Configuring a Solaris 11.3 system as a FreeIPA client. I've read various articles, mail list archives, and pages found on google trying to figure out how to properly make this work. So far, I've only gotten the ability to do su - user@domain.tld and check getent passwd/group. This successfully works. The things that do not work are ssh and console logins. This is what I've tried so far:
-> Setting authenticationMethod to 'simple:tls'
-> My service account never seems to work and the log says:

libsldap: Status: 53 Mesg: openConnection: simple bind failed - DSA is unwilling to perform
libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials

-> This isn't the case as I've tried the credentials multiple times using ldapsearch commands with success. My credentials for my users are correct since I can login to a CentOS 6 and CentOS 7 client perfectly fine.
These are the steps I took:
-> Create host in IPA
-> ipa-getkeytab and transferred it to the client
-> Created nss database with CA certificate and placed it in /var/ldap with proper permissions
-> Configured /etc/krb5/krb5.conf
-> Configured nsswitch.conf to be files ldap
-> Configured /etc/pam.d/* files accordingly
-> Used ldapclient init on the client
Here are my kinit and ldap tests.
# kinit admin
Password for admin@IPA.EXAMPLE.COM:
kinit: no ktkt_warnd warning possible
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@IPA.EXAMPLE.COM

Valid starting        Expires               Service principal
09/13/17 16:22:29     09/14/17 16:22:29     krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
        renew until 09/20/17 16:22:29
# ldaplist -l passwd louis.abel
dn: uid=louis.abel,cn=users,cn=compat,dc=ipa,dc=example,dc=com
        cn: Louis Abel
        objectClass: posixAccount
        objectClass: top
        gidNumber: 1006800013
        gecos: Louis Abel
        uidNumber: 25439
        loginShell: /bin/bash
        homeDirectory: /home/louis.abel
        uid: louis.abel@ad.example.com
        uid: louis.abel
# ldaplist -l passwd louis.abel2
dn: uid=louis.abel2,cn=users,cn=compat,dc=ipa,dc=example,dc=com
        cn: Louis Abel
        objectClass: posixAccount
        objectClass: top
        gidNumber: 1006800001
        gecos: Louis Abel
        uidNumber: 1006800001
        loginShell: /bin/bash
        homeDirectory: /home/louis.abel2
        uid: louis.abel2@ipa.example.com
        uid: louis.abel2

dn: uid=louis.abel2,cn=users,cn=compat,dc=ipa,dc=example,dc=com
        cn: Louis Abel
        objectClass: posixAccount
        objectClass: ipaOverrideTarget
        objectClass: top
        gidNumber: 1006800001
        gecos: Louis Abel
        uidNumber: 1006800001
        ipaAnchorUUID: :IPA:ipa.example.com:8babb9a8-5aaf-11e7-9769-00505690319e
        loginShell: /bin/bash
        homeDirectory: /home/louis.abel2
        uid: louis.abel2
My pam configuration files:
/etc/pam.d/other
auth definitive pam_user_policy.so.1
auth sufficient pam_krb5.so.1
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth binding pam_unix_auth.so.1 server_policy
auth required pam_unix_cred.so.1
auth sufficient pam_krb5.so.1
account requisite pam_roles.so.1
account definitive pam_user_policy.so.1
account binding pam_unix_account.so.1 server_policy
account required pam_unix_account.so.1
account required pam_krb5.so.1
account required pam_tsol_account.so.1
session definitive pam_user_policy.so.1
session required pam_unix_session.so.1
password definitive pam_user_policy.so.1
password include pam_authtok_common
password sufficient pam_krb5.so.1
password required pam_authtok_store.so.1 server_policy
/etc/pam.d/login
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_cred.so.1
auth sufficient pam_krb5.so.1 try_first_pass
auth required pam_unix_auth.so.1 use_first_pass
auth required pam_dial_auth.so.1
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com
NS_LDAP_BINDPASSWD= removed
NS_LDAP_SERVERS= pentl01.ipa.example.com, pentl02.ipa.example.com, pentl03.ipa.example.com, sentl01.ipa.example.com, sentl02.ipa.example.com, sentl03.ipa.example.com
NS_LDAP_SEARCH_BASEDN= dc=ipa,dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_CACHETTL= 6000
NS_LDAP_PROFILE= default solaris_authssl
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= sudoers:ou=sudoers,dc=ipa,dc=example,dc=com
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixaccount
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixgroup
nsswitch changes:
passwd: files ldap [NOTFOUND=return]
group:  files ldap [NOTFOUND=return]
This is what I looked at:
https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html
https://www.redhat.com/archives/freeipa-users/2015-January/msg00017.html
http://etcfstab.com/oraclelinux/solaris_n_freeipa.html
https://mkosek.fedorapeople.org/publican_site/en-US/FreeIPA/3.3/html/FreeIPA...
Anyone have better experience or any documentation that could help?
I should probably mention that IPA users have started working. But not my AD users.
[root@rhn2 tmp]# ssh -l louis.abel2@ipa.example.com devu16 -q
Password:
Last login: Thu Sep 14 07:57:55 2017 from rhn2.example.com
Could not chdir to home directory /home/louis.abel2: No such file or directory
Oracle Corporation      SunOS 5.11      11.3    June 2017
-bash-4.4$ logout
[root@rhn2 tmp]# ssh -l louis.abel@ad.example.com devu16 -q
Password:
Password:
AD users seem to be suffering from the same errors:
libsldap: Status: 53 Mesg: openConnection: simple bind failed - DSA is unwilling to perform
libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
Louis Abel via FreeIPA-users wrote:
I should probably mention that IPA users have started working. But not my AD users.
[root@rhn2 tmp]# ssh -l louis.abel2@ipa.example.com devu16 -q
Password:
Last login: Thu Sep 14 07:57:55 2017 from rhn2.example.com
Could not chdir to home directory /home/louis.abel2: No such file or directory
Oracle Corporation      SunOS 5.11      11.3    June 2017
-bash-4.4$ logout
[root@rhn2 tmp]# ssh -l louis.abel@ad.example.com devu16 -q
Password:
Password:
AD users seem to be suffering from the same errors:
libsldap: Status: 53 Mesg: openConnection: simple bind failed - DSA is unwilling to perform
libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
Not sure why some users would work and some wouldn't but I'd suspect the bind password in your ldapclient config.
rob
On Thu, Sep 14, 2017 at 11:08:54AM -0400, Rob Crittenden via FreeIPA-users wrote:
Louis Abel via FreeIPA-users wrote:
I should probably mention that IPA users have started working. But not my AD users.
[root@rhn2 tmp]# ssh -l louis.abel2@ipa.example.com devu16 -q
Password:
Last login: Thu Sep 14 07:57:55 2017 from rhn2.example.com
Could not chdir to home directory /home/louis.abel2: No such file or directory
Oracle Corporation      SunOS 5.11      11.3    June 2017
-bash-4.4$ logout
[root@rhn2 tmp]# ssh -l louis.abel@ad.example.com devu16 -q
Password:
Password:
AD users seem to be suffering from the same errors:
libsldap: Status: 53 Mesg: openConnection: simple bind failed - DSA is unwilling to perform
libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
Not sure why some users would work and some wouldn't but I'd suspect the bind password in your ldapclient config.
Another thing that bit me in the past was that since on the IPA server, the password binds against AD users are intercepted and turned into a PAM conversation against the system-auth service, HBAC must allow the system-auth service on the IDM server itself.
(Check /var/log/secure on the IDM server for messages from pam-sss.so..)
On Thu, 14 Sep 2017, Jakub Hrozek via FreeIPA-users wrote:
On Thu, Sep 14, 2017 at 11:08:54AM -0400, Rob Crittenden via FreeIPA-users wrote:
Louis Abel via FreeIPA-users wrote:
I should probably mention that IPA users have started working. But not my AD users.
[root@rhn2 tmp]# ssh -l louis.abel2@ipa.example.com devu16 -q
Password:
Last login: Thu Sep 14 07:57:55 2017 from rhn2.example.com
Could not chdir to home directory /home/louis.abel2: No such file or directory
Oracle Corporation      SunOS 5.11      11.3    June 2017
-bash-4.4$ logout
[root@rhn2 tmp]# ssh -l louis.abel@ad.example.com devu16 -q
Password:
Password:
AD users seem to be suffering from the same errors:
libsldap: Status: 53 Mesg: openConnection: simple bind failed - DSA is unwilling to perform
libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
Not sure why some users would work and some wouldn't but I'd suspect the bind password in your ldapclient config.
Another thing that bit me in the past was that since on the IPA server, the password binds against AD users are intercepted and turned into a PAM conversation against the system-auth service, HBAC must allow the system-auth service on the IDM server itself.
(Check /var/log/secure on the IDM server for messages from pam-sss.so..)
This one as well. It is documented in both slapi-nis and overall IPA documentation.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
5.4.1:
----
If the host-based access control (HBAC) allow_all rule is disabled, enable the system-auth service on the IdM server, which allows authentication of the AD users.
----
Jakub, you might be onto something.
Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): authentication failure; logname= uid=389 euid=389 tty= ruser= rhost= user=louis.abel@ad.example.com
Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): received for user louis.abel@ad.example.com: 7 (Authentication failure)
Would this mean that I need an HBAC policy allowing specific/all users system-auth against the IPA servers? Or what would you suggest? It does seem a little overkill if I did that. Unless there's a better way.
On Thu, 14 Sep 2017, Louis Abel via FreeIPA-users wrote:
Jakub, you might be onto something.
Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): authentication failure; logname= uid=389 euid=389 tty= ruser= rhost= user=louis.abel@ad.example.com
Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): received for user louis.abel@ad.example.com: 7 (Authentication failure)
Would this mean that I need an HBAC policy allowing specific/all users system-auth against the IPA servers? Or what would you suggest? It does seem a little overkill if I did that. Unless there's a better way.
If you are authenticating AD users over the compat tree, you need to create an HBAC rule that allows all users to access system-auth HBAC service on the IPA master.
None of the existing services (ssh, login, etc.) use system-auth directly. Its only direct user is the Schema Compatibility plugin that handles the cn=compat tree.
This is documented in the Windows Integration Guide, as I gave you a link to in the other email.
On Thu, Sep 14, 2017 at 06:28:50PM -0000, Louis Abel via FreeIPA-users wrote:
Jakub, you might be onto something.
Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): authentication failure; logname= uid=389 euid=389 tty= ruser= rhost= user=louis.abel@ad.example.com
Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): received for user louis.abel@ad.example.com: 7 (Authentication failure)
Would this mean that I need an HBAC policy allowing specific/all users system-auth against the IPA servers? Or what would you suggest? It does seem a little overkill if I did that. Unless there's a better way.
Well, yes and no.
If it was the HBAC access control that was kicking you out, I would have expected the error code to be different (6 is typically returned for access denied).
So I would also suggest increasing the sssd debug log on the server and trying the login attempt again, then check out the sssd logs.
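A small triage helper for the /var/log/secure lines discussed above, written for this thread rather than taken from it. It parses the pam_sss "received for user" result lines that ns-slapd logs for the system-auth conversation and maps the Linux-PAM return code to the cause Jakub distinguishes: 6 (PAM_PERM_DENIED) for an HBAC denial, 7 (PAM_AUTH_ERR) for a credential or PAM-stack problem. The sample lines are constructed from the excerpt in the thread; the jane.doe line is invented to show the other code.

```python
import re
from collections import Counter

# pam_sss "received for user <user>: <code> (<text>)" lines emitted by ns-slapd
PAM_SSS_RE = re.compile(
    r"ns-slapd: pam_sss\((?P<service>[\w-]+):auth\): "
    r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

# Linux-PAM return codes as pam_sss reports them
PAM_CODES = {
    0: "success",
    6: "PAM_PERM_DENIED: check HBAC for the system-auth service on this master",
    7: "PAM_AUTH_ERR: wrong password, or the pam_sss options on the system-auth stack",
    10: "PAM_USER_UNKNOWN: sssd could not resolve the user",
}


def classify(line):
    """Return (user, code, hint) for a pam_sss result line, else None."""
    m = PAM_SSS_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    return m.group("user"), code, PAM_CODES.get(code, "unmapped PAM code %d" % code)


def summarize(lines):
    """Count results per (user, code) so a repeating pattern stands out."""
    return Counter((user, code) for user, code, _ in filter(None, map(classify, lines)))


# Constructed sample lines modelled on the thread's /var/log/secure excerpt.
SAMPLE = [
    "Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): "
    "authentication failure; logname= uid=389 euid=389 tty= ruser= rhost= user=louis.abel@ad.example.com",
    "Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): "
    "received for user louis.abel@ad.example.com: 7 (Authentication failure)",
    "Sep 14 18:12:30 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): "
    "received for user jane.doe@ad.example.com: 6 (Permission denied)",
]

if __name__ == "__main__":
    for user, code, hint in filter(None, map(classify, SAMPLE)):
        print("%s -> %d: %s" % (user, code, hint))
```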
Thank you for pointing that out. I've put sssd into debug to see what I can find. Is there anything specific I should look for in the logs? Or is there anything specific I can put here? The current set of logs of my login (based on time) is 2643 lines.
On 15 Sep 2017, at 01:25, Louis Abel via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Thank you for pointing that out. I've put sssd into debug to see what I can find. Is there anything specific I should look for in the logs? Or is there anything specific I can put here? The current set of logs of my login (based on time) is 2643 lines.
Maybe try grepping for errors? grep 0x00 *.log
Or feel free to send the logs to me if you need help.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Thank you again for assisting. I did a little more digging myself and realized something wrong about my /etc/pam.d/system-auth and /etc/pam.d/password-auth files. The auth line for pam_sss.so had both use_first_pass and forward_pass. It seems to me that these counter each other in some way. Once I took off use_first_pass, password logins to the domain controllers and to my solaris 11 clients are working. I'm no longer getting an error 7, I'm instead getting successes in /var/log/secure.
Only issue now is it seems my pam configuration on Solaris must be incorrect or there is a major bug - while the password works, I cannot open a session. Trying to su into an account while on the system as root gives me some assertion error and then aborted. The login with user@domain works (which is not what I want to use).
Solaris 10 on the other hand gives me "no legal authentication methods". Might be a pam/nsswitch misconfiguration. I'll report back if I figure it out.
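An added check for the pam_sss line described above; this is example code written for this thread, not from the poster or the FreeIPA project. It parses a /etc/pam.d/system-auth stack, flags any pam_sss.so auth line that carries both use_first_pass and forward_pass (pam_sss's use_first_pass means "only use a token set by an earlier module, never prompt", forward_pass means "put the token obtained on the stack for later modules"), and produces the corrected file with use_first_pass dropped from that line only. The system-auth fragment is constructed to resemble an RHEL 7 authconfig stack.

```python
import re

# type  control  module  args  (control may be a bracketed [..] action list)
PAM_LINE_RE = re.compile(r"^\s*(?P<type>-?(?:auth|account|password|session))\s+"
                         r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")


def parse_pam(text):
    """Yield (type, control, module, [args]) for each non-comment PAM line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE_RE.match(line)
        if m:
            yield (m.group("type").lstrip("-"), m.group("control"),
                   m.group("module"), m.group("args").split())


def conflicting_pam_sss(text):
    """Return the auth lines where pam_sss.so carries both options at once."""
    bad = []
    for typ, control, module, args in parse_pam(text):
        if (typ == "auth" and module.endswith("pam_sss.so")
                and {"use_first_pass", "forward_pass"} <= set(args)):
            bad.append("auth %s %s %s" % (control, module, " ".join(args)))
    return bad


def drop_option(text, option="use_first_pass"):
    """Return the config with <option> removed from pam_sss.so auth lines only."""
    out = []
    for raw in text.splitlines():
        if raw.lstrip().startswith("auth") and "pam_sss.so" in raw:
            raw = re.sub(r"\s+%s\b" % re.escape(option), "", raw)
        out.append(raw)
    return "\n".join(out)


# Constructed fragment of an RHEL 7 /etc/pam.d/system-auth containing the bad line.
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass forward_pass
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
"""
```

Run conflicting_pam_sss() over the real file before and after drop_option() to confirm the only change is the one the thread describes.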
Perhaps, but I'm not sure it's the bind password. When I've done binds with the proxy account using for example, ldapsearch, it works without issue. I've also attempted to change the password and do ldapclient uninit and ldapclient init with the new password. So IPA users are working but not AD trust users.
# ldapsearch -x -LLL -D 'uid=solaris,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com' -W uid=louis.abel
Enter LDAP Password:
dn: uid=louis.abel,cn=users,cn=compat,dc=ipa,dc=example,dc=com
cn: Louis Abel
objectClass: posixAccount
objectClass: top
gidNumber: 1006800013
gecos: Louis Abel
uidNumber: 25439
loginShell: /bin/bash
homeDirectory: /home/louis.abel
uid: louis.abel@ad.example.com
uid: louis.abel
On Thu, 14 Sep 2017, Rob Crittenden via FreeIPA-users wrote:
Louis Abel via FreeIPA-users wrote:
I should probably mention that IPA users have started working. But not my AD users.
[root@rhn2 tmp]# ssh -l louis.abel2@ipa.example.com devu16 -q
Password:
Last login: Thu Sep 14 07:57:55 2017 from rhn2.example.com
Could not chdir to home directory /home/louis.abel2: No such file or directory
Oracle Corporation      SunOS 5.11      11.3    June 2017
-bash-4.4$ logout
[root@rhn2 tmp]# ssh -l louis.abel@ad.example.com devu16 -q
Password:
Password:
AD users seem to be suffering from the same errors:
libsldap: Status: 53 Mesg: openConnection: simple bind failed - DSA is unwilling to perform
libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
Not sure why some users would work and some wouldn't but I'd suspect the bind password in your ldapclient config.
Another thing is that the compat tree wasn't actually designed to have IPA users addressed as fully-qualified ones. E.g. louis.abel2@ipa.example.com is wrong; it was expected to be louis.abel2.
Using fqdn user name for IPA user causes some troubles to slapi-nis code because it forces it to go through SSSD instead of relying on the LDAP state.