[Freeipa-users] AD Cross Realm Trust + AIX

David Fischer DFischer at PetSmart.com
Mon Oct 5 19:24:06 UTC 2015


Crony,

I also am trying to setup both AIX 6.1 and AIX 7 clients.

Is there any way I could get you to post your working configurations?

Thanks,
David
-----Original Message-----
From: crony <leszek.mis at gmail.com>
To: freeipa-users at redhat.com
Subject: [Freeipa-users] AD Cross Realm Trust + AIX
Date: Thu, 12 Feb 2015 19:06:59 +0100

Hi All,
can I ask you for some advice?

My setup is:
- updated RHEL7 as IPA server (UX.EXAMPLE.COM) in trust with Active Directory 2008R2 domain (EXAMPLE.COM)
- AIX 7 as IPA client

I'm using compat tree for connecting AIX as client.

A lot of things work correctly:

# /usr/krb5/bin/kinit leszek
Password for ad_user@EXAMPLE.COM:

# /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  ad_user@EXAMPLE.COM
Valid starting     Expires            Service principal
02/12/15 15:46:23  02/13/15 01:46:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Renew until 02/13/15 01:46:23

# lsldap -a passwd ad_user@EXAMPLE.COM
dn: uid=ad_user@example.com,cn=users,cn=compat,dc=ux,dc=example,dc=com
objectClass: posixAccount
objectClass: extensibleObject
objectClass: top
gecos: ad_user
cn: ad_user
uidNumber: 1036620735
gidNumber: 1036620735
homeDirectory: /home/example.com/ad_user
ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXX-XXXXX-XXXXXX
uid: ad_user@example.com

# id ad_user@EXAMPLE.COM
uid=1036620735(ad_user@example.com) gid=1036620735(ad_user@example.com) groups=1036620733(another_group@example.com)

Here I found the first problem:

# su - ad_user@EXAMPLE.COM
3004-614 Unable to change directory to "".
        You are in "/home/guest" instead.
$ id
uid=1036620735(ad_user@example.com) gid=1036620735(ad_user@example.com) groups=1036620733(another_group@example.com)

The "3004-614 Unable to change directory to ""." appears after I added to /etc/methods.cfg:

KRB5A:
program = /usr/lib/security/KRB5A
program_64 = /usr/lib/security/KRB5A_64
options = authonly
LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64

Without these lines there is no error about changing to the home directory: su from root works smoothly and puts the user in the home directory. But now I can't ssh to the system, because I have no correct registry.
-----
I made another test: logging in as a plain IPA user, e.g. admin. There is no such problem:

# id admin
uid=30000(admin) gid=30000(admins)

# su - admin

-bash-3.2$ pwd
/export/home/admin

-bash-3.2$ id
uid=30000(admin) gid=30000(admins)
# ssh admin at localhost
admin at localhost's password:
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 7.1!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
-bash-3.2$ id
uid=30000(admin) gid=30000(admins)

Any idea what is wrong?

I have already changed the AIX max_logname from 8 to 40 characters. Maybe the "@" character in login name is a problem?


Thank you in advance. -- /lm
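For the "no correct registry" point in the quoted mail, this is the compound load-module layout IBM documents for AIX (Kerberos authentication through KRB5A, account attributes through the LDAP module), added here as an example rather than taken from either poster's configuration. The module name KRB5ALDAP, the default stanza in /etc/security/user and the lsuser check are assumptions; the thread does not establish that this alone clears the empty home directory error.

```text
* /etc/methods.cfg  (assumed layout: the two stanzas from the mail plus a
* compound module that chains them; KRB5A does the Kerberos authentication,
* LDAP supplies the posixAccount attributes such as homeDirectory)
KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

KRB5ALDAP:
        options = auth=KRB5A,db=LDAP

* /etc/security/user  (assumed stanza; applies to users without a stanza of
* their own, so the AD users resolved from the compat tree are covered)
default:
        SYSTEM = "KRB5ALDAP OR compat"
        registry = KRB5ALDAP

* Check what AIX actually resolves for one trusted user before testing su/ssh
* (assumed command line; attribute names are the standard lsuser ones):
*   lsuser -a SYSTEM registry home ad_user@EXAMPLE.COM
```

If lsuser reports an empty home for the user, the LDAP module is not picking up homeDirectory from the compat entry, which matches the 3004-614 message rather than an authentication failure.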


