Re: [Fedora-directory-users] Problems with sasl authentication
Hmm... What I'm trying to accomplish here is a configuration where users authenticate to the ldap server with username/password (no kerberos ticket) and their password is checked from kerberos. Is this possible to do with the standard plugins? I've had a hard time trying to figure out how to do this... =) The idea in this is that we'd like to have a single service for authenticating users, even for services that do not support kerberos. This isn't supported in the current code. If it's not possible, I'll look into writing a plugin that does this. Sounds good. First you'd need to figure out how to perform a proxied authentiation against kerberos. With the existing SASL/GSSAPI mechanism we don't need to do that because we're simply passing through the authentication payload between GSSAPI and the client. Presumably you'd need to do whatever 'kinit' does, but inside the DS. -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Re: [Fedora-directory-users] Problems with sasl authentication
David Boreham wrote: Hmm... What I'm trying to accomplish here is a configuration where users authenticate to the ldap server with username/password (no kerberos ticket) and their password is checked from kerberos. Is this possible to do with the standard plugins? I've had a hard time trying to figure out how to do this... =) The idea in this is that we'd like to have a single service for authenticating users, even for services that do not support kerberos. This isn't supported in the current code. If you just want to do LDAP SIMPLE BINDs with username/password (hopefully over a TLS connection), and use the Kerberos password instead of the userPassword attribute, you can use the PAM passthru bind plugin. You will have to grab the Fedora DS source and build it. What this does is pass the BIND authentication request to PAM, which you can configure to go to Kerberos for authentication. If it's not possible, I'll look into writing a plugin that does this. Sounds good. First you'd need to figure out how to perform a proxied authentiation against kerberos. With the existing SASL/GSSAPI mechanism we don't need to do that because we're simply passing through the authentication payload between GSSAPI and the client. Presumably you'd need to do whatever 'kinit' does, but inside the DS. -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users smime.p7s Description: S/MIME Cryptographic Signature -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
RE: [Fedora-directory-users] Problem with solaris FDS authentication
Gary,
I did like you said. There was nothing in msgs file. From the remote host I
got this:
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: password
[EMAIL PROTECTED]'s password:
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
Permission denied, please try again.
sshd -d produced nothing either. So, I'm confused now.
Also, ldaplist by itself gives this:
bash-2.03# ldaplist
ldaplist: Object not found (LDAP ERROR (50): Insufficient access.)
Is that normal?
And when I snoop -v ldap | grep LDAP I don't see the {crypt} password
anywhere.?
--- Tay, Gary [EMAIL PROTECTED] wrote:
To troublshoot PAM issue, you may add debug keyword at the end of
every or selected lines of /etc/pam.conf, and /var/adm/messages should
show more messages.
To troubleshoot SSH Server, you may start sshd with -d (debfufg)
option (Interactive Mode Only), or use ssh -v [EMAIL PROTECTED] at the
SSH Client (-v means verbose mode).
You may use the sample pam.conf from
http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view, do comment
out all the pam_unix_cred.so.1 lines as they are meant for Solaris10.
Gary
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Igor
Sent: Tuesday, August 30, 2005 4:30 AM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] Problem with solaris FDS
authentication
Hi, guys. I finally got the solaris box to talk to the FDS (thank you
all for your
help).
I'm now having a problem where I can't telnet/ssh from another machine.
On the client, I have this:
bash-2.03# ldaplist -l passwd testdba
dn: uid=testdba,ou=People, dc=composers,dc=foo,dc=com
givenName: oracle
sn: user
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 7000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowaccount
uid: testdba
cn: oracle user
homeDirectory: /home/testdba
bash-2.03#
The ACIs (in addition to the default ones):
Bind Password:
dc=composers,dc=foo,dc=com
aci=(targetattr =
cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowM
in||shadowMax||shadowWarning|
|shadowInactive||shadowExpire||shadowFlag||memberUid
)(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write)
userdn = ldap:
///self;)
aci=(target=ldap:///dc=composers,dc=foo,dc=com;)(targetattr=userPasswo
rd)(version 3.0;
acl LDAP_Naming_Services_proxy_password_read; allow (compare,search)
userdn =
ldap:///cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com;;)
There's nothing in the /var/adm/messages. My pam.conf [snipped] is
this:
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
login auth required pam_dial_auth.so.1
#ssh
sshd auth sufficient /usr/lib/security/pam_ldap.so.1
sshd auth required /usr/lib/security/pam_unix.so.1 use_first_pass
---
The userPassword field is not displayed when I do ldaplist. Is that
normal? Even when I
do this:
/usr/bin/ldapsearch -D
cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com -h
cnyitlin02 -b dc=composers,dc=foo,dc=com objectclass=\*
uid=testdba,ou=People, dc=composers,dc=foo,dc=com
givenName=oracle
sn=user
loginShell=/bin/bash
uidNumber=10001
gidNumber=7000
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetorgperson
objectClass=posixAccount
objectClass=shadowaccount
uid=testdba
cn=oracle user
homeDirectory=/home/testdba
How can I go about troubleshooting this?
Start your day with Yahoo! - make it your home page
http://www.yahoo.com/r/hs
--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
Start your day with Yahoo! - make it your home page
http://www.yahoo.com/r/hs
--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
[Fedora-directory-users] solaris 10 caching credentials? Inactivated users allowed in via ssh
Hi all, I'm running FDS (binary rpm) on rhel4. I have rhel4 and solaris 10 clients. If I inactivate a user account in the FDS admin GUI, then try to log in via ssh as that inactivated user on any ol' random Linux client, the BIND operation fails with err=53 (unwilling to perform). This, I should think, is the expected behaviour. Solaris 10, on the other hand, lets the user in (again, ssh). The only BIND I can correllate in the logs come from the solaris proxy user. Then a search is done for shadowaccount=username, and then a search is done for the group memberships of that user (presumably I'm already in when this is done). There's never a BIND operation as the inactive user at all! Can someone explain what's happening? brian. -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
RE: [Fedora-directory-users] Problem with solaris FDS authentication
Gary, here's the output from /var/adm/messages: Aug 30 16:17:38 unknown last message repeated 1 time Aug 30 16:17:38 unknown sshd[1354]: [ID 800047 auth.error] error: PAM: Authentication failed for testdba from cnyitsun01.composers.foo.com Aug 30 16:17:39 unknown sshd[1354]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured What does that mean? I took the pam.conf from the website you gave me and commented out the lines, like you said: login auth requisitepam_authtok_get.so.1 debug login auth required pam_dhkeys.so.1 debug #login auth required pam_unix_cred.so.1 debug login auth required pam_dial_auth.so.1debug login auth binding pam_unix_auth.so.1 server_policy debug login auth required pam_ldap.so.1 debug Also: bash-2.03# getent passwd testdba testdba::10001:7000::/home/testdba:/bin/bash sshd -d is totally silent. No output after startup: bash-2.03# /usr/local/sbin/sshd -d debug1: sshd version OpenSSH_3.9p1 debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA Disabling protocol version 1. Could not load host key debug1: rexec_argv[0]='/usr/local/sbin/sshd' debug1: rexec_argv[1]='-d' debug1: Bind to port 22 on ::. Server listening on :: port 22. debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug1: fd 5 clearing O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 10 --- Tay, Gary [EMAIL PROTECTED] wrote: What is the output of id testdba and getent passwd testdba? To use ldap auth for SSH Server, you must set these lines in /etc/ssh/sshd_config: PasswordAuthentication yes ChallengeResponseAuthentication yes UsePAM yes Yep, changed that! Still (from the remote machine): cnyitsun01/ ssh [EMAIL PROTECTED] Password: LDAP Password: Password: LDAP Password: And it never lets me in. Start your day with Yahoo! - make it your home page http://www.yahoo.com/r/hs -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Re: [Fedora-directory-users] solaris 10 caching credentials? Inactivated users allowed in via ssh
Brian, It sounds like you're using the pam_unix module for authentication on the Solaris 10 client instead of the pam_ldap module. The bind as the proxy user is to retrieve the crypted password hash of the account, which is then compared with the password given at login. If you want LDAP account deactivation to affect logins to Solaris clients, those clients must use pam_ldap to authenticate against the LDAP server, instead of pam_unix. Note also that deactivating a LDAP account will not prevent password-less rsh login with that account. -- George Brian K. Jones wrote: Anyone experiencing a similar issue should see this Sun forum thread http://forum.sun.com/thread.jspa?threadID=24568tstart=0 On Tuesday 30 August 2005 4:42 pm, Brian K. Jones wrote: Well, I'm running nscd, but before I go shutting that off, I should share this new info: I found that the solaris machine *does* try to bind as the user, and the server returns err=53, just like it does to the linux clients! However, it *then* does a search for the shadowaccount objectclass and the inactive user's uid, and memberUID=inactive user, and in the end, it lets the user in. Baffling. And scary that a failed bind request can potentially lead to users getting logged in anyway. On Tuesday 30 August 2005 4:24 pm, [EMAIL PROTECTED] wrote: Hi Brian, Is the nscd caching the query ? I guess try restarting nscd and see if that fixes your problem, if you aren't running nscd this is a useless suggession. Cheers, Aly. On Tue, 30 Aug 2005, Brian K. Jones wrote: Hi all, I'm running FDS (binary rpm) on rhel4. I have rhel4 and solaris 10 clients. If I inactivate a user account in the FDS admin GUI, then try to log in via ssh as that inactivated user on any ol' random Linux client, the BIND operation fails with err=53 (unwilling to perform). This, I should think, is the expected behaviour. Solaris 10, on the other hand, lets the user in (again, ssh). The only BIND I can correllate in the logs come from the solaris proxy user. Then a search is done for shadowaccount=username, and then a search is done for the group memberships of that user (presumably I'm already in when this is done). There's never a BIND operation as the inactive user at all! Can someone explain what's happening? brian. -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Re: [Fedora-directory-users] solaris 10 caching credentials? Inactivated users allowed in via ssh
Well, this makes sense, but I'm using the Sun-recommended pam_ldap configuration, straight from their documentation for Solaris 10. I don't have a machine in front of me, but if memory serves, their configuration includes pam_unix_auth, pam_unix_cred as well as pam_ldap. I've read about the changes with server_policy and the like, but even those example (again, iirc) use pam_unix. If you have a working pam.conf for solaris 10 that doesn't exhibit this behavior, I'd be happy not so much to see it, but to know what doc you referenced to develop it! Thanks, brianOn 8/30/05, George Holbert [EMAIL PROTECTED] wrote: Brian,It sounds like you're using the pam_unix module for authentication onthe Solaris 10 client instead of the pam_ldap module.The bind as theproxy user is to retrieve the crypted password hash of the account, which is then compared with the password given at login.If you want LDAP account deactivation to affect logins to Solarisclients, those clients must use pam_ldap to authenticate against theLDAP server, instead of pam_unix. Note also that deactivating a LDAP account will not preventpassword-less rsh login with that account.-- GeorgeBrian K. Jones wrote:Anyone experiencing a similar issue should see this Sun forum thread http://forum.sun.com/thread.jspa?threadID=24568tstart=0On Tuesday 30 August 2005 4:42 pm, Brian K. Jones wrote: Well, I'm running nscd, but before I go shutting that off, I should sharethis new info:I found that the solaris machine *does* try to bind as the user, and theserver returns err=53, just like it does to the linux clients! However, it *then* does a search for the shadowaccount objectclass and the inactiveuser's uid, and memberUID=inactive user, and in the end, it lets the userin.Baffling. And scary that a failed bind request can potentially lead to users getting logged in anyway.On Tuesday 30 August 2005 4:24 pm, [EMAIL PROTECTED] wrote:Hi Brian, Is the nscd caching the query ? I guess try restarting nscd andsee if that fixes your problem, if you aren't running nscd this is auseless suggession. Cheers, Aly.On Tue, 30 Aug 2005, Brian K. Jones wrote:Hi all, I'm running FDS (binary rpm) on rhel4. I have rhel4 and solaris 10clients.If I inactivate a user account in the FDS admin GUI, then try to log in via ssh as that inactivated user on any ol' random Linux client, theBIND operation fails with err=53 (unwilling to perform). This, I shouldthink, is the expected behaviour. Solaris 10, on the other hand, lets the user in (again, ssh). The onlyBIND I can correllate in the logs come from the solaris proxy user.Then a search is done for shadowaccount=username, and then a search is done for the group memberships of that user (presumably I'm alreadyin when this is done). There's never a BIND operation as the inactiveuser at all! Can someone explain what's happening?brian.--Fedora-directory-users mailing list Fedora-directory-users@redhat.comhttps://www.redhat.com/mailman/listinfo/fedora-directory-users --Fedora-directory-users mailing listFedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users--Fedora-directory-users mailing listFedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users--Fedora-directory-users mailing list Fedora-directory-users@redhat.comhttps://www.redhat.com/mailman/listinfo/fedora-directory-users -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
RE: [Fedora-directory-users] Problem with solaris FDS authentication
0) Make sure every time you restart /etc/init.d/ldap.client (ldap_cachemgr), restart also the /etc/init.d/nscd (name service cache daemon). 1) Make sure you define CRYPT as the default passwordStorageScheme in LDAP DIT (right click cn=config and edit its properties). 2) Make sure you have these three lines in /var/ldap/ldap_client_file and also in default profile in LDAP DIT? NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=foo,dc=com?one NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=foo,dc=com?one NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=foo,dc=com?one And there is a shadow: files ldap line in /etc/nsswitch.conf. 3) Make sure you restart SSH Server whenever there is a change in /etc/ssh/sshd_config. === Aug 30 16:17:38 unknown sshd[1354]: [ID 800047 auth.error] error: PAM: Authentication failed for testdba from cnyitsun01.composers.foo.com Aug 30 16:17:39 unknown sshd[1354]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured === === 4) Did you install a binary version of OpenSSH Server with PAM support or compile from source with an ./configure --with-pam option? To check if sshd is built with PAM support, run: # ldd /usr/local/sbin/sshd It should have something like libpam.so,1 in it: libpam.so.1 = /usr/lib/libpam.so.1 libdl.so.1 =/usr/lib/libdl.so.1 libresolv.so.2 =/usr/lib/libresolv.so.2 libcrypto.so.0.9.7 =/usr/local/ssl/lib/libcrypto.so.0.9.7 librt.so.1 =/usr/lib/librt.so.1 libz.so = /usr/lib/libz.so libsocket.so.1 =/usr/lib/libsocket.so.1 libnsl.so.1 = /usr/lib/libnsl.so.1 libc.so.1 = /usr/lib/libc.so.1 libcmd.so.1 = /usr/lib/libcmd.so.1 libgcc_s.so.1 = /usr/local/lib/libgcc_s.so.1 libaio.so.1 = /usr/lib/libaio.so.1 libmp.so.2 =/usr/lib/libmp.so.2 /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1 5) The output of your sshd -d looks perfectly fine and it isn't what you said totally silent, the SSH Server is listening, as and when you perform ssh connection from any host to the ssh server, you would see more debugging messages appearing in this interactive mode, to exit, press Ctrl-C to kill the debugging mode, note that after this sshd is no more running. 6) For ssh client connection, do this way to see more: $ ssh -v [EMAIL PROTECTED] Gary -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Igor Sent: Wednesday, August 31, 2005 4:26 AM To: General discussion list for the Fedora Directory server project. Subject: RE: [Fedora-directory-users] Problem with solaris FDS authentication Gary, here's the output from /var/adm/messages: Aug 30 16:17:38 unknown last message repeated 1 time Aug 30 16:17:38 unknown sshd[1354]: [ID 800047 auth.error] error: PAM: Authentication failed for testdba from cnyitsun01.composers.foo.com Aug 30 16:17:39 unknown sshd[1354]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured What does that mean? I took the pam.conf from the website you gave me and commented out the lines, like you said: login auth requisitepam_authtok_get.so.1 debug login auth required pam_dhkeys.so.1 debug #login auth required pam_unix_cred.so.1 debug login auth required pam_dial_auth.so.1debug login auth binding pam_unix_auth.so.1 server_policy debug login auth required pam_ldap.so.1 debug Also: bash-2.03# getent passwd testdba testdba::10001:7000::/home/testdba:/bin/bash sshd -d is totally silent. No output after startup: bash-2.03# /usr/local/sbin/sshd -d debug1: sshd version OpenSSH_3.9p1 debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA Disabling protocol version 1. Could not load host key debug1: rexec_argv[0]='/usr/local/sbin/sshd' debug1: rexec_argv[1]='-d' debug1: Bind to port 22 on ::. Server listening on :: port 22. debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug1: fd 5 clearing O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 10 --- Tay, Gary [EMAIL PROTECTED] wrote: What is the output of id testdba and getent passwd testdba? To use ldap auth for SSH Server, you must set these lines in /etc/ssh/sshd_config: PasswordAuthentication yes ChallengeResponseAuthentication yes UsePAM yes Yep, changed that! Still (from the remote machine): cnyitsun01/ ssh [EMAIL PROTECTED] Password: LDAP Password: Password: LDAP Password: And it never lets me in. Start your day with Yahoo! - make it your
