Bug 631907

Summary: ipa-client provides limited functionality in rhel 5.6
Product: Red Hat Enterprise Linux 5
Reporter: Rob Crittenden <rcritten>
Component: ipa-client
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Docs Contact:
Priority: low
Version: 5.6
CC: benl, dpal, jgalipea, mkhusid, nsoman, sgallagh
Target Milestone: rc
Keywords: Rebase, Reopened
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ipa-client-2.0-13.el5
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
ipa-client

The ipa-client package provides a tool to enroll a machine to an IPA server version 2, and is not backward compatible with version 1 of the server. ipa-client is considered a Technology Preview in Red Hat Enterprise Linux 5.6. Note, however, that SSSD needs to be manually configured for use with IPA.

Configuring NSS to fetch user and group information

SSSD provides the nss_sss NSS module. To use this module, configure NSS to use the sss name database in addition to the UNIX file database. Edit /etc/nsswitch.conf, adding the following lines:

passwd:     files sss
group:      files sss

Configuring PAM for authentication

Errors when editing the PAM configuration file can lock you out of the system. Always back up the configuration file and keep another session open to revert changes if an error is made. Change the PAM config file to:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-21 03:05:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 629021
Bug Blocks: 656090, 665307
Attachments:
  ipaclient-install.log (flags: none)

Description Rob Crittenden 2010-09-08 12:05:30 EDT
Description of problem:

sssd is available in el5.6 but the version of authconfig does not support configuring it. In ipa-client we call out to authconfig to handle the nss and pam configurations.

If we include our own copy of authconfig 6.x in ipa-client we should be able to enable sssd that way.
Comment 5 RHEL Product and Program Management 2010-09-14 21:14:38 EDT
Product Management has reviewed and declined this request.  You may appeal this
decision by reopening this request.
Comment 7 Stephen Gallagher 2010-09-16 09:48:49 EDT
Tech note content taken from https://fedorahosted.org/sssd/wiki/HOWTO_Configure

Configure NSS for fetching user and group information

In order to configure your system to use sssd for user information, SSSD provides a new nss_sss NSS module. To use it, you need to configure NSS to use the sss name database along with the classic UNIX file database. Edit your /etc/nsswitch.conf:

passwd:     files sss
group:      files sss

Configure PAM for authentication

Configuring PAM should be done with extreme care. A mistake or typo in the PAM config file can lock you out of the system completely. Always back up your config files before making any changes and keep a session open so that you can revert the changes you make.

Enable the use of the SSSD for PAM. If you are changing the default PAM config on Fedora, it should look like:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


Recent PAM implementations allow including other PAM configuration files, e.g.

...
session     include      system-auth
session     optional     pam_console.so
...

If you use includes please note that in the example above pam_console.so is not executed if a sufficient condition from system-auth returns PAM_SUCCESS.

Some of the later examples use a proxy auth provider between pam_sss and other PAM modules using the pam-target configuration directive that references a file in /etc/pam.d. It is important not to include pam_sss.so modules in these proxied targets, otherwise the PAM stack may go into a loop.
Comment 12 Ryan Lerch 2011-01-05 00:07:47 EST
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
ipa-client
The ipa-client package provides a tool to enroll a machine to an IPA server version 2, and is not backward compatible with version 1 of the server. ipa-client is considered a Technology Preview in Red Hat Enterprise Linux 5.6.

Note, however, that SSSD needs to be manually configured for use with IPA.

Configuring NSS to fetch user and group information

SSSD provides the nss_sss NSS module. To use this module, configure NSS to use the sss name database in addition to the UNIX file database. Edit /etc/nsswitch.conf, adding the following lines:

passwd:     files sss
group:      files sss

Configuring PAM for authentication

Errors when editing the PAM configuration file can lock you out of the system. Always back up the configuration file and keep another session open to revert changes if an error is made.
Change the PAM config file to:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Comment 14 Stephen Gallagher 2011-01-05 06:54:49 EST
The tech note might also want to mention that the PAM config file is a recommended configuration and not an exclusive one. Additionally, it's also possible (and maybe recommended) to have:

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

This version of the session stack includes pam_mkhomedir.so which will automatically create a home directory for an SSSD user upon their first login. This is useful for machines that will operate offline often (such as laptops), but is NOT recommended for machines that rely on NFS-connected home directories.
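The auth and account stacks in comments 7, 12 and 14 are only as safe as the way their control flags compose: a local account must never be handed to SSSD, an IPA user has to fall through pam_unix to pam_sss, pam_deny has to close the auth stack, and, as comment 7 warns, a sufficient success inside an included file ends the including stack too. What follows is an added example, not code from this bug report, from ipa-client or from SSSD: a small Python model of the Linux-PAM control-flag rules documented in pam.conf(5) (required, requisite, sufficient, optional, the [value=action] form and include inlining; success=N jumps are deliberately not modelled, so the session stack is left out) that evaluates the recommended system-auth auth and account stacks for a few constructed users. Module return values are simulated per scenario rather than obtained from real modules, the user records and the LOGIN service file are constructed for the example, and pam_succeed_if is modelled only for the uid comparisons this stack uses.

```python
"""Linux-PAM control-flag model run against the system-auth stack recommended in this bug (added example)."""
from collections import namedtuple

# Keyword controls expanded to the [value=action] form that pam.conf(5) documents for them.
CONTROLS = {"required": {"success": "ok", "default": "bad"}, "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}, "optional": {"success": "ok", "default": "ignore"}}
# control is a dict retval -> action, or the string "include" (then module names the included pam.d file)
Entry = namedtuple("Entry", "type control module args")

def parse_stack(text):
    """Parse pam.d lines of the form 'type control module [args...]'; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        typ, rest = line.split(None, 1)
        if rest.startswith("["):
            ctl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=", 1) for kv in ctl.split())
        else:
            ctl, rest = rest.split(None, 1)
            control = "include" if ctl == "include" else dict(CONTROLS[ctl])
        module, *args = rest.split()
        entries.append(Entry(typ, control, module, tuple(args)))
    return entries

def expand(stack, typ, files):
    """One management group; 'include' is inlined as Linux-PAM does, so a sufficient success inside ends the caller too."""
    chain = []
    for e in stack:
        if e.type == typ:
            chain += expand(files[e.module], typ, files) if e.control == "include" else [e]
    return chain

def evaluate(stack, typ, result_of, files, trace):
    """Status of one management group; result_of(entry) simulates the module, trace collects the calls made."""
    impression, status = None, "perm_denied"            # Linux-PAM starts from a must-fail status
    for entry in expand(stack, typ, files):
        retval = result_of(entry)
        trace.append(entry.module)
        action = entry.control.get(retval, entry.control.get("default", "bad"))
        if action in ("ok", "done"):
            if impression != "negative":                # an earlier failure is never overridden
                impression, status = "positive", retval
            if action == "done" and status == "success":
                break                                   # sufficient: decide now, skip the rest
        elif action in ("bad", "die"):
            if impression != "negative":                # the first failure is the one reported
                impression, status = "negative", retval
            if action == "die":
                break                                   # requisite: stop, later modules never run
        elif action != "ignore":
            raise NotImplementedError(f"action {action!r} (success=N jumps are not modelled)")
    return status

def module_results(user):
    """Simulated results for one constructed user: 'local' users are in /etc/passwd and /etc/shadow,
    all others are IPA users that only sssd can see and verify."""
    local, ok = user["local"], user["password_ok"]
    def result_of(entry):
        if entry.module == "pam_succeed_if.so":       # only the 'uid >= N' / 'uid < N' forms this stack uses
            field, op, value = entry.args[:3]
            met = user[field] >= int(value) if op == ">=" else user[field] < int(value)
            return "success" if met else "auth_err"
        if entry.module == "pam_unix.so" and entry.type == "auth":
            return "success" if local and ok else "auth_err"   # IPA users have no local hash to check
        if entry.module == "pam_sss.so":
            if local:
                return "user_unknown"                          # local accounts are not in sssd's domain
            return "success" if ok or entry.type != "auth" else "auth_err"
        if entry.module == "pam_localuser.so":
            return "success" if local else "perm_denied"
        return "auth_err" if entry.module == "pam_deny.so" else "success"   # pam_env, pam_permit, pam_console
    return result_of

# auth and account stacks of system-auth as recommended in comments 7 and 12.
SYSTEM_AUTH = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
"""
# A constructed service file using 'include', in the shape of comment 7's pam_console example.
LOGIN = "auth include system-auth\nauth optional pam_console.so\n"

def run(stack_text, typ, **user):
    """Evaluate one group for one constructed user; returns (status, modules consulted, in order)."""
    trace = []
    files = {"system-auth": parse_stack(SYSTEM_AUTH)}
    return evaluate(parse_stack(stack_text), typ, module_results(user), files, trace), trace
```

run(SYSTEM_AUTH, "auth", uid=0, local=True, password_ok=False) returns ('auth_err', ['pam_env.so', 'pam_unix.so', 'pam_succeed_if.so']): root with a wrong password is refused by the requisite pam_succeed_if line and pam_sss is never consulted, so system accounts never produce traffic to the IPA server. An IPA user (uid 1000, local=False) with the right password passes through pam_unix's failure, which sufficient turns into ignore, to pam_sss; with the wrong one the stack ends at pam_deny with auth_err. In the account group a local user is decided by pam_localuser before pam_sss runs, while for an IPA user the user_unknown=ignore action keeps a "not my user" answer from counting as a failure. run(LOGIN, "auth", uid=0, local=True, password_ok=True) shows the include caveat from comment 7: pam_console.so is absent from the trace because the sufficient pam_unix inside system-auth ended the whole stack. Finally, deleting the pam_deny line turns the auth stack into a bypass for IPA users: pam_succeed_if's success is an "ok" vote that survives the ignored pam_sss failure, so a wrong IPA password is accepted; the must-fail starting status only protects a stack in which every module was ignored.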
Comment 15 RHEL Product and Program Management 2011-01-11 15:10:27 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 20 Namita Soman 2011-05-12 10:33:57 EDT
Using:
ipa-client-2.0-13.el5

Failed to verify. 

After the install, which had a failure (bug 704235), checked /etc/nsswitch.conf. This wasn't updated. Nor was /etc/sysconfig/authconfig. This still had USESSSDAUTH=no.

sssd service wasn't running when install ended.
Comment 21 Rob Crittenden 2011-05-12 10:56:40 EDT
What command-line options did you pass to ipa-client-install? Can you attach /var/log/ipaclient-install.log?
Comment 22 Namita Soman 2011-05-12 11:42:07 EDT
Installed client as -

 ipa-client-install --domain=testrelm --realm=TESTRELM -p admin -w Secret123

attaching install log
Comment 23 Namita Soman 2011-05-12 11:44:47 EDT
Created attachment 498570 [details]
ipaclient-install.log
Comment 24 Rob Crittenden 2011-05-12 15:00:08 EDT
You are unable to verify this because the other bug is blowing up the client
installer. It isn't getting to the point where SSSD would be configured. This
is fixed by the patch in BZ 704235.
Comment 25 Namita Soman 2011-05-12 15:41:22 EDT
verified using ipa-client-2.0-14.el5

verified updates in /etc/sssd/sssd.conf, /etc/nsswitch.conf, /etc/sysconfig/authconfig, /etc/pam.d/system-auth

kinit as admin from client, then was able to use ssh to server machine without being prompted for pwd... single sign-on looked good.
Comment 26 errata-xmlrpc 2011-07-21 03:05:15 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0990.html