"Why don't you just use the /bin/sh as default shell in IPA  ? In aix /bin/sh 
is the same as /bin/ksh and in linux it is a symlink to /bin/bash ."

Wow, never thought of that, very elegant solution!
Best Regards
__________________________________________
Luiz Fernando Vianna da Silva
On 12-05-2017 10:27, Iulian Roman wrote:


On Fri, May 12, 2017 at 2:32 PM, <wouter.hummel...@kpn.com> wrote:
Hi All,

We’re running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module.
All the moving parts seem to be working on their own; however, logging in 
doesn't work, with SSH on AIX reporting Failed password for user <xxx>

We're using ID views to overwrite the user shell and home dirs. (Since AIX will 
refuse a login with a nonexistent shell (like bash))

Why don't you just use the /bin/sh as default shell in IPA  ? In aix /bin/sh is 
the same as /bin/ksh and in linux it is a symlink to /bin/bash .

AIX's lsuser command is able to find all of the users it's supposed to, and su to 
IPA users works.
Also when a user tries to log in I can see a successful Kerberos conversation 
to our IPA server.

Tips for troubleshooting would be much appreciated, increasing SSH log level 
did not produce any meaningful logging.

=============== Configuration Excerpt ================================================================
/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}<redacted>
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 
932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user default:
SYSTEM = KRB5LDAP or compat

I am using the following settings in /etc/security/user:
SYSTEM = KRB5LDAP
registry = KRB5LDAP
It works for AIX 5, 6 and 7 in my setup.

/etc/methods.cfg

LDAP:

       program = /usr/lib/security/LDAP

       program_64 =/usr/lib/security/LDAP64

NIS:

       program = /usr/lib/security/NIS

       program_64 = /usr/lib/security/NIS_64

DCE:

       program = /usr/lib/security/DCE

KRB5:

       program = /usr/lib/security/KRB5

       program_64 = /usr/lib/security/KRB5_64

       options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no



KRB5LDAP:

       options = auth=KRB5,db=LDAP


Kind regards,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447
E: wouter.hummel...@kpn.com


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
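As an added example, not part of this thread and not code from the FreeIPA or AIX projects: a Python parser for the AIX stanza file format used by /etc/methods.cfg and /etc/security/user, with checks for the settings discussed above (the KRB5LDAP compound stanza, tgt_verify in the KRB5 stanza, and the SYSTEM/registry values the reply reports as working), plus a check that the login shells IPA hands out actually exist on the local host, since AIX refuses a login whose shell is missing. The sample stanza text is constructed from the excerpt in the thread; the attribute names are the real AIX ones, while the helper names (parse_stanzas, parse_options, audit_config, missing_shells) are this example's own.

```python
"""Added example (not from the mailing-list thread): parse AIX stanza-format
config files such as /etc/methods.cfg and /etc/security/user and report the
settings the thread discusses. The sample text below is constructed from the
excerpt in the thread; helper names are this example's own, not AIX APIs."""
import os
import re

# A stanza starts with 'name:' alone on a line; attributes are indented 'attr = value'.
STANZA_RE = re.compile(r"^(\S+):\s*$")
ATTR_RE = re.compile(r"^\s+(\w+)\s*=\s*(.*?)\s*$")


def parse_stanzas(text):
    """Return {stanza_name: {attribute: value}} for AIX stanza-format text.

    Lines starting with '*' are comments. Quotes around values (as used in
    /etc/security/user) are stripped so callers compare bare strings."""
    stanzas = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
    return stanzas


def parse_options(value):
    """Split an 'options = a,b=c' attribute into {flag: value-or-True}."""
    out = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition("=")
        out[key.strip()] = val.strip() if val else True
    return out


def audit_config(methods_cfg, security_user):
    """Return [(check, ok, detail)] for the settings the thread turns on."""
    methods = parse_stanzas(methods_cfg)
    users = parse_stanzas(security_user)
    findings = []

    # The compound module must chain Kerberos authentication with the LDAP database.
    compound = parse_options(methods.get("KRB5LDAP", {}).get("options", ""))
    findings.append(("KRB5LDAP stanza is auth=KRB5,db=LDAP",
                     compound.get("auth") == "KRB5" and compound.get("db") == "LDAP",
                     compound))

    # tgt_verify=yes makes the KRB5 module verify the TGT against the host keytab.
    krb5 = parse_options(methods.get("KRB5", {}).get("options", ""))
    findings.append(("KRB5 module verifies the TGT (tgt_verify=yes)",
                     krb5.get("tgt_verify") == "yes", krb5))

    # The reply reports SYSTEM and registry both set to exactly KRB5LDAP as working.
    default = users.get("default", {})
    for attr in ("SYSTEM", "registry"):
        value = default.get(attr)
        findings.append((f"default {attr} is exactly KRB5LDAP (the reply's working setting)",
                         value == "KRB5LDAP", value))
    return findings


def missing_shells(shells):
    """Return the shells that are not executable on this host.

    AIX refuses a login whose loginShell is absent locally, which is why the
    thread converges on /bin/sh (ksh on AIX, a symlink to bash on Linux)."""
    return [s for s in shells if not os.access(s, os.X_OK)]


# Constructed sample mirroring the /etc/methods.cfg excerpt in the thread.
SAMPLE_METHODS_CFG = """\
LDAP:
        program = /usr/lib/security/LDAP
        program_64 =/usr/lib/security/LDAP64

KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no

KRB5LDAP:
        options = auth=KRB5,db=LDAP
"""

# Constructed 'default' stanza as posted (SYSTEM only, no registry).
SAMPLE_SECURITY_USER_POSTED = """\
default:
        SYSTEM = "KRB5LDAP or compat"
"""

# The same stanza with the settings the reply reports as working on AIX 5, 6 and 7.
SAMPLE_SECURITY_USER_REPLY = """\
default:
        SYSTEM = "KRB5LDAP"
        registry = "KRB5LDAP"
"""

if __name__ == "__main__":
    for check, ok, detail in audit_config(SAMPLE_METHODS_CFG, SAMPLE_SECURITY_USER_POSTED):
        print("OK  " if ok else "FAIL", check, "->", detail)
    print("missing shells:", missing_shells(["/bin/sh", "/usr/nonexistent/bash"]))
```

Run against the posted excerpt, the two module checks pass and the two default-stanza checks fail, which is exactly the difference between the posted /etc/security/user and the settings in the reply; feeding the shell list IPA serves (for example the output of lsuser -a shell) to missing_shells shows which accounts AIX would reject before Kerberos is even consulted.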
