[Freeipa-users] AD Cross Realm Trust + AIX

crony leszek.mis at gmail.com
Thu Feb 12 18:06:59 UTC 2015


Hi All,
can I ask you for some advice?

My setup is:
- updated RHEL7 as IPA server (UX.EXAMPLE.COM) in trust with Active Directory 2008R2 domain (EXAMPLE.COM)
- AIX 7 as IPA client

I'm using the compat tree for connecting AIX as a client.

A lot of things work correctly:

# /usr/krb5/bin/kinit leszek
Password for ad_user@EXAMPLE.COM:

# /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  ad_user@EXAMPLE.COM
Valid starting     Expires            Service principal
02/12/15 15:46:23  02/13/15 01:46:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Renew until 02/13/15 01:46:23

# lsldap -a passwd ad_user@EXAMPLE.COM
dn: uid=ad_user@example.com,cn=users,cn=compat,dc=ux,dc=example,dc=com
objectClass: posixAccount
objectClass: extensibleObject
objectClass: top
gecos: ad_user
cn: ad_user
uidNumber: 1036620735
gidNumber: 1036620735
homeDirectory: /home/example.com/ad_user
ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXX-XXXXX-XXXXXX
uid: ad_user@example.com

# id ad_user@EXAMPLE.COM
uid=1036620735(ad_user@example.com) gid=1036620735(ad_user@example.com)
groups=1036620733(another_group@example.com)

Here I found the first problem:

# su - ad_user@EXAMPLE.COM
3004-614 Unable to change directory to "".
        You are in "/home/guest" instead.
$ id
uid=1036620735(ad_user@example.com) gid=1036620735(ad_user@example.com)
groups=1036620733(another_group@example.com)

The "3004-614 Unable to change directory to ""." error appears after I added the
following to /etc/methods.cfg:

KRB5A:
program = /usr/lib/security/KRB5A
program_64 = /usr/lib/security/KRB5A_64
options = authonly
LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64

Without these lines there is no error about changing to the home directory: su
from root works smoothly and puts the user into the home directory. But then
I can't ssh to the system, because I have no correct registry.
-----
I made another test: logging in as just an IPA user, e.g. admin. There is
no such problem:

# id admin
uid=30000(admin) gid=30000(admins)

# su - admin

-bash-3.2$ pwd
/export/home/admin

-bash-3.2$ id
uid=30000(admin) gid=30000(admins)
# ssh admin@localhost
admin@localhost's password:
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 7.1!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
-bash-3.2$ id

uid=30000(admin) gid=30000(admins)

Any idea what is wrong?

I have already changed the AIX max_logname from 8 to 40 characters. Maybe
the "@" character in the login name is a problem?

Thank you in advance.
-- 
/lm
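As an added illustration (not part of the original post, and not something the poster tried), this is the shape of an AIX methods.cfg that keeps KRB5A as an authentication-only module and LDAP as the user database, and then ties the two together in one combined module so that login, su and ssh all use the same registry. The combined stanza name KRB5ALDAP and the SYSTEM/registry values in /etc/security/user follow IBM's documented Kerberos-with-LDAP pattern; treat every name and path here as an assumption to check against your own AIX 7 release and its documentation.

```text
# /etc/methods.cfg  (assumed example layout; the KRB5A and LDAP stanzas
# match what the post shows, the KRB5ALDAP stanza is the addition)

KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

# Combined module: Kerberos (KRB5A) answers "is this password right?",
# LDAP answers "who is this user, what is uid/gid/home?".
KRB5ALDAP:
        options = auth=KRB5A,db=LDAP

# /etc/security/user  (assumed example; only the relevant attributes shown)
#
# default:
#         SYSTEM = "KRB5ALDAP OR compat"
#         registry = KRB5ALDAP
#
# With registry left at its default, AIX resolves the account through LDAP
# (so `id` works) but has no registry it can authenticate the session
# against, which is consistent with the "no correct registry" ssh failure
# described in the post.  Per-user stanzas may override SYSTEM/registry.
```

Defender-side check: after changing these files, confirm the user resolves and authenticates through the intended registry before touching ssh, e.g. with `lsuser -a registry SYSTEM ad_user@EXAMPLE.COM` (attribute names as documented by IBM; verify the exact command on your release), and keep the `authonly` option on KRB5A so that the Kerberos module is never consulted for identity data it cannot supply.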