FreeIPA Server & Client



  • Dears,
    I have configured FreeIPA Server on CentOS 7 and it seems that it works without any problem,
    and I have Fedora 23 and Ubuntu 15 to authenticate from the IPA Server.
    All configurations are done and I can switch to the LDAP user normally (su - ldapuser) from the shell,
    but the main problem is that I cannot log in with that ldapuser through the Desktop Login Screen.
    Any advice?
    Thanks



  • Are you using SSS for the client auth?



  • @stacksofplates yes, and here is the content of /etc/sssd/sssd.conf:

    [domain/server.local]
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = server.local
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    ipa_hostname = client.server.local
    chpass_provider = ipa
    ipa_server = srv, ipa.server.local
    ldap_tls_cacert = /etc/ipa/ca.crt

    [sssd]
    services = nss, sudo, pam, ssh
    domains = server.local

    [nss]
    homedir_substring = /home

    [pam]

    [sudo]

    [autofs]

    [ssh]

    [pac]

    [ifp]



  • Do you have an OTP set up for that user?



  • Also, can you SSH in as the IPA user, without using su?



  • @stacksofplates I cannot log in via ssh using the IPA user; after entering the password it gives this error:
    Permission denied, please try again



  • @stacksofplates also there is no OTP configuration on the IPA Server.



  • Can you post your /etc/pam.d/system-auth and password-auth configs?



  • @stacksofplates the "/etc/pam.d/system-auth":

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth sufficient pam_fprintd.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth sufficient pam_sss.so use_first_pass
    auth required pam_deny.so

    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 1000 quiet
    account [default=bad success=ok user_unknown=ignore] pam_sss.so
    account required pam_permit.so

    password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password sufficient pam_sss.so use_authtok
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    -session optional pam_systemd.so
    session optional pam_oddjob_mkhomedir.so umask=0077
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so
    session optional pam_sss.so

    =================================================

    and "/etc/pam.d/password-auth":

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth sufficient pam_sss.so use_first_pass
    auth required pam_deny.so

    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 1000 quiet
    account [default=bad success=ok user_unknown=ignore] pam_sss.so
    account required pam_permit.so

    password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password sufficient pam_sss.so use_authtok
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    -session optional pam_systemd.so
    session optional pam_oddjob_mkhomedir.so umask=0077
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so
    session optional pam_sss.so
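
    As an added illustration (not code from the thread or from FreeIPA), here is a small Python simulator of Linux-PAM control-flag semantics run over the auth and account groups of the system-auth file posted above. For a non-local IPA user that NSS resolves through sss, it shows that the stack's verdict rests entirely on what pam_sss.so returns: an auth failure is recorded by pam_deny.so, and an account denial is recorded by the [default=bad ...] control. The per-module statuses in the scenarios are assumptions, not observations from the poster's system.

```python
import re
# Linux-PAM's expansion of the simple control keywords into the
# [status=action ...] form that the pam_sss.so account line above uses.
KEYWORDS = {"required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
            "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"},
            "optional":   {"success": "ok", "default": "ignore"}}
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]+\]|\w+)\s+(\S+)")
# The auth and account groups as posted for /etc/pam.d/system-auth.
SYSTEM_AUTH = """auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so"""
def parse_stack(text, group):
    """Return [(controls, module)] for one management group (auth/account)."""
    stack = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        if m.group(1) == group:
            ctl = m.group(2)
            stack.append((dict(kv.split("=", 1) for kv in ctl[1:-1].split())
                          if ctl.startswith("[") else KEYWORDS[ctl], m.group(3)))
    return stack
def run_stack(stack, results):
    """Walk a group; results maps module -> the status it returns for this user.
    Simplified: no jump actions ([success=N]); missing modules return 'ignore'."""
    final = None                              # first recorded failure wins
    for controls, module in stack:
        status = results.get(module, "ignore")
        action = controls.get(status, controls.get("default", "ignore"))
        if action == "ignore":
            continue
        if final in (None, "success"):        # ok/bad/done/die record status...
            final = status
        if action in ("done", "die"):         # ...and these two stop the walk
            break
    return final or "perm_denied"             # an undecided stack is a denial
def ipa_user_outcome(sss_auth, sss_account):
    """(auth, account) verdicts for a non-local IPA user (uid >= 1000) that NSS
    resolves via sss, given what pam_sss.so returns; other statuses are assumed."""
    auth = {"pam_env.so": "success", "pam_fprintd.so": "authinfo_unavail",
            "pam_unix.so": "user_unknown", "pam_succeed_if.so": "success",
            "pam_sss.so": sss_auth, "pam_deny.so": "auth_err"}
    account = {"pam_unix.so": "success", "pam_localuser.so": "perm_denied",
               "pam_succeed_if.so": "auth_err", "pam_sss.so": sss_account,
               "pam_permit.so": "success"}
    return (run_stack(parse_stack(SYSTEM_AUTH, "auth"), auth),
            run_stack(parse_stack(SYSTEM_AUTH, "account"), account))
```

    Note that su run by root never enters the auth group at all, which is why a working "su - ldapuser" from a root shell says nothing about whether pam_sss.so can authenticate that user.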



  • Looks fairly normal. What's in your /etc/nsswitch.conf file?



  • Also, if you log into the system with a different user, can you do a kinit ldapuser to get a kerberos ticket?



  • @stacksofplates the "/etc/nsswitch.conf":

    passwd: files sss
    shadow: files sss
    group: files sss
    #initgroups: files

    #hosts: db files nisplus nis dns
    hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname

    # Example - obey only what nisplus tells us...
    #services: nisplus [NOTFOUND=return] files
    #networks: nisplus [NOTFOUND=return] files
    #protocols: nisplus [NOTFOUND=return] files
    #rpc: nisplus [NOTFOUND=return] files
    #ethers: nisplus [NOTFOUND=return] files
    #netmasks: nisplus [NOTFOUND=return] files

    bootparams: nisplus [NOTFOUND=return] files

    ethers: files
    netmasks: files
    networks: files
    protocols: files
    rpc: files
    services: files sss

    netgroup: files sss

    publickey: nisplus

    automount: files sss
    aliases: files nisplus
    sudoers: files sss

    ==============
    Also, what makes this case very strange is that I can do kinit ldapuser normally, and su - user,
    and also getent passwd user,
    but I cannot log in via ssh or the GUI.



  • I think the main question here is: how can we allow the Enterprise Login?



  • Did you change the password for the user after you set it?

    Can you log into the IPA web interface with that user?



  • @stacksofplates said in FreeIPA Server & Client:

    Did you change the password for the user after you set it?

    Can you log into the IPA web interface with that user?

    The password was changed on the first login,
    and I can also access the IPA web interface with that user.



  • It really sounds like it's something to do with pam. You can try doing an authconfig --update and see if that helps. If not, I'd just reinstall the ipa-client.



  • Another thing to try, do you have the ipa-admintools package installed on your client? If you do, what output do you get if you kinit and then run ipa user-find --all?



  • @stacksofplates said in FreeIPA Server & Client:

    Another thing to try, do you have the ipa-admintools package installed on your client? If you do, what output do you get if you kinit and then run ipa user-find --all?

    The admintools package is installed, but when I tried to run "ipa user-find --all" it shows this error:
    [[email protected] ~]# ipa user-find --all
    ipa: ERROR: 2.114 client incompatible with 2.112 server at 'https://ipa.server.local/ipa/xml'



  • @AlyRagab said in FreeIPA Server & Client:

    The admintools package is installed, but when I tried to run "ipa user-find --all" it shows this error:
    [[email protected] ~]# ipa user-find --all
    ipa: ERROR: 2.114 client incompatible with 2.112 server at 'https://ipa.server.local/ipa/xml'

    That's what I feared. I think to be able to run the IPA client on Fedora you will need to run the IPA server on Fedora server, not CentOS.

    Or go the opposite and use CentOS 7 workstation instead of Fedora. I actually prefer the CentOS 7 workstation to Fedora, and I'm going to be switching back on my home laptop.



  • @stacksofplates said in FreeIPA Server & Client:

    That's what I feared. I think to be able to run the IPA client on Fedora you will need to run the IPA server on Fedora server, not CentOS.

    Or go the opposite and use CentOS 7 workstation instead of Fedora. I actually prefer the CentOS 7 workstation to Fedora, and I'm going to be switching back on my home laptop.

    What about CentOS 7 workstation are you liking? I'm a Fedora fan and like Korora's mix of it the most.



  • @scottalanmiller said in FreeIPA Server & Client:

    What about CentOS 7 workstation are you liking? I'm a Fedora fan and like Korora's mix of it the most.

    I like Fedora a lot. But I had CentOS workstation for a long time after 7 came out. It's rock solid, like you have to try to break it. I've had some weird issues with Fedora, both 23 and 24 that seemed a little buggy. In my experience Fedora with Gnome has been slower than CentOS with Gnome. I've only ever found one thing I couldn't run on CentOS and that was FreeCAD, but it didn't run super well on Fedora either.

    Plus there is the not needing to reinstall every 6 months or whatever the release schedule is.

    And the fact I work with RHEL 7 WS every day, it feels comfortable.



  • @stacksofplates said in FreeIPA Server & Client:

    I like Fedora a lot. But I had CentOS workstation for a long time after 7 came out. It's rock solid, like you have to try to break it. I've had some weird issues with Fedora, both 23 and 24 that seemed a little buggy. In my experience Fedora with Gnome has been slower than CentOS with Gnome. I've only ever found one thing I couldn't run on CentOS and that was FreeCAD, but it didn't run super well on Fedora either.

    Plus there is the not needing to reinstall every 6 months or whatever the release schedule is.

    I'm stuck with Ubuntu 16.10 on the laptop but run Korora 24 in a VM.



  • @scottalanmiller said in FreeIPA Server & Client:

    I'm stuck with Ubuntu 16.10 on the laptop but run Korora 24 in a VM.

    I have Korora 24 Gnome on my laptop currently. It's ok, I still prefer stock Fedora with Gnome though.



  • @stacksofplates said in FreeIPA Server & Client:

    I have Korora 24 Gnome on my laptop currently. It's ok, I still prefer stock Fedora with Gnome though.

    I use it with Cinnamon, that's the cool bit 🙂



  • @scottalanmiller said in FreeIPA Server & Client:

    I use it with Cinnamon, that's the cool bit 🙂

    Ah ya, I use Gnome 3 for the extensions.



  • So what about Ubuntu? I have a client with a lot of Ubuntu 14.04 workstations. Do I need to install FreeIPA on an Ubuntu Server to be compatible with Ubuntu workstations?



  • @AlyRagab I have connected Linux Mint to a CentOS FreeIPA server.



  • @brianlittlejohn said in FreeIPA Server & Client:

    @AlyRagab I have connected Linux Mint to a CentOS FreeIPA server.

    If the problem is not related to compatibility issues, then maybe the problem is related to the PAM configuration. So the question here is: did you do any manual configuration of any of the PAM modules? Do I need to do so for the module responsible for authentication through the login screen in Ubuntu?

