[Freeipa-users] Re: freeipa client on Ubuntu SSH fails
I knew we were close because there wasn't much left to check. =) The sshd configuration was updated by the installation. On 18.04, somehow there was only one line in one of the PAM files. I added what Alex suggested and followed up with pam-auth-update. It is good on 18.04 now. 16.04 is also fixed. Thanks Alex W

___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: freeipa client on Ubuntu SSH fails
Also make sure your PAM configs are sorted and using sssd:

    grep -R sss /etc/pam.d/
    /etc/pam.d/common-password:password sufficient pam_sss.so use_authtok
    /etc/pam.d/common-auth:auth [success=1 default=ignore] pam_sss.so use_first_pass
    /etc/pam.d/common-account:account [default=bad success=ok user_unknown=ignore] pam_sss.so
    /etc/pam.d/common-session:session optional pam_sss.so
[Freeipa-users] Re: freeipa client on Ubuntu SSH fails
I forgot we configured our /etc/ssh/sshd_config as well. You need to have the AuthorizedKeysCommand. Here is what ours looks like.

    AcceptEnv LANG LC_*
    AuthorizedKeysCommandUser nobody
    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
    Banner /etc/issue.net
    ChallengeResponseAuthentication no
    GSSAPIAuthentication yes
    HostbasedAuthentication no
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    HostKey /etc/ssh/ssh_host_rsa_key
    IgnoreRhosts yes
    KerberosAuthentication no
    KeyRegenerationInterval 3600
    LoginGraceTime 120
    LogLevel INFO
    MaxSessions 50
    MaxStartups 50:30:60
    PasswordAuthentication no
    PermitEmptyPasswords no
    PermitRootLogin no
    Port 22
    PrintLastLog yes
    PrintMotd no
    Protocol 2
    PubkeyAuthentication yes
    RhostsRSAAuthentication no
    RSAAuthentication yes
    ServerKeyBits 1024
    StrictModes yes
    Subsystem sftp /usr/lib/openssh/sftp-server
    SyslogFacility AUTH
    TCPKeepAlive yes
    UseDNS no
    UsePAM yes
    UsePrivilegeSeparation yes
    X11DisplayOffset 10
    X11Forwarding yes
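As an added example (not code from the thread, and not part of FreeIPA or SSSD), here is a small POSIX shell check for the sshd_config settings the reply above calls out. It confirms the AuthorizedKeysCommand and AuthorizedKeysCommandUser pair plus PubkeyAuthentication and UsePAM, and it flags the SSH-1-era directives that appear in the posted file (Protocol, RSAAuthentication, ServerKeyBits and friends), which OpenSSH 7.4 and later warn about and ignore. The sample files it writes are constructed, and the paths handed to the functions are hypothetical.

```shell
# Added example: audit an sshd_config for SSSD-backed public-key lookup.
# Not the thread's or the project's code; sample content is constructed.

get_directive() {
    # $1: file, $2: keyword. sshd honours the first occurrence of a keyword,
    # so mimic that; keywords are case-insensitive, commented lines never
    # match because their first field starts with '#'.
    awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1"
}

check_sshd_config() {
    # $1: path to an sshd_config. Returns 0 if every required directive has
    # the expected value; prints MISSING/OBSOLETE findings either way.
    f="$1"
    rc=0
    for req in "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" \
               "AuthorizedKeysCommandUser nobody" \
               "PubkeyAuthentication yes" \
               "UsePAM yes"; do
        key=${req%% *}
        want=${req#* }
        got=$(get_directive "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISSING: $key should be '$want' (found '${got:-<unset>}')"
            rc=1
        fi
    done
    # SSH-1 era directives: newer sshd logs a deprecation warning and ignores them.
    for old in Protocol RSAAuthentication RhostsRSAAuthentication ServerKeyBits \
               KeyRegenerationInterval UsePrivilegeSeparation; do
        if [ -n "$(get_directive "$f" "$old")" ]; then
            echo "OBSOLETE: $old is ignored by OpenSSH 7.4 and later"
        fi
    done
    return $rc
}

write_sample_sshd_config() {
    # Constructed sample modelled on the config posted above (hypothetical path in $1).
    cat > "$1" <<'EOF'
AuthorizedKeysCommandUser nobody
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
PasswordAuthentication no
Protocol 2
RSAAuthentication yes
ServerKeyBits 1024
PubkeyAuthentication yes
UsePAM yes
EOF
}

write_broken_sshd_config() {
    # Constructed sample with the SSSD lookup commented out: `id user` still
    # works via NSS, but key-based ssh for IPA users fails.
    cat > "$1" <<'EOF'
#AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
PubkeyAuthentication yes
UsePAM yes
EOF
}

# Stand-alone run against the constructed samples.
tmp=$(mktemp -d)
write_sample_sshd_config "$tmp/sshd_config.good"
write_broken_sshd_config "$tmp/sshd_config.bad"
check_sshd_config "$tmp/sshd_config.good" || echo "good sample failed (unexpected)"
check_sshd_config "$tmp/sshd_config.bad" || echo "bad sample failed (expected)"
rm -rf "$tmp"
```

The parser only reads top-level directives and ignores Match blocks, so on a real host treat `sshd -T` (which prints the effective configuration) as the authoritative check, and run `sss_ssh_authorizedkeys <user>` as the AuthorizedKeysCommandUser to see whether SSSD actually returns that user's keys from IPA.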
[Freeipa-users] Re: freeipa client on Ubuntu SSH fails
Thanks for the tip. I made the nsswitch.conf just like yours. I also looked at the files on a CentOS 7 client and made changes on the Ubuntu. But it is still no good. Any more suggestions? The test user IDs are on the system, I can su to them. However I can't ssh to it. I also notice when I try `passwd dummy1`, I get

    passwd: Authentication token manipulation error
    passwd: password unchanged

I can't run `sudo -l` either. Is it something with passwd? (which is fine when logging in to the CentOS 7 VM)

    root@test02:~# id -a dummy1
    uid=35221(dummy1) gid=35221(dummy1) groups=35221(dummy1)
    root@test02:~# su - dummy1
    dummy1@ny4test02:~$ sudo -l dummy1
    [sudo] password for dummy1:
    Sorry, try again.
    [sudo] password for dummy1:

1) I made nsswitch just like yours

2) My ipa.default

    [global]
    basedn = dc=x,dc=local
    realm = X.LOCAL
    domain = x.local
    server = ipa1.x.local
    host = test02.x.local
    xmlrpc_uri = https://ipa1.x.local/ipa/xml
    enable_ra = True

3) my krb5.conf

    includedir /etc/krb5.conf.d/
    includedir /var/lib/sss/pubconf/krb5.include.d/

    [libdefaults]
    default_realm = X.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false
    dns_canonicalize_hostname = false
    ticket_lifetime = 24h
    forwardable = true
    udp_preference_limit = 0
    default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
    X.LOCAL = {
    kdc = ipa1.x.local:88
    master_kdc = ipa1.x.local:88
    admin_server = ipa1.x.local:749
    kpasswd_server = ipa1.x.local:464
    default_domain = x.local
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    }

    [domain_realm]
    .x.local = X.LOCAL
    x.local = X.LOCAL
    test02.x.local = X.LOCAL

4) My ldap.conf

    TLS_CACERT /etc/ipa/ca.crt
    # modified by IPA
    URI ldaps://ipa1.x.local
    BASE dc=x,dc=local

5) My sssd.conf

    [sssd]
    services = nss, sudo, pam, ssh
    domains = x.local

    [domain/x.local]
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = x.local
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    ipa_hostname = test02.x.local
    chpass_provider = ipa
    dyndns_update = True
    ipa_server = _srv_, ipa1.x.local
    dyndns_iface = ens3
    ldap_tls_cacert = /etc/ipa/ca.crt

    [nss]
    homedir_substring = /home
[Freeipa-users] Re: freeipa client on Ubuntu SSH fails
We have 16.04 working here. We had to make changes to the following files:

    /etc/nsswitch.conf
    /etc/ipa/default.conf
    /etc/krb5.conf
    /etc/ldap/ldap.conf
    /etc/sssd/sssd.conf
    /usr/share/pam-configs/mkhomedir

I'm guessing your nsswitch.conf is probably the issue, if I had to guess. Here is what ours looks like

    #---
    passwd:    compat sss
    group:     compat sss
    shadow:    compat
    hosts:     files dns
    networks:  files
    protocols: db files
    services:  db sss files
    ethers:    db files
    rpc:       db files
    netgroup:  sss
    sudoers:   sss files
    #---
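The nsswitch.conf in this message and the `grep -R sss /etc/pam.d/` check in Alex's other reply are the two lookup paths an Ubuntu client has to send through SSSD before an IPA user can log in over ssh. As an added example (not code from the thread, and not part of FreeIPA or SSSD), here is a POSIX shell audit of both, run against constructed sample files: an nsswitch.conf modelled on the one posted, and a pam.d directory whose common-auth has no pam_sss.so line, which is the "only one line in one PAM file" shape the 18.04 fix in this thread turned out to be. The directory and file paths the functions take are hypothetical arguments; pass the real /etc/nsswitch.conf and /etc/pam.d on a host.

```shell
# Added example: audit nsswitch.conf and the pam.d common-* stacks for sss.
# Not the thread's or the project's code; sample content is constructed.

check_nsswitch() {
    # $1: path to nsswitch.conf. Each database below must list the sss source
    # (passwd/group for identity, netgroup and sudoers for HBAC and sudo rules).
    rc=0
    for db in passwd group netgroup sudoers; do
        if ! awk -v d="$db" '$1==d":" {for (i=2; i<=NF; i++) if ($i=="sss") found=1}
                             END {exit !found}' "$1"; then
            echo "nsswitch: '$db' does not use sss"
            rc=1
        fi
    done
    return $rc
}

check_pam_stacks() {
    # $1: path to a pam.d directory. Each common-<type> file must carry a
    # pam_sss.so line of its own module type, matching the grep output above.
    rc=0
    for type in auth account password session; do
        f="$1/common-$type"
        if ! [ -r "$f" ] || ! awk -v t="$type" '$1==t && /pam_sss\.so/ {found=1}
                                                END {exit !found}' "$f"; then
            echo "pam: $f has no pam_sss.so line for $type"
            rc=1
        fi
    done
    return $rc
}

write_sample_nsswitch() {
    # Constructed sample modelled on the nsswitch.conf posted above.
    cat > "$1" <<'EOF'
passwd:    compat sss
group:     compat sss
shadow:    compat
hosts:     files dns
netgroup:  sss
sudoers:   sss files
EOF
}

write_sample_pamd() {
    # Constructed pam.d directory: account/password/session are correct,
    # common-auth is missing its pam_sss.so line.
    mkdir -p "$1"
    printf 'auth [success=1 default=ignore] pam_unix.so nullok_secure\nauth requisite pam_deny.so\n' > "$1/common-auth"
    printf 'account [default=bad success=ok user_unknown=ignore] pam_sss.so\n' > "$1/common-account"
    printf 'password sufficient pam_sss.so use_authtok\n' > "$1/common-password"
    printf 'session optional pam_sss.so\n' > "$1/common-session"
}

# Stand-alone run against the constructed samples.
tmp=$(mktemp -d)
write_sample_nsswitch "$tmp/nsswitch.conf"
write_sample_pamd "$tmp/pam.d"
check_nsswitch "$tmp/nsswitch.conf" && echo "nsswitch: ok"
check_pam_stacks "$tmp/pam.d" || echo "pam: fix needed (expected for this sample)"
rm -rf "$tmp"
```

On a real Ubuntu client the fix for a failing common-auth is not to append the line by hand but to run pam-auth-update, as the final reply in this thread did, so the profile in /usr/share/pam-configs regenerates all four common-* stacks with consistent success-jump counts.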