On Apr 7, 2015, at 13:41, Bobby Prins <bobby.pr...@proxy.nl> wrote:
> 
> 
>> On Apr 3, 2015, at 14:40, Bobby Prins <bobby.pr...@proxy.nl> wrote:
>> 
>>> ----- Original message -----
>>> From: "Alexander Bokovoy" <aboko...@redhat.com>
>>> To: "Bobby Prins" <bobby.pr...@proxy.nl>
>>> Cc: d...@redhat.com, freeipa-users@redhat.com
>>> Sent: Friday 3 April 2015 14:26:17
>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in 
>>> ipa_server_mode
>>> 
>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>> ----- Original message -----
>>>>> From: "Alexander Bokovoy" <aboko...@redhat.com>
>>>>> To: "Bobby Prins" <bobby.pr...@proxy.nl>
>>>>> Cc: d...@redhat.com, freeipa-users@redhat.com
>>>>> Sent: Friday 3 April 2015 12:45:07
>>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in 
>>>>> ipa_server_mode
>>>>> 
>>>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>>> access:
>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 
>>>>>> 192.168.140.107 to 192.168.140.133
>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 
>>>>>> version=3
>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 
>>>>>> nentries=0 etime=0 dn=""
>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH 
>>>>>> base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 
>>>>>> filter="(&(objectClass=posixaccount)(uid=bpr...@example.corp))" attrs=ALL
>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 
>>>>>> nentries=1 etime=0
>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH 
>>>>>> base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 
>>>>>> filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 
>>>>>> nentries=0 etime=0
>>>>> Above there are two lookups:
>>>>> 
>>>>> - successful lookup for user bpri...@example.com
>>>>> - unsuccessful lookup for user bprins
>>>>> 
>>>>> What is causing it to perform a lookup without @example.com? Compat tree
>>>>> presents AD users fully qualified, it is the only way it knows to
>>>>> trigger lookup via SSSD on IPA master for these users (because non-fully
>>>>> qualified users are in IPA LDAP tree already and copied to compat tree
>>>>> automatically).
>>>> This seems to be (standard?) behaviour of the AIX LDAP client. Did some
>>>> more tests with different accounts and always see the two lookups. I
>>>> doubt if I can influence that..
>>> No, this is not standard -- I haven't seen such behavior when testing
>>> FreeIPA with AIX last autumn.
>>> -- 
>>> / Alexander Bokovoy
>> OK, with the idsldap client software and an AD trust configured? This is on 
>> AIX7.1. I'm spinning up an AIX5.3 machine now for another test. Might try 
>> AIX6.1 as well. What works is creating the user object in freeIPA so the 
>> lookup succeeds. After that I can authenticate successfully against AD. Not 
>> the solution I'm looking for though.
> Did some tests with AIX5.3 and then I don’t run into any issues. There is no 
> lookup to be seen after entering my username on AIX5.3 (as there was on 
> AIX7.1), only the authentication request which succeeds. Will test AIX6.1 
> later on..

AIX6.1 also worked without any problems. In the end my methods.cfg was causing 
the problems on AIX7.1. After deleting these lines authentication worked:

KRB5:
       program = /usr/lib/security/KRB5
       program_64 = /usr/lib/security/KRB5_64
       options = authonly,kadmind=no

KRB5LDAP:
       options = auth=KRB5,db=LDAP

So my methods.cfg now looks like this:

LDAP:
       program = /usr/lib/security/LDAP
       program_64 = /usr/lib/security/LDAP64

NIS:
       program = /usr/lib/security/NIS
       program_64 = /usr/lib/security/NIS_64

DCE:
       program = /usr/lib/security/DCE

I was not expecting this since I was not using KRB5 or KRB5LDAP in 
/etc/security/user. Well, I’m glad I got this sorted out now :)

> 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

