2 replies Latest Post - ‏2013-03-07T04:19:57Z by SystemAdmin
SystemAdmin

Pinned topic KRB5ALDAP Module won't allow login or su, all other facets seem functional

2013-01-17T22:01:25Z
Goal:
Integrate AIX host with Active Directory using a KRB5ALDAP compound load module so that users can be created in AD and used in AIX, with unix attributes (registry values) being pulled from AD. Eliminate the need to manage user accounts on a per-server basis.

Issue:
User attributes are visible with lsuser and returned with ldapsearch. Kerberos authentication shows successful at the domain controller, but a "permission denied" or "invalid login or password" message is displayed when trying to log in. Files can be chown-ed to the user accounts, but su fails.

I have attached a detailed listing of the configs, test commands, and output.

Any and all help or pointers are greatly appreciated.
Updated on 2013-03-07T04:19:57Z by SystemAdmin
  • SystemAdmin

    Re: KRB5ALDAP Module won't allow login or su, all other facets seem functional

    2013-01-21T21:28:04Z in response to SystemAdmin
    Got it!

    2 small things:

    1: The primary group of the AD user needed to be a group defined in AD.
    (This fixed the su issue.)

    2: Changed methods.cfg, added tgt_verify=no to the options.

    KRB5A:
            program = /usr/lib/security/KRB5A
            program_64 = /usr/lib/security/KRB5A_64
            options = authonly,is_kadmind_compat=no,tgt_verify=no
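
    An added example, not part of this thread or of any IBM tooling: a small POSIX shell/awk reader for the AIX stanza format used by /usr/lib/security/methods.cfg, so the options of a load module stanza can be audited from a script rather than by eye. The sample file below is constructed for the example; the KRB5ALDAP stanza in it uses the documented compound-module form `options = auth=KRB5A,db=LDAP`. The `tgt_verify_state` check is included because `tgt_verify=no` tells KRB5A to skip verifying the obtained TGT against the host's own keytab entry (the default is yes), so a reviewer will usually want to know which hosts have that switched off.

    ```shell
    #!/bin/sh
    # Added example (not from the forum post): read an AIX stanza-format file such as
    # /usr/lib/security/methods.cfg, return the value of one key in one stanza, and
    # report whether the Kerberos module has tgt_verify turned off.

    # Print the value of KEY in stanza NAME from stanza-format FILE.
    # Stanza headers are lines like "KRB5A:"; body lines are indented "key = value".
    # Usage: stanza_value FILE NAME KEY
    stanza_value() {
        awk -v want="$2" -v key="$3" '
            /^[A-Za-z0-9_]+:/ { cur = $0; sub(/:.*/, "", cur); next }   # new stanza
            cur == want {
                line = $0
                sub(/^[[:space:]]+/, "", line)               # drop indentation
                if (index(line, "=") == 0) next               # blank or comment line
                k = line; sub(/[[:space:]]*=.*/, "", k)       # text before first "="
                v = line; sub(/^[^=]*=[[:space:]]*/, "", v)   # text after first "="
                if (k == key) { print v; exit }
            }
        ' "$1"
    }

    # Print "no" if stanza NAME in FILE carries tgt_verify=no in its options list,
    # otherwise "yes" (the documented default when the option is absent).
    # Usage: tgt_verify_state FILE NAME
    tgt_verify_state() {
        opts=$(stanza_value "$1" "$2" options)
        case ",$opts," in
            *,tgt_verify=no,*) echo no ;;
            *)                 echo yes ;;
        esac
    }

    # Constructed sample methods.cfg, written to a temp file so the example runs offline.
    SAMPLE=$(mktemp)
    trap 'rm -f "$SAMPLE"' EXIT
    cat > "$SAMPLE" <<'EOF'
    KRB5A:
            program = /usr/lib/security/KRB5A
            program_64 = /usr/lib/security/KRB5A_64
            options = authonly,is_kadmind_compat=no,tgt_verify=no

    LDAP:
            program = /usr/lib/security/LDAP
            program_64 = /usr/lib/security/LDAP64

    KRB5ALDAP:
            options = auth=KRB5A,db=LDAP
    EOF

    # Example run against the constructed file.
    echo "KRB5ALDAP options: $(stanza_value "$SAMPLE" KRB5ALDAP options)"
    echo "KRB5A tgt_verify:  $(tgt_verify_state "$SAMPLE" KRB5A)"
    ```

    Point the functions at the real /usr/lib/security/methods.cfg (instead of `$SAMPLE`) to inventory which hosts run with TGT verification disabled; hosts that have a host principal and keytab available can keep the default.
    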
    • SystemAdmin

      Re: KRB5ALDAP Module won't allow login or su, all other facets seem functional

      2013-03-07T04:19:57Z in response to SystemAdmin
      I've been deploying this in production for a while now and I made a cheat sheet in case someone stumbles across it.

      https://gist.github.com/jeffgeiger/4997611