Open vega82 opened 1 year ago
@vega82 Hope you've already figured this out, but if not I have a few notes to share that have helped me in the past.

`testuser@domain.com`

`spacecmd --help | grep user` to see your options if you'd rather create the users via CLI. `satpasswd` and `satwho` can be helpful sometimes.

If you're still having issues, you can share more information about how you joined AD, and your configuration, including:

`for i in /etc/pam.d/common-{account,auth,password,session}; do cat $i; done | grep -v "^#"`

(`pam-config --help` for options, then restart the given service.) `date` before and after testing to help with this; `logger -s "TESTING"` to insert a timestamp into the logs. `spacecmd -u <user>`, if you'd rather do that than test from the webUI.

Any news?

Also faced with the same problem. Using FreeIPA as directory backend, can ssh with my FreeIPA user into the Uyuni server. Followed the guide.
```
uyuni-server:~ # cat /etc/nsswitch.conf | grep -v "#"
passwd: compat sss
group: compat sss
shadow: compat sss
hosts: files dns
networks: files dns
aliases: files usrfiles
ethers: files usrfiles
gshadow: files usrfiles
netgroup: files sss
protocols: files usrfiles
publickey: files
rpc: files usrfiles
services: files usrfiles
automount: files sss
bootparams: files
netmasks: files
sudoers: files sss

uyuni-server:~ # cat /etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = DOMAIN.ORG
dns_lookup_realm = true
rdns = false
dns_canonicalize_hostname = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.ORG = {
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.dc1.domain.org = DOMAIN.ORG
dc1.domain.org = DOMAIN.ORG
uyuni-server.dc1.domain.org = DOMAIN.ORG

uyuni-server:~ # for i in /etc/pam.d/common-{account,auth,password,session}; do cat $i; done |grep -v "^#"
account requisite pam_unix.so try_first_pass
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth required pam_sss.so use_first_pass
password requisite pam_cracklib.so
password sufficient pam_unix.so use_authtok nullok shadow try_first_pass
password required pam_sss.so use_authtok
session optional pam_mkhomedir.so umask=0077
session optional pam_systemd.so
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_sss.so
session optional pam_umask.so
session optional pam_env.so

uyuni-server:~ # tail -f /var/log/messages
2024-02-13T22:49:04.547296+00:00 Uyuni-Server unix2_chkpwd: pam_unix(susemanager:auth): authentication failure; logname= uid=472 euid=0 tty= ruser= rhost= user=krakazyabra
2024-02-13T22:49:04.781555+00:00 Uyuni-Server unix2_chkpwd: pam_sss(susemanager:auth): authentication success; logname= uid=472 euid=0 tty= ruser= rhost= user=krakazyabra
2024-02-13T22:49:04.841542+00:00 Uyuni-Server unix2_chkpwd: pam_sss(susemanager:account): Access denied for user krakazyabra: 6 (Permission denied)
2024-02-13T22:49:04.841754+00:00 Uyuni-Server unix2_chkpwd[23347]: pam_acct_mgmt(susemanager, krakazyabra): Permission denied

uyuni-server:~ # satwho
admin
krakazyabra
```
UPD: I was able to log in using my FreeIPA user by modifying /etc/pam.d/susemanager:

```
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_sss.so
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
```
Maybe there are a lot of extra values; correct me if so.
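The control-flag logic behind the two different account-phase outcomes in the post above, as an added illustration that is not code from the thread or from Uyuni: it reproduces the denial under the original common-account stack and the pass under the modified susemanager stack. The individual module results (pam_unix passing, pam_localuser failing for a directory-only user) are assumptions; only the pam_sss denial is taken from the log.

```python
"""Simulate how Linux-PAM combines module results in one management group
(control flags per pam.conf(5)). Added example, not from the thread; the
module outcomes below are assumptions modelled on the log lines above."""

SUCCESS, FAIL = "success", "fail"


def evaluate_stack(stack, outcomes):
    """stack: list of (control, module); outcomes: module -> SUCCESS/FAIL."""
    pending_failure = False   # a 'required' module has already failed
    decisive_seen = False     # any required/requisite/sufficient module ran
    optional_result = None
    for control, module in stack:
        result = outcomes.get(module, FAIL)   # unknown module => failing
        if control == "requisite":
            decisive_seen = True
            if result == FAIL:
                return FAIL                   # abort the stack immediately
        elif control == "required":
            decisive_seen = True
            if result == FAIL:
                pending_failure = True        # keep going, final answer is FAIL
        elif control == "sufficient":
            decisive_seen = True
            if result == SUCCESS and not pending_failure:
                return SUCCESS                # short-circuit success
            # a failing 'sufficient' module is simply ignored
        elif control == "optional":
            optional_result = result          # decisive only if sole module
        else:
            raise ValueError(f"bracket syntax not modelled: {control}")
    if not decisive_seen and optional_result is not None:
        return optional_result
    return FAIL if pending_failure else SUCCESS


# 'account' lines from the posted common-account and modified susemanager files
ORIGINAL_ACCOUNT = [("requisite", "pam_unix.so"), ("sufficient", "pam_localuser.so"),
                    ("required", "pam_sss.so")]
MODIFIED_ACCOUNT = [("required", "pam_unix.so"), ("sufficient", "pam_sss.so"),
                    ("required", "pam_permit.so")]
# Assumed results for a FreeIPA-only user whom sssd denies: pam_unix passes
# (user resolvable via NSS, nothing to expire), pam_localuser fails (user not
# in /etc/passwd), pam_sss fails as logged, pam_permit always succeeds.
DENIED_BY_SSS = {"pam_unix.so": SUCCESS, "pam_localuser.so": FAIL,
                 "pam_sss.so": FAIL, "pam_permit.so": SUCCESS}

if __name__ == "__main__":
    print("original common-account:", evaluate_stack(ORIGINAL_ACCOUNT, DENIED_BY_SSS))
    print("modified susemanager:", evaluate_stack(MODIFIED_ACCOUNT, DENIED_BY_SSS))
```

Under the modified stack a denial from pam_sss in the account phase no longer decides the outcome: the failing `sufficient` line is ignored and `pam_permit.so` always passes, so sssd-side access control for this service is effectively advisory.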
I'm trying to configure Active Directory login for the Uyuni web frontend, so I followed the instructions for PAM configuration. The system is also joined to AD and communication to AD should work, I think.
While trying to log in I got the following errors:

`cat /etc/pam.d/susemanager`

`cat /etc/rhn/rhn.conf | grep pam_auth`