[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-11 Thread Will Kay via FreeIPA-users
I knew we were close because there wasn't much left to check anymore. =)

The sshd configuration was updated by the installation.  On 18.04, somehow 
there was only one line in one of the pam files.  I added what Alex suggested and 
followed up with pam-auth-update.  It is good on 18.04 now.  16.04 is also 
fixed.

Thanks Alex
W
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-08 Thread Alex Georgopoulos via FreeIPA-users
Also make sure your pam configs are sorted and using sssd.

grep -R sss /etc/pam.d/
/etc/pam.d/common-password:password sufficient  pam_sss.so use_authtok
/etc/pam.d/common-auth:auth [success=1 default=ignore]  pam_sss.so use_first_pass
/etc/pam.d/common-account:account   [default=bad success=ok user_unknown=ignore]    pam_sss.so
/etc/pam.d/common-session:session   optional    pam_sss.so



[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-08 Thread Alex Georgopoulos via FreeIPA-users
I forgot we configured our /etc/ssh/sshd_config as well.  You need to have the 
AuthorizedKeysCommand.  Here is what ours looks like.


AcceptEnv LANG LC_*
AuthorizedKeysCommandUser nobody
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
Banner /etc/issue.net
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
HostbasedAuthentication no
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
IgnoreRhosts yes
KerberosAuthentication no
KeyRegenerationInterval 3600
LoginGraceTime 120
LogLevel INFO
MaxSessions 50
MaxStartups 50:30:60
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
Port 22
PrintLastLog yes
PrintMotd no
Protocol 2
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication yes
ServerKeyBits 1024
StrictModes yes
Subsystem sftp /usr/lib/openssh/sftp-server
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UsePAM yes
UsePrivilegeSeparation yes
X11DisplayOffset 10
X11Forwarding yes


[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-08 Thread Will Kay via FreeIPA-users
Thanks for the tip.   I made the nsswitch.conf just like yours.  I also looked at 
the files on a CentOS 7 client and made the same changes on the Ubuntu one.  But it is still 
no good.   Any more suggestions?

The test user IDs are on the system; I can su to them. However, I can't ssh in as them.  
I also noticed that when I try `passwd dummy1`, I get 
passwd: Authentication token manipulation error
passwd: password unchanged

I can't run `sudo -l` either. Is it something with passwd? (which works fine when 
logging in to the CentOS 7 VM)

root@test02:~# id -a dummy1
uid=35221(dummy1) gid=35221(dummy1) groups=35221(dummy1)
root@test02:~# su - dummy1
dummy1@ny4test02:~$ sudo -l dummy1
[sudo] password for dummy1: 
Sorry, try again.
[sudo] password for dummy1: 

1) I made nsswitch just like yours

2) My ipa.default
[global]
basedn = dc=x,dc=local
realm = X.LOCAL
domain = x.local
server = ipa1.x.local
host = test02.x.local
xmlrpc_uri = https://ipa1.x.local/ipa/xml
enable_ra = True

3) my krb5.conf

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = X.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  X.LOCAL = {
kdc = ipa1.x.local:88
master_kdc = ipa1.x.local:88
admin_server = ipa1.x.local:749
kpasswd_server = ipa1.x.local:464
default_domain = x.local
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .x.local = X.LOCAL
  x.local = X.LOCAL
  test02.x.local = X.LOCAL

4) My ldap.conf

TLS_CACERT /etc/ipa/ca.crt # modified by IPA
URI ldaps://ipa1.x.local
BASE dc=x,dc=local

5) My sssd.conf
[sssd]
services = nss, sudo, pam, ssh
domains = x.local

[domain/x.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = x.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = test02.x.local
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa1.x.local
dyndns_iface = ens3
ldap_tls_cacert = /etc/ipa/ca.crt

[nss]
homedir_substring = /home


[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-06 Thread Alex Georgopoulos via FreeIPA-users
We have 16.04 working here.  We had to make changes to the following files:
/etc/nsswitch.conf
/etc/ipa/default.conf
/etc/krb5.conf
/etc/ldap/ldap.conf
/etc/sssd/sssd.conf
/usr/share/pam-configs/mkhomedir

I'm guessing your nsswitch.conf is probably the issue, if I had to guess.  Here is 
what ours looks like:
#---
passwd:     compat sss
group:      compat sss
shadow:     compat

hosts:      files dns
networks:   files

protocols:  db files
services:   db sss files
ethers:     db files
rpc:        db files

netgroup:   sss
sudoers:    sss files
#---
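Added example, not code from the thread or from FreeIPA/SSSD: a POSIX shell check that applies the three pieces of advice given in this thread (nsswitch.conf databases backed by sss, pam_sss.so in all four common-* stacks, and an sshd_config that delegates key lookup to sss_ssh_authorizedkeys with AuthorizedKeysCommandUser and UsePAM set). It runs offline against constructed sample files built from the configs posted above; the sample file names and the `make_fixtures` helper are assumptions for the demo, and on a real client you would call the three check functions on /etc/nsswitch.conf, /etc/pam.d and /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): offline check of
# the three files the replies say must reference SSSD on an Ubuntu FreeIPA client.
# The fixtures are constructed from the configs posted in the thread.

# nsswitch: every database SSSD must serve lists "sss" as a source.
check_nsswitch() {
    f=$1; rc=0
    for db in passwd group netgroup sudoers; do
        if ! grep -Eq "^[[:space:]]*$db:[[:space:]]*([^#]*[[:space:]])?sss([[:space:]]|$)" "$f"; then
            echo "nsswitch: '$db' does not list sss" >&2; rc=1
        fi
    done
    return $rc
}

# PAM: each of the four stacks from the grep in the thread loads pam_sss.so.
# A user that resolves with id(1) but fails passwd(1) with "Authentication token
# manipulation error" and cannot sudo is the symptom of a stack missing here.
check_pam() {
    d=$1; rc=0
    for stack in auth account password session; do
        if ! grep -Eq "^[[:space:]]*$stack[[:space:]].*pam_sss\.so" "$d/common-$stack" 2>/dev/null; then
            echo "pam: $d/common-$stack does not load pam_sss.so" >&2; rc=1
        fi
    done
    return $rc
}

# sshd_config keywords are case-insensitive and the first value wins.
sshd_get() { awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"; }

# sshd: keys come from SSSD, the lookup runs as a dedicated user, PAM is on.
check_sshd() {
    f=$1; rc=0
    case $(sshd_get "$f" AuthorizedKeysCommand) in
        */sss_ssh_authorizedkeys) ;;
        *) echo "sshd: AuthorizedKeysCommand must point at sss_ssh_authorizedkeys" >&2; rc=1 ;;
    esac
    # sshd refuses to start when the command is set but the user is not.
    [ -n "$(sshd_get "$f" AuthorizedKeysCommandUser)" ] ||
        { echo "sshd: AuthorizedKeysCommandUser is unset" >&2; rc=1; }
    # Without UsePAM the pam_sss account/session stacks never run for key logins.
    [ "$(sshd_get "$f" UsePAM)" = yes ] || { echo "sshd: UsePAM must be yes" >&2; rc=1; }
    # Advisory only: SSH-1 era directives (ignored or warned about by current
    # sshd) and the DSA host key, which clients refuse by default since OpenSSH 7.0.
    for k in Protocol RSAAuthentication RhostsRSAAuthentication ServerKeyBits KeyRegenerationInterval; do
        [ -z "$(sshd_get "$f" "$k")" ] || echo "sshd: note: obsolete directive $k" >&2
    done
    ! grep -Eiq '^[[:space:]]*HostKey[[:space:]].*ssh_host_dsa_key' "$f" ||
        echo "sshd: note: DSA host key configured" >&2
    return $rc
}

# Constructed fixtures: a working set, a pam.d whose common-auth lacks pam_sss
# (the 18.04 state described in the thread) and an sshd_config missing the user.
make_fixtures() {
    d=$(mktemp -d)
    mkdir -p "$d/pam.d" "$d/pam.d-broken"
    printf 'passwd: compat sss\ngroup:  compat sss\nshadow: compat\nnetgroup:   sss\nsudoers:sss files\n' >"$d/nsswitch.conf"
    printf 'password\tsufficient\tpam_sss.so use_authtok\n' >"$d/pam.d/common-password"
    printf 'auth\t[success=1 default=ignore]\tpam_sss.so use_first_pass\n' >"$d/pam.d/common-auth"
    printf 'account\t[default=bad success=ok user_unknown=ignore]\tpam_sss.so\n' >"$d/pam.d/common-account"
    printf 'session\toptional\tpam_sss.so\n' >"$d/pam.d/common-session"
    cp "$d/pam.d/common-password" "$d/pam.d/common-account" "$d/pam.d/common-session" "$d/pam.d-broken/"
    printf 'auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure\n' >"$d/pam.d-broken/common-auth"
    printf '%s\n' 'AuthorizedKeysCommandUser nobody' 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys' \
        'HostKey /etc/ssh/ssh_host_dsa_key' 'Protocol 2' 'PasswordAuthentication no' 'UsePAM yes' >"$d/sshd_config"
    grep -v '^AuthorizedKeysCommandUser' "$d/sshd_config" >"$d/sshd_config-broken"
    echo "$d"
}

# Stand-alone demo; on a host, run the three check functions against /etc instead.
D=$(make_fixtures)
check_nsswitch "$D/nsswitch.conf" && check_pam "$D/pam.d" && check_sshd "$D/sshd_config" &&
    echo "sample config: ok"
check_pam "$D/pam.d-broken" || echo "sample broken pam.d: detected"
check_sshd "$D/sshd_config-broken" || echo "sample broken sshd_config: detected"
rm -rf "$D"
```

The PAM check is the one that matches the symptoms reported on 2019-03-08: `id` and `su` from root succeed because NSS resolves the user through sss and root is not asked for a password, while `passwd` and `sudo` go through the PAM auth/password stacks and fail when pam_sss.so is not in them. The sshd notes are advisory only; the obsolete SSH-1 directives in the posted sshd_config do not affect the SSSD integration.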