[Freeipa-users] IPA Compat + ID Views + AIX 7.1

Iulian Roman iulian.roman at gmail.com
Fri May 12 14:34:31 UTC 2017


On Fri, May 12, 2017 at 4:03 PM, <wouter.hummelink at kpn.com> wrote:

> Yes, kinit works with IPA users. GSSAPI authentication is not keeping it
> simple, since we want passwords to work before trying TGS based logins over
> GSSAPI.
>
> The keytab works since lsuser is still able to get user data.
> (Documentation specifies that enabling krb5 in ldap.cfg makes the bind user
> and password moot, secldapclntd uses krb5 to identify itself to IPA)
>
> Also we are able to kinit host/aixlpar.example.org at EXAMPLE.ORG -kt
> /etc/krb5/krb5.keytab
>
If your Kerberos client works (and it looks like it works as long as you
can properly kinit), the only option you have is to check
/var/log/krb5kdc.log on the IPA and /var/log/messages, or whatever you have
configured in syslog for auth, on the AIX client.

>
>
> We can try using su from an unprivileged user, but su has some different
> issues altogether, it doesn't like @ in usernames which we need at the next
> stage (integrating AD Trust)
>
> *From:* Iulian Roman [mailto:iulian.roman at gmail.com]
> *Sent:* Friday 12 May 2017 15:56
> *To:* Hummelink, Wouter
> *Cc:* luiz.vianna at tivit.com.br; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
>
> On Fri, May 12, 2017 at 3:31 PM, <wouter.hummelink at kpn.com> wrote:
>
> The shell is shown correctly as ksh in lsuser, so that doesn't appear to be
> an issue for the ID view.
>
>
> My advice would be to start simple, prove that your authentication works
> and develop a more elaborate setup afterwards. If you combine them
> all together it will be trial and error, which will eventually work at
> some point.
>
> Do you have the correct keytabs in /etc/krb5/krb5.keytab? Can you run
> kinit (with password and with the keytab) from AIX and get a ticket from
> Kerberos? Can you su to an IPA account? Do you have GSSAPIAuthentication
> enabled in sshd_config?
>
> From what you've described I would suspect that your keytab is not correct,
> but that should be confirmed only by answering the questions above.
>
> Sent from my Samsung device
>
> -------- Original message --------
> From: Luiz Fernando Vianna da Silva <luiz.vianna at tivit.com.br>
> Date: 12-05-17 15:03 (GMT+01:00)
> To: "Hummelink, Wouter" <wouter.hummelink at kpn.com>,
> freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
>
> Hello Wouter.
>
> It may seem silly, but try installing bash on one AIX server and test
> authenticating against that one.
>
> It's a single rpm with no dependencies. For me it did the trick and I ended
> up doing that on all my AIX servers.
>
> Let me know how it goes or if you have any issues.
>
> Best Regards
>
> *__________________________________________*
>
> *Luiz Fernando Vianna da Silva*
>
>
>
> On 12-05-2017 09:47, wouter.hummelink at kpn.com wrote:
>
> Hi All,
>
>
>
> We’re running a POC to integrate IPA and AIX using AIX KRB5LDAP compound
> module.
>
> All the moving parts seem to be working on their own, however logging in
> doesn’t work with SSH on AIX reporting Failed password for user <xxx>
>
>
>
> We’re using ID views to overwrite the user shell and home dirs. (Since AIX
> will refuse a login with a nonexisting shell (like bash))
>
> AIX's lsuser command is able to find all of the users it's supposed to and
> su to IPA users works.
>
> Also when a user tries to log in I can see a successful Kerberos
> conversation to our IPA server.
>
>
>
> Tips for troubleshooting would be much appreciated, increasing SSH log
> level did not produce any meaningful logging.
>
>
>
> =============== Configuration Excerpt ===============
>
> /etc/security/ldap/ldap.cfg:
>
> ldapservers:ipaserver.example.org
>
> binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
>
> bindpwd:{DESv2}<redacted>
>
> authtype:ldap_auth
>
> useSSL:TLS
>
> ldapsslkeyf:/etc/security/ldap/example.kdb
>
> ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8
> 932F219867AA7C2C552A12BEEC0CC67
>
> useKRB5:yes
>
> krbprincipal:host/aixlpar.example.org
>
> krbkeypath:/etc/krb5/krb5.keytab
>
> userattrmappath:/etc/security/ldap/2307user.map
>
> groupattrmappath:/etc/security/ldap/2307group.map
>
> userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>
> groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>
> netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
>
> automountbasedn:cn=default,cn=automount,dc=example,dc=org
>
> etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
>
> userclasses:posixaccount,account,shadowaccount
>
> groupclasses:posixgroup
>
> ldapport:389
>
> searchmode:ALL
>
> defaultentrylocation:LDAP
>
>
>
> /etc/security/user default:
>
> SYSTEM = KRB5LDAP or compat
>
> */etc/methods.cfg*
>
> LDAP:
>
>        program = /usr/lib/security/LDAP
>
>        program_64 =/usr/lib/security/LDAP64
>
> NIS:
>
>        program = /usr/lib/security/NIS
>
>        program_64 = /usr/lib/security/NIS_64
>
> DCE:
>
>        program = /usr/lib/security/DCE
>
> KRB5:
>
>        program = /usr/lib/security/KRB5
>
>        program_64 = /usr/lib/security/KRB5_64
>
>        options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
>
>
>
> KRB5LDAP:
>
>        options = auth=KRB5,db=LDAP
>
>
> Kind regards,
>
> Wouter Hummelink
>
> Technical Consultant - Enterprise Webhosting / Tooling & Automation
>
> T: +31-6-12882447 <+31%206%2012882447>
>
> E: wouter.hummelink at kpn.com
>
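The advice above is to read /var/log/krb5kdc.log on the IPA server. With tgt_verify=yes in the KRB5 stanza of methods.cfg, the AIX module validates the user's TGT by requesting a service ticket for its own host principal and decrypting it with /etc/krb5/krb5.keytab, so a login attempt leaves an AS_REQ followed by a TGS_REQ for host/aixlpar... in that log. The Python below is an added example, not code from the thread; it runs over constructed MIT-format krb5kdc lines (user names, IPs and the second host name are made up) and separates a password or preauth failure from a host principal the KDC cannot find. A keytab whose key does not match is detected locally on AIX and leaves no KDC trace, so that case still points at the AIX syslog.

```python
import re
from collections import defaultdict

# Constructed /var/log/krb5kdc.log lines in MIT krb5kdc format (not from the thread).
SAMPLE_LOG = """\
May 12 15:50:01 ipaserver.example.org krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: NEEDED_PREAUTH: alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
May 12 15:50:01 ipaserver.example.org krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: ISSUE: authtime 1494597001, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
May 12 15:50:01 ipaserver.example.org krb5kdc[2231](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: ISSUE: authtime 1494597001, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.ORG for host/aixlpar.example.org@EXAMPLE.ORG
May 12 15:51:10 ipaserver.example.org krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: ISSUE: authtime 1494597070, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
May 12 15:51:10 ipaserver.example.org krb5kdc[2231](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: SERVER_NOT_FOUND: authtime 0,  bob@EXAMPLE.ORG for host/aixlpar.example.com@EXAMPLE.ORG, Server not found in Kerberos database
May 12 15:52:00 ipaserver.example.org krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: PREAUTH_FAILED: carol@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
"""

# One KDC event: request type, client IP, result code, client principal, server principal.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): .*?(?P<client>\S+@\S+) for (?P<server>[^,\s]+)"
)

def parse_kdc_log(text):
    """Yield one dict per AS_REQ/TGS_REQ line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def triage(text, host_principal):
    """Per user principal, classify the login attempt from the KDC's point of view.
    Keeps the last AS_REQ result (NEEDED_PREAUTH normally precedes ISSUE) and the
    TGS_REQ for a host/ principal, which is the ticket tgt_verify=yes asks for."""
    seen = defaultdict(lambda: {"as": None, "tgs": None, "tgs_server": None})
    for ev in parse_kdc_log(text):
        rec = seen[ev["client"]]
        if ev["kind"] == "AS_REQ":
            rec["as"] = ev["status"]
        elif ev["server"].startswith("host/"):
            rec["tgs"], rec["tgs_server"] = ev["status"], ev["server"]
    verdicts = {}
    for user, rec in seen.items():
        if rec["as"] != "ISSUE":
            verdicts[user] = f"AS_REQ {rec['as']}: password or preauth problem, not the keytab"
        elif rec["tgs"] is None:
            verdicts[user] = "TGT issued but no host ticket requested: check tgt_verify and client krb5 config"
        elif rec["tgs"] != "ISSUE" or rec["tgs_server"] != host_principal:
            verdicts[user] = f"host ticket {rec['tgs']} for {rec['tgs_server']}: host principal does not match the keytab"
        else:
            verdicts[user] = "KDC side OK: a wrong key in the keytab fails locally on AIX, check its syslog auth facility"
    return verdicts
```

Run `triage(open("/var/log/krb5kdc.log").read(), "host/aixlpar.example.org@EXAMPLE.ORG")` on the IPA server to get one verdict per user seen in the log.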

