> On Mar 24, 2015, at 18:42, Alexander Bokovoy <aboko...@redhat.com> wrote:
> 
> On Tue, 24 Mar 2015, Bobby Prins wrote:
>>>> The inability to login is reported in about the same time as the number of 
>>>> seconds you would find in the etime= field of the RESULT line.
>>>> 
>>>> I checked the "Common AD provider issues" and "Troubleshooting 
>>>> authentication, password change and access control" sections on the SSSD 
>>>> Troubleshooting page. None of the issues reported there seem to be 
>>>> applicable in my situation.
>>>> 
>>>> PAM logging on AIX:
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_start(login bpr...@example.corp)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(1)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(2)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(5)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(3)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(4)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(8)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_authenticate()
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: load_modules: /usr/lib/security/pam_aix
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: load_function: successful load of pam_sm_authenticate
>>>> Mar 24 16:23:22 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(6)
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_authenticate: error Authentication failed
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(6)
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_acct_mgmt()
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: load_modules: /usr/lib/security/pam_aix
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: load_function: successful load of pam_sm_acct_mgmt
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_acct_mgmt: error No account present for user
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_end(): status = Authentication failed
>>>> Mar 24 16:23:37 tst01 auth|security:info syslog: vty0: failed login attempt for UNKNOWN_USER
>>>> 
>>>> Doing a ldapsearch with bpr...@example.corp as bind user works without any 
>>>> problems.
>>> According to the log above you get failure from pam_aix which should be
>>> expected if pam_aix doesn't think that the user in question is coming
>>> from LDAP.
>>> 
>>> Can you show output of
>>> 
>>> lsuser -R LDAP bpr...@example.corp
>>> lsuser -a registry SYSTEM bpr...@example.corp
>>> 
>>> The attributes 'registry' and 'SYSTEM' should be set to LDAP (or KRB5LDAP).
>>> 
>>> Can you show how you configured the AIX client?
>>> 
>>> --
>>> / Alexander Bokovoy
>> 
>> lsuser -R LDAP bpr...@example.corp:
>> bpr...@example.corp id=211623277 pgrp=bpr...@example.corp 
>> groups=bpr...@example.corp home=/home/example.corp/bprins shell=/bin/bash 
>> gecos=Bobby Prins login=true su=true rlogin=true daemon=true admin=false 
>> sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM 
>> auth2=NONE umask=22 registry=LDAP SYSTEM=LDAP logintimes= loginretries=0 
>> pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 
>> minalpha=0 minloweralpha=0 minupperalpha=0 minother=0 mindigit=0 
>> minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 
>> pwdchecks= dictionlist= default_roles= fsize=8388604 cpu=-1 data=262144 
>> stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
> I assume you have /bin/bash installed on AIX? This user has shell
> defined as /bin/bash and if it is missing, login or ssh will deny its
> access to the system.
Yes, bash is a valid shell on this machine and also in use by local and IPA 
users.
> 
>> 
>> lsuser -a registry SYSTEM bpr...@example.corp:
>> bpr...@example.corp registry=LDAP SYSTEM=LDAP
>> 
>> Contents of /etc/security/ldap/ldap.cfg:
>> ldapservers:idm01.unix.example.corp
>> authtype:ldap_auth
>> useSSL:no
>> userattrmappath:/etc/security/ldap/IPAuser.map
>> groupattrmappath:/etc/security/ldap/IPAgroup.map
>> userbasedn:cn=users,cn=compat,dc=unix,dc=example,dc=corp
>> groupbasedn:cn=groups,cn=compat,dc=unix,dc=example,dc=corp
>> userclasses:posixaccount
>> groupclasses:posixgroup
>> ldapport:389
>> searchmode:ALL
>> defaultentrylocation:LDAP
>> serverschematype:rfc2307
>> 
>> Map file /etc/security/ldap/IPAuser.map:
>> #IPAuser.map file
>> keyobjectclass  SEC_CHAR        posixaccount            s
>> 
>> # The following attributes are required by AIX to be functional
>> username        SEC_CHAR        uid                     s
>> id              SEC_INT         uidnumber               s
>> pgrp            SEC_CHAR        gidnumber               s
>> home            SEC_CHAR        homedirectory           s
>> shell           SEC_CHAR        loginshell              s
>> gecos           SEC_CHAR        gecos                   s
>> spassword       SEC_CHAR        userpassword            s
>> lastupdate      SEC_INT         shadowlastchange        s
>> 
>> Map file /etc/security/ldap/IPAgroup.map:
>> #IPAgroup.map file
>> groupname       SEC_CHAR    cn                    s
>> id              SEC_INT     gidNumber             s
>> users           SEC_LIST    member                m
>> 
>> With the current setup, users created on the IPA server work; AD users do not.
> The rest of the configuration looks fine. Given that PAM debug output
> mentions pam_aix, can you show /etc/pam.conf and
> /etc/security/login.cfg? I suspect that you have auth_type=PAM_AUTH in
> /etc/security/login.cfg, that's why PAM authentication is in use and
> pam_aix should theoretically pick up LDAP via the LAM mechanism.
> -- 
> / Alexander Bokovoy

Contents of pam.conf:
...
#
# Authentication
#
authexec auth   required        pam_aix
dtaction auth   required        pam_aix
dtsession auth  required        pam_aix
dtlogin auth    required        pam_aix
ftp     auth    required        pam_aix
imap    auth    required        pam_aix
login   auth    required        pam_aix
rexec   auth    required        pam_aix
rlogin  auth    sufficient      pam_rhosts_auth
rlogin  auth    required        pam_aix
rsh     auth    required        pam_rhosts_auth
snapp   auth    required        pam_aix
su      auth    sufficient      pam_allowroot
su      auth    required        pam_aix
swrole  auth    required        pam_aix
telnet  auth    required        pam_aix
xdm     auth    required        pam_aix
sshd    auth    required        pam_aix
OTHER   auth    required        pam_prohibit
 
#
# Account Management
#
authexec account required       pam_aix
dtlogin account required        pam_aix
ftp     account required        pam_aix
login   account required        pam_aix
rexec   account required        pam_aix
rlogin  account required        pam_aix
rsh     account required        pam_aix
su      account sufficient      pam_allowroot
su      account required        pam_aix
swrole  account required        pam_aix
telnet  account required        pam_aix
xdm     account required        pam_aix
sshd    account required        pam_aix
OTHER   account required        pam_prohibit
 
#
# Password Management
#
authexec password  required     pam_aix
dtlogin password  required      pam_aix
login   password  required      pam_aix
passwd  password  required      pam_aix
rlogin  password  required      pam_aix
su      password  required      pam_aix
telnet  password  required      pam_aix
xdm     password  required      pam_aix
sshd    password  required      pam_aix
OTHER   password  required      pam_prohibit
 
#
# Session Management
#
dtlogin session required        pam_aix
ftp     session required        pam_aix
imap    session required        pam_aix
login   session required        pam_aix
rexec   session required        pam_aix
rlogin  session required        pam_aix
rsh     session required        pam_aix
snapp   session required        pam_aix
su      session required        pam_aix
swrole  session required        pam_aix
telnet  session required        pam_aix
xdm     session required        pam_aix
sshd    session required        pam_aix
OTHER   session required        pam_prohibit

Contents of login.cfg:
…
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd,/bin/bash
        maxlogins = 32767
        logintimeout = 60
        maxroles = 8
        auth_type = PAM_AUTH

So you were correct about using PAM_AUTH. I’m thinking about logging a support 
case with IBM for this PAM behavior.


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
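The thread's diagnosis rests on reading the AIX PAM debug trace by hand: how long pam_authenticate() ran before pam_aix gave up (which Bobby matched against the etime= of the RESULT line in the directory server access log), and the fact that the account phase then reported "No account present for user", i.e. pam_aix could not resolve the user through the LAM registry. The script below is an added example written for this page; it is not part of the thread and not IBM's or FreeIPA's code. It parses AIX PAM debug syslog lines of the shape shown above, times the authenticate and account phases, and flags the two conditions the thread discusses. The sample log is constructed from the trace in the thread with a placeholder user name, the year 2015 is assumed because syslog timestamps carry none, and the script assumes that item 6 in pam_set_item(6) is PAM_AUTHTOK (its value in the Linux-PAM item numbering), so that the gap between pam_set_item(6) and the verdict approximates the time spent waiting on the backend.

```python
"""Time the phases of an AIX PAM debug trace and flag backend-resolution failures."""
import re
from datetime import datetime

# Constructed sample, rejoined from the wrapped trace in the thread; the user
# name is a placeholder, not the one from the original post.
SAMPLE_LOG = """\
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_start(login someuser@example.corp)
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(1)
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_authenticate()
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: load_modules: /usr/lib/security/pam_aix
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: load_function: successful load of pam_sm_authenticate
Mar 24 16:23:22 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(6)
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_authenticate: error Authentication failed
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(6)
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_acct_mgmt()
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: load_modules: /usr/lib/security/pam_aix
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_acct_mgmt: error No account present for user
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_end(): status = Authentication failed
Mar 24 16:23:37 tst01 auth|security:info syslog: vty0: failed login attempt for UNKNOWN_USER
"""

# "<Mon dd HH:MM:SS> <host> <facility:priority> <process> PAM: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<facility>\S+)\s+(?P<proc>\S+)\s+PAM:\s+(?P<msg>.*)$"
)


def parse_pam_log(text, year=2015):
    """Return the PAM debug entries as dicts; non-PAM syslog lines are skipped.
    The year is an assumption: syslog timestamps do not carry one."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]})
    return events


def phase_seconds(events, start_prefix, end_prefix):
    """Seconds from the first message starting with start_prefix to the first
    later message starting with end_prefix; None if either is absent."""
    for i, start in enumerate(events):
        if start["msg"].startswith(start_prefix):
            for later in events[i + 1:]:
                if later["msg"].startswith(end_prefix):
                    return (later["time"] - start["time"]).total_seconds()
            return None
    return None


def summarize(text, slow_threshold=5.0):
    """Phase timings plus the two triage hints the thread is about."""
    ev = parse_pam_log(text)
    end = next((e["msg"] for e in ev if e["msg"].startswith("pam_end()")), "")
    status = end.split("status = ", 1)[1] if "status = " in end else None
    acct_msg = next((e["msg"] for e in ev if e["msg"].startswith("pam_acct_mgmt:")), None)
    # pam_set_item(6) is assumed to be PAM_AUTHTOK (Linux-PAM numbering), so the
    # gap from there to the verdict is roughly the wait on the backend lookup.
    after_authtok = phase_seconds(ev, "pam_set_item(6)", "pam_authenticate:")
    notes = []
    if after_authtok is not None and after_authtok >= slow_threshold:
        notes.append(
            f"verdict came {after_authtok:.0f}s after the password was supplied; "
            "compare with etime= on the matching RESULT line of the directory access log"
        )
    if acct_msg and "No account present" in acct_msg:
        notes.append(
            "account phase could not resolve the user: check 'lsuser -a registry SYSTEM <user>' "
            "and the LDAP user map (registry/SYSTEM must be LDAP or KRB5LDAP)"
        )
    return {
        "authenticate_seconds": phase_seconds(ev, "pam_authenticate()", "pam_authenticate:"),
        "after_authtok_seconds": after_authtok,
        "acct_mgmt_seconds": phase_seconds(ev, "pam_acct_mgmt()", "pam_acct_mgmt:"),
        "end_status": status,
        "modules": sorted({e["msg"].split(": ", 1)[1] for e in ev if e["msg"].startswith("load_modules:")}),
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample this reports 27 s for the whole authenticate phase, 15 s from the password being supplied to the failure, a zero-length account phase, and both hints. A long gap after the password with an immediate "No account present" afterwards points at the registry lookup rather than at a wrong password, which is the distinction the thread draws before looking at login.cfg's auth_type.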