On Fri, May 12, 2017 at 4:03 PM, <wouter.hummel...@kpn.com> wrote:

> Yes, kinit works with IPA users. GSSAPI authentication is not keeping it
> simple, since we want passwords to work before trying TGS based logins over
> GSSAPI.
>
> The keytab works since lsuser is still able to get user data.
> (Documentation specifies that enabling krb5 in ldap.cfg makes the bind user
> and password moot, secldapclntd uses krb5 to identify itself to IPA)
>
> Also we are able to kinit host/aixlpar.example....@example.org -kt
> /etc/krb5/krb5.keytab

If your kerberos client works (and it looks like it works as long as you can
properly kinit) the only option you have is to check the /var/log/krb5kdc.log
on the IPA and /var/log/messages or whatever you have configured in syslog for
auth. on the AIX client.
> We can try using su from an unprivileged user, but su has some different
> issues altogether, it doesn't like @ in usernames which we need at the next
> stage (integrating AD Trust)
>
> *From:* Iulian Roman [mailto:iulian.ro...@gmail.com]
> *Sent:* Friday, 12 May 2017 15:56
> *To:* Hummelink, Wouter
> *Cc:* luiz.via...@tivit.com.br; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
>
> On Fri, May 12, 2017 at 3:31 PM, <wouter.hummel...@kpn.com> wrote:
>
> The shell is shown correctly as ksh in lsuser, so that doesn't appear to be
> an issue for the ID view.
>
> My advice would be to start simple, prove that your authentication works
> and you can develop a more elaborate setup afterwards. If you combine them
> all together it will be a trial and error which eventually will work at
> some point.
>
> Do you have the correct keytabs in /etc/krb5/krb5.keytab? Can you run
> kinit (with password and with the keytab) from AIX and get a ticket from
> Kerberos? Can you su to an IPA account? Do you have GSSAPIAuthentication
> enabled in sshd_config?
>
> From what you've described I would suspect that your keytab is not correct,
> but that should be confirmed only by answering the questions above.
>
> Sent from my Samsung device
>
> -------- Original message --------
> From: Luiz Fernando Vianna da Silva <luiz.via...@tivit.com.br>
> Date: 12-05-17 15:03 (GMT+01:00)
> To: "Hummelink, Wouter" <wouter.hummel...@kpn.com>, freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
>
> Hello Wouter.
>
> It may seem silly, but try installing bash on one AIX server and test
> authenticating against that one.
>
> It's a single rpm with no dependencies. For me it did the trick and I ended
> up doing that on all my AIX servers.
>
> Let me know how it goes or if you have any issues.
>
> Best Regards
>
> *__________________________________________*
>
> *Luiz Fernando Vianna da Silva*
>
> On 12-05-2017 09:47, wouter.hummel...@kpn.com wrote:
>
> Hi All,
>
> We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound
> module.
>
> All the moving parts seem to be working on their own, however logging in
> doesn't work with SSH on AIX reporting Failed password for user <xxx>
>
> We're using ID views to overwrite the user shell and home dirs. (Since AIX
> will refuse a login with a nonexisting shell (like bash))
>
> AIX's lsuser command is able to find all of the users it's supposed to and
> su to IPA users works.
>
> Also when a user tries to log in I can see a successful Kerberos
> conversation to our IPA server.
>
> Tips for troubleshooting would be much appreciated, increasing SSH log
> level did not produce any meaningful logging.
>
> =============== Configuration Excerpt ===============
>
> /etc/security/ldap/ldap.cfg:
>
> ldapservers:ipaserver.example.org
> binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
> bindpwd:{DESv2}<redacted>
> authtype:ldap_auth
> useSSL:TLS
> ldapsslkeyf:/etc/security/ldap/example.kdb
> ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 932F219867AA7C2C552A12BEEC0CC67
> useKRB5:yes
> krbprincipal:host/aixlpar.example.org
> krbkeypath:/etc/krb5/krb5.keytab
> userattrmappath:/etc/security/ldap/2307user.map
> groupattrmappath:/etc/security/ldap/2307group.map
> userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
> groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
> netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
> automountbasedn:cn=default,cn=automount,dc=example,dc=org
> etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
> userclasses:posixaccount,account,shadowaccount
> groupclasses:posixgroup
> ldapport:389
> searchmode:ALL
> defaultentrylocation:LDAP
>
> /etc/security/user default:
>
> SYSTEM = KRB5LDAP or compat
>
> */etc/methods.cfg*
>
> LDAP:
>         program = /usr/lib/security/LDAP
>         program_64 = /usr/lib/security/LDAP64
>
> NIS:
>         program = /usr/lib/security/NIS
>         program_64 = /usr/lib/security/NIS_64
>
> DCE:
>         program = /usr/lib/security/DCE
>
> KRB5:
>         program = /usr/lib/security/KRB5
>         program_64 = /usr/lib/security/KRB5_64
>         options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
>
> KRB5LDAP:
>         options = auth=KRB5,db=LDAP
>
> Kind regards,
>
> Wouter Hummelink
>
> Technical Consultant - Enterprise Webhosting / Tooling & Automation
>
> T: +31-6-12882447
>
> E: wouter.hummel...@kpn.com
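The advice in the reply above is to read /var/log/krb5kdc.log on the IPA server. What follows is an added example, not code from this thread, from FreeIPA or from AIX, of how I would triage that log for a case like Wouter's: it parses the request lines the MIT KDC writes (FreeIPA runs the MIT KDC), groups them by client principal and source address, and reports whether each login attempt failed at the AS exchange (PREAUTH_FAILED, CLIENT_NOT_FOUND, ...), obtained a TGT only, or also obtained a service ticket for the AIX host principal. That last distinction matters for the posted methods.cfg: as I understand tgt_verify=yes, the AIX KRB5 module validates a freshly obtained TGT by requesting a ticket for the host's own principal and checking it against /etc/krb5/krb5.keytab, so a user TGT with no matching TGS_REQ for host/aixlpar.example.org is a hint that the verification step rather than the password is what fails (check that reading of the option against the AIX documentation). The realm EXAMPLE.ORG, the addresses, the principals and every log line below are constructed for this example, and the line shape is my recollection of the MIT format, so adjust the regex if your KDC logs differently.

```python
import re
from collections import defaultdict

# Shape of the request lines MIT krb5kdc writes to krb5kdc.log, as I know it:
#   <syslog ts> <host> krb5kdc[<pid>](info): <AS_REQ|TGS_REQ> (<etypes>) <ip>: <STATUS>:
#       [authtime <n>, [etypes {...}, ]]<client> for <server>[, <message>]
# Lines of any other shape (e.g. "closing down fd 12") are ignored.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.a-fA-F:]+): "
    r"(?P<status>[A-Z_]+): "
    r"(?:authtime \d+, (?:etypes \{[^}]*\}, )?\s*)?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)"
    r"(?:, (?P<msg>.*))?$"
)

# Constructed sample, not a real capture: realm, host, addresses and principals are invented.
# alice: full login; bob: TGT but never a host ticket; carol: bad password;
# dave: unknown principal; eve: TGT issued but the host principal lookup fails.
SAMPLE_LOG = """\
May 12 15:40:01 ipaserver.example.org krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.1.7: NEEDED_PREAUTH: alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
May 12 15:40:01 ipaserver.example.org krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.1.7: ISSUE: authtime 1494596401, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
May 12 15:40:01 ipaserver.example.org krb5kdc[2211](info): TGS_REQ (4 etypes {18 17 16 23}) 10.10.1.7: ISSUE: authtime 1494596401, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.ORG for host/aixlpar.example.org@EXAMPLE.ORG
May 12 15:41:10 ipaserver.example.org krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.1.7: NEEDED_PREAUTH: bob@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
May 12 15:41:10 ipaserver.example.org krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.1.7: ISSUE: authtime 1494596470, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
May 12 15:42:30 ipaserver.example.org krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.1.7: NEEDED_PREAUTH: carol@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
May 12 15:42:31 ipaserver.example.org krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.1.7: PREAUTH_FAILED: carol@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
May 12 15:43:00 ipaserver.example.org krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.1.7: CLIENT_NOT_FOUND: dave@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Client not found in Kerberos database
May 12 15:44:12 ipaserver.example.org krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.1.7: NEEDED_PREAUTH: eve@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
May 12 15:44:12 ipaserver.example.org krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.1.7: ISSUE: authtime 1494596652, etypes {rep=18 tkt=18 ses=18}, eve@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
May 12 15:44:12 ipaserver.example.org krb5kdc[2211](info): TGS_REQ (4 etypes {18 17 16 23}) 10.10.1.7: SERVER_NOT_FOUND: authtime 0, eve@EXAMPLE.ORG for host/aixlpar.example.org@EXAMPLE.ORG, Server not found in Kerberos database
May 12 15:43:05 ipaserver.example.org krb5kdc[2211](info): closing down fd 12
"""


def parse_kdc_log(lines):
    """Return one dict per AS_REQ/TGS_REQ line; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = KDC_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def login_verdicts(events, host_principal):
    """Classify each (client principal, source ip) seen in the events.

    verified   - TGT issued and a service ticket for host_principal issued
                 (what a completed tgt_verify=yes login should leave behind)
    tgt_only   - TGT issued, but no ticket for host_principal was ever issued
    tgt_failed - no TGT: every AS_REQ ended in a status other than ISSUE/NEEDED_PREAUTH
    Also returns per-client detail with the failure statuses and KDC messages.
    """
    detail = defaultdict(lambda: {"tgt": False, "host_ticket": False, "failures": []})
    for e in events:
        rec = detail[(e["client"], e["ip"])]
        if e["req"] == "AS_REQ":
            if e["status"] == "ISSUE":
                rec["tgt"] = True
            elif e["status"] != "NEEDED_PREAUTH":  # NEEDED_PREAUTH is the normal first round trip
                rec["failures"].append((e["ts"], e["status"], e["msg"] or ""))
        elif e["server"] == host_principal:  # TGS_REQ for the AIX host's own principal
            if e["status"] == "ISSUE":
                rec["host_ticket"] = True
            else:
                rec["failures"].append((e["ts"], e["status"], e["msg"] or ""))
    verdicts = {}
    for key, rec in detail.items():
        if rec["host_ticket"]:
            verdicts[key] = "verified"
        elif rec["tgt"]:
            verdicts[key] = "tgt_only"
        else:
            verdicts[key] = "tgt_failed"
    return verdicts, dict(detail)


def report(log_text, host_principal):
    """Human-readable triage of a krb5kdc.log excerpt against one AIX host principal."""
    verdicts, detail = login_verdicts(parse_kdc_log(log_text.splitlines()), host_principal)
    out = []
    for (client, ip), verdict in sorted(verdicts.items()):
        line = f"{client} from {ip}: {verdict}"
        for ts, status, msg in detail[(client, ip)]["failures"]:
            line += f"\n    {ts} {status}: {msg}"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, "host/aixlpar.example.org@EXAMPLE.ORG"))
```

Run it against a real excerpt with `report(open("/var/log/krb5kdc.log").read(), "host/<your-lpar-fqdn>@<REALM>")`. A "tgt_only" verdict for the user who just saw "Failed password" on AIX is the case to chase: the password was accepted by the KDC, so the next thing to compare is the host principal and key version in /etc/krb5/krb5.keytab against what the KDC holds.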
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project