Hi All, I'm having a problem with my IPA installs; I can't seem to get the NIS mode to work. I tried it with and without 'Migration Mode' enabled.
I bind to it and 'getent passwd' and 'getent group' work just fine, but when I type my password (post initial kinit password change) in for ssh, I get permission denied and the following in my client-side /var/log/secure log:

Mar 8 18:15:07 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar 8 18:15:22 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar 8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68 user=bob
Mar 8 18:46:16 bastion sshd[18556]: Failed password for bob from 192.168.5.68 port 50839 ssh2

On the server, I can find no error on the server side matching the timestamp of when I attempt login from a third host to the bastion host (see below).

Am I mistaken that IPAv2 provides backwards-compatible NIS, without client-side SSSD, KRB5 and the like? Am I missing a service or something?

Thanks very much! Please excuse the long email. Perhaps I'm too eager. lol :-)

-Joshua.

========BACKGROUND INFO FOLLOWS=========

Here are the details of my install, which is my fourth IPA install so far. As a side note, however, I've not been able to get the NIS mode working yet.

- 2 nearly identical KVMs to test this (1 for server and 1 for NIS client)
- x86_64
- ext4 over LVM over qcow2 over NFSv3
- using virtio
- Scientific Linux 6.2 minimal install from GUI of Install DVD
- all available yum updates applied
- iptables off
- ipv4 only
- added self FQDN to both /etc/hosts files
- NetworkManager off in favor of network
- static public IPs
- Used the following commands to install my IPA server:

    # yum -y install \
        ipa-server \
        bind \
        bind-dyndb-ldap

    # ipa-server-install \
        -a 'admin_pass_example' \
        --hostname=ipa.example.com \
        -p 'dir_man_password_example' \
        -n exampledom.com \
        -r EXAMPLE.COM \
        --setup-dns \
        --forwarder=192.168.2.10 \
        --forwarder=192.168.1.20

- After a reboot, logging in with Firefox works well... kinit works well after I create an initial user in the UI... Everything is cool.. even enrolling another machine with the ipa-client-install tool works well.. No other changes were made inside the UI.

- Here are the commands I ran on the server outside the UI, per instructions (here: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html ):

    [root@ipa ~]# ipa-compat-manage enable
    Directory Manager password:
    Plugin already Enabled

    [root@ipa ~]# rpcinfo
       program version netid     address                service    owner
        100000    4    tcp6      ::.0.111               portmapper superuser
        100000    3    tcp6      ::.0.111               portmapper superuser
        100000    4    udp6      ::.0.111               portmapper superuser
        100000    3    udp6      ::.0.111               portmapper superuser
        100000    4    tcp       0.0.0.0.0.111          portmapper superuser
        100000    3    tcp       0.0.0.0.0.111          portmapper superuser
        100000    2    tcp       0.0.0.0.0.111          portmapper superuser
        100000    4    udp       0.0.0.0.0.111          portmapper superuser
        100000    3    udp       0.0.0.0.0.111          portmapper superuser
        100000    2    udp       0.0.0.0.0.111          portmapper superuser
        100000    4    local     /var/run/rpcbind.sock  portmapper superuser
        100000    3    local     /var/run/rpcbind.sock  portmapper superuser

    [root@ipa ~]# ipa-nis-manage enable
    Directory Manager password:
    Enabling plugin
    Restarting IPA to initialize updates before performing deletes:
      [1/2]: stopping directory server
      [2/2]: starting directory server
    done configuring dirsrv.
    This setting will not take effect until you restart Directory Server.
    The rpcbind service may need to be started.

    [root@ipa ~]# reboot
    The system is going down for reboot NOW!

    sam@bastion:~$ ssh 192.168.5.25
    Last login: Thu Mar 8 17:58:58 2012 from 192.168.5.99
    [sam@ipa ~]$ su -
    Password:
    [root@ipa ~]# rpcinfo
       program version netid     address                service    owner
        100000    4    tcp6      ::.0.111               portmapper superuser
        100000    3    tcp6      ::.0.111               portmapper superuser
        100000    4    udp6      ::.0.111               portmapper superuser
        100000    3    udp6      ::.0.111               portmapper superuser
        100000    4    tcp       0.0.0.0.0.111          portmapper superuser
        100000    3    tcp       0.0.0.0.0.111          portmapper superuser
        100000    2    tcp       0.0.0.0.0.111          portmapper superuser
        100000    4    udp       0.0.0.0.0.111          portmapper superuser
        100000    3    udp       0.0.0.0.0.111          portmapper superuser
        100000    2    udp       0.0.0.0.0.111          portmapper superuser
        100000    4    local     /var/run/rpcbind.sock  portmapper superuser
        100000    3    local     /var/run/rpcbind.sock  portmapper superuser
        100004    2    udp6      ::.2.84                ypserv     superuser
        100004    2    udp       0.0.0.0.2.84           ypserv     superuser
        100004    2    tcp6      ::.2.84                ypserv     superuser
        100004    2    tcp       0.0.0.0.2.84           ypserv     superuser
    [root@ipa ~]#

- Here is chkconfig for the server (iptables/ip6tables are disabled by the service command when debugging):

    chkconfig --list|grep ':on'
    atd             0:off 1:off 2:off 3:on 4:on 5:on 6:off
    auditd          0:off 1:off 2:on  3:on 4:on 5:on 6:off
    certmonger      0:off 1:off 2:on  3:on 4:on 5:on 6:off
    crond           0:off 1:off 2:on  3:on 4:on 5:on 6:off
    ip6tables       0:off 1:off 2:on  3:on 4:on 5:on 6:off
    ipa             0:off 1:off 2:on  3:on 4:on 5:on 6:off
    iptables        0:off 1:off 2:on  3:on 4:on 5:on 6:off
    lvm2-monitor    0:off 1:on  2:on  3:on 4:on 5:on 6:off
    messagebus      0:off 1:off 2:on  3:on 4:on 5:on 6:off
    network         0:off 1:off 2:on  3:on 4:on 5:on 6:off
    ntpd            0:off 1:off 2:on  3:on 4:on 5:on 6:off
    portreserve     0:off 1:off 2:on  3:on 4:on 5:on 6:off
    qpidd           0:off 1:off 2:on  3:on 4:on 5:on 6:off
    rpcbind         0:off 1:off 2:on  3:on 4:on 5:on 6:off
    rsyslog         0:off 1:off 2:on  3:on 4:on 5:on 6:off
    sshd            0:off 1:off 2:on  3:on 4:on 5:on 6:off
    sssd            0:off 1:off 2:off 3:on 4:on 5:on 6:off
    udev-post       0:off 1:on  2:on  3:on 4:on 5:on 6:off

- On the client, it's the same OS... SL6.2 x86_64, no firewall, minimal install, ipv4 only.

- I used authconfig to set up NIS, and am able to 'getent passwd' on the directory.

    # authconfig --enablenis --nisdomain=knoesis.org --nisserver=192.168.5.82 --enablemkhomedir --update

- resolv.conf points to the IPA address for dns
- client is same domain on the same 24-bit subnet
- here are the packages I installed for NIS:

    Mar 08 16:05:19 Installed: libgssglue-0.1-11.el6.x86_64
    Mar 08 16:05:19 Installed: libtirpc-0.2.1-5.el6.x86_64
    Mar 08 16:05:19 Installed: rpcbind-0.2.0-8.el6.x86_64
    Mar 08 16:05:56 Installed: 3:ypbind-1.20.4-29.el6.x86_64
    Mar 08 16:05:56 Installed: yp-tools-2.9-12.el6.x86_64

- Here is chkconfig on the client (iptables/ip6tables are disabled by the service command when debugging):

    chkconfig --list|grep ':on'
    auditd          0:off 1:off 2:on  3:on 4:on 5:on 6:off
    crond           0:off 1:off 2:on  3:on 4:on 5:on 6:off
    ip6tables       0:off 1:off 2:on  3:on 4:on 5:on 6:off
    iptables        0:off 1:off 2:on  3:on 4:on 5:on 6:off
    lvm2-monitor    0:off 1:on  2:on  3:on 4:on 5:on 6:off
    messagebus      0:off 1:off 2:on  3:on 4:on 5:on 6:off
    network         0:off 1:off 2:on  3:on 4:on 5:on 6:off
    qpidd           0:off 1:off 2:on  3:on 4:on 5:on 6:off
    rpcbind         0:off 1:off 2:on  3:on 4:on 5:on 6:off
    rsyslog         0:off 1:off 2:on  3:on 4:on 5:on 6:off
    sshd            0:off 1:off 2:on  3:on 4:on 5:on 6:off
    udev-post       0:off 1:on  2:on  3:on 4:on 5:on 6:off
    ypbind          0:off 1:off 2:on  3:on 4:on 5:on 6:off

- /etc/yp.conf (client) (I tried it with the server domain syntax, as well):

    ypserver 192.168.6.82
    #domain example.com server 192.168.6.82

- rpcinfo (client):

       program version netid     address                service    owner
        100000    4    tcp6      ::.0.111               portmapper superuser
        100000    3    tcp6      ::.0.111               portmapper superuser
        100000    4    udp6      ::.0.111               portmapper superuser
        100000    3    udp6      ::.0.111               portmapper superuser
        100000    4    tcp       0.0.0.0.0.111          portmapper superuser
        100000    3    tcp       0.0.0.0.0.111          portmapper superuser
        100000    2    tcp       0.0.0.0.0.111          portmapper superuser
        100000    4    udp       0.0.0.0.0.111          portmapper superuser
        100000    3    udp       0.0.0.0.0.111          portmapper superuser
        100000    2    udp       0.0.0.0.0.111          portmapper superuser
        100000    4    local     /var/run/rpcbind.sock  portmapper superuser
        100000    3    local     /var/run/rpcbind.sock  portmapper superuser
        100007    2    udp       0.0.0.0.3.46           ypbind     superuser
        100007    1    udp       0.0.0.0.3.46           ypbind     superuser
        100007    2    tcp       0.0.0.0.3.49           ypbind     superuser
        100007    1    tcp       0.0.0.0.3.49           ypbind     superuser

--
Joshua M. Dotson
Systems Administrator
Kno.e.sis Center
Wright State University - Dayton, OH
j...@knoesis.org
937-350-1563
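An added diagnostic for the symptom described in the mail (lookups via 'getent' succeed, but the ssh password is rejected with a pam_unix failure). It is not part of Joshua's message and not a FreeIPA tool. It rests on how pam_unix works on a plain NIS client: with no SSSD or Kerberos in the stack, the password typed at ssh is hashed and compared against the crypt(3) hash in the second field of the user's passwd entry, falling back to the shadow map when that field is a placeholder such as 'x'. If neither map delivers a hash, name resolution still works but every password login fails, which is exactly the pattern in the log above. The script classifies the password field of passwd-format lines, runs offline on constructed sample entries (the hashes below are made-up strings, not real credentials), and offers check_live_user for a real account; the function names and the sample entries are this example's own.

```shell
#!/bin/sh
# Added example (not from the original mail or from FreeIPA): inspect the
# password field that pam_unix sees for a NIS-served user, without printing it.

# classify_passwd_field 'user:pw:uid:gid:gecos:home:shell'
# Prints one word: hash, placeholder, empty, or malformed.
classify_passwd_field() {
    cpf_entry=$1
    case $cpf_entry in
        *:*:*:*:*:*:*) ;;                         # passwd (7 fields) or shadow (9)
        *) printf 'malformed\n'; return 0 ;;
    esac
    cpf_rest=${cpf_entry#*:}                      # drop the user name
    cpf_pw=${cpf_rest%%:*}                        # keep field 2 only
    case $cpf_pw in
        '')                       printf 'empty\n' ;;
        x|\*|!|!!|NP|\*NP\*|\*LK\*) printf 'placeholder\n' ;;
        \$*\$*)                   printf 'hash\n' ;;   # $id$salt$hash (modular crypt)
        [./0-9A-Za-z][./0-9A-Za-z]*) printf 'hash\n' ;; # traditional DES crypt
        *)                        printf 'placeholder\n' ;;
    esac
}

# report_class USER CLASS: one line of plain-language diagnosis per user.
report_class() {
    case $2 in
        hash)
            printf '%s: password field carries a crypt hash; pam_unix can verify a password against it\n' "$1" ;;
        placeholder)
            printf '%s: password field is a placeholder; lookups work, but pam_unix has nothing to compare against, so NIS password logins fail\n' "$1" ;;
        empty)
            printf '%s: password field is empty\n' "$1" ;;
        *)
            printf '%s: entry is not in passwd format\n' "$1" ;;
    esac
}

# check_live_user USER: query nsswitch (files, NIS, ...) for a real account.
# Reads the shadow map only when the passwd field is a placeholder; getent
# shadow normally needs root, and its absence is reported as a placeholder.
check_live_user() {
    clu_user=$1
    clu_entry=$(getent passwd "$clu_user") || {
        printf '%s: no passwd entry returned by nsswitch\n' "$clu_user"; return 1
    }
    clu_class=$(classify_passwd_field "$clu_entry")
    if [ "$clu_class" = placeholder ]; then
        clu_shadow=$(getent shadow "$clu_user" 2>/dev/null) &&
            clu_class=$(classify_passwd_field "$clu_shadow")
    fi
    report_class "$clu_user" "$clu_class"
}

# Constructed sample entries so the script runs offline; the third line's
# hash is a dummy string in modular-crypt shape, not a real password hash.
printf '%s\n' \
    'bob:x:1001:1001:Bob Example:/home/bob:/bin/bash' \
    'alice:*:1002:1002:Alice Example:/home/alice:/bin/bash' \
    'carol:$6$constructedsalt$constructedhashvalue:1003:1003::/home/carol:/bin/bash' |
while IFS= read -r line; do
    report_class "${line%%:*}" "$(classify_passwd_field "$line")"
done
```

On the client in the mail, 'check_live_user bob' run as root shows at a glance whether the map served by the IPA NIS plugin gives pam_unix anything to verify; if it reports a placeholder, the fix lies in how authentication is routed (Kerberos or SSSD on the client), not in ypbind, rpcbind or the firewall.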
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel