On Thu, 11 Jun 2015, Bobby Prins wrote:
On Apr 7, 2015, at 13:41, Bobby Prins <[email protected]> wrote:
On Apr 3, 2015, at 14:40, Bobby Prins <[email protected]> wrote:
----- Original message -----
From: "Alexander Bokovoy" <[email protected]>
To: "Bobby Prins" <[email protected]>
Cc: [email protected], [email protected]
Sent: Friday, 3 April 2015 14:26:17
Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
On Fri, 03 Apr 2015, Bobby Prins wrote:
----- Original message -----
From: "Alexander Bokovoy" <[email protected]>
To: "Bobby Prins" <[email protected]>
Cc: [email protected], [email protected]
Sent: Friday, 3 April 2015 12:45:07
Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
On Fri, 03 Apr 2015, Bobby Prins wrote:
access:
[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins@example.com))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
Above there are two lookups:
- successful lookup for user bprins@example.com
- unsuccessful lookup for user bprins
What is causing to perform a lookup without @example.com? Compat tree
presents AD users fully qualified, it is the only way it knows to
trigger lookup via SSSD on IPA master for these users (because non-fully
qualified users are in IPA LDAP tree already and copied to compat tree
automatically).
This seems to be (standard?) behaviour of the AIX LDAP client. Did some
more tests with different accounts and always see the two lookups. I
doubt whether I can influence that.
No, this is not standard -- I haven't seen such behavior when testing
FreeIPA with AIX last autumn.
--
/ Alexander Bokovoy
OK, with the idsldap client software and an AD trust configured? This is on
AIX7.1. I'm spinning up an AIX5.3 machine now for another test. Might try
AIX6.1 as well. What works is creating the user object in freeIPA so the lookup
succeeds. After that I can authenticate successfully against AD. Not the
solution I'm looking for though.
Did some tests with AIX5.3 and then I don’t run into any issues. There is no
lookup to be seen after entering my username on AIX5.3 (as there was on
AIX7.1), only the authentication request which succeeds. Will test AIX6.1 later
on.
AIX6.1 also worked without any problems. In the end my methods.cfg was causing
the problems on AIX7.1. After deleting these lines authentication worked:
KRB5:
program = /usr/lib/security/KRB5
program_64 = /usr/lib/security/KRB5_64
options = authonly,kadmind=no
KRB5LDAP:
options = auth=KRB5,db=LDAP
So my methods.cfg now looks like this:
LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64
NIS:
program = /usr/lib/security/NIS
program_64 = /usr/lib/security/NIS_64
DCE:
program = /usr/lib/security/DCE
I was not expecting this since I was not using KRB5 or KRB5LDAP in
/etc/security/user. Well, I’m glad I got this sorted out now :)
Great. Could you please write your configurations up somewhere so that
we can have an article on freeipa.org detailing the configs for future
users?
--
/ Alexander Bokovoy
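As an added illustration of the two-lookup pattern Alexander points out in the access log above (this is editor-supplied example code, not something posted in the thread or shipped by FreeIPA): a small parser for 389-ds access log lines that pairs each SRCH with its RESULT and reports connections that first resolve user@domain in the compat tree and then search the bare local part and get nothing back. The sample log is constructed from the quoted excerpt with the mail-wrapped lines rejoined; the fully qualified uid bprins@example.com is an assumption drawn from the "without @example.com" remark, not a value copied from a real server.

```python
import re

# Constructed sample, modelled on the 389-ds access log excerpt quoted in the
# thread (mail-wrapped continuation lines joined back onto one line). The
# fully qualified uid is ASSUMED to be bprins@example.com, as implied by the
# thread's "without @example.com" remark; it is not taken from a real server.
SAMPLE_LOG = """\
[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins@example.com))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
"""

SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=\d+ filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) '
    r'tag=\d+ nentries=(?P<nentries>\d+)')
UID_RE = re.compile(r'\(uid=([^)]+)\)', re.IGNORECASE)


def parse_access_log(text):
    """Pair every SRCH with the RESULT carrying the same conn/op and return
    one dict per search: conn, op, base, uid (taken from the filter), err and
    nentries (both None if the RESULT line never showed up)."""
    searches = {}  # (conn, op) -> search record; insertion order is kept
    for line in text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            uid = UID_RE.search(m.group("filter"))
            searches[(m.group("conn"), m.group("op"))] = {
                "conn": m.group("conn"),
                "op": m.group("op"),
                "base": m.group("base"),
                "uid": uid.group(1) if uid else None,
                "err": None,
                "nentries": None,
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (m.group("conn"), m.group("op"))
            if key in searches:  # RESULTs of BINDs and other ops are ignored
                searches[key]["err"] = int(m.group("err"))
                searches[key]["nentries"] = int(m.group("nentries"))
    return list(searches.values())


def double_lookups(text):
    """Return (conn, qualified_uid) for every connection that first found
    user@domain in the directory and then searched the bare local part and
    got nentries=0: the two-lookup pattern discussed in the thread."""
    by_conn = {}
    for s in parse_access_log(text):
        by_conn.setdefault(s["conn"], []).append(s)
    found = []
    for conn, searches in by_conn.items():
        # local part -> qualified uid, for qualified searches that matched
        hits = {s["uid"].split("@", 1)[0]: s["uid"]
                for s in searches
                if s["uid"] and "@" in s["uid"] and (s["nentries"] or 0) > 0}
        for s in searches:
            if (s["uid"] and "@" not in s["uid"] and s["nentries"] == 0
                    and s["uid"] in hits):
                found.append((conn, hits[s["uid"]]))
    return found


if __name__ == "__main__":
    for conn, uid in double_lookups(SAMPLE_LOG):
        print(f"conn={conn}: qualified lookup for {uid} succeeded, "
              f"bare-uid lookup returned 0 entries")
```

Run against a real access log, a non-empty result from double_lookups points at clients that strip the realm before retrying, which is the behaviour the thread eventually traces to the KRB5/KRB5LDAP stanzas in methods.cfg on AIX 7.1 rather than to anything on the IPA side.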