[Freeipa-users] IPA Compat + ID Views + AIX 7.1
wouter.hummelink at kpn.com
Fri May 12 12:32:24 UTC 2017
Hi All,
We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module.
All the moving parts seem to be working on their own; however, logging in doesn't work, with SSH on AIX reporting "Failed password for user <xxx>".
We're using ID views to override the user shell and home directories (since AIX refuses a login with a non-existent shell, such as bash).
AIX's lsuser command is able to find all of the users it's supposed to, and su to IPA users works.
Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server.
Tips for troubleshooting would be much appreciated, increasing SSH log level did not produce any meaningful logging.
=============== Configuration Excerpt ===============
/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}<redacted>
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
/etc/security/user default:
SYSTEM = KRB5LDAP or compat
/etc/methods.cfg
LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64
NIS:
program = /usr/lib/security/NIS
program_64 = /usr/lib/security/NIS_64
DCE:
program = /usr/lib/security/DCE
KRB5:
program = /usr/lib/security/KRB5
program_64 = /usr/lib/security/KRB5_64
options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
KRB5LDAP:
options = auth=KRB5,db=LDAP
Kind regards,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447
E: wouter.hummelink at kpn.com
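One check worth running before chasing SSH or Kerberos further: confirm that the loginShell and homeDirectory that the compat ID-view subtree (userbasedn above) actually returns for a user exist on the AIX host, since a missing shell is exactly the condition the post says AIX rejects at login. The script below is an added example, not part of the original post or of the IPA or AIX tooling; it parses LDIF on stdin (as produced by an ldapsearch against the userbasedn, which is assumed and not shown running here) and reports every entry whose shell is not executable or whose home directory is absent. The sample LDIF, the user names and the paths in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): validate that the shell and home
# directory an ID view hands to AIX through the compat tree are usable locally.
#
# Typical real input (assumed invocation, not shown running here):
#   ldapsearch -x -H ldap://ipaserver.example.org \
#     -b cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org '(uid=*)' \
#     uid loginShell homeDirectory | check_view_users

# Reduce LDIF entries on stdin to "uid shell home" lines, one per entry.
# Missing attributes are printed as "-" so the fields never shift.
ldif_triples() {
    awk '
        function flush() {
            if (uid != "") {
                if (shell == "") shell = "-"
                if (home == "") home = "-"
                print uid, shell, home
            }
            uid = shell = home = ""
        }
        /^uid: /           { uid = $2 }
        /^loginShell: /    { shell = $2 }
        /^homeDirectory: / { home = $2 }
        /^$/               { flush() }
        END                { flush() }
    '
}

# Read LDIF on stdin. Return 0 when every entry has an executable shell and an
# existing home directory; otherwise print one line per problem and return 1.
check_view_users() {
    problems=$(ldif_triples | while read -r uid shell home; do
        [ -x "$shell" ] || echo "$uid: loginShell '$shell' missing or not executable (login would be refused)"
        [ -d "$home" ]  || echo "$uid: homeDirectory '$home' does not exist"
    done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Constructed sample: alice's override points at a shell and home that exist on
# any POSIX host; bob's points at a bash that was never installed on this box.
SAMPLE_LDIF='dn: uid=alice,cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
uid: alice
loginShell: /bin/sh
homeDirectory: /tmp

dn: uid=bob,cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
uid: bob
loginShell: /opt/no-such/bin/bash
homeDirectory: /nonexistent/home/bob
'

# Demo run: reports bob's two problems and returns 1.
printf '%s\n' "$SAMPLE_LDIF" | check_view_users \
    || echo "ID view check failed: fix the override or install the shell on the AIX host"
```

The check only covers what the post itself names as a login blocker (shell existence); it deliberately does not touch Kerberos, so a clean result here means the next place to look is the KRB5LDAP side rather than the view overrides.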