On Mon, 23 Oct 2017, Harald Dunkel wrote:
>On Mon, 23 Oct 2017 08:29:30 +0300
>Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
>>On Sun, 22 Oct 2017, Harald Dunkel wrote:
>>
>>>My problem is that authentication appears to be broken on
>>>all NIS clients (2 AIX 6.1 hosts). The problem came up on
>>>Friday, 2017-10-20 at about 10:00 or 11:00.
>>I'd suggest reviewing configuration on those boxes. As I said, there is
>>nothing in the NIS protocol that could help you protect the traffic with
>>certificates, so certificate changes wouldn't be affecting you.
>
>I did a review on the weekend. I wasn't thinking about certificates to
>authenticate the traffic between NIS client and server, but between
>the "regular" freeipa and freeipa's NIS support. Seems like NIS is
>much more deeply integrated in freeipa than I expected.
NIS server is a plugin to FreeIPA LDAP server, running in the same
instance and performing internal queries. It is not affected by any
external LDAP client changes because it is part of the LDAP server
itself.

>ypbind seems to work on AIX. ypcat -k passwd lists passwd entries
>without password hash. (AIX 6.1 does not support an /etc/shadow file,
>AFAICT, but the users are supposed to log in via ssh public key and
>.ssh/authorized_keys. This wasn't a problem in the past.)
>
>The problem I have now is that apparently authentication gets stuck
>completely. Even root cannot log in on the console. To log in I had
>to boot AIX in maintenance mode and disable NIS first. If I enable
>NIS again, then no login is possible.
So, NIS client can still get data from NIS server? Just AIX login fails?

If ypcat -k passwd doesn't block on accessing the server, then the issue
likely is not on the LDAP server side. Otherwise the NIS server plugin in
the LDAP server would be blocking itself and you'd see it as ypcat not
retrieving the data at all.


--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
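The triage logic in the reply above (map retrieval works, so the login failure is on the client side, not in the LDAP server's NIS plugin) written out as a client-side script. This is an added example, not code from the thread or from the FreeIPA project. It assumes the usual NIS client commands (ypwhich, ypcat, id) exist when run for real; the passwd-map parsing runs offline on the constructed sample lines in the comments and also flags entries that carry a real password hash, which a NIS passwd map exposed to every client should not.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: triage a NIS
# client along the lines of the reply above. If "ypcat -k passwd" returns
# promptly, the server-side NIS plugin is answering and the login failure
# is in the client's own authentication path; if it hangs, look at binding
# and the server. The map parsing also counts entries exposing a real hash.
# Commands assumed only for the live check: ypwhich, ypcat, id.

# classify_passwd_field FIELD: "placeholder" for the usual no-hash markers
# (AIX "!" means the hash lives in /etc/security/passwd), "hash" otherwise.
classify_passwd_field() {
    case "$1" in
        ''|'*'|'x'|'!'|'!!'|'NP'|'*NP*'|'LK'|'*LK*') echo placeholder ;;
        *) echo hash ;;
    esac
}

# count_exposed_hashes: reads passwd-map lines on stdin, as printed by
# "ypcat passwd" or "ypcat -k passwd" (key, space, entry), and prints the
# number of entries whose password field is not a placeholder.
# Constructed sample input, "key entry" form as printed by ypcat -k:
#   root root:!:0:0::/:/usr/bin/ksh                      -> placeholder
#   bob bob:$6$saltsalt$abcdefghijk:1001:100:Bob B:/home/bob:/usr/bin/ksh -> hash
count_exposed_hashes() {
    n=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        key=${line%% *}
        case "$key" in
            *:*) entry=$line ;;          # no "key " prefix on this line
            *)   entry=${line#* } ;;     # drop the key printed by -k
        esac
        pw=$(printf '%s\n' "$entry" | cut -d: -f2)
        [ "$(classify_passwd_field "$pw")" = hash ] && n=$((n + 1))
    done
    echo "$n"
}

# nis_client_check: run on the NIS client itself (not part of the offline
# test). Returns 0 when the passwd map is retrievable, 1 otherwise.
nis_client_check() {
    if ! command -v ypwhich >/dev/null 2>&1; then
        echo "ypwhich not found: this host is not set up as a NIS client"
        return 2
    fi
    if ! server=$(ypwhich 2>/dev/null); then
        echo "ypbind is not bound to any server: check ypbind/domainname first"
        return 1
    fi
    echo "bound to NIS server: $server"
    # If this call blocks, the problem is between client and server.
    if ! map=$(ypcat -k passwd 2>&1); then
        echo "ypcat passwd failed: $map"
        return 1
    fi
    entries=$(printf '%s\n' "$map" | grep -c .)
    exposed=$(printf '%s\n' "$map" | count_exposed_hashes)
    echo "passwd map retrieved: $entries entries, $exposed exposing a hash"
    # Map retrieval works, so a login failure is on the client side: confirm
    # the local resolver still maps root, then review the client's
    # authentication configuration rather than the server.
    if id root >/dev/null 2>&1; then
        echo "local lookup of root works; inspect the client login configuration"
    else
        echo "local lookup of root fails: name-service ordering on the client is suspect"
    fi
    return 0
}

# Run the live check only when explicitly asked: sh nis-triage.sh --run
case "${1:-}" in
    --run) nis_client_check ;;
esac
```

The key split on the first space is guarded by checking for a colon, so plain `ypcat passwd` output with spaces in the GECOS field is parsed correctly too.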