
[Xen-users] PAM authentication with FreeIPA


  • To: "xen-users@xxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxx>
  • From: Darren Poulson <darren.poulson@xxxxxxxxxxx>
  • Date: Fri, 12 Dec 2014 11:49:50 +0000
  • Accept-language: en-GB, en-US
  • Delivery-date: Fri, 12 Dec 2014 11:51:33 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>
  • Thread-index: AdAWAXOy7Z2gDKKRTeayev1/lWEovg==
  • Thread-topic: PAM authentication with FreeIPA

Hi,

I'm having some issues authenticating against FreeIPA/SSSD using the PAM 
module. It seems to be set up correctly, but it shows my user as disabled, even 
though I can connect to the server OK.

[root@xen2-01 log]# xe subject-list
uuid ( RO)                  : 315e4f29-bf99-ba41-67c4-07fca0e0f4a3
    subject-identifier ( RO): g50108
          other-config (MRO): subject-name: ops_admins; subject-uid: g50108; subject-gid: g50108; subject-is-group: true
                 roles (SRO): pool-admin

The user I'm using is in the ops_admins group:

[root@xen2-01 log]# groups dpoulson
dpoulson : ops_users admins helpdesk ops_admins sbmonitor_users


The xensource.log shows this:

Dec 12 06:19:47 xen2-01 xapi: [debug|xen2-01.bur.us.genops|7372 INET 0.0.0.0:80||cli] xe vm-list username=dpoulson password=(omitted)
Dec 12 06:19:47 xen2-01 xapi: [debug|xen2-01.bur.us.genops|7372 INET 0.0.0.0:80|session.login_with_password D:4f21e7fcdb94|xapi] External authentication PAM is enabled
Dec 12 06:19:47 xen2-01 xapi: [debug|xen2-01.bur.us.genops|7372 INET 0.0.0.0:80|session.login_with_password D:4f21e7fcdb94|xapi] Failed to locally authenticate user dpoulson from HTTP request from Internet with User-Agent: xen-api-libs/1.0: Local superuser must be root
Dec 12 06:19:47 xen2-01 xapi: [debug|xen2-01.bur.us.genops|7372 INET 0.0.0.0:80|session.login_with_password D:4f21e7fcdb94|extauth] using external auth plugin PAM
Dec 12 06:19:48 xen2-01 xapi: [debug|xen2-01.bur.us.genops|7372 INET 0.0.0.0:80|session.login_with_password D:4f21e7fcdb94|extauth_plugin_PAM_NSS] Executing cmd [/usr/bin/getent "passwd" ]
Dec 12 06:19:48 xen2-01 xapi: [debug|xen2-01.bur.us.genops|7372 INET 0.0.0.0:80|session.login_with_password D:4f21e7fcdb94|xapi] Successful external authentication user dpoulson (subject_identifier, u50004 from HTTP request from Internet with User-Agent: xen-api-libs/1.0)
Dec 12 06:19:48 xen2-01 xapi: [debug|xen2-01.bur.us.genops|7372 INET 0.0.0.0:80|session.login_with_password D:4f21e7fcdb94|extauth] using external auth plugin PAM
Dec 12 06:19:48 xen2-01 xapi: [debug|xen2-01.bur.us.genops|7372 INET 0.0.0.0:80|session.login_with_password D:4f21e7fcdb94|extauth_plugin_PAM_NSS] Executing cmd [/usr/bin/getent "passwd" ]
Dec 12 06:19:48 xen2-01 xapi: [debug|xen2-01.bur.us.genops|7372 INET 0.0.0.0:80|session.login_with_password D:4f21e7fcdb94|xapi] Subject Suspension Status: a.disabled=true a.expired=false a.locked=false p.expired=false
Dec 12 06:19:48 xen2-01 xapi: [debug|xen2-01.bur.us.genops|7372 INET 0.0.0.0:80|session.login_with_password D:4f21e7fcdb94|xapi] Subject identifier u50004 is suspended
Dec 12 06:19:48 xen2-01 xapi: [debug|xen2-01.bur.us.genops|7372 INET 0.0.0.0:80|session.login_with_password D:4f21e7fcdb94|xapi] User dpoulson (subject_id u50004, from HTTP request from Internet with User-Agent: xen-api-libs/1.0) suspended in external directory

So, it recognises the user from getent passwd, but then shows the user as 
disabled. Any ideas what I might need to set/do? 

[root@xen2-01 log]# cat /etc/redhat-release 
XenServer release 6.2.0-70446c (xenenterprise)

Patches are fully applied up to XS62ESP1014

Cheers,

Darren.
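
Added example, not part of the original post and not XenServer code: a small Python triage script that groups xapi log entries by task ID (the D:... field) and reports logins where external authentication succeeded but the subject was then logged as suspended, with the suspension flags that were true. Task D:4f21e7fcdb94 is taken from the log above (unwrapped); task D:000000000001 and user alice are constructed for contrast, and the function names are assumptions of this example.

```python
import re

# Sample input: task D:4f21e7fcdb94 comes from the post's log (unwrapped);
# task D:000000000001 (user "alice", u50005) is constructed for contrast.
P = ("Dec 12 06:19:48 xen2-01 xapi: [debug|xen2-01.bur.us.genops|7372 INET "
     "0.0.0.0:80|session.login_with_password ")
SAMPLE_LOG = "\n".join([
    "Dec 12 06:19:47 xen2-01 xapi: [debug|xen2-01.bur.us.genops|7372 INET 0.0.0.0:80||cli] xe vm-list username=dpoulson password=(omitted)",
    P + "D:4f21e7fcdb94|extauth] using external auth plugin PAM",
    P + "D:4f21e7fcdb94|xapi] Successful external authentication user dpoulson (subject_identifier, u50004 from HTTP request from Internet with User-Agent: xen-api-libs/1.0)",
    P + "D:4f21e7fcdb94|xapi] Subject Suspension Status: a.disabled=true a.expired=false a.locked=false p.expired=false",
    P + "D:4f21e7fcdb94|xapi] Subject identifier u50004 is suspended",
    P + "D:000000000001|xapi] Successful external authentication user alice (subject_identifier, u50005 from HTTP request from Internet with User-Agent: xen-api-libs/1.0)",
    P + "D:000000000001|xapi] Subject Suspension Status: a.disabled=false a.expired=false a.locked=false p.expired=false",
])

# [level|host|thread info|task|module] message
ENTRY = re.compile(r"xapi: \[\w+\|[^|]*\|[^|]*\|(?P<task>[^|]*)\|[^\]]*\] (?P<msg>.*)$")
AUTH_OK = re.compile(r"Successful external authentication user (\S+) \(subject_identifier, (\w+)")
STATUS = re.compile(r"Subject Suspension Status: (.*)")
FLAG = re.compile(r"([\w.]+)=(true|false)")

def triage_logins(text):
    """One record per task that authenticated externally, with its suspension flags."""
    tasks = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        task_id = m["task"].rpartition(" ")[2]  # "D:..."; empty when no task is attached
        if not task_id:
            continue
        rec = tasks.setdefault(task_id, {"task": task_id, "user": None,
                                         "subject": None, "flags": {}, "suspended": False})
        msg = m["msg"]
        if (a := AUTH_OK.search(msg)):
            rec["user"], rec["subject"] = a.groups()
        elif (s := STATUS.search(msg)):
            rec["flags"] = {k: v == "true" for k, v in FLAG.findall(s.group(1))}
        elif "is suspended" in msg or "suspended in external directory" in msg:
            rec["suspended"] = True
    return [r for r in tasks.values() if r["user"]]

def auth_ok_but_suspended(text):
    """(user, subject id, flags that were true) for logins rejected after successful auth."""
    return [(r["user"], r["subject"], sorted(k for k, v in r["flags"].items() if v))
            for r in triage_logins(text) if r["suspended"]]

if __name__ == "__main__":
    for user, subject, flags in auth_ok_but_suspended(SAMPLE_LOG):
        print(f"{user} ({subject}): authenticated, then suspended; flags set: {flags}")
```
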