On Jun 11, 2015, at 15:37, Alexander Bokovoy <aboko...@redhat.com> wrote:
> 
> On Thu, 11 Jun 2015, Bobby Prins wrote:
>> On Apr 7, 2015, at 13:41, Bobby Prins <bobby.pr...@proxy.nl> wrote:
>>> 
>>> 
>>>> On Apr 3, 2015, at 14:40, Bobby Prins <bobby.pr...@proxy.nl> wrote:
>>>> 
>>>>> ----- Original message -----
>>>>> From: "Alexander Bokovoy" <aboko...@redhat.com>
>>>>> To: "Bobby Prins" <bobby.pr...@proxy.nl>
>>>>> Cc: d...@redhat.com, freeipa-users@redhat.com
>>>>> Sent: Friday 3 April 2015 14:26:17
>>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in 
>>>>> ipa_server_mode
>>>>> 
>>>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>>>> ----- Original message -----
>>>>>>> From: "Alexander Bokovoy" <aboko...@redhat.com>
>>>>>>> To: "Bobby Prins" <bobby.pr...@proxy.nl>
>>>>>>> Cc: d...@redhat.com, freeipa-users@redhat.com
>>>>>>> Sent: Friday 3 April 2015 12:45:07
>>>>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in 
>>>>>>> ipa_server_mode
>>>>>>> 
>>>>>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>>>>> access:
>>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 
>>>>>>>> 192.168.140.107 to 192.168.140.133
>>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 
>>>>>>>> version=3
>>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 
>>>>>>>> nentries=0 etime=0 dn=""
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH 
>>>>>>>> base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 
>>>>>>>> filter="(&(objectClass=posixaccount)(uid=bpr...@example.corp))" 
>>>>>>>> attrs=ALL
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 
>>>>>>>> nentries=1 etime=0
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH 
>>>>>>>> base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 
>>>>>>>> filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 
>>>>>>>> nentries=0 etime=0
>>>>>>> Above there are two lookups:
>>>>>>> 
>>>>>>> - successful lookup for user bpri...@example.com
>>>>>>> - unsuccessful lookup for user bprins
>>>>>>> 
>>>>>>> What is causing to perform a lookup without @example.com? Compat tree
>>>>>>> presents AD users fully qualified, it is the only way it knows to
>>>>>>> trigger lookup via SSSD on IPA master for these users (because non-fully
>>>>>>> qualified users are in IPA LDAP tree already and copied to compat tree
>>>>>>> automatically).
>>>>>> This seems to be (standard?) behaviour of the AIX LDAP client. Did some
>>>>>> more tests with different accounts and always see the two lookups. I
>>>>>> doubt if I can influence that..
>>>>> No, this is not standard -- I haven't seen such behavior when testing
>>>>> FreeIPA with AIX last autumn.
>>>>> --
>>>>> / Alexander Bokovoy
>>>> OK, with the idsldap client software and an AD trust configured? This is 
>>>> on AIX7.1. I'm spinning up an AIX5.3 machine now for another test. Might 
>>>> try AIX6.1 as well. What works is creating the user object in freeIPA so 
>>>> the lookup succeeds. After that I can authenticate successfully against AD. 
>>>> Not the solution I'm looking for though.
>>> Did some tests with AIX5.3 and then I don’t run into any issues. There is 
>>> no lookup to be seen after entering my username on AIX5.3 (as there was on 
>>> AIX7.1), only the authentication request which succeeds. Will test AIX6.1 
>>> later on..
>> 
>> AIX6.1 also worked without any problems. In the end my methods.cfg was 
>> causing the problems on AIX7.1. After deleting these lines authentication 
>> worked:
>> 
>> KRB5:
>>      program = /usr/lib/security/KRB5
>>      program_64 = /usr/lib/security/KRB5_64
>>      options = authonly,kadmind=no
>> 
>> KRB5LDAP:
>>      options = auth=KRB5,db=LDAP
>> 
>> So my methods.cfg now looks like this:
>> 
>> LDAP:
>>      program = /usr/lib/security/LDAP
>>      program_64 = /usr/lib/security/LDAP64
>> 
>> NIS:
>>      program = /usr/lib/security/NIS
>>      program_64 = /usr/lib/security/NIS_64
>> 
>> DCE:
>>      program = /usr/lib/security/DCE
>> 
>> I was not expecting this since I was not using KRB5 or KRB5LDAP in 
>> /etc/security/user. Well, I’m glad I got this sorted out now :)
> Great. Could you please write your configurations up somewhere so that
> we can have an article on freeipa.org detailing the configs for future
> users?

Yes, I will do that Alexander. Hope to have some time for that next week.

> -- 
> / Alexander Bokovoy


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
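The diagnosis in this thread hinged on reading the 389-ds access log and spotting the pair of compat-tree lookups: a fully qualified `uid=user@domain` search that returns one entry, followed on the same connection by an unqualified `uid=user` search that returns none. The script below is an added example (not code from the thread or from the FreeIPA project) that correlates `SRCH` and `RESULT` lines by `conn`/`op` and flags exactly that pattern, so an administrator can confirm from the log whether a client is issuing the second, unqualified lookup before touching `methods.cfg` or the client configuration. The log lines, host addresses, user name and domain are constructed to match the format quoted above; the `cn=compat` marker used to recognise compat-tree searches is an assumption about the directory layout.

```python
"""Flag the qualified-hit / unqualified-miss lookup pair in a 389-ds access log.

Added example; sample data is constructed and not the log from the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the access-log format quoted in the thread.
SAMPLE_LOG = """\
[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.0.2.7 to 192.0.2.33
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=test" scope=2 filter="(&(objectClass=posixaccount)(uid=jdoe@ad.example.test))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=test" scope=2 filter="(&(objectClass=posixaccount)(uid=jdoe))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+)')
UID_RE = re.compile(r'\(uid=([^)]+)\)')


@dataclass
class Lookup:
    """One search request joined with its result, keyed by (conn, op)."""
    conn: int
    op: int
    base: str
    uid: Optional[str]
    err: Optional[int] = None
    nentries: Optional[int] = None

    @property
    def qualified(self) -> bool:
        # Compat tree presents trusted-domain users as user@domain.
        return self.uid is not None and "@" in self.uid


def parse_lookups(text: str) -> List[Lookup]:
    """Pair each SRCH line with the RESULT line carrying the same conn/op."""
    pending: Dict[Tuple[int, int], Lookup] = {}
    done: List[Lookup] = []
    for line in text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, filt = m.groups()
            u = UID_RE.search(filt)
            key = (int(conn), int(op))
            pending[key] = Lookup(key[0], key[1], base, u.group(1) if u else None)
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, n = (int(x) for x in m.groups())
            lk = pending.pop((conn, op), None)
            if lk is not None:  # RESULT lines for BIND etc. have no SRCH and are skipped
                lk.err, lk.nentries = err, n
                done.append(lk)
    return done


def find_unqualified_misses(lookups: List[Lookup],
                            compat_marker: str = "cn=compat") -> List[Tuple[int, str, str]]:
    """Return (conn, qualified_uid, short_uid) for each unqualified compat-tree
    search that returned nothing after a qualified search for the same short
    name succeeded on the same connection."""
    hits: Dict[Tuple[int, str], str] = {}
    flagged: List[Tuple[int, str, str]] = []
    for lk in sorted(lookups, key=lambda l: (l.conn, l.op)):
        if lk.uid is None or compat_marker not in lk.base:
            continue
        short = lk.uid.split("@", 1)[0]
        if lk.qualified and lk.nentries:
            hits[(lk.conn, short)] = lk.uid
        elif not lk.qualified and lk.nentries == 0 and (lk.conn, short) in hits:
            flagged.append((lk.conn, hits[(lk.conn, short)], lk.uid))
    return flagged


if __name__ == "__main__":
    for conn, full, short in find_unqualified_misses(parse_lookups(SAMPLE_LOG)):
        print(f"conn={conn}: qualified hit for {full} followed by empty lookup for {short}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; a non-empty result means the client is retrying the short name after the qualified lookup already succeeded, which is the client-side behaviour Alexander asked about rather than a server-side problem.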