The KRB5ALDAP compound load module is giving me fits. Everything looks like it should be working, but no.
Goal: Integrate AIX host with Active Directory using a KRB5ALDAP compound load module so that users can be created in AD and used in AIX, with unix attributes (registry values) being pulled from AD. Eliminate the need to manage user accounts on a per-server basis.
Issue: User attributes are visible with lsuser and returned with ldapsearch. Kerberos authentication shows successful at the domain controller, but a "permission denied" or "invalid login or password" message is displayed. Files can be chown-ed to the user accounts, but SU fails.
I attached a doc with the pertinent configs and troubleshooting steps. Since making that doc, I have also chased the enctype (switched to solely RC4) and the KVNO (tried 2, 3, 4). But no love.
I am getting the following error message when trying to login to the client:
while verifying tgt
If I move the /etc/krb5.keytab out of /etc, it works fine. This is HP-UX v23
Does anyone have any ideas? (1 Reply)
I'm having troubles setting up a client(with Ubuntu 8.10) for a ldap+samba server. I can't authenticate through the client with gdm, the messages I have in /etc/auth.log at the client is
Dec 4 14:21:56 myuser-mydesktop gdm: nss_ldap: failed to bind to LDAP server ldap://192.168.0.1: Invalid... (5 Replies)
Good day
I am trying to configure Kerberos and LDAP authentication on AIX 5.3 with Windows 2003 R2 but something is not quite right.
When I ran kinit username I get a ticket and I can display it using klist.
When the user login I can see the ticket request on Windows 2003, but the user... (1 Reply)
Hello, I asked this question in the AIX subforum but never received an answer, probably because the AIX forum is not that heavily trafficked. Anyway, here it is..
I have never had any issues like this when compiling applications from source. When I try to compile samba-3.5.0pre2, configure runs... (9 Replies)
Hi, FYI, I'm new in Solaris
I'm trying to use Kerberos on authenticating LDAP Client with the Active Directory on Windows Server 2003 on both Solaris 10 5/08 and Solaris 10 9/10 by referring to the pdf file kerberos_s10.pdf available at sun official site.
... (0 Replies)
I've configured an AIX 5.3 client to use our Windows AD for user authentication via Kerberos.
When I try to ssh to the server using the AD credentials, I eventually get access but not after getting prompted for a password 3 times (which doesn't work) followed by an accepted login on the 4th... (3 Replies)
I have been able to configure on an AIX 5.2 ldap.cfg so service starts correctly.
but when I try to log on with a windows user after entering the password login hangs and get no response.
I have set it up on Aix 5.3 with no problem but in Aix 5.2 I have not been able to log in.
ldap.cfg... (1 Reply)
Hi all,
I have installed samba 3.6.22 on AIX 7.1 and join a windows AD with success.
All seem to work fine, I have configured smb.conf, methods.cfg, kerberos, user .... the following command work fine wbinfo -u, wbinfo -g, wbinfo -i, wbinfo -s, wbinfo -S, lsuser, id...
The unique... (20 Replies)
Has anyone attempted to define GPO / HBAC policies in Windows Server 2012 that could be respected by Kerberos/LDAP on AIX?
I'm looking to associate servers to groups so that when a user part of a group tries to login to a host not associated with that group, it would be denied. This would allow... (3 Replies)
Discussion started by: Devyn
3 Replies
LEARN ABOUT HPUX
userstat
userstat(1M)userstat(1M)NAME
userstat - check status of local user accounts
SYNOPSIS
[parm]...
[parm]...
DESCRIPTION
checks the status of local user accounts and reports abnormal conditions, such as account locks.
If any parm arguments are specified, abnormal status is displayed only for those parameters, otherwise abnormal status is displayed for all
parameters. The section describes the various parameter values that can be used for parm.
Each account with an abnormal status is displayed on a single line. Each line contains the username followed by one or more parameters,
indicating what abnormal conditions exist for the account. The section describes the various parameters that can be displayed.
Options
The following options are recognized:
Display the status of all users listed in
(Quiet) Do not print anything to standard output.
This can be used when interested only in the return value.
Check the status of only the specified user
name. The user must be a local user listed in
Parameters
The parameters that could be displayed to indicate abnormal account status, or that could be used with the option, include the following:
is displayed if an administrator lock is present on the account. This lock indicates that the encrypted password in or begins with An
administrator lock can be set, for example, with
is displayed if the account is locked because the account expiration
date has been reached. days is the number of days that the account has been expired. See the description of the expiration field
in shadow(4).
is displayed if the account's password has expired.
days is the number of days that the password has been expired. days is displayed only if its value can be determined.
is displayed if the account is locked because there have been no logins
to the account for a time interval that exceeds the maximum allowed. days is the number of days that the account has been inactive.
See the description of the attribute in security(4).
is displayed if the account is locked because the number of
consecutive authentication failures exceeded the maximum allowed. num is the number of consecutive authentication failures. See
the description of the attribute in security(4).
is displayed if the account is locked because the account has
a null password and is not allowed to have a null password. See the description of the attribute in security(4).
is displayed if the account has a time-of-day login restriction.
times defines the time periods that the user may login. See the description of the attribute in security(4).
Security Restrictions
Users invoking this command must have the authorization. See authadm(1M).
is not supported for trusted systems.
RETURN VALUE
exits with one of the following values:
did not find abnormal status
found abnormal status
invalid usage or user not found
EXAMPLES
The following example reports all abnormal status for all local accounts.
The following example shows that the account for user is not locked due to too many consecutive authentication failures.
FILES
standard password file
shadow password file
user database
SEE ALSO authadm(1M), passwd(4), security(4), shadow(4), userdb(4).
userstat(1M)