"Why don't you just use the /bin/sh as default shell in IPA ? In aix /bin/sh is the same as /bin/ksh and in linux it is a symlink to /bin/bash ."
Wow, never thought of that, very elegant solution! Atenciosamente/Best Regards __________________________________________ Luiz Fernando Vianna da Silva Em 12-05-2017 10:27, Iulian Roman escreveu: On Fri, May 12, 2017 at 2:32 PM, <wouter.hummel...@kpn.com<mailto:wouter.hummel...@kpn.com>> wrote: Hi All, We’re running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module. All the moving parts seem to be working on their own, however logging in doesn’t work with SSH on AIX reporting Failed password for user <xxx> We’re using ID views to overwrite the user shell and home dirs. (Since AIX will refuse a login with a nonexisting shell (like bash)) Why don't you just use the /bin/sh as default shell in IPA ? In aix /bin/sh is the same as /bin/ksh and in linux it is a symlink to /bin/bash . AIXs lsuser command is able to find all of the users it’s supposed to and su to IPA users works. Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server. Tips for troubleshooting would be much appreciated, increasing SSH log level did not produce any meaningful logging. =============== Configuration Excerpt ================================================================ /etc/security/ldap/ldap.cfg: ldapservers:ipaserver.example.org binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org bindpwd:{DESv2}<redacted> authtype:ldap_auth useSSL:TLS ldapsslkeyf:/etc/security/ldap/example.kdb ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 932F219867AA7C2C552A12BEEC0CC67 useKRB5:yes krbprincipal:host/aixlpar.example.org<http://example.org> krbkeypath:/etc/krb5/krb5.keytab userattrmappath:/etc/security/ldap/2307user.map groupattrmappath:/etc/security/ldap/2307group.map userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org automountbasedn:cn=default,cn=automount,dc=example,dc=org etherbasedn:cn=computers,cn=accounts,dc=example,dc=org userclasses:posixaccount,account,shadowaccount groupclasses:posixgroup ldapport:389 searchmode:ALL defaultentrylocation:LDAP /etc/security/user default: SYSTEM = KRB5LDAP or compat I am using the following settings in in /etc/security/user: SYSTEM = KRB5LDAP registry = KRB5LDAP it works for AIX5,6 and 7 in my setup. /etc/methods.cfg LDAP: program = /usr/lib/security/LDAP program_64 =/usr/lib/security/LDAP64 NIS: program = /usr/lib/security/NIS program_64 = /usr/lib/security/NIS_64 DCE: program = /usr/lib/security/DCE KRB5: program = /usr/lib/security/KRB5 program_64 = /usr/lib/security/KRB5_64 options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no KRB5LDAP: options = auth=KRB5,db=LDAP Met vriendelijke groet, Wouter Hummelink Technical Consultant - Enterprise Webhosting / Tooling & Automation T: +31-6-12882447 E: wouter.hummel...@kpn.com -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project