Trouble with Kerberos/LDAP and AIX 6.1 | Unix Linux Forums | AIX

Tags: aix, kerberos, krb5aldap, ldap, solved

#1  01-21-2013, jgeiger (Registered User, Nebraska)
[Solved] Trouble with Kerberos/LDAP and AIX 6.1

The KRB5ALDAP compound load module is giving me fits. Everything looks like it should be working, but no.

Goal: Integrate AIX host with Active Directory using a KRB5ALDAP compound load module so that users can be created in AD and used in AIX, with unix attributes (registry values) being pulled from AD. Eliminate the need to manage user accounts on a per-server basis.

Issue: User attributes are visible with lsuser and returned with ldapsearch. Kerberos authentication shows successful at the domain controller, but a "permission denied" or "invalid login or password" message is displayed. Files can be chown-ed to the user accounts, but SU fails.

I attached a doc with the pertinent configs and troubleshooting steps. Since making that doc, I have also chased the enctype (switched to solely RC4) and the KVNO (tried 2, 3, 4). But no love.

Any help would be greatly appreciated.
Attached file: AIX_KRB5ALDAP.txt (12.2 KB)
#2  01-21-2013, Neo (Forum Staff, Administrator)
Looks like you have a lot of fundamental setup problems not directly related to AD or LDAP or Kerb... for example:


Code:
# su - aixtest2
3004-503 Cannot set process credentials.

# tail -2 /var/log/syslog.log
Jan 17 15:32:07 9111-52A auth|security:info sshd[6095100]: Connection closed by 10.0.0.6 [preauth]
Jan 17 15:34:31 9111-52A auth|security:crit su: BAD SU from root to aixtest2 at /dev/pts/1

# telnet 9111-52A
Trying...
Connected to 9111-52A.TESTDOMAIN.LOCAL.

AIX Version 6
Copyright IBM Corporation, 1982, 2012.
login: aixtest2
aixtest2's Password:
3004-007 You entered an invalid login name or password.

You are going to have to get the basics set up and working before focusing on the application layer protocols, it appears from here.
#3  01-21-2013, jgeiger (Registered User, Nebraska)
Got it!

2 small things:

1: The primary group of the AD user needed to be a group defined in AD.
(This fixed the su issue.)

2: Changed methods.cfg, added tgt_verify=no to the options.

Code:
KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no

Moderator's Comments:
edit by bakunin: changed thread title accordingly. Thank you for writing a follow-up.

Last edited by bakunin; 01-22-2013 at 10:43 AM.
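Editor's note on the fix in #3, with an added audit script that is not part of the thread. Item 2 deserves a caveat: `tgt_verify=no` tells the KRB5A module to accept the TGT the KDC returns without checking it against the host's own key in the local keytab. As I understand the AIX KRB5A options, `tgt_verify=yes` is the default and is what stops a host from being logged into by anyone who can answer as the KDC on the network (a spoofed KDC can mint a TGT for any principal; only the host key check catches it). When verification fails, the thing to fix is the host principal's key in the keytab (matching KVNO and enctype), not to switch verification off. The script below, written for POSIX sh with awk so it runs on AIX as well as Linux, reads a methods.cfg-style file on stdin and flags any stanza with `tgt_verify=no`, and reads ldapsearch-style LDIF to flag users whose `gidNumber` maps to no AD group, which is my reading of item 1. The stanza layout follows the post; the LDAP/KRB5ALDAP stanzas, the hardened variant and the LDIF entries are constructed for the demo and are assumptions, not the poster's data.

```shell
#!/bin/sh
# Added audit helper, not from the thread. It re-checks the two things the fix in
# post #3 touched: (1) a KRB5A stanza in methods.cfg that sets tgt_verify=no, which
# skips verifying the TGT against the host key in the local keytab, so a spoofed
# KDC could log anyone in; (2) AD users whose gidNumber matches no AD group, the
# "primary group" problem that broke su. All config and LDIF below is constructed.

# Reads a methods.cfg-style file on stdin, prints "<stanza> tgt_verify=no" for each
# stanza whose options line disables TGT verification, and returns 1 if any did.
audit_tgt_verify() {
    awk '
        BEGIN { bad = 0 }
        # a stanza header is a name followed by a colon at the start of a line
        /^[A-Za-z0-9_]+:[ \t]*$/ { sub(/:.*$/, ""); stanza = $0; next }
        /^[ \t]*options[ \t]*=/ {
            line = $0
            sub(/^[ \t]*options[ \t]*=[ \t]*/, "", line)   # keep only the value list
            n = split(line, opt, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", opt[i])
                if (opt[i] == "tgt_verify=no") { print stanza, "tgt_verify=no"; bad = 1 }
            }
        }
        END { exit bad }
    '
}

# Reads LDIF (as from ldapsearch) on stdin. Users are entries carrying uidNumber,
# groups are entries with "objectClass: group". Prints each user whose gidNumber
# is missing or matches no group entry, and returns 1 if any were found.
check_primary_groups() {
    awk '
        BEGIN { RS = ""; FS = "\n"; bad = 0 }      # one LDIF entry per record
        {
            name = ""; gid = ""; isuser = 0; isgroup = 0
            for (i = 1; i <= NF; i++) {
                split($i, kv, ": ")
                if (kv[1] == "sAMAccountName")  name = kv[2]
                else if (kv[1] == "gidNumber")  gid = kv[2]
                else if (kv[1] == "uidNumber")  isuser = 1
                else if (kv[1] == "objectClass" && kv[2] == "group") isgroup = 1
            }
            if (isgroup && gid != "") groups[gid] = name
            else if (isuser)          users[name] = gid
        }
        END {
            for (u in users) {
                if (users[u] == "")            { print u ": no gidNumber"; bad = 1 }
                else if (!(users[u] in groups)) {
                    print u ": gidNumber " users[u] " matches no AD group"; bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed: the KRB5A stanza from post #3 plus LDAP and compound stanzas laid
# out the standard AIX way (assumed, not copied from the poster's file).
WEAK_METHODS_CFG='KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

KRB5ALDAP:
        options = auth=KRB5A,db=LDAP'

# Same file with verification left on; this needs the host key in the keytab.
HARDENED_METHODS_CFG=$(printf '%s\n' "$WEAK_METHODS_CFG" | sed 's/tgt_verify=no/tgt_verify=yes/')

# Constructed ldapsearch-style output: aixtest2 maps to an AD group, aixtest3
# carries a gidNumber that exists nowhere in AD (e.g. only in a local /etc/group).
AD_LDIF='dn: CN=aixtest2,CN=Users,DC=TESTDOMAIN,DC=LOCAL
objectClass: user
sAMAccountName: aixtest2
uidNumber: 10002
gidNumber: 10000

dn: CN=aixtest3,CN=Users,DC=TESTDOMAIN,DC=LOCAL
objectClass: user
sAMAccountName: aixtest3
uidNumber: 10003
gidNumber: 20000

dn: CN=aixusers,CN=Users,DC=TESTDOMAIN,DC=LOCAL
objectClass: group
sAMAccountName: aixusers
gidNumber: 10000'

echo "== weak methods.cfg (the thread's workaround) =="
printf '%s\n' "$WEAK_METHODS_CFG" | audit_tgt_verify \
    || echo "-> TGT is not checked against the host keytab; a spoofed KDC could log anyone in"
echo "== hardened methods.cfg =="
printf '%s\n' "$HARDENED_METHODS_CFG" | audit_tgt_verify && echo "-> ok"
echo "== AD primary groups =="
printf '%s\n' "$AD_LDIF" | check_primary_groups \
    || echo "-> these users hit the su failure the thread describes until gidNumber is an AD group"
```

On a real host, run `audit_tgt_verify < /usr/lib/security/methods.cfg` and pipe the output of an `ldapsearch` over the user and group containers into `check_primary_groups`; both return non-zero on findings so they can sit in a compliance job.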