[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Freeipa-users] Solaris 11 (OpenIndiana) PAM stack Password Change



Hello All,

I'm in the process of setting up a ZFS file server that authenticates against our freeipa infrastructure. I'm running into a few issues, and ALOT of confusion between discrepancies in the documentation. Specifically between (http://freeipa.com/page/ConfiguringSolarisClients) and (http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html)

userA is a freeipa user

SSH with kerberos ticket already acquired:

CLIENT:~ userA$ ssh server.domain -l userA
Last login: Thu Sep 13 22:43:42 2012 from IP
OpenIndiana (powered by illumos)    SunOS 5.11    oi_151a5    June 2012
-bash-4.0$ passwd
passwd: Changing password for userA
Enter existing login password: 
Unexpected failure. Password file/table unchanged.
-bash-4.0$ su  
Password: 
# passwd userA
Enter userA's password: 
passwd: userA does not exist.
Permission denied
# exit
exit

SSH With password login (notice the LACK of 'passwd: userA does not exist.' as apposed to with kerberos:

CLIENT:~ userA$ ssh server.domain -l userA
Password: 
Last login: Thu Sep 13 22:59:02 2012 from IP
OpenIndiana (powered by illumos)    SunOS 5.11    oi_151a5    June 2012
-bash-4.0$ passwd
passwd: Changing password for userA
Enter existing login password: 
Unexpected failure. Password file/table unchanged.
-bash-4.0$ 


Here is my pam.conf, you can see the comments showing the various configurations. The current one works the "best" in that BOTH "getent passwd" and "getent passwd userA". Some configurations only "getetn passwd userA" would work, and not "getent passwd". No

My aim here is to get password changes working so I can capture smb passwords for SMB/CIFS.

Does any one have a working OpenIndiana and freeIPA setup for SMB shares. If so would you be so kind as to help me with some sample configs?

<PAM CONFIG>
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
#login   auth sufficient         pam_krb5.so.1 try_first_pass
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1 use_first_pass
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# GDM Autologin (explicit because of pam_allow).  These need to be
# here as there is no mechanism for packages to amend pam.conf as
# they are installed.
#
gdm-autologin auth  required    pam_unix_cred.so.1
gdm-autologin auth  sufficient  pam_allow.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
#passwd auth required           pam_passwd_auth.so.1
passwd  auth binding          pam_passwd_auth.so.1 server_policy
passwd  auth required         pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# cups service (explicit because of non-usage of pam_roles.so.1)
#
cups    account required        pam_unix_account.so.1
#
# GDM Autologin (explicit because of pam_allow) This needs to be here
# as there is no mechanism for packages to amend pam.conf as they are
# installed.
#
gdm-autologin account  sufficient  pam_allow.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
#other  account requisite       pam_roles.so.1
#other  account optional        pam_unix_account.so.1
#other   account optional        pam_krb5.so.1 debug
other   account requisite     pam_roles.so.1
other   account binding       pam_unix_account.so.1 server_policy
other   account required      pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1 
other   password required     pam_authtok_store.so.1 server_policy
#other   password sufficient     pam_krb5.so.1
#other  password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

other   password required   pam_smb_passwd.so.1 nowarn
</PAM CONFIG>

Jonathan Mullen
jonathan ou edu



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]