×
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Contact US

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

Trouble with Kerberos/LDAP and AIX 6.1

Trouble with Kerberos/LDAP and AIX 6.1

Trouble with Kerberos/LDAP and AIX 6.1

(OP)
The KRB5ALDAP compound load module is giving me fits. Everything looks like it should be working, but no.

Goal: Integrate AIX host with Active Directory using a KRB5ALDAP compound load module so that users can be created in AD and used in AIX, with unix attributes (registry values) being pulled from AD. Eliminate the need to manage user accounts on a per-server basis.

Issue: User attributes are visible with lsuser and returned with ldapsearch. Kerberos authentication shows successful at the domain controller, but a "permission denied" or "invalid login or password" message is displayed. Files can be chown-ed to the user accounts, but SU fails.

I attached a doc with the pertinent configs and troubleshooting steps. Since making that doc, I have also chased the enctype (switched to solely RC4) and the KVNO (tried 2, 3, 4). But no love.

RE: Trouble with Kerberos/LDAP and AIX 6.1

I see you are using LDAP as well. Kerberos + LDAP + AIX = 'hard nut to crack', its not that easy for the three to work together.

What I suggest is completely eliminate LDAP, meaning just use kerberos for Authentication and Authorization. See if you can get in to the system.

RE: Trouble with Kerberos/LDAP and AIX 6.1

(OP)
Got it!

2 small things:

1: The primary group of the AD user needed to be a group defined in AD.
(This fixed the su issue.)

2: Changed methods.cfg, added tgt_verify=no to the options.

CODE

KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no 

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close