iptables/ip6tables are disabled by
the service command when debugging)
chkconfig --list|grep ':on'
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
certmonger 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ipa 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portreserve 0:off 1:off 2:on 3:on 4:on 5:on 6:off
qpidd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off
- On the client, it's the same OS... SL6.2 x86_64, no firewall, minimal
install, ipv4 only
- I used authconfig to set up NIS, and am able to 'getent passwd' on the
directory.
# authconfig --enablenis --nisdomain=knoesis.org --nisserver=192.168.5.82 --enablemkhomedir --update
- resolv.conf points to the IPA address for dns
- client is same domain on the same 24-bit subnet
- here are the packages I installed for NIS:
Mar 08 16:05:19 Installed: libgssglue-0.1-11.el6.x86_64
Mar 08 16:05:19 Installed: libtirpc-0.2.1-5.el6.x86_64
Mar 08 16:05:19 Installed: rpcbind-0.2.0-8.el6.x86_64
Mar 08 16:05:56 Installed: 3:ypbind-1.20.4-29.el6.x86_64
Mar 08 16:05:56 Installed: yp-tools-2.9-12.el6.x86_64
- Here is chkconfig on the client (iptables/ip6tables are disabled by the
service command when debugging):
chkconfig --list|grep ':on'
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
qpidd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off
ypbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
- /etc/yp.conf (client) (I tried it with the server domain syntax, as
well)
ypserver 192.168.6.82
#domain example.com server 192.168.6.82
- rpcinfo (client)
program version netid address service owner
100000 4 tcp6 ::.0.111 portmapper superuser
100000 3 tcp6 ::.0.111 portmapper superuser
100000 4 udp6 ::.0.111 portmapper superuser
100000 3 udp6 ::.0.111 portmapper superuser
100000 4 tcp 0.0.0.0.0.111 portmapper superuser
100000 3 tcp 0.0.0.0.0.111 portmapper superuser
100000 2 tcp 0.0.0.0.0.111 portmapper superuser
100000 4 udp 0.0.0.0.0.111 portmapper superuser
100000 3 udp 0.0.0.0.0.111 portmapper superuser
100000 2 udp 0.0.0.0.0.111 portmapper superuser
100000 4 local /var/run/rpcbind.sock portmapper superuser
100000 3 local /var/run/rpcbind.sock portmapper superuser
100007 2 udp 0.0.0.0.3.46 ypbind superuser
100007 1 udp 0.0.0.0.3.46 ypbind superuser
100007 2 tcp 0.0.0.0.3.49 ypbind superuser
100007 1 tcp 0.0.0.0.3.49 ypbind superuser
--
Joshua M. Dotson
Systems Administrator
Kno.e.sis Center
Wright State University - Dayton, OH
josh at knoesis.org
937-350-1563
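For a failure like the one reported above, the two things to inspect are the client-side /var/log/secure lines and the password field of the NIS passwd map. The following Python is an added example, not code from the mail or from FreeIPA: it parses the two sshd failure formats quoted in the mail, reports which PAM module rejected the password, and lists NIS passwd entries that carry no crypt hash (the log sample is a constructed copy of the mail's lines; the ypcat passwd output and its users alice, bob and carol are constructed).

```python
import re
from collections import Counter
# Constructed copy of the /var/log/secure lines quoted in the mail (not from a live host).
SECURE_LOG = """\
Mar 8 18:15:07 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar 8 18:15:22 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar 8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68 user=bob
Mar 8 18:46:16 bastion sshd[18556]: Failed password for bob from 192.168.5.68 port 50839 ssh2
"""
# Constructed 'ypcat passwd' output, hypothetical users: alice has a crypt hash, bob and carol do not.
YPCAT_PASSWD = """\
alice:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmno:1001:1001:Alice:/home/alice:/bin/bash
bob:*:1002:1002:Bob:/home/bob:/bin/bash
carol::1003:1003:Carol:/home/carol:/bin/sh
"""
SYSLOG_PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: "
SSHD_FAIL = re.compile(SYSLOG_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+) port \d+")
PAM_FAIL = re.compile(SYSLOG_PREFIX + r"(?P<module>pam_\w+)\(sshd:auth\): authentication failure;.*rhost=(?P<rhost>\S*) user=(?P<user>\S+)")

def parse_secure_log(text):
    """One dict per failure line: source ('sshd' or the PAM module name), pid, user, rhost."""
    events = []
    for line in text.splitlines():
        m = SSHD_FAIL.match(line)
        if m:
            events.append({"source": "sshd", "pid": m["pid"], "user": m["user"], "rhost": m["rhost"]})
            continue
        m = PAM_FAIL.match(line)
        if m:
            events.append({"source": m["module"], "pid": m["pid"], "user": m["user"], "rhost": m["rhost"]})
    return events

def failed_logins_by_user_host(events):
    """Count sshd 'Failed password' lines per (user, rhost): the input to an alert threshold."""
    return Counter((e["user"], e["rhost"]) for e in events if e["source"] == "sshd")

def pam_modules_reporting(events):
    """PAM modules that rejected the password; only pam_unix means the client compared
    it with the hash field of the passwd data it was handed (here, the NIS map)."""
    return sorted({e["source"] for e in events if e["source"].startswith("pam_")})

def nis_users_without_hash(ypcat_passwd):
    """Users whose NIS passwd entry has no crypt hash in field 2 ('*', 'x', '!...' or empty)."""
    # pam_unix cannot verify any password against such an entry, whatever the user types.
    missing = []
    for line in ypcat_passwd.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and (fields[1] in ("", "*", "x") or fields[1].startswith("!")):
            missing.append(fields[0])
    return missing
```

Run `ypcat passwd` on the client and feed its output to nis_users_without_hash to see whether the map the client binds to carries a hash for the user at all.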