> On Mar 24, 2015, at 18:42, Alexander Bokovoy <[email protected]> wrote:
>
> On Tue, 24 Mar 2015, Bobby Prins wrote:
>>>> The inability to log in is reported in about the same time as the number of
>>>> seconds you would find in the etime= field of the RESULT line.
>>>>
>>>> I checked the "Common AD provider issues" and "Troubleshooting
>>>> authentication, password change and access control" sections on the SSSD
>>>> Troubleshooting page. None of the issues reported there seem to be
>>>> applicable in my situation.
>>>>
>>>> PAM logging on AIX:
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> pam_start(login [email protected])
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> pam_set_item(1)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> pam_set_item(2)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> pam_set_item(5)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> pam_set_item(3)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> pam_set_item(4)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> pam_set_item(8)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> pam_authenticate()
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> load_modules: /usr/lib/security/pam_aix
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> load_function: successful load of pam_sm_authenticate
>>>> Mar 24 16:23:22 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> pam_set_item(6)
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> pam_authenticate: error Authentication failed
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> pam_set_item(6)
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> pam_acct_mgmt()
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> load_modules: /usr/lib/security/pam_aix
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> load_function: successful load of pam_sm_acct_mgmt
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM:
>>>> pam_acct_mgmt: error No account present for user
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_end():
>>>> status = Authentication failed
>>>> Mar 24 16:23:37 tst01 auth|security:info syslog: vty0: failed login
>>>> attempt for UNKNOWN_USER
>>>>
>>>> Doing a ldapsearch with [email protected] as bind user works without any
>>>> problems.
>>> According to the log above you get a failure from pam_aix, which should be
>>> expected if pam_aix doesn't think that the user in question is coming
>>> from LDAP.
>>>
>>> Can you show the output of
>>>
>>> lsuser -R LDAP [email protected]
>>> lsuser -a registry SYSTEM [email protected]
>>>
>>> The attributes 'registry' and 'SYSTEM' should be set to LDAP (or KRB5LDAP).
>>>
>>> Can you show how you configured the AIX client?
>>>
>>> --
>>> / Alexander Bokovoy
>>
>> lsuser -R LDAP [email protected]:
>> [email protected] id=211623277 [email protected]
>> [email protected] home=/home/example.corp/bprins shell=/bin/bash
>> gecos=Bobby Prins login=true su=true rlogin=true daemon=true admin=false
>> sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM
>> auth2=NONE umask=22 registry=LDAP SYSTEM=LDAP logintimes= loginretries=0
>> pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1
>> minalpha=0 minloweralpha=0 minupperalpha=0 minother=0 mindigit=0
>> minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0
>> pwdchecks= dictionlist= default_roles= fsize=8388604 cpu=-1 data=262144
>> stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
> I assume you have /bin/bash installed on AIX? This user has shell
> defined as /bin/bash and if it is missing, login or ssh will deny its
> access to the system.
Yes, bash is a valid shell on this machine and also in use by local and IPA
users.
>
>>
>> lsuser -a registry SYSTEM [email protected]:
>> [email protected] registry=LDAP SYSTEM=LDAP
>>
>> Contents of /etc/security/ldap/ldap.cfg:
>> ldapservers:idm01.unix.example.corp
>> authtype:ldap_auth
>> useSSL:no
>> userattrmappath:/etc/security/ldap/IPAuser.map
>> groupattrmappath:/etc/security/ldap/IPAgroup.map
>> userbasedn:cn=users,cn=compat,dc=unix,dc=example,dc=corp
>> groupbasedn:cn=groups,cn=compat,dc=unix,dc=example,dc=corp
>> userclasses:posixaccount
>> groupclasses:posixgroup
>> ldapport:389
>> searchmode:ALL
>> defaultentrylocation:LDAP
>> serverschematype:rfc2307
>>
>> Map file /etc/security/ldap/IPAuser.map:
>> #IPAuser.map file
>> keyobjectclass SEC_CHAR posixaccount s
>>
>> # The following attributes are required by AIX to be functional
>> username SEC_CHAR uid s
>> id SEC_INT uidnumber s
>> pgrp SEC_CHAR gidnumber s
>> home SEC_CHAR homedirectory s
>> shell SEC_CHAR loginshell s
>> gecos SEC_CHAR gecos s
>> spassword SEC_CHAR userpassword s
>> lastupdate SEC_INT shadowlastchange s
>>
>> Map file /etc/security/ldap/IPAgroup.map:
>> #IPAgroup.map file
>> groupname SEC_CHAR cn s
>> id SEC_INT gidNumber s
>> users SEC_LIST member m
>>
>> With the current setup, users created on the IPA server work, but AD users do not.
> The rest of the configuration looks fine. Given that the PAM debug output
> mentions pam_aix, can you show /etc/pam.conf and
> /etc/security/login.cfg? I suspect that you have auth_type=PAM_AUTH in
> /etc/security/login.cfg; that's why PAM authentication is in use, and
> pam_aix should theoretically pick up LDAP via the LAM mechanism.
> --
> / Alexander Bokovoy
Contents of pam.conf:
...
#
# Authentication
#
authexec auth required pam_aix
dtaction auth required pam_aix
dtsession auth required pam_aix
dtlogin auth required pam_aix
ftp auth required pam_aix
imap auth required pam_aix
login auth required pam_aix
rexec auth required pam_aix
rlogin auth sufficient pam_rhosts_auth
rlogin auth required pam_aix
rsh auth required pam_rhosts_auth
snapp auth required pam_aix
su auth sufficient pam_allowroot
su auth required pam_aix
swrole auth required pam_aix
telnet auth required pam_aix
xdm auth required pam_aix
sshd auth required pam_aix
OTHER auth required pam_prohibit
#
# Account Management
#
authexec account required pam_aix
dtlogin account required pam_aix
ftp account required pam_aix
login account required pam_aix
rexec account required pam_aix
rlogin account required pam_aix
rsh account required pam_aix
su account sufficient pam_allowroot
su account required pam_aix
swrole account required pam_aix
telnet account required pam_aix
xdm account required pam_aix
sshd account required pam_aix
OTHER account required pam_prohibit
#
# Password Management
#
authexec password required pam_aix
dtlogin password required pam_aix
login password required pam_aix
passwd password required pam_aix
rlogin password required pam_aix
su password required pam_aix
telnet password required pam_aix
xdm password required pam_aix
sshd password required pam_aix
OTHER password required pam_prohibit
#
# Session Management
#
dtlogin session required pam_aix
ftp session required pam_aix
imap session required pam_aix
login session required pam_aix
rexec session required pam_aix
rlogin session required pam_aix
rsh session required pam_aix
snapp session required pam_aix
su session required pam_aix
swrole session required pam_aix
telnet session required pam_aix
xdm session required pam_aix
sshd session required pam_aix
OTHER session required pam_prohibit
Contents of login.cfg:
…
usw:
shells =
/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd,/bin/bash
maxlogins = 32767
logintimeout = 60
maxroles = 8
auth_type = PAM_AUTH
So you were correct about using PAM_AUTH. I’m thinking about logging a support
case with IBM for this PAM behavior.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
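As an added example (not code from the thread, IBM or the FreeIPA project), a small POSIX shell/awk script that summarises AIX PAM debug lines like the ones quoted above: it rejoins lines wrapped after "PAM:", and for each pam_authenticate()/pam_acct_mgmt() phase reports the module loaded, the error returned and the seconds spent in the phase, so that delay can be compared with the etime= value of the directory server's RESULT line. The log lines and the user name in them are constructed sample data modelled on the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise an AIX PAM debug log so the
# failing phase, its module and the seconds spent can be matched against etime=.

# Constructed sample modelled on the thread (user name is a placeholder). Lines
# are wrapped after "PAM:" as the mailer wrapped them; the parser rejoins those.
PAM_SAMPLE_LOG='Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM:
pam_authenticate()
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM:
load_modules: /usr/lib/security/pam_aix
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM:
pam_authenticate: error Authentication failed
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM:
pam_acct_mgmt()
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM:
load_modules: /usr/lib/security/pam_aix
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM:
pam_acct_mgmt: error No account present for user'

# Reads PAM debug lines on stdin; prints "<phase> <module> <elapsed>s <error>"
# for every pam_authenticate / pam_acct_mgmt call that ended in an error.
pam_phase_summary() {
    awk '
    function secs(t,  p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    {
        if (held != "") { $0 = held " " $0; held = "" }   # rejoin a wrapped line
        i = index($0, "PAM: ")
        if (i == 0) { if ($0 ~ /PAM:$/) held = $0; next }
        msg = substr($0, i + 5)
        t = secs($3)                                      # syslog HH:MM:SS field
        if (msg ~ /^pam_(authenticate|acct_mgmt)\(\)$/) {
            phase = substr(msg, 1, length(msg) - 2); start = t; module = "?"
        } else if (msg ~ /^load_modules: /) {
            module = substr(msg, 15)
        } else if (msg ~ /^pam_(authenticate|acct_mgmt): error /) {
            sub(/^pam_[a-z_]*: error /, "", msg)
            printf "%s %s %ds %s\n", phase, module, t - start, msg
        }
    }'
}

# Runs the summary over the constructed sample.
pam_sample_report() {
    printf '%s\n' "$PAM_SAMPLE_LOG" | pam_phase_summary
}

pam_sample_report
```

On a real system, feed it the syslog file that receives auth.debug (as configured in /etc/syslog.conf) instead of the sample.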