Crony, I also am trying to set up both AIX 6.1 and AIX 7 clients.
Is there any way I could get you to post your working configurations?

Thanks,
David

-----Original Message-----
From: crony <leszek....@gmail.com>
To: freeipa-users@redhat.com
Subject: [Freeipa-users] AD Cross Realm Trust + AIX
Date: Thu, 12 Feb 2015 19:06:59 +0100

Hi All,
can I ask you for some advice?

My setup is:
- updated RHEL7 as IPA server (UX.EXAMPLE.COM) in trust with Active Directory 2008R2 domain (EXAMPLE.COM)
- AIX 7 as IPA client

I'm using compat tree for connecting AIX as client. A lot of things work correctly:

# /usr/krb5/bin/kinit leszek
Password for ad_u...@example.com:
# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: ad_u...@example.com

Valid starting     Expires            Service principal
02/12/15 15:46:23  02/13/15 01:46:31  krbtgt/example....@example.com
        Renew until 02/13/15 01:46:23

# lsldap -a passwd ad_u...@example.com
dn: uid=ad_u...@example.com,cn=users,cn=compat,dc=ux,dc=example,dc=com
objectClass: posixAccount
objectClass: extensibleObject
objectClass: top
gecos: ad_user
cn: ad_user
uidNumber: 1036620735
gidNumber: 1036620735
homeDirectory: /home/example.com/ad_user
ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXX-XXXXX-XXXXXX
uid: ad_u...@example.com

# id ad_u...@example.com
uid=1036620735(ad_u...@example.com) gid=1036620735(ad_u...@example.com) groups=1036620733(another_gr...@example.com)

Here I found the first problem:

# su - ad_u...@example.com
3004-614 Unable to change directory to "".
You are in "/home/guest" instead.
$ id
uid=1036620735(ad_u...@example.com) gid=1036620735(ad_u...@example.com) groups=1036620733(another_gr...@example.com)

The "3004-614 Unable to change directory to ""." appears after I added to /etc/methods.cfg:

KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

Without these lines there is no error "about change to home directory", su from root works smoothly and puts the user into the home directory. But now I can't ssh to the system, because I have no correct registry.

-----

I made another test: if I log in as just an IPA user, e.g. admin, there is no such problem:

# id admin
uid=30000(admin) gid=30000(admins)
# su - admin
-bash-3.2$ pwd
/export/home/admin
-bash-3.2$ id
uid=30000(admin) gid=30000(admins)
# ssh admin@localhost
admin@localhost's password:
*******************************************************************************
*                                                                             *
*  Welcome to AIX Version 7.1!                                                *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*******************************************************************************
-bash-3.2$ id
uid=30000(admin) gid=30000(admins)

Any idea what is wrong? I have already changed the AIX max_logname from 8 to 40 characters. Maybe the "@" character in login name is a problem?

Thank you in advance.

-- 
/lm
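The thread above narrows the AD-trust login failure on AIX to three candidates: the compat entry not yielding a usable homeDirectory, the login name exceeding max_logname, and the "@" in the trusted-domain user name. The script below is an added example, not code from the thread or from FreeIPA: it parses LDIF of the kind `lsldap -a passwd <user>` prints and reports, per posixAccount entry, exactly those conditions (a required attribute missing or empty, a non-numeric uidNumber/gidNumber, a uid longer than max_logname, or characters outside the portable POSIX username set), so the LDAP side can be ruled in or out before touching /etc/methods.cfg. The LDIF sample, the user name `ad_user@example.com` and the second entry with an empty homeDirectory are constructed for the demonstration; the SID is the page's own redaction, and the default max_logname of 40 is the value the poster set.

```python
"""Sanity-check posixAccount entries from the IPA compat tree (added example)."""
import base64
import re
from typing import Dict, List

# Portable POSIX username set; "@" and "." in AD-trust names fall outside it.
PORTABLE_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]*[$]?$")
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample: one AD-trust user as seen through cn=compat, plus one
# entry with an empty homeDirectory to exercise that check.
SAMPLE_LDIF = """\
dn: uid=ad_user@example.com,cn=users,cn=compat,dc=ux,dc=example,dc=com
objectClass: posixAccount
objectClass: extensibleObject
objectClass: top
gecos: ad_user
cn: ad_user
uidNumber: 1036620735
gidNumber: 1036620735
homeDirectory: /home/example.com/ad_user
ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXX-XXXXX-XXXXXX
uid: ad_user@example.com

dn: uid=admin,cn=users,cn=compat,dc=ux,dc=example,dc=com
objectClass: posixAccount
objectClass: top
cn: admin
uidNumber: 30000
gidNumber: 30000
homeDirectory:
uid: admin
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into entries; each entry maps attribute -> list of values.

    Handles `attr: value`, base64 `attr:: value` (decoded as UTF-8) and
    continuation lines (a leading space joins to the previous value).
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines() + [""]:  # trailing "" closes the last entry
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        if raw.strip() == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
        last_attr = attr
    return entries


def check_entry(entry: Dict[str, List[str]], max_logname: int = 40) -> List[str]:
    """Return human-readable findings for one posixAccount entry."""
    findings: List[str] = []
    if "posixAccount" not in entry.get("objectClass", []):
        return findings  # not a user entry; nothing for AIX to map
    for attr in REQUIRED:
        if not [v for v in entry.get(attr, []) if v]:
            findings.append(f"{attr} missing or empty")
    for attr in ("uidNumber", "gidNumber"):
        for v in entry.get(attr, []):
            if v and not v.isdigit():
                findings.append(f"{attr} is not numeric: {v!r}")
    for uid in entry.get("uid", []):
        if len(uid) > max_logname:
            findings.append(f"uid {uid!r} is {len(uid)} chars, over max_logname={max_logname}")
        if uid and not PORTABLE_USERNAME.match(uid):
            findings.append(f"uid {uid!r} contains characters outside the portable username set")
    return findings


def audit(text: str, max_logname: int = 40) -> Dict[str, List[str]]:
    """Map each entry's dn to its findings; clean entries are omitted."""
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        findings = check_entry(entry, max_logname)
        if findings:
            report[dn] = findings
    return report


if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn)
        for p in problems:
            print("  -", p)
```

Run against real output (`lsldap -a passwd "$user" | python3 audit_compat.py` after replacing SAMPLE_LDIF with stdin) it separates "the directory never returns a home directory" from "the directory is fine and the AIX registry/method configuration is dropping it", which is the distinction the thread leaves open. Lowering max_logname in the call reproduces the length finding that the poster's change from 8 to 40 was meant to remove.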