Crony,

I also am trying to setup both AIX 6.1 and AIX 7 clients.

Is there any way I could get you to post your working configurations?

Thanks,
David
-----Original Message-----
From: crony <leszek....@gmail.com>
To: freeipa-users@redhat.com
Subject: [Freeipa-users] AD Cross Realm Trust + AIX
Date: Thu, 12 Feb 2015 19:06:59 +0100

Hi All,
can I ask you for some advice?

My setup is:
- updated RHEL7 as IPA server (UX.EXAMPLE.COM) in trust
with Active Directory 2008R2 domain (EXAMPLE.COM)
- AIX 7 as IPA client

I'm using the compat tree for connecting AIX as a client.

A lot of things work correctly:

# /usr/krb5/bin/kinit leszek
Password for ad_u...@example.com:

# /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  ad_u...@example.com
Valid starting     Expires            Service principal
02/12/15 15:46:23  02/13/15 01:46:31  krbtgt/example....@example.com
        Renew until 02/13/15 01:46:23

# lsldap -a passwd ad_u...@example.com
dn: uid=ad_u...@example.com,cn=users,cn=compat,dc=ux,dc=example,dc=com
objectClass: posixAccount
objectClass: extensibleObject
objectClass: top
gecos: ad_user
cn: ad_user
uidNumber: 1036620735
gidNumber: 1036620735
homeDirectory: /home/example.com/ad_user
ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXX-XXXXX-XXXXXX
uid: ad_u...@example.com

# id ad_u...@example.com
uid=1036620735(ad_u...@example.com) gid=1036620735(ad_u...@example.com) groups=1036620733(another_gr...@example.com)

Here I found the first problem:

# su - ad_u...@example.com
3004-614 Unable to change directory to "".
        You are in "/home/guest" instead.
$ id
uid=1036620735(ad_u...@example.com) gid=1036620735(ad_u...@example.com) groups=1036620733(another_gr...@example.com)

The error "3004-614 Unable to change directory to ""." appears after I added the following to
/etc/methods.cfg:

KRB5A:
program = /usr/lib/security/KRB5A
program_64 = /usr/lib/security/KRB5A_64
options = authonly
LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64

Without these lines there is no error about changing to the home directory: su from
root works smoothly and puts the user in the home directory. But now I can't
ssh to the system, because I have no correct registry.
-----
I made another test: if I log in as a plain IPA user, e.g. admin, there is no
such problem:

# id admin
uid=30000(admin) gid=30000(admins)

 # su - admin

-bash-3.2$ pwd
/export/home/admin

-bash-3.2$ id
uid=30000(admin) gid=30000(admins)
# ssh admin@localhost
admin@localhost's password:
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 7.1!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
-bash-3.2$ id

uid=30000(admin) gid=30000(admins)

Any idea what is wrong?

I have already changed the AIX max_logname from 8 to 40 characters. Maybe the
"@" character in the login name is a problem?


Thank you in advance. -- /lm
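The two stanzas in the message above give AIX a Kerberos module that only authenticates (options = authonly) and an LDAP module that only supplies identity, but nothing that ties the two together for one login. The usual way to do that on AIX is a compound load module in /etc/methods.cfg, referenced from /etc/security/user. The fragment below is an added example written for this page; it is not crony's configuration or anything from the FreeIPA project, the stanza name KRB5ALDAP and the default-stanza settings are assumptions, and whether it clears the 3004-614 error in this particular setup was not established in the thread.

```text
* /etc/methods.cfg (AIX stanza file; "*" starts a comment)

KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

* Compound module (name assumed): KRB5A performs authentication,
* LDAP answers the identity queries (uid, gid, home directory, shell)
* for the same login, so su and sshd see one consistent registry.
KRB5ALDAP:
        options = auth=KRB5A,db=LDAP

* /etc/security/user (assumed settings)
* Fall back to local files ("compat") so root and local accounts keep
* working if the KDC or LDAP server is unreachable.
default:
        SYSTEM = "KRB5ALDAP OR compat"

* Per-user registry: set it only for directory users, not for root,
* so root stays in the local files registry.
* (e.g. chuser SYSTEM="KRB5ALDAP" registry=KRB5ALDAP <login>)
```

The point a practitioner would check first is that the user's SYSTEM and registry attributes (lsuser -a SYSTEM registry <login>) both name the compound module rather than the bare KRB5A or LDAP stanzas, and that root and local service accounts are left in the files registry so that losing the trust or the LDAP server never locks out local administration.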


