[Freeipa-users] Solaris 10 problem using netgroups

Eli J. Elliott eli.elliott at moser-inc.com
Fri Mar 1 18:19:36 UTC 2013


I have a problem with Solaris 10 and netgroups with IPA.

I am able to log in to the Solaris 10 server with IPA users as long as I am
not using netgroups. As soon as I add a netgroup I can no longer
authenticate.

I have updated nsswitch.conf:

#passwd:     files ldap
passwd: compat
passwd_compat:  files ldap
group:  files ldap


And then added the netgroup to /etc/passwd:

+@MYHOST:x:::::

And used pwconv to get the netgroup into /etc/shadow:

+@MYHOST:x:15765::::::

I am able to see the user in getent (and none of the users I want
restricted show up, only the user I want which is great):

-bash-3.2# getent passwd testuser
testuser:x:3713:3713:Test User:/export/home/testuser:/bin/bash

I am also able to su to testuser as root:

-bash-3.2# su - testuser
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
-bash-3.2$ id
uid=3713(testuser) gid=3713(testgroup)


I cannot su to the user from another user; it appears to be the password
that is the problem. I can successfully change passwords using kpasswd from
the Solaris 10 host.


I've enabled PAM debugging:


Mar  1 12:54:04 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1)
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]: pam_get_user(80c8b18, 80c8b18, NULL)
Mar  1 12:54:07 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
Mar  1 12:54:07 MYHOST last message repeated 1 time
Mar  1 12:54:07 MYHOST sshd[3928]: [ID 117705 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1): error Authentication failed
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.notice] Failed keyboard-interactive for testuser from 30.241.208.21 port 4469 ssh2
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = Authentication failed

Mar  1 12:54:08 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1)
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]: pam_get_user(80c8b18, 80c8b18, NULL)
Mar  1 12:54:09 MYHOST sshd[3928]: [ID 800047 auth.info] Received disconnect from 30.241.208.21: 13: Unable to authenticate
Mar  1 12:54:09 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
Mar  1 12:54:09 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = General PAM failure
Mar  1 12:54:11 MYHOST sshd[3906]: [ID 800047 auth.info] Received disconnect from 30.241.208.21: 13: Unable to authenticate
Mar  1 12:54:11 MYHOST sshd[3906]: [ID 583457 auth.debug] PAM[3906]: pam_set_item(80c8b18:conv)
Mar  1 12:54:11 MYHOST sshd[3906]: [ID 278145 auth.debug] PAM[3906]: pam_end(80c8b18): status = General PAM failure

I'm at a loss at this point. I can't seem to determine how simply adding a
netgroup causes authentication to fail. Every other aspect of the netgroup
works and the system without the netgroup works.


Any ideas?

-Eli
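
PAM debug output like the log in this message can be condensed into one record per pam_start..pam_end transaction, listing the modules loaded, any errors and the final status. This is an added example, not part of the original post; the function name summarize is an assumption, and the sample lines are abridged from the log above with each entry on a single line.

```python
import re

# Constructed sample: abridged from the syslog lines in the post, one entry per line.
SAMPLE = """\
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Mar  1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
Mar  1 12:54:07 MYHOST sshd[3928]: [ID 117705 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1): error Authentication failed
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = Authentication failed
Mar  1 12:54:08 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
Mar  1 12:54:09 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = General PAM failure
Mar  1 12:54:11 MYHOST sshd[3906]: [ID 278145 auth.debug] PAM[3906]: pam_end(80c8b18): status = General PAM failure
"""

PAM_RE = re.compile(r"PAM\[(\d+)\]: (.*)$")
START_RE = re.compile(r"pam_start\(([^,]+),([^,]*),[0-9a-f]+:([0-9a-f]+)\)")
LOAD_RE = re.compile(r"load_modules\(([0-9a-f]+),\s*(\w+)\)=(\S+)")
ERROR_RE = re.compile(r"(pam_\w+)\(([0-9a-f]+)[^)]*\): error (.+)")
END_RE = re.compile(r"pam_end\(([0-9a-f]+)\): status = (.+)")

def summarize(log_text):
    """Return one dict per pam_start..pam_end transaction, in log order."""
    sessions, open_sessions = [], {}
    for line in log_text.splitlines():
        found = PAM_RE.search(line)
        if not found:
            continue  # sshd's own messages and "last message repeated" lines
        pid, msg = found.groups()
        if m := START_RE.search(msg):
            sess = {"pid": pid, "service": m[1], "user": m[2],
                    "modules": [], "errors": [], "status": None}
            sessions.append(sess)
            open_sessions[(pid, m[3])] = sess  # handle values are reused
        elif m := LOAD_RE.search(msg):
            sess = open_sessions.get((pid, m[1]))
            if sess:  # keep only the file name of each module loaded
                sess["modules"].append(m[3].rsplit("/", 1)[-1])
        elif m := ERROR_RE.search(msg):
            sess = open_sessions.get((pid, m[2]))
            if sess:
                sess["errors"].append((m[1], m[3]))
        elif m := END_RE.search(msg):
            sess = open_sessions.pop((pid, m[1]), None)
            if sess:  # a pam_end with no pam_start in the capture is skipped
                sess["status"] = m[2]
    return sessions

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```
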