Is there a way for the compat view to respond to both fully qualified and short 
uids?  IBM seems to require that for trust to work



Verzonden vanaf mijn Samsung-apparaat


-------- Oorspronkelijk bericht --------
Van: "Hummelink, Wouter" <wouter.hummel...@kpn.com>
Datum: 22-05-17 15:46 (GMT+01:00)
Aan: freeipa-users@lists.fedorahosted.org
Onderwerp: RE: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

Hi All,

We have our basic configuration working now however AD trusted users cannot log 
in. The system reports:
Can't retrieve attribute SYSTEM for NOUSER: No such file or directory

In LDAP Access logs we see AIX query user@<ad.domain<mailto:user@%3cad.domain>> 
and directly after <user> on slapd.
The same behavior happens with SU and that results in a session with empty HOME 
and SHELL variables (and an error report that you can’t change directory to ‘’)

LSUSER command do however return correct information about these users. (IPA 
groups included)

[22/May/2017:15:14:10.074845110 +0200] conn=1046 op=75 SRCH 
base="cn=users,cn=aixtest,cn=views,cn=compat,dc=ipa,dc=domain" scope=2 
filter="(&(objectClass=posixaccount)(uid=aduser@ad.domain))" attrs=ALL
[22/May/2017:15:14:10.076149098 +0200] conn=1046 op=75 RESULT err=0 tag=101 
nentries=1 etime=0
[22/May/2017:15:14:10.099789298 +0200] conn=1046 op=76 SRCH 
base="cn=users,cn=aixtest,cn=views,cn=compat,dc=ipa,dc=domain" scope=2 
filter="(&(objectClass=posixaccount)(uid=aduser))" attrs=ALL
[22/May/2017:15:14:10.110271957 +0200] conn=1046 op=76 RESULT err=0 tag=101 
nentries=0 etime=0



From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Bjarne Blichfeldt
Sent: woensdag 17 mei 2017 07:30
To: Luiz Fernando Vianna da Silva; freeipa-us...@redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

Thank you for pointing that out.
I should of course have been more specific: native aix sudo does not support 
ldap and therefore sudorules from ldap, but it is possible
to install a different sudo version with ldap enabled.
Unfortunately, in our case, using external rpm’s is not an option.

Regards
Bjarne Blichfeldt.

From: Luiz Fernando Vianna da Silva [mailto:luiz.via...@tivit.com.br]
Sent: 16. maj 2017 16:43
To: Bjarne Blichfeldt <b...@jndata.dk<mailto:b...@jndata.dk>>; 
freeipa-us...@redhat.com<mailto:freeipa-us...@redhat.com>
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

As far as I found out, it is not possible to integrate sudo rules from IPA into 
AIX. sudo on aix does not support that.
You will have to maintain /etc/sudoers by som other means.
Thats where you are mistaken. It is possible to integrate sudo rules into AIX, 
I've done it and have documented it here: 
https://www.freeipa.org/page/SUDO_Integration_for_AIX

Give it a try, its a fairly simple procedure.

P.S.

IBM has recently pimped the AIX toolbox RPMs and even implemented it as a YUM 
server. I haven't tried using these new RPMs yet to see if they work with sudo 
integration.

If you want to keep it safe, user perzl RPMs as I describe on the 
documentation. If you want, and I would appreciate it if you would, give the 
new RPMs from toolbox a go and if it works please update the documentaion, or 
send me your notes and I'll update it.
Atenciosamente/Best Regards
__________________________________________
Luiz Fernando Vianna da Silva
Em 15-05-2017 02:53, Bjarne Blichfeldt escreveu:
We have a working setup on three aix servers and by comparing our config with 
yours, I see the following differences:

LDAP:
/etc/security/ldap/ldap.cfg :
userattrmappath:/etc/security/ldap/FreeIPAuser.map
groupattrmappath:/etc/security/ldap/FreeIPAgroup.map
userclasses:posixaccount

/etc/security/ldap/FreeIPAuser.map:

#FreeIPAuser.map file

# 
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html





keyobjectclass  SEC_CHAR        posixaccount    s



# The following attributes are required by AIX to be functional

username        SEC_CHAR        uid             s

id              SEC_INT         uidnumber       s

pgrp            SEC_CHAR        gidnumber       s

home            SEC_CHAR        homedirectory   s

shell           SEC_CHAR        loginshell      s

gecos           SEC_CHAR        gecos           s

spassword       SEC_CHAR        userpassword    s

lastupdate      SEC_INT         shadowlastchange        s


/etc/security/ldap/FreeIPAgroup.map:
#FreeIPAgroup.map file
# 
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html

groupname       SEC_CHAR        cn              s
id              SEC_INT         gidNumber       s
users           SEC_LIST        member          m


To test if the ldap is working:
ls-secldapclntd
lsldap -a passwd
lsuser -R LDAP ALL

KERBEROS:

/etc/methods.cfg:
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = 
authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes



Add Kerberos to authorized authentication entities and verify:
chauthent -k5 -std
#Verify
lsauthent
Kerberos 5
Standard Aix

To test:
lsuser -R KRB5LDAP <someuser>

Configure aix to create homedir during login:
/etc/security/login.cfg:
mkhomeatlogin = true

usw:
        shells = 
/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/
usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd
        maxlogins = 32767
        logintimeout = 30
        maxroles = 8
        auth_type = STD_AUTH
        mkhomeatlogin = true


Also remember: user can be locked in AIX so use smitty to unlock user and reset 
login attempts.

As far as I found out, it is not possible to integrate sudo rules from IPA into 
AIX. sudo on aix does not support that.
You will have to maintain /etc/sudoers by som other means.

Hope that helps, good luck.





Regards
Bjarne Blichfeldt.

From: wouter.hummel...@kpn.com<mailto:wouter.hummel...@kpn.com> 
[mailto:wouter.hummel...@kpn.com]
Sent: 12. maj 2017 16:03
To: iulian.ro...@gmail.com<mailto:iulian.ro...@gmail.com>
Cc: freeipa-us...@redhat.com<mailto:freeipa-us...@redhat.com>
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

Yes, kinit works with IPA users. GSSAPI authentication is not keeping it 
simple, since we want passwords to work before trying TGS based logins over 
GSSAPI.
The keytab works sinds lsuser is still able to get user data. (Documentation 
specifies that enabling krb5 in ldap.cfg makes the bind user and password moot, 
secldapclntd uses krb5 to identify itself to IPA)

Also we are able to kinit 
host/aixlpar.example....@example.org<mailto:host/aixlpar.example....@example.org>
 -kt /etc/krb5/krb5.keytab

We van try using su from an unprivileged user, but su has some different issues 
altogether, it doesn’t like @ in usernames which we need at the next stage 
(integrating AD Trust)


From: Iulian Roman [mailto:iulian.ro...@gmail.com]
Sent: vrijdag 12 mei 2017 15:56
To: Hummelink, Wouter
Cc: luiz.via...@tivit.com.br<mailto:luiz.via...@tivit.com.br>; 
freeipa-us...@redhat.com<mailto:freeipa-us...@redhat.com>
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1



On Fri, May 12, 2017 at 3:31 PM, 
<wouter.hummel...@kpn.com<mailto:wouter.hummel...@kpn.com>> wrote:
The shell is shown correctly as ksh in lsuser, so that doesnt appear to be an 
issue for the ID view.

My advice would be to start simple ,prove that your authentication works and 
you can develop a more elaborated setup afterwards. If you combine them all 
together it will be a trial and error which eventually will work at some point.
Do you have the correct keytabs in /etc/krb5/krb5.keytab ? can you run kinit 
(with password and with the keytab) from aix and get a ticket from Kerberos ? 
can you su to an IPA account ? do you have GSSAPIAuthentication enabled in 
sshd_config  ?
From what you've described i would suspect that your keytab is not correct , 
but that should be confirmed only by answering the questions above.



Verzonden vanaf mijn Samsung-apparaat


-------- Oorspronkelijk bericht --------
Van: Luiz Fernando Vianna da Silva 
<luiz.via...@tivit.com.br<mailto:luiz.via...@tivit.com.br>>
Datum: 12-05-17 15:03 (GMT+01:00)
Aan: "Hummelink, Wouter" 
<wouter.hummel...@kpn.com<mailto:wouter.hummel...@kpn.com>>, 
freeipa-us...@redhat.com<mailto:freeipa-us...@redhat.com>
Onderwerp: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1


Hello Wouter.

It may seem silly, but try installing bash on one AIX server and test 
authenticating against that one.

Its a single rpm with no dependencies. For me it did the trick and I ended up 
doing that on all my AIX servers.

Let me know how it goes or if you have any issues.
Best Regards
__________________________________________
Luiz Fernando Vianna da Silva

Em 12-05-2017 09:47, wouter.hummel...@kpn.com<mailto:wouter.hummel...@kpn.com> 
escreveu:
Hi All,

We’re running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module.
All the moving parts seem to be working on their own, however logging in 
doesn’t work with SSH on AIX reporting Failed password for user <xxx>

We’re using ID views to overwrite the user shell and home dirs. (Since AIX will 
refuse a login with a nonexisting shell (like bash))
AIXs lsuser command is able to find all of the users it’s supposed to and su to 
IPA users works.
Also when a user tries to log in I can see a successful Kerberos conversation 
to our IPA server.

Tips for troubleshooting would be much appreciated, increasing SSH log level 
did not produce any meaningful logging.

=============== Configuration Excerpt 
================================================================
/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org<http://ipaserver.example.org>
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}<redacted>
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 
932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org<http://aixlpar.example.org>
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user default:
SYSTEM = KRB5LDAP or compat
/etc/methods.cfg

LDAP:

       program = /usr/lib/security/LDAP

       program_64 =/usr/lib/security/LDAP64

NIS:

       program = /usr/lib/security/NIS

       program_64 = /usr/lib/security/NIS_64

DCE:

       program = /usr/lib/security/DCE

KRB5:

       program = /usr/lib/security/KRB5

       program_64 = /usr/lib/security/KRB5_64

       options = 
authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no



KRB5LDAP:

       options = auth=KRB5,db=LDAP


Met vriendelijke groet,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447<tel:+31%206%2012882447>
E: wouter.hummel...@kpn.com<mailto:wouter.hummel...@kpn.com>



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to