[Freeipa-users] Solaris 11 (OpenIndiana) PAM stack Password Change
Sigbjorn Lie
sigbjorn at nixtra.com
Mon Sep 17 15:23:51 UTC 2012
On 09/14/2012 09:42 PM, Dmitri Pal wrote:
> On 09/14/2012 01:34 AM, Mullen, Jonathan W. wrote:
>> Hello All,
>>
>> I'm in the process of setting up a ZFS file server that authenticates against our freeipa infrastructure. I'm running into a few issues, and A LOT of confusion between discrepancies in the documentation. Specifically between (http://freeipa.com/page/ConfiguringSolarisClients) and (http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html)
> Hope those comments help
>
> https://bugzilla.redhat.com/show_bug.cgi?id=815533
>
> https://bugzilla.redhat.com/show_bug.cgi?id=815515
>
>
>> userA is a freeipa user
>>
>> SSH with kerberos ticket already acquired:
>>
>> CLIENT:~ userA$ ssh server.domain -l userA
>> Last login: Thu Sep 13 22:43:42 2012 from IP
>> OpenIndiana (powered by illumos) SunOS 5.11 oi_151a5 June 2012
>> -bash-4.0$ passwd
>> passwd: Changing password for userA
>> Enter existing login password:
>> Unexpected failure. Password file/table unchanged.
>> -bash-4.0$ su
>> Password:
>> # passwd userA
>> Enter userA's password:
>> passwd: userA does not exist.
>> Permission denied
>> # exit
>> exit
>>
>> SSH with password login (notice the LACK of 'passwd: userA does not exist.' as opposed to with kerberos):
>>
>> CLIENT:~ userA$ ssh server.domain -l userA
>> Password:
>> Last login: Thu Sep 13 22:59:02 2012 from IP
>> OpenIndiana (powered by illumos) SunOS 5.11 oi_151a5 June 2012
>> -bash-4.0$ passwd
>> passwd: Changing password for userA
>> Enter existing login password:
>> Unexpected failure. Password file/table unchanged.
>> -bash-4.0$
>>
>>
>> Here is my pam.conf; you can see the comments showing the various configurations. The current one works the "best" in that BOTH "getent passwd" and "getent passwd userA" work. In some configurations only "getent passwd userA" would work, and not "getent passwd". No
>>
>> My aim here is to get password changes working so I can capture smb passwords for SMB/CIFS.
>>
>> Does anyone have a working OpenIndiana and freeIPA setup for SMB shares? If so, would you be so kind as to help me with some sample configs?
>>
>> <PAM CONFIG>
>> # Authentication management
>> #
>> # login service (explicit because of pam_dial_auth)
>> #
>> login auth requisite pam_authtok_get.so.1
>> login auth required pam_dhkeys.so.1
>> #login auth sufficient pam_krb5.so.1 try_first_pass
>> login auth required pam_unix_cred.so.1
>> login auth required pam_unix_auth.so.1 use_first_pass
>> login auth required pam_dial_auth.so.1
>> #
>> # rlogin service (explicit because of pam_rhost_auth)
>> #
>> rlogin auth sufficient pam_rhosts_auth.so.1
>> rlogin auth requisite pam_authtok_get.so.1
>> rlogin auth required pam_dhkeys.so.1
>> rlogin auth required pam_unix_cred.so.1
>> rlogin auth required pam_unix_auth.so.1
>> #
>> # Kerberized rlogin service
>> #
>> krlogin auth required pam_unix_cred.so.1
>> krlogin auth required pam_krb5.so.1
>> #
>> # rsh service (explicit because of pam_rhost_auth,
>> # and pam_unix_auth for meaningful pam_setcred)
>> #
>> rsh auth sufficient pam_rhosts_auth.so.1
>> rsh auth required pam_unix_cred.so.1
>> #
>> # Kerberized rsh service
>> #
>> krsh auth required pam_unix_cred.so.1
>> krsh auth required pam_krb5.so.1
>> #
>> # Kerberized telnet service
>> #
>> ktelnet auth required pam_unix_cred.so.1
>> ktelnet auth required pam_krb5.so.1
>> #
>> # PPP service (explicit because of pam_dial_auth)
>> #
>> ppp auth requisite pam_authtok_get.so.1
>> ppp auth required pam_dhkeys.so.1
>> ppp auth required pam_unix_cred.so.1
>> ppp auth required pam_unix_auth.so.1
>> ppp auth required pam_dial_auth.so.1
>> #
>> # GDM Autologin (explicit because of pam_allow). These need to be
>> # here as there is no mechanism for packages to amend pam.conf as
>> # they are installed.
>> #
>> gdm-autologin auth required pam_unix_cred.so.1
>> gdm-autologin auth sufficient pam_allow.so.1
>> #
>> # Default definitions for Authentication management
>> # Used when service name is not explicitly mentioned for authentication
>> #
>> other auth requisite pam_authtok_get.so.1
>> other auth required pam_dhkeys.so.1
>> other auth required pam_unix_cred.so.1
>> other auth sufficient pam_krb5.so.1
>> other auth required pam_unix_auth.so.1
>> #
>> # passwd command (explicit because of a different authentication module)
>> #
>> #passwd auth required pam_passwd_auth.so.1
>> passwd auth binding pam_passwd_auth.so.1 server_policy
>> passwd auth required pam_ldap.so.1
>> #
>> # cron service (explicit because of non-usage of pam_roles.so.1)
>> #
>> cron account required pam_unix_account.so.1
>> #
>> # cups service (explicit because of non-usage of pam_roles.so.1)
>> #
>> cups account required pam_unix_account.so.1
>> #
>> # GDM Autologin (explicit because of pam_allow) This needs to be here
>> # as there is no mechanism for packages to amend pam.conf as they are
>> # installed.
>> #
>> gdm-autologin account sufficient pam_allow.so.1
>> #
>> # Default definition for Account management
>> # Used when service name is not explicitly mentioned for account management
>> #
>> #other account requisite pam_roles.so.1
>> #other account optional pam_unix_account.so.1
>> #other account optional pam_krb5.so.1 debug
>> other account requisite pam_roles.so.1
>> other account binding pam_unix_account.so.1 server_policy
>> other account required pam_ldap.so.1
>> #
>> # Default definition for Session management
>> # Used when service name is not explicitly mentioned for session management
>> #
>> other session required pam_unix_session.so.1
>> #
>> # Default definition for Password management
>> # Used when service name is not explicitly mentioned for password management
>> #
>> other password required pam_dhkeys.so.1
>> other password requisite pam_authtok_get.so.1
>> other password requisite pam_authtok_check.so.1
>> other password required pam_authtok_store.so.1 server_policy
>> #other password sufficient pam_krb5.so.1
>> #other password required pam_authtok_store.so.1
>> #
>> # Support for Kerberos V5 authentication and example configurations can
>> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
>> #
>>
>> other password required pam_smb_passwd.so.1 nowarn
>> </PAM CONFIG>
>>
>> Jonathan Mullen
>> jonathan at ou.edu
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
Hi,
Did you get anywhere with this?
Are you using Solaris 11 or OpenIndiana?
At first glance it looks like you haven't configured pam for krb5
password management. Have a look at the pam.conf below and see if that
will get you anywhere with password changes.
Regards,
Siggi
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1 debug
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1 debug
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1 debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
other session required pam_krb5.so.1 debug
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other password sufficient pam_krb5.so.1
other password requisite pam_authtok_check.so.1 force_check
other password required pam_authtok_store.so.1
#
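As an added example (not code from either message in this thread), a small checker that parses the Solaris five-field pam.conf format and reports whether the effective password-management stack for the passwd command reaches pam_krb5; the two embedded excerpts are constructed from the "other password" stacks quoted above, and show that a commented-out pam_krb5 line is not active.

```python
"""Solaris pam.conf stack checker (constructed example for this thread, not
either poster's code). Entries: service type control module [options]."""

def parse_pam_conf(text):
    """Return active pam.conf entries as dicts; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        fields = line.split()
        if len(fields) < 4:  # blank, or too few fields to be a PAM entry
            continue
        entries.append({"service": fields[0], "type": fields[1], "control": fields[2],
                        "module": fields[3], "options": fields[4:]})
    return entries

def stack_for(entries, service, mtype):
    """Solaris uses the service's explicit stack if it has one, else 'other'."""
    explicit = [e for e in entries if e["service"] == service and e["type"] == mtype]
    return explicit or [e for e in entries if e["service"] == "other" and e["type"] == mtype]

def has_module(entries, service, mtype, module_prefix):
    """True if the effective stack for service/type loads the named module."""
    return any(e["module"].startswith(module_prefix) for e in stack_for(entries, service, mtype))

# Constructed excerpts modelled on the two 'other password' stacks in the thread.
ORIGINAL = """\
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#other password sufficient pam_krb5.so.1
"""
SUGGESTED = """\
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password sufficient pam_krb5.so.1
other password requisite pam_authtok_check.so.1 force_check
other password required pam_authtok_store.so.1
"""

def krb5_password_mgmt_present(text):
    """Does the passwd command's password stack reach pam_krb5?"""
    return has_module(parse_pam_conf(text), "passwd", "password", "pam_krb5")

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(f"{name}: pam_krb5 in passwd password stack = {krb5_password_mgmt_present(cfg)}")
```

Run it against a copy of /etc/pam.conf by passing the file's contents to krb5_password_mgmt_present to confirm the Kerberos password module is actually on the active stack before testing passwd again.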