<div dir="ltr"><div>Hi All,<br>can I ask you for some advice?<br><br>My setup is:<br>- updated RHEL7 as IPA server (<a href="http://UX.EXAMPLE.COM">UX.EXAMPLE.COM</a>)  in trust with Active Directory 2008R2 domain (<a href="http://EXAMPLE.COM">EXAMPLE.COM</a>)<br>- AIX 7 as IPA client<br><br>I'm using the compat tree to connect AIX as a client. <br><br>A lot of things work correctly:<br><br># /usr/krb5/bin/kinit leszek<br>Password for <a href="mailto:ad_user@EXAMPLE.COM">ad_user@EXAMPLE.COM</a>:<br><br> # /usr/krb5/bin/klist<br>Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0<br>Default principal:  <a href="mailto:ad_user@EXAMPLE.COM">ad_user@EXAMPLE.COM</a><br>Valid starting     Expires            Service principal<br>02/12/15 15:46:23  02/13/15 01:46:31  krbtgt/<a href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a><br>        Renew until 02/13/15 01:46:23<br><br># lsldap -a passwd <a href="mailto:ad_user@EXAMPLE.COM">ad_user@EXAMPLE.COM</a><br>dn: uid=<a href="mailto:ad_user@example.com">ad_user@example.com</a>,cn=users,cn=compat,dc=ux,dc=example,dc=com<br>objectClass: posixAccount<br>objectClass: extensibleObject<br>objectClass: top<br>gecos: ad_user<br>cn: ad_user<br>uidNumber: 1036620735<br>gidNumber: 1036620735<br>homeDirectory: /home/<a href="http://example.com/ad_user">example.com/ad_user</a><br>ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXX-XXXXX-XXXXXX<br>uid: <a href="mailto:ad_user@example.com">ad_user@example.com</a><br># id <a href="mailto:ad_user@EXAMPLE.COM">ad_user@EXAMPLE.COM</a><br>uid=1036620735(<a href="mailto:ad_user@example.com">ad_user@example.com</a>) gid=1036620735(<a href="mailto:ad_user@example.com">ad_user@example.com</a>) groups=1036620733(<a href="mailto:another_group@example.com">another_group@example.com</a>)<br><br>Here I found the first problem:<br><br># su - <a href="mailto:ad_user@EXAMPLE.COM">ad_user@EXAMPLE.COM</a><br>3004-614 Unable to change directory to "".<br>        You are in "/home/guest" instead.<br>$ 
id<br>uid=1036620735(<a href="mailto:ad_user@example.com">ad_user@example.com</a>) gid=1036620735(<a href="mailto:ad_user@example.com">ad_user@example.com</a>) groups=1036620733(<a href="mailto:another_group@example.com">another_group@example.com</a>)<br><br>The "3004-614 Unable to change directory to ""." error appears after I added the following to /etc/methods.cfg:<br><br>KRB5A:<br>program = /usr/lib/security/KRB5A<br>program_64 = /usr/lib/security/KRB5A_64<br>options = authonly<br>LDAP:<br>program = /usr/lib/security/LDAP<br>program_64 =/usr/lib/security/LDAP64<br><br>Without these lines there is no error about changing to the home directory; su from root works smoothly and puts the user in the home directory. But now I can't ssh to the system, because I have no correct registry.<br>-----<br>I made another test: whether I can log in as a plain IPA user, e.g. admin. There is no such problem:<br><br># id admin<br>uid=30000(admin) gid=30000(admins)<br><br> # su - admin<br><br>-bash-3.2$ pwd<br>/export/home/admin<br><br>-bash-3.2$ id<br>uid=30000(admin) gid=30000(admins)<br># ssh admin@localhost<br>admin@localhost's password:<br>*******************************************************************************<br>*                                                                             *<br>*                                                                             *<br>*  Welcome to AIX Version 7.1!                                                *<br>*                                                                             *<br>*                                                                             *<br>*  Please see the README file in /usr/lpp/bos for information pertinent to    *<br>*  this release of the AIX Operating System.                                  
*<br>*                                                                             *<br>*                                                                             *<br>*******************************************************************************<br>-bash-3.2$ id<br><br>uid=30000(admin) gid=30000(admins)<br><br>Any idea what is wrong? <br><br>I have already changed the AIX max_logname from 8 to 40 characters. Maybe the "@" character in the login name is a problem? <br clear="all"><br></div>Thank you in advance.<br><div>-- <br><div class="gmail_signature">/lm<br><br></div>
</div></div>