[Freeipa-users] AD Cross Realm Trust + AIX
crony
leszek.mis at gmail.com
Thu Feb 12 18:06:59 UTC 2015
Hi All,
can I ask you for some advice?
My setup is:
- updated RHEL7 as IPA server (UX.EXAMPLE.COM) in trust with Active
Directory 2008R2 domain (EXAMPLE.COM)
- AIX 7 as IPA client
I'm using compat tree for connecting AIX as client.
A lot of things work correctly:
# /usr/krb5/bin/kinit leszek
Password for ad_user@EXAMPLE.COM:
# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: ad_user@EXAMPLE.COM
Valid starting       Expires              Service principal
02/12/15 15:46:23    02/13/15 01:46:31    krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Renew until 02/13/15 01:46:23
# lsldap -a passwd ad_user@EXAMPLE.COM
dn: uid=ad_user@example.com,cn=users,cn=compat,dc=ux,dc=example,dc=com
objectClass: posixAccount
objectClass: extensibleObject
objectClass: top
gecos: ad_user
cn: ad_user
uidNumber: 1036620735
gidNumber: 1036620735
homeDirectory: /home/example.com/ad_user
ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXX-XXXXX-XXXXXX
uid: ad_user@example.com
# id ad_user@EXAMPLE.COM
uid=1036620735(ad_user@example.com) gid=1036620735(ad_user@example.com)
groups=1036620733(another_group@example.com)
Here I found the first problem:
# su - ad_user@EXAMPLE.COM
3004-614 Unable to change directory to "".
You are in "/home/guest" instead.
$ id
uid=1036620735(ad_user@example.com) gid=1036620735(ad_user@example.com)
groups=1036620733(another_group@example.com)
The "3004-614 Unable to change directory to ""." message appears after I added
the following to /etc/methods.cfg:
KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
Without these lines there is no error about changing to the home directory; su
from root works smoothly and puts the user in the home directory. But then
I can't ssh to the system, because I have no correct registry.
-----
I made another test: logging in as a plain IPA user, e.g. admin. There is
no such problem:
# id admin
uid=30000(admin) gid=30000(admins)
# su - admin
-bash-3.2$ pwd
/export/home/admin
-bash-3.2$ id
uid=30000(admin) gid=30000(admins)
# ssh admin@localhost
admin@localhost's password:
*******************************************************************************
*                                                                             *
*  Welcome to AIX Version 7.1!                                                *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to   *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*******************************************************************************
-bash-3.2$ id
uid=30000(admin) gid=30000(admins)
Any idea what is wrong?
I have already changed the AIX max_logname from 8 to 40 characters. Maybe
the "@" character in the login name is a problem?
Thank you in advance.
--
/lm