Solaris NIS server with SuSE NIS client

Discussion in 'Linux Networking' started by christian.charette, Jun 15, 2006.

  1. Hello all.

    I'm trying to get a SuSE 9 Linux NIS client to connect to a Solaris 10
    NIS server, with some difficulty.

    I can get the client to bind.

    [root@mp-03 ~]>> rpcinfo -p localhost
    program vers proto port
    100000 2 tcp 111 portmapper
    100000 2 udp 111 portmapper
    100024 1 udp 32768 status
    100021 1 udp 32768 nlockmgr
    100021 3 udp 32768 nlockmgr
    100021 4 udp 32768 nlockmgr
    100024 1 tcp 32768 status
    100021 1 tcp 32768 nlockmgr
    100021 3 tcp 32768 nlockmgr
    100021 4 tcp 32768 nlockmgr
    100007 2 udp 807 ypbind
    100007 1 udp 807 ypbind
    100007 2 tcp 810 ypbind
    100007 1 tcp 810 ypbind

    the command rpcinfo -u localhost ypbind returns the following values:
    [root@mp-03 ~]>> rpcinfo -u localhost ypbind
    program 100007 version 1 ready and waiting
    program 100007 version 2 ready and waiting

    I can perform a ypmatch
    [root@mp-03 ~]>> ypmatch -k chris passwd
    chris chris:moOfMUdmr9FoM:50000:50004:christian
    charette:/export/home/chris:/bin/sh

    So that's good. I've removed c2secure on the NIS master, and I now get
    the passwords returned in the passwd.byname map. This isn't perfect,
    as I'd rather have c2secure on the Solaris server AND get the Linux
    client to authenticate clients, but I'm trying to deal with issues one
    at a time.

    I have the following values set in various configuration files for
    compatibility mode:

    [root@mp-03 ~]>> tail -2 /etc/passwd
    +:Allowed_group:::::
    -:*:::::

    [root@mp-03 ~]>> tail -1 /etc/shadow
    +::::::::

    [root@mp-03 ~]>> tail -1 /etc/group
    +:::

    /etc/nsswitch.conf has the following set:
    passwd: compat
    group: compat

    My user is set in the netgroup. This setup works fine with the Solaris
    clients.
    [root@mp-03 ~]>> ypmatch -k Allowed_group netgroup
    Allowed_group (,chris,mydomain) (,user1,mydomain) (,user2,mydomain)
    (,bob,mydomain)


    Here are my symptoms:

    A) On Linux, when I attempt to do an su to a user (chris) from root, I
    get the following errors:
    [root@mp-03 ~]>> su - chris
    [[email protected]] # bash
    [I have no name!@mp-03 ~]>> whoami
    whoami: cannot find username for UID 50000
    [I have no name!@mp-03 ~]>> id
    uid=50000 gid=50004 groups=50004

    Though I could su into my user, and it found the right UID for him, my
    user doesn't seem too happy with things.

    B) SSH works for local users. When I try to login using SSH on an NIS
    account, my session fails. Here is the trace I get from syslog (I set
    the syslog level to auth.debug + the sshd to log at debug level):
    Jun 15 10:20:20 mp-03 sshd[19542]: debug1: Forked child 19736.
    Jun 15 10:20:20 mp-03 sshd[19736]: Connection from 192.168.180.140 port
    23041
    Jun 15 10:20:20 mp-03 sshd[19736]: debug1: Client protocol version 2.0;
    client software version Sun_SSH_1.1
    Jun 15 10:20:20 mp-03 sshd[19736]: debug1: no match: Sun_SSH_1.1
    Jun 15 10:20:20 mp-03 sshd[19736]: debug1: Enabling compatibility mode
    for protocol 2.0
    Jun 15 10:20:20 mp-03 sshd[19736]: debug1: Local version string
    SSH-1.99-OpenSSH_3.8p1
    Jun 15 10:20:21 mp-03 sshd[19736]: debug1: PAM: initializing for
    "chris"
    Jun 15 10:20:21 mp-03 sshd[19736]: debug1: PAM: setting PAM_RHOST to
    "om-00"
    Jun 15 10:20:21 mp-03 sshd[19736]: debug1: PAM: setting PAM_TTY to
    "ssh"
    Jun 15 10:20:21 mp-03 sshd[19736]: Failed none for chris from
    192.168.180.140 port 23041 ssh2
    Jun 15 10:20:24 mp-03 sshd[19736]: error: PAM: Authentication failure
    Jun 15 10:20:24 mp-03 sshd[19736]: Failed keyboard-interactive/pam for
    chris from 192.168.180.140 port 23041 ssh2
    Jun 15 10:20:25 mp-03 sshd[19736]: error: PAM: Authentication failure
    Jun 15 10:20:25 mp-03 sshd[19736]: Failed keyboard-interactive/pam for
    chris from 192.168.180.140 port 23041 ssh2
    Jun 15 10:20:25 mp-03 sshd[19736]: error: PAM: Authentication failure
    Jun 15 10:20:25 mp-03 sshd[19736]: Failed keyboard-interactive/pam for
    chris from 192.168.180.140 port 23041 ssh2
    Jun 15 10:20:26 mp-03 sshd[19736]: error: Could not get shadow
    information for chris
    Jun 15 10:20:26 mp-03 sshd[19736]: Failed password for chris from
    192.168.180.140 port 23041 ssh2
    Jun 15 10:20:27 mp-03 last message repeated 2 times
    Jun 15 10:20:27 mp-03 sshd[19736]: debug1: do_cleanup
    Jun 15 10:20:27 mp-03 sshd[19736]: debug1: PAM: cleanup

    C) I try the same test using SSH keys (rather than password
    authentication). Below is the output that I get. Notice that SSH
    reports a key pair match, and fails at the pam_unix2 module:
    Jun 15 10:22:55 mp-03 sshd[19542]: debug1: Forked child 20331.
    Jun 15 10:22:55 mp-03 sshd[20331]: Connection from 192.168.180.140 port
    23072
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: Client protocol version 2.0;
    client software version Sun_SSH_1.1
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: no match: Sun_SSH_1.1
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: Enabling compatibility mode
    for protocol 2.0
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: Local version string
    SSH-1.99-OpenSSH_3.8p1
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: PAM: initializing for
    "chris"
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: PAM: setting PAM_RHOST to
    "om-00"
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: PAM: setting PAM_TTY to
    "ssh"
    Jun 15 10:22:55 mp-03 sshd[20331]: Failed none for chris from
    192.168.180.140 port 23072 ssh2
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: temporarily_use_uid:
    50000/50004 (e=0/0)
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: trying public key file
    /export/home/chris/.ssh/authorized_keys
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: matching key found: file
    /export/home/chris/.ssh/authorized_keys, line 2
    Jun 15 10:22:55 mp-03 sshd[20331]: Found matching DSA key:
    ed:4c:e6:02:4c:c9:61:3a:87:70:13:e7:1e:99:43:42
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: restore_uid: 0/0
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: temporarily_use_uid:
    50000/50004 (e=0/0)
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: trying public key file
    /export/home/chris/.ssh/authorized_keys
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: matching key found: file
    /export/home/chris/.ssh/authorized_keys, line 2
    Jun 15 10:22:55 mp-03 sshd[20331]: Found matching DSA key:
    ed:4c:e6:02:4c:c9:61:3a:87:70:13:e7:1e:99:43:42
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: restore_uid: 0/0
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: ssh_dss_verify: signature
    correct
    Jun 15 10:22:55 mp-03 sshd[20331]: Accepted publickey for chris from
    192.168.180.140 port 23072 ssh2
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: monitor_child_preauth: chris
    has been authenticated by privileged process
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: PAM: reinitializing
    credentials
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: permanently_set_uid:
    50000/50004
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: Entering interactive session
    for SSH2.
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: server_init_dispatch_20
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: server_input_channel_open:
    ctype session rchan 0 win 65536 max 16384
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: input_session_request
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: channel 0: new
    [server-session]
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: session_new: init
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: session_new: session 0
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: session_open: channel 0
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: session_open: session 0:
    link with channel 0
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: server_input_channel_open:
    confirm session
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: server_input_channel_req:
    channel 0 request pty-req reply 0
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: session_by_channel: session
    0 channel 0
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: session_input_channel_req:
    session 0 req pty-req
    Jun 15 10:22:55 mp-03 sshd[20333]: fatal: login_get_lastlog: Cannot
    find account for uid 50000
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: do_cleanup
    Jun 15 10:22:55 mp-03 sshd[20333]: debug1: PAM: cleanup
    Jun 15 10:22:55 mp-03 sshd[20333]: pam_unix2: cannot get options
    Jun 15 10:22:55 mp-03 PAM-env[20333]: Unable to open config file:
    Permission denied
    Jun 15 10:22:55 mp-03 sshd[20333]: pam_unix2: cannot get options
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: do_cleanup
    Jun 15 10:22:55 mp-03 sshd[20331]: debug1: PAM: cleanup


    The pam_unix2 module seems to be at the heart of the problem (the 2nd
    listing even authenticates public keys, bypassing passwords, but fails
    at pam_unix2).

    Any ideas? My Solaris clients work well... so what do I have to do to
    get the two to talk to each other?
     
    christian.charette, Jun 15, 2006
    #1

  2. Try taking those "NIS separator" lines out of the passwd etc. files and
    changing from "compat" to "files nis" in nsswitch.conf.

    Also make sure that you can access the passwd.byuid map as its absence
    will cause the symptom above.

    My NIS server is Solaris 9 not 10 but I wouldn't have thought that would
    make a lot of difference.

    Regards, Ian
     
    Ian Northeast, Jun 15, 2006
    #2

  3. So get rid of compatibility mode? Goes against my requirements....

    Tried it just for fun. Removed the "+" and "-" lines in /etc/passwd,
    /etc/group, /etc/shadow, and changed nsswitch to use this instead.
    passwd: files nis
    shadow: files nis
    group: files nis


    btw, I do see the map passwd.byuid:

    [root@mp-03 ~]>> ypmatch -k 50000 passwd.byuid
    50000 chris:moOfMUdmr9FoM:50000:50004:christian
    charette:/export/home/chris:/bin/sh

    But the SSH into the box still didn't work. The login log gave me this
    instead:

    Jun 15 14:20:11 mp-03 sshd[13579]: Illegal user chris from
    ::ffff:192.168.180.140
    Jun 15 14:20:11 mp-03 sshd[13579]: Failed none for illegal user chris
    from ::ffff:192.168.180.140 port 26604 ssh2
    Jun 15 14:20:13 mp-03 sshd[13579]: error: PAM: User not known to the
    underlying authentication module
    Jun 15 14:20:13 mp-03 sshd[13579]: Failed keyboard-interactive/pam for
    illegal user chris from ::ffff:192.168.180.140 port 26604 ssh2
    Jun 15 14:20:13 mp-03 sshd[13579]: error: PAM: User not known to the
    underlying authentication module
    Jun 15 14:20:13 mp-03 sshd[13579]: Failed keyboard-interactive/pam for
    illegal user chris from ::ffff:192.168.180.140 port 26604 ssh2
    Jun 15 14:20:13 mp-03 sshd[13579]: error: PAM: User not known to the
    underlying authentication module
    Jun 15 14:20:13 mp-03 sshd[13579]: Failed keyboard-interactive/pam for
    illegal user chris from ::ffff:192.168.180.140 port 26604 ssh2
    Jun 15 14:20:21 mp-03 sshd[13579]: error: Could not get shadow
    information for NOUSER
    Jun 15 14:20:21 mp-03 sshd[13579]: Failed password for illegal user
    chris from ::ffff:192.168.180.140 port 26604 ssh2


    Once again, seems to be pointing to a problem inside the PAM modules.

    I'm not sure if I'm farther along with this.

    ttyl

    Christian
     
    christian.charette, Jun 15, 2006
    #3
  4. Getting beyond me I think I'm afraid. This has always "just worked" for me.

    What happens when you su to the user from root and from non root with
    password, and run "id"?

    Regards, Ian
     
    Ian Northeast, Jun 15, 2006
    #4

  5. The first scenario I had up there already. The second doesn't work
    either.
    User "chris" is on NIS. User "bob" is local.

    [root@mp-03 /var/log]>> su - chris
    [[email protected]] # id
    uid=50000 gid=50004 groups=50004
    [[email protected]] # exit
    logout

    The log file created in /var/adm/loginlog is as follows:

    Jun 16 10:38:02 mp-03 su: (to chris) root on /dev/ttyS0
    Jun 16 10:38:02 mp-03 su: pam_unix2: session started for user chris,
    service su
    Jun 16 10:38:28 mp-03 su: pam_unix2: cannot get options

    Note that the last line only appears when I exit from the "chris"
    shell.

    [root@mp-03 /var/log]>> su - bob
    bob@mp-03:~> su - chris
    Password:
    su: incorrect password
    bob@mp-03:~>

    The log file created in /var/adm/loginlog is as follows:

    Jun 16 10:40:41 mp-03 su: (to bob) root on /dev/ttyS0
    Jun 16 10:40:41 mp-03 su: pam_unix2: session started for user bob,
    service su
    Jun 16 10:40:49 mp-03 su: FAILED SU (to chris) root on /dev/ttyS0
    Jun 16 10:40:55 mp-03 su: pam_unix2: cannot get options

    The same thing here, in that the error message (cannot get options) is
    sent out when I exit from the "bob" shell.
     
    christian.charette, Jun 16, 2006
    #5
  6. Found it.

    After much headache and pain, I was able to track it down.

    Two problems existed in my configuration:

    1) I was missing a package to get it all to work. It seems that NSCD
    is required for the system to utilize NIS in Linux -- something that
    does not seem obvious in the package descriptions or the howto guide.
    Since we were using a minimized system to deliver our software packages
    on, it did not include this.

    Hint: The same author listed for nscd is the guy who maintained the
    pam_unix2 modules and the NIS howto guide (Thorsten Kukuk). Likely an
    undocumented dependency between his libraries.

    2) Netgroups were not properly defined in /etc/passwd. The line:

    +:Allowed_group:::::

    should have read:

    +@Allowed_group

    This was clearly my mistake.


    Hope it helps someone out there.

    Chris
     
    christian.charette, Jul 13, 2006
    #6
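As an added example (not part of the thread, and not the poster's own files), the following POSIX shell check catches the second mistake diagnosed in this last post before anyone has to read sshd debug logs for it. It reads a passwd-format file, looks only at the "+"/"-" compat directive lines, and reports a netgroup name that was placed in the password field (the "+:Allowed_group:::::" shape) instead of the "+@netgroup" form. The function name, the sample lines and the temporary file are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: lint NIS "compat" directives in a passwd-format file.
# In compat mode, a line beginning with "+" or "-" is a directive, and a
# netgroup must be referenced as "+@netgroup" (or "-@netgroup"). Putting
# the netgroup name in the password field ("+:netgroup:::::") is silently
# treated as a plain "+" with a bogus password field, so users resolve
# only partially, which is the failure seen in the thread.
#
# Usage: lint_compat_entries /etc/passwd
# Prints one line per finding; returns 0 if clean, 1 if anything was found.
lint_compat_entries() {
    file="$1"
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            [+-]*) ;;         # compat directive: examine below
            *) continue ;;    # ordinary account entry: ignore
        esac
        # first  = the "+", "-", "+@netgroup", "+user" selector
        # second = the password field, if the line has one
        first=${line%%:*}
        rest=${line#*:}
        if [ "$rest" = "$line" ]; then
            rest=""           # no ":" on the line at all
        fi
        second=${rest%%:*}
        case "$first" in
            [+-]@?*)          # +@netgroup / -@netgroup: correct form
                ;;
            [+-])             # bare "+" or "-": password field must be empty, "*" or "x"
                if [ -n "$second" ] && [ "$second" != "*" ] && [ "$second" != "x" ]; then
                    printf '%s:%d: netgroup name "%s" is in the password field; use "%s@%s"\n' \
                        "$file" "$lineno" "$second" "$first" "$second"
                    status=1
                fi
                ;;
            [+-]?*)           # +user / -user: single-account override, fine
                ;;
        esac
    done < "$file"
    return "$status"
}

# Constructed demo input (hypothetical; not the poster's real /etc/passwd).
demo=$(mktemp)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              '+:Allowed_group:::::' \
              '-:*:::::' > "$demo"
lint_compat_entries "$demo" || echo "compat entries need fixing"
rm -f "$demo"
```

Run it against the real /etc/passwd on the client: a clean file produces no output and exit status 0, while the thread's original line is reported together with the corrected spelling. The check deliberately ignores ordinary account lines and the bare "+" / "-" forms with an empty or "*" password field, which are valid.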
