Services for UNIX on Red Hat 6 using NIS?

Hey,

I was wondering if anyone has been able to get the SSOD Module for Services for UNIX working on Red Hat 6?

We primarily use it to sync our passwords from Windows 2003 Active Directory to our Red Hat 6 server running NIS as the name service.

I'm at wits' end here. I've tried many different variations of PAM configurations to get it to work, but it just isn't working.

Here are my current system-auth, passwd, password-auth, and ssod configurations, located under /etc/pam.d/:

System-Auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so debug
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= debug
password required /lib64/security/pam_sso.so.1
password sufficient pam_unix.so nis try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

passwd:

#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
#-password optional pam_gnome_keyring.so
password required pam_unix.so nis
password required pam_cracklib.so retry=3

password-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so debug
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= debug
password sufficient pam_unix.so shadow nis try_first_pass use_authtok
password required /lib64/security/pam_sso.so.1
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

ssod:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password required pam_cracklib.so retry=3 type=
password sufficient pam_unix.so nis
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

/etc/sso.conf:

# ============================================================================
# This is the configuration file for SFU's Password Synchronization Single
# Sign-On Daemon (SSOD) and Password Synchronization Pluggable Authentication
# Module (PAM).
#
# File Name: sso.conf
#
# This file is named sso.cfg on the SFU CD. Please copy the file as /etc/sso.conf
# on your UNIX box.
#
# If you edit this file make sure to save it in Unix file format.
# ============================================================================
# Note that each line can not exceed 256 characters in length.
# In cases where you need to specify entries exceeding this limitation, split them
# into multiple entries.
#
# For example, you can specify multiple SYNC_USERS entries as below:
#
# SYNC_USERS=+lindag,+marydoe,+jane,-peter
# SYNC_USERS=-root
#-----------------------------------------------------------
# The following are common to both SSOD and SFU'S PAM module
#-----------------------------------------------------------
# ENCRYPT_KEY: This is the encryption/decryption key.
# ssod uses this key to decrypt password change messages
# from Windows computers. This is also the default
# encryption key to encrypt password change messages sent from
# this computer to Windows computers. The encryption key
# for a specific Windows computer may be set using the SYNC_HOSTS
# entry below.
# The encryption key must meet the following requirements:
# It must be at least 16 and at most 21 characters long.
# It must contain characters from at least three of the following four groups:
# Uppercase English letters (A-Z)
# Lowercase English letters (a-z)
# Westernized Arabic numerals (0-9)
# Punctuation symbols
# ( ` ~ ! @ # $ % ^ & * _ - + = | \ { } [ ] : ; \ " ' < > . ? )
# NOTE:
# Make sure that the key does not contain '(', ')' or ',' characters
#
ENCRYPT_KEY=M\02E6#c6fa032Si
# PORT_NUMBER - This specifies the default port number to wait on.
# ssod uses this port to listen for password change messages
# from Windows computers. This is also the default port
# on the Windows computer to which this computer sends password
# change requests. The port number for a specific Windows computer
# may be set using the SYNC_HOSTS entry below.
PORT_NUMBER=5000
#PORT_NUMBER=6677
# SYNC_USERS
#
# Passwords are synchronized for users as specified in this entry.
#
# You can specify multiple entries of SYNC_USERS.
#
# SYNC_USERS=[[+/-]user]*
# user - username of the user or ALL
# Password will be synchronized for those users with '+'.
# Password will not be synchronized for those users with '-'.
# Examples:
# 1. SYNC_USERS=+lindag,+marydoe,+jane,-peter
# Synchronize passwords for lindag, marydoe, jane but not
# for peter
# 2. SYNC_USERS=all
# Synchronize passwords for all users.
# 3. SYNC_USERS=all,-root
# Synchronize passwords for all users except root

SYNC_USERS=all
# SYNC_HOSTS - This list specifies the Windows computers that
# participate in password synchronization with this UNIX computer.
# This consists of tuples that specify computer name,
# port number and the encryption key.
#
# You can specify multiple entries of SYNC_HOSTS.
#
# Port number specifies the port on the Windows computer
# on which the Password Synchronization service is listening for
# password changes. This port number should match the
# port number on the Default pane of the Password Synchronization
# management console on the Windows computer.
# Encryption key specifies the key used to encrypt the password
# change messages sent to the Windows computer. This key should
# match the encryption key on the Default pane of the Password
# Synchronization management console on the Windows computer.
#
# SYNC_HOSTS=(host,[port],[encryption key]) (host,[port],[encryption key]) ...
# If either port or encryption key is omitted, the values specified in ENCRYPT_KEY and
# PORT_NUMBER will be used.
#
# Examples:
# 1. SYNC_HOSTS=(tpilc1,3000,STR783$12123TQWE) (tpilc2,,453TrE$323$3#Asf) (tpilc3,4000) (tpilc4)
# Synchronize passwords with the tpilc1, tpilc2, tpilc3, and tpilc4 Windows
# computers.
# For tpilc1, it connects on port 3000 and uses STR783$12123TQWE for encrypting
# messages. On tpilc1, the default encryption/decryption key should be
# the same.
# For tpilc2, it connects on the default PORT_NUMBER 6677 listed above.
# It uses 453TrE$323$3#Asf for encrypting messages.
# For tpilc3, it connects on port 4000 on tpilc3. It uses the encryption
# key listed in ENCRYPT_KEY, which is ABCDZ#efgh$12345
# For tpilc4, it connects on the default port (PORT_NUMBER listed above)
# 6677 and the default encryption key (ENCRYPT_KEY listed above).
#
# Port number and encryption key are only used by SFU'S PAM Module.
SYNC_HOSTS=(WINDOWS_SERVER)

#-----------------------------------------------------
# The following are specific to SSOD (Windows to UNIX)
#-----------------------------------------------------
# USE_SHADOW - Indicates if shadow passwords are used.
#
# 0 indicates this computer does not use shadow passwords.
# 1 indicates this computer uses shadow passwords
#
USE_SHADOW=1
# FILE_PATH - Full path to the password file, either /etc/shadow or /etc/passwd
# depending on the value of USE_SHADOW.
#
# Note: On some UNIX platforms both the passwd and shadow files may be named differently and
# be placed in different locations. Choose the appropriate path to specify here.
FILE_PATH=/etc/yp/etc/shadow
# USE_NIS - This flag is used if this computer is part of a NIS domain
# and the NIS database needs to be updated when a passwd change request
# comes from a Windows computer.
#
# 0 if not synchronizing with a NIS domain.
# 1 if synchronizing with a NIS domain.
#
# If USE_NIS is set to 1, you should also specify the NIS_UPDATE_PATH
# described below.
USE_NIS=1
# NIS_UPDATE_PATH - Full path of the Makefile used for building the NIS database
# This value is used only when USE_NIS is set to 1.
NIS_UPDATE_PATH=/var/yp/Makefile
# TEMP_FILE_PATH - Directory path name where a temporary file is to be
# created while updating the passwd or shadow file. For security reasons,
# this should be a directory where only the administrator has access.
#
# Set this value to the same directory where your passwd or shadow file
# is located.
#
# Note that this is the name of the directory and not the file itself.
TEMP_FILE_PATH=/etc/yp/etc
# CASE_IGNORE_NAME
# A Windows user name is case insensitive while a UNIX user name is case sensitive.
# When a passwd change request comes from a Windows computer, this flag is used to
# decide whether to look for a UNIX user name with case or ignoring case.
#
# 0 implies case sensitive comparison of names
# 1 implies case insensitive comparison of names
# If this flag is not specified, case in the user name is ignored.
CASE_IGNORE_NAME=1
#-----------------------------------------------------------------
# The following are specific to SFU'S PAM Module (UNIX to Windows)
#-----------------------------------------------------------------
# IGNORE_PROPAGATION_ERRORS - If this flag is set to 1, any errors that occur
# when a Windows password is being changed will be ignored.
# Password Synchronization will continue with the remaining hosts in the SYNC_HOSTS entry.
IGNORE_PROPAGATION_ERRORS=1
# SYNC_RETRIES - Specifies the number of times SFU'S PAM module will attempt to synchronize
# the password change with a Windows host.
SYNC_RETRIES=5
# SYNC_DELAY - Specifies the number of seconds SFU'S PAM module will wait when a synchronize
# attempt fails.
SYNC_DELAY=30

The error provided by the /var/log/secure file is the following:

ssod: pam_unix(ssod:chauthtok): password not changed for *USER* on *NIS_SERVER*

The error provided by /var/log/messages is the following:

rpc.yppasswdd: updated *USER* (uid=****) from host 127.0.0.1 rejected
rpc.yppasswdd: Invalid Password
ssod: Failed to update Password Error: ERROR User: *USER*

The error provided by the Windows 2003 Server is the following:

Unable to update Password for user:
user = *USER*
check if user account is locked,expired or disabled

On the Red Hat NIS server the accounts are not locked, expired or disabled. I can log in as every user account in our NIS passwd table. I can manually change a user's password as root using the yppasswd command.

Does anyone have any experience with Services for UNIX running on Red Hat? Any thoughts/ideas?
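The sso.conf comments above spell out the ENCRYPT_KEY rules (16 to 21 characters, three of four character groups, no '(', ')' or ','), the SYNC_HOSTS tuple syntax with its PORT_NUMBER/ENCRYPT_KEY defaults, the 256-character line limit and the USE_NIS/NIS_UPDATE_PATH dependency. The following Python check is an added example, not part of the original post or of SFU; it parses a file in that format and reports which of those rules a configuration violates. The sample file, host names and keys are constructed.

```python
import re

SAMPLE_SSO_CONF = """\
# constructed sample in the sso.conf format; hosts and keys are made up, not the poster's
ENCRYPT_KEY=Abc123$%^defGHI9
PORT_NUMBER=5000
SYNC_HOSTS=(tpilc1,3000,STR783$12123TQWE) (tpilc2,,453TrE$323$3#Asf) (tpilc4)
USE_NIS=1
NIS_UPDATE_PATH=/var/yp/Makefile
"""
PUNCT = set("`~!@#$%^&*_-+=|\\{}[]:;\"'<>.?")  # the fourth character group from the comments

def key_problems(key):
    """Return the ENCRYPT_KEY rules from sso.conf that key violates (empty list means OK)."""
    groups = sum(any(f(c) for c in key) for f in (str.isupper, str.islower, str.isdigit, PUNCT.__contains__))
    return [msg for bad, msg in ((not 16 <= len(key) <= 21, "length must be 16 to 21 characters"),
                                 (groups < 3, "needs characters from at least 3 of the 4 groups"),
                                 (any(c in "()," for c in key), "must not contain '(', ')' or ','")) if bad]

def parse_sso_conf(text):
    """Collect KEY=VALUE lines; a repeated key such as SYNC_USERS accumulates in order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if len(raw) > 256:  # the file format caps each line at 256 characters
            raise ValueError("line too long: " + raw[:40])
        k, _, v = line.partition("=")
        conf.setdefault(k.strip(), []).append(v.strip())
    return conf

def sync_hosts(conf):
    """Expand SYNC_HOSTS tuples, filling an omitted port or key from PORT_NUMBER / ENCRYPT_KEY."""
    default_port, default_key = int(conf["PORT_NUMBER"][-1]), conf["ENCRYPT_KEY"][-1]
    hosts = []
    for entry in conf.get("SYNC_HOSTS", []):
        for tup in re.findall(r"\(([^)]*)\)", entry):
            host, port, key = ([f.strip() for f in tup.split(",")] + ["", ""])[:3]
            hosts.append((host, int(port) if port else default_port, key or default_key))
    return hosts

def findings(conf):
    """Flag a bad default or per-host key, and USE_NIS=1 without NIS_UPDATE_PATH."""
    out = ["ENCRYPT_KEY: " + p for p in key_problems(conf["ENCRYPT_KEY"][-1])]
    if conf.get("USE_NIS", ["0"])[-1] == "1" and "NIS_UPDATE_PATH" not in conf:
        out.append("USE_NIS=1 but NIS_UPDATE_PATH is not set")
    for host, _, key in sync_hosts(conf):
        out += ["SYNC_HOSTS " + host + ": " + p for p in key_problems(key)]
    return out
```

Run it as `findings(parse_sso_conf(open("/etc/sso.conf").read()))`; an empty list means every key and the NIS settings pass the rules from the comments.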
