I was following this guide to setup an LDAP server on CentOS 6.6: http://www.learnitguide.net/2016/01/configure-openldap-server-on-rhel7.html. I know the guide is for RHEL, but I think the vast majority of steps should be the same. I went through the tutorial and everything seems to work right except for sshing into the server as an LDAP user. As root I am able to su to any LDAP user. getent passwd username returns appropriate results. But every time I try to ssh in as a user I get permission denied and these messages show up in /var/log/secure:
Aug 8 22:13:14 servername sshd[5900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhostname user=username
Aug 8 22:13:14 servername sshd[5900]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhostname user=username
Aug 8 22:13:14 servername sshd[5900]: pam_sss(sshd:auth): received for user username: 6 (Permission denied)
Aug 8 22:13:17 servername sshd[5900]: Failed password for username from rhostIPaddress port 34758 ssh2
I was hoping maybe someone may know of a step that guide left out that would cause this behavior. Thanks.
Turns out the self signed certificate I was using needed to have the IP address as the common name as opposed to the FQDN, not sure why that is but it's working now.
Information that can help others.
In my case this message was a time difference problem between the FreeIPA server and the clients. The command systemctl status sssd -l presented the message (skew clock too great).
This message from the Kerberos authentication server appears if the difference hour in servers is too large (more than three or four minutes).
OS: Ubuntu Server
Related
We are looking to migrate some systems away from MSSQL. We have our first few environments built and currently using LDAP, which is OK but has a good number of flaws.
I followed this link to setup Kreberos\GSS for the most part: https://info.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication
Off the bat I got the below error when trying to connect:
psql: error: SSPI continuation error: The specified target is unknown or unreachable
I believe the SPN is setup properly:
setspn -S POSTGRES/server.domain.local domain\service_account
I suspect something is wrong in the keytab file, as there is an extra "" between the server FQDN and domain:
Keytab name: FILE:/opt/pgsql/server.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 postgres#server.domain.local\#DOMAIN.LOCAL
Server side error:
2020-12-28 18:37:43.820 EST [64534] user#DOMAIN.LOCAL#postgres FATAL: GSSAPI authentication failed for user "user#DOMAIN.LOCAL"
2020-12-28 18:37:43.820 EST [64534] user#DOMAIN.LOCAL#postgres DETAIL: Connection matched pg_hba.conf line 95: "host all all 0.0.0.0/0 gss"
I'd appreciate any feedback and thank you!
I'm having a strange problem. I followed few guides from the net. My goal is to create a SMTP postfix that will use Cyrus SASL to authenticate users upon sending email with different imap server.
Making all more simple: have to transfer/replace current smtp server with new one as current is on public cloud and gets on black lists pretty often.
What I managed so far is:
Working Postfix
Authentication working when using :
testsaslauthd -u user#domain.com -p password
I'm getting Ok "Success" so I assume sasl itself work.
When I invoke saslfinger -s
I'm getting:
There is no smtpd.conf that defines what SASL should do for Postfix.
SMTP AUTH can't work!
but it seems that all is fine within the configuration files:
/etc/postfix/sasls/smtp.conf:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
/etc/postfix/main.cf:
smtpd_recipient_restrictions = reject_invalid_hostname,
permit permit_mynetworks,
permit_sasl_authenticated
disable_vrfy_command = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
/etc/default/saslauthd-postfix:
START=yes
MECHANISMS="rimap"
MECH_OPTIONS="domain.com -r"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
I'm running postfix chroot'ed so had to create a symlink but like I said. It all seems to work independently, just need to be linked somehow.
When I try to setup account in outlook, I got wrong name or password.
The log on Debian says:
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL NTLM authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: SASL authentication failure: unable to canonify user and get auxprops
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL DIGEST-MD5 authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL LOGIN authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: lost connection after AUTH from unknown[192.168.108.1]
May 11 23:35:43 smtp-test postfix/smtpd[741]: disconnect from unknown[192.168.108.1]
Strange thing is it tries NTLM(not mentioned anywhere) instead of RIMAP. And cannot make canonical name of user even after adding -r switch that should combine name and realm/domain name.
I guess that is related to first warning from saslfinger but cannot find the cause.
All updated to newest available versions.
Any help?
I have a CentOS7 server that will be deployed to a customer site. I want to get alerts via emails when something goes wrong on the server.
I have an office365 account so I am thinking whether I can use it as a SMTP relay server. (Forgive me here if my words don't make sense since I have very limited knowledge about SMTP and email related technology).
My first question is, do I need to do anything special with the office365 account? I am using smtp.office365.com:587 as the SMTP relay host.
Here is my postfix main.cf config:
relayhost = [smtp.office365.com]:587
smtp_always_send_ehlo = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_generic_maps = hash:/etc/postfix/generic
smtp_tls_security_level = may
smtp_sasl_security_options = noanonymous
Here is my "generic" and "sasl_passwd" file look like. I also used the "postmap" to generate the .db file
/.*/ <o365 email>
root#server.difan.local <o365 email>
root#localdomain <o365 email>
#localdomain <o365 email>
[smtp.office365.com]:587 <o365 email>:<o365 password>
This is the command I used to test it
echo "This is the body of the email" | mail -s "This is the subject line" difan.zhao#outlook.com
Here is what I see in /var/log/maillog
Mar 26 10:46:00 server postfix/pickup[1921]: 5DC594087202: uid=0 from=<root>
Mar 26 10:46:00 server postfix/cleanup[2495]: 5DC594087202: message-id=<20170326164600.5DC594087202#server.difan.local>
Mar 26 10:46:00 server postfix/qmgr[1922]: 5DC594087202: from=<root#server.difan.local>, size=486, nrcpt=1 (queue active)
Mar 26 10:46:00 server postfix/smtp[2497]: warning: SASL authentication failure: No worthy mechs found
Mar 26 10:46:00 server postfix/smtp[2497]: 5DC594087202: SASL authentication failed; cannot authenticate to server smtp.office365.com[40.97.128.34]: no mechanism available
... <last two messages repeated 4 times>
Mar 26 10:46:02 server postfix/smtp[2497]: 5DC594087202: to=<difan.zhao#outlook.com>, relay=smtp.office365.com[40.97.142.194]:587, delay=2.2, delays=0.02/0/2.2/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.office365.com[40.97.142.194]: no mechanism available)
Where did I do wrong here? Thanks!
Firstly change your generic files to:
/.*/ email#domain.com
Secondly verify your generic and sasl permissions:
set the owner and permissions.
sudo postmap hash:/etc/postfix/generic
sudo chown root:root /etc/postfix/generic /etc/postfix/generic.db
sudo chmod 644 /etc/postfix/generic /etc/postfix/generic.db
Same to sasl_passwd and db file.
On new versions of Ubuntu/Debian you need install this package: libsasl2-modules
apt install libsasl2-modules
And then reload postfix
systemctl reload postfix
I had to install these... Not sure what they are but they worked!
yum install cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain
I'm using "Net::SFTP" in perl cgi file to put files to a windows M/C from my dev box.
After adding below new directory manually (with 0777 permissions) everything works fine:
bash-4.1$ pwd
/.ssh
-bash-4.1$ cd ..
-bash-4.1$ ls -ltra | grep .ssh
drwxrwxrwx 2 root root 4096 Jan 23 23:57 .ssh
Problem (if I don't add above directory manually ) here is as per my understanding:
Apache is running cgi with user as "nobody" which do not have permissions to make directory after connection is established via sftp and I'm getting below error messages in logs:
xxx.xxx.net: Reading configuration data /.ssh/config
xxx.xxx.net: Reading configuration data /etc/ssh_config
xxx.xxx.net: Connecting to xxx.xxx.xxx.com, port 22.
xxx.xxx.net: Remote protocol version 2.0, remote software version 5.17 FlowSsh: Bitvise SSH Server (WinSSHD) 5.58: free only for personal non-commercial use^M
Math::BigInt: couldn't load specified math lib(s), fallback to Math::BigInt::Calc at /usr/lib/perl5/site_perl/5.8.8/Crypt/DH.pm line 6
xxx.xxx.net: Net::SSH::Perl Version 1.34, protocol version 2.0.
xxx.xxx.net: No compat match: 5.17 FlowSsh: Bitvise SSH Server (WinSSHD) 5.58: free only for personal non-commercial use^M.
xxx.xxx.net: Connection established.
xxx.xxx.net: Sent key-exchange init (KEXINIT), wait response.
xxx.xxx.net: Algorithms, c->s: 3des-cbc hmac-sha1 none
xxx.xxx.net: Algorithms, s->c: 3des-cbc hmac-sha1 none
xxx.xxx.net: Entering Diffie-Hellman Group 1 key exchange.
xxx.xxx.net: Sent DH public key, waiting for reply.
xxx.xxx.net: Received host key, type 'ssh-dss'.
xxx.xxx.net: Permanently added 'xxx.xxx.xxx.com' to the list of known hosts.
**mkdir //.ssh: Permission denied at /usr/lib/perl5/site_perl/5.8.8/Net/SSH/Perl/Util/Hosts.pm line 92**
I tried to solve this problem with different methods given over internet but nothing is working for me.
Can anybody suggest possible solution?
Any help will be greatly appreciated.
I recently ran into the same problem myself and you are correct that it is a permissions issue. When your nobody process tries to connect to the remote server, it wants to write the remote host key to a file. This is the step that is failing in your error message (Hosts.pm line 92).
My solution was to create a nobody-writable location for the NET::SFTP to write the known_hosts file and to specify that location before you construct your NET::SFTP connection.
$ENV{HOME} = '/nobody/writable/location/';
You can find more information on this problem at http://www.perlmonks.org/?node_id=599078
I am on a Windows Vista 64-bit Enterprise machine with Subsystem for Unix Applications installed and the applications downloaded. I am attempting to use RSH to connect to a FreeBSD server. The command I would like to execute is:
rsh host.suffix1.company.com command
The .rhosts file in my home directory on host.suffix1.company.com looks like this:
+ myusername
+ mydomain\myusername
+ mydomain/myusername
+ myusername#mydomain
+ +
mycomputer.suffix2 myusername
mycomputer.suffix2 +
mycomputer.suffix2.company.com myusername
mycomputer.suffix2.company.com +
I know + + is bad, but let's ignore that for now. When I run this:
rsh host.suffix1.company.com command
I get the following error:
rshd: Login incorrect.
However, when I run
rsh -l myusername host.suffix1.company.com command
this works flawlessly. What I'd like to know is:
What is SUA sending as the username when I don't specify it via -l?
How can I change what SUA is sending?
I'm assuming that here SUA is sending some form of mydomain\myusername, but I'm wondering what other entries I might need to make to the rhosts file to allow this and why the + + isn't allowing this?
I would guess that examining syslog (or another appropriate log?) on the freebsd box could give you the login name from the failed login. On my linux machine I get the lines like the following from the frequent ssh attacks:
May 19 19:57:40 anton sshd[29795]: Failed password for invalid user mercedes from 124.217.246.181 port 49198 ssh2
May 19 19:57:40 anton sshd[29796]: Received disconnect from 124.217.246.181: 11: Bye Bye
May 19 19:57:45 anton unix_chkpwd[29802]: password check failed for user (games)
May 19 19:57:45 anton sshd[29799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns1.1oasis.net user=games
May 19 19:57:48 anton sshd[29799]: Failed password for games from 124.217.246.181 port 49956 ssh2
This is from sshd, but I would be surprised if not rshd is not able to log something similar (although it might be off by default and needs to be enabled).
For guesses on what the rsh client made by microsoft gets the name from I have few ideas. A traditional unix rsh would of course get the name from /etc/passwd, reading it indirectly with getpwent() (failing that it might fall back to environmental variables LOGNAME or USER?). Is "myusername" present in c:\windows\system\etc\passwd (or whatever SUA maps as /etc/passwd)?