Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
As far as I found out, it is not possible to integrate sudo rules from IPA into AIX. sudo on AIX does not support that. You will have to maintain /etc/sudoers by some other means.

That's where you are mistaken. It is possible to integrate sudo rules into AIX, I've done it and have documented it here: https://www.freeipa.org/page/SUDO_Integration_for_AIX

Give it a try, it's a fairly simple procedure.

P.S. IBM has recently pimped the AIX Toolbox RPMs and even implemented it as a YUM server. I haven't tried using these new RPMs yet to see if they work with sudo integration. If you want to keep it safe, use perzl RPMs as I describe in the documentation. If you want, and I would appreciate it if you would, give the new RPMs from Toolbox a go and if it works please update the documentation, or send me your notes and I'll update it.

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva

On 15-05-2017 02:53, Bjarne Blichfeldt wrote:

We have a working setup on three AIX servers and by comparing our config with yours, I see the following differences:

LDAP:

/etc/security/ldap/ldap.cfg:
userattrmappath:/etc/security/ldap/FreeIPAuser.map
groupattrmappath:/etc/security/ldap/FreeIPAgroup.map
userclasses:posixaccount

/etc/security/ldap/FreeIPAuser.map:
#FreeIPAuser.map file
# https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html
keyobjectclass SEC_CHAR posixaccount s
# The following attributes are required by AIX to be functional
username SEC_CHAR uid s
id SEC_INT uidnumber s
pgrp SEC_CHAR gidnumber s
home SEC_CHAR homedirectory s
shell SEC_CHAR loginshell s
gecos SEC_CHAR gecos s
spassword SEC_CHAR userpassword s
lastupdate SEC_INT shadowlastchange s

/etc/security/ldap/FreeIPAgroup.map:
#FreeIPAgroup.map file
# https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html
groupname SEC_CHAR cn s
id SEC_INT gidNumber s
users SEC_LIST member m

To test if the LDAP is working:
ls-secldapclntd
lsldap -a passwd
lsuser -R LDAP ALL

KERBEROS:

/etc/methods.cfg:
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes

Add Kerberos to authorized authentication entities and verify:
chauthent -k5 -std
#Verify
lsauthent
Kerberos 5
Standard Aix

To test:
lsuser -R KRB5LDAP

Configure AIX to create homedir during login:
/etc/security/login.cfg:
mkhomeatlogin = true

usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd
        maxlogins = 32767
        logintimeout = 30
        maxroles = 8
        auth_type = STD_AUTH
        mkhomeatlogin = true

Also remember: a user can be locked in AIX, so use smitty to unlock the user and reset login attempts.

As far as I found out, it is not possible to integrate sudo rules from IPA into AIX. sudo on AIX does not support that. You will have to maintain /etc/sudoers by some other means.

Hope that helps, good luck.

Regards
Bjarne Blichfeldt.

From: wouter.hummel...@kpn.com [mailto:wouter.hummel...@kpn.com]
Sent: 12 May 2017 16:03
To: iulian.ro...@gmail.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

Yes, kinit works with IPA users. GSSAPI authentication is not keeping it simple, since we want passwords to work before trying TGS-based logins over GSSAPI. The keytab works since lsuser is still able to get user data. (Documentation specifies that enabling krb5 in ldap.cfg makes the bind user and password moot; secldapclntd uses krb5 to identify itself to IPA.)

Also we are able to kinit host/aixlpar.example@example.org -kt /etc/krb5/krb5.keytab

We can try using su from an unprivileged user, but su has some different issues altogether: it doesn't like @ in usernames, which we need at the next stage (integrating AD Trust).

From: Iulian Roman [mailto:iulian.ro...@gmail.com]
Sent: Friday 12 May 2017 15:56
To: Hummelink, Wouter
Cc: luiz.via...@tivit.com.br; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

On Fri, May 12, 2017 at 3:31 PM, <wouter.hummel...@kpn.com>
Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
"Why don't you just use the /bin/sh as default shell in IPA? In AIX /bin/sh is the same as /bin/ksh and in Linux it is a symlink to /bin/bash."

Wow, never thought of that, very elegant solution!

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva

On 12-05-2017 10:27, Iulian Roman wrote:
On Fri, May 12, 2017 at 2:32 PM, <wouter.hummel...@kpn.com> wrote:

Hi All,

We're running a POC to integrate IPA and AIX using the AIX KRB5LDAP compound module. All the moving parts seem to be working on their own, however logging in doesn't work, with SSH on AIX reporting "Failed password for user". We're using ID views to overwrite the user shell and home dirs (since AIX will refuse a login with a nonexisting shell, like bash).

Why don't you just use /bin/sh as default shell in IPA? In AIX /bin/sh is the same as /bin/ksh and in Linux it is a symlink to /bin/bash.

AIX's lsuser command is able to find all of the users it's supposed to and su to IPA users works. Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server.

Tips for troubleshooting would be much appreciated; increasing SSH log level did not produce any meaningful logging.

=== Configuration Excerpt

/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB42088FA8932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user
default:
        SYSTEM = KRB5LDAP or compat

I am using the following settings in /etc/security/user:
        SYSTEM = KRB5LDAP
        registry = KRB5LDAP
It works for AIX 5, 6 and 7 in my setup.

/etc/methods.cfg
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64

DCE:
        program = /usr/lib/security/DCE

KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no

KRB5LDAP:
        options = auth=KRB5,db=LDAP

Kind regards,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447
E: wouter.hummel...@kpn.com

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
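The two client-side files the messages above keep comparing, ldap.cfg and the attribute map files, are small enough to check mechanically before chasing an SSH login failure. The script below is an added example, not code from the thread, IBM or FreeIPA. It parses ldap.cfg (key:value lines with # comments) and the four-column map format (AIX attribute, type, LDAP attribute, s or m), verifies that the user map supplies the attributes Bjarne's map comment calls required, and flags a client that would send its bind password without TLS. The sample inputs are constructed from values posted in the thread with the secrets replaced; the set of valid column-2 types and the rule that useSSL needs a ldapsslkeyf key database are this example's own assumptions.

```python
"""Sanity checks for an AIX secldapclntd client configured against FreeIPA.

Added example; not code from the original thread or from IBM/FreeIPA.
Parses /etc/security/ldap/ldap.cfg and the attribute map files named by
userattrmappath/groupattrmappath, then reports obvious problems.
"""

# AIX user attributes the map must supply (from the FreeIPAuser.map comment).
REQUIRED_USER_ATTRS = ("username", "id", "pgrp", "home", "shell", "gecos")
# Column-2 types seen in AIX map files; assumption: these are the only valid ones.
VALID_TYPES = {"SEC_CHAR", "SEC_INT", "SEC_LIST", "SEC_BOOL"}


def _strip(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_ldap_cfg(text):
    """Parse ldap.cfg into {lowercased_key: value}; first ':' separates them."""
    cfg = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def parse_attr_map(text):
    """Parse an attribute map into {aix_attr: (type, ldap_attr, cardinality)}."""
    mapping = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError("malformed map line: %r" % raw)
        aix_attr, sec_type, ldap_attr, card = parts
        if sec_type not in VALID_TYPES or card not in ("s", "m"):
            raise ValueError("bad type or cardinality: %r" % raw)
        mapping[aix_attr] = (sec_type, ldap_attr, card)
    return mapping


def missing_user_attrs(mapping):
    """Required AIX login attributes that the user map does not provide."""
    return [a for a in REQUIRED_USER_ATTRS if a not in mapping]


def check_ldap_cfg(cfg):
    """Findings about how the client authenticates to and talks with the directory."""
    findings = []
    use_ssl = cfg.get("usessl", "no").lower()        # no / yes / TLS / SSL
    use_krb5 = cfg.get("usekrb5", "no").lower() == "yes"
    tls_on = use_ssl not in ("", "no")
    if not tls_on:
        if cfg.get("bindpwd") and not use_krb5:
            # simple bind with a password over a cleartext connection
            findings.append("bindpwd is sent without TLS (useSSL:no)")
        else:
            findings.append("directory traffic is not TLS protected (useSSL:no)")
    elif not cfg.get("ldapsslkeyf"):
        # assumption: AIX needs a key database holding the CA when useSSL is on
        findings.append("useSSL is set but ldapsslkeyf is missing")
    if use_krb5 and not cfg.get("krbkeypath"):
        findings.append("useKRB5:yes but krbkeypath (host keytab) is missing")
    return findings


# Constructed sample inputs, taken from the values posted in the thread.
SAMPLE_USER_MAP = """\
keyobjectclass SEC_CHAR posixaccount s
username SEC_CHAR uid s
id SEC_INT uidnumber s
pgrp SEC_CHAR gidnumber s
home SEC_CHAR homedirectory s
shell SEC_CHAR loginshell s
gecos SEC_CHAR gecos s
spassword SEC_CHAR userpassword s
lastupdate SEC_INT shadowlastchange s
"""

SAMPLE_GROUP_MAP = """\
groupname SEC_CHAR cn s
id SEC_INT gidNumber s
users SEC_LIST member m
"""

SAMPLE_LDAP_CFG = """\
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}REDACTED
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/FreeIPAuser.map
ldapport:389
"""

# Constructed: the same client with TLS and Kerberos turned off.
WEAK_LDAP_CFG = """\
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}REDACTED
useSSL:no
useKRB5:no
ldapport:389
"""

if __name__ == "__main__":
    print("missing user attrs:", missing_user_attrs(parse_attr_map(SAMPLE_USER_MAP)))
    print("posted cfg:", check_ldap_cfg(parse_ldap_cfg(SAMPLE_LDAP_CFG)))
    print("weak cfg:  ", check_ldap_cfg(parse_ldap_cfg(WEAK_LDAP_CFG)))
```

On a real LPAR, feed the functions the contents of /etc/security/ldap/ldap.cfg and the files its userattrmappath and groupattrmappath point at; a map missing `shell` or `home` is the kind of gap that produces exactly the "lsuser works but login fails" symptom discussed in this thread, and `check_ldap_cfg` catches a client that has been switched back to a password bind over port 389 without TLS.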
Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
Hello Wouter.

It may seem silly, but try installing bash on one AIX server and test authenticating against that one. It's a single rpm with no dependencies. For me it did the trick and I ended up doing that on all my AIX servers.

Let me know how it goes or if you have any issues.

Best Regards
__
Luiz Fernando Vianna da Silva

On 12-05-2017 09:47, wouter.hummel...@kpn.com wrote:

Hi All,

We're running a POC to integrate IPA and AIX using the AIX KRB5LDAP compound module. All the moving parts seem to be working on their own, however logging in doesn't work, with SSH on AIX reporting "Failed password for user". We're using ID views to overwrite the user shell and home dirs (since AIX will refuse a login with a nonexisting shell, like bash).

AIX's lsuser command is able to find all of the users it's supposed to and su to IPA users works. Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server.

Tips for troubleshooting would be much appreciated; increasing SSH log level did not produce any meaningful logging.

=== Configuration Excerpt

/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB42088FA8932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user
default:
        SYSTEM = KRB5LDAP or compat

/etc/methods.cfg
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64

DCE:
        program = /usr/lib/security/DCE

KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no

KRB5LDAP:
        options = auth=KRB5,db=LDAP

Kind regards,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447
E: wouter.hummel...@kpn.com
[Freeipa-users] RES: Who uses FreeIPA?
Hello Alexandre.

FreeIPA is the open source project, or as Red Hat calls it the upstream project, that fuels Red Hat IDM [1]. As to IDM, there are many large corporations that use it in production and mission critical environments. Due to non-disclosure agreements I cannot give you fine details about the customers I support that have Red Hat IDM deployed in their environments. For instance, one of my customers, which is the largest Latin American credit and debit card operator (in terms of financial transaction volume), uses Red Hat IDM, which is based on the FreeIPA project [2], on pretty much 100% of its Linux and Unix production environments.

I suggest you reach out to your Red Hat commercial representative and ask for IDM success cases. I bet he would be glad to help you.

[1] https://access.redhat.com/products/identity-management
[2] https://www.redhat.com/archives/rh-community-de-berlin/2012-November/pdfOlwXB8dm7U.pdf

Best Regards
__
Luiz Fernando Vianna da Silva

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On behalf of Alexandre de Verteuil
Sent: Tuesday, 3 May 2016 16:10
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Who uses FreeIPA?

Hello all,

I've deployed FreeIPA in my home lab and I'm happy to have single sign-on for all my Archlinux virtual machines and Fedora laptops :)

It took me lots of research and conversations before hearing about FreeIPA for the first time while searching for a libre SSO solution. I think FreeIPA needs much more exposure. I am really impressed with it.

Tomorrow I am giving a short presentation at my workplace to talk about it and invite other sysadmins to try it. I would like to make a slide showing the current adoption of FreeIPA. I read that Red Hat uses it internally, but do they actually deploy it in their clients' infrastructures? Are there any big companies that use it? Even if I only have reports of schools and small businesses, it would be good enough to say it's production ready and it has traction.

Whether you are reporting about your own use or you know where I can find out more, it would be greatly appreciated! I have not found a "Who uses FreeIPA" page on the Internet.

Best regards,
--
Alexandre de Verteuil <alexan...@deverteuil.net>
public key ID : 0xDD237C00
http://alexandre.deverteuil.net/
[Freeipa-users] RES: RES: FreeIPA integration with AIX and sudo
Hello Dmitri.

I finally managed to write the wiki article on configuring sudo on AIX! Here is the URL: http://www.freeipa.org/page/SUDO_Integration_for_AIX

I also added a reference to it on the http://www.freeipa.org/page/HowTos#General page as well as a topic on the http://www.freeipa.org/page/ConfiguringUnixClients page pointing to the article.

I hope its format is up to code with FreeIPA's formatting standards and that the language used is clear.

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.via...@tivit.com.br
T I V I T
Av. Maria Coelho Aguiar, 215 - Bloco D - 5˚ Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br

This message, including its attachments, is confidential and its content is restricted to the addressee. If you have received it by mistake, please return it to the sender and delete it from your files. Any unauthorized use, replication or dissemination of this message or part of it is expressly prohibited. TIVIT is not responsible for the content or the accuracy of this information.

From: Luiz Fernando Vianna da Silva
Sent: Thursday, 2 April 2015 14:41
To: 'd...@redhat.com'; freeipa-users@redhat.com
Subject: RES: [Freeipa-users] RES: FreeIPA integration with AIX and sudo

Hi Dmitri.

Working on it right now. :)

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On behalf of Dmitri Pal
Sent: Thursday, 2 April 2015 10:23
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] RES: FreeIPA integration with AIX and sudo

On 04/01/2015 01:58 PM, Luiz Fernando Vianna da Silva wrote:

Hi Yves.

First a little background information regarding sudo on AIX:

Most sudo packages compiled for AIX are _NOT_ compiled with LDAP support. Although sudo's documentation states that sudo supports different LDAP implementations other than OpenLDAP, I suppose it doesn't work well with AIX's LDAP fileset. That's my guess why most sudo packages for AIX aren't compiled with LDAP support. [BTW, you can check this by running, as root, sudo -V | grep -i ldap].

The good news is that Michael Perzl has successfully compiled a sudo package with LDAP support, although it's compiled against OpenLDAP and not AIX's LDAP fileset.

So, here is how I did it:

(1) Go to http://www.perzl.org/aix/ and download the following RPM packages in their latest versions:
· sudo = 1.8.11
· gettext = 0.10.40
· openldap = 2.4.23
· openssl = 1.0.1j-1
· zlib
Make sure you don't have the sudo fileset installed or another sudo rpm package. Don't worry about openssl from this RPM package conflicting with the OpenSSL fileset from AIX, they won't. Don't worry about openldap from this RPM package conflicting with the ldap fileset from AIX, they won't.

(2) Upload the rpm packages to your AIX LPAR and put them all in a directory, I used /tmp/sudopack. [From here on I assume you are root on your LPAR].

(3) From the directory where you put your packages run "rpm -ivh *.rpm --test" and if all goes well proceed without the "--test", otherwise sort out the dependencies and conflicts like the grown man you are :).

(4) Once the rpms are installed, add the following line to the bottom of your /etc/netsvc.conf file:
sudoers = files, ldap
I know this is not expected syntax according to IBM's netsvc.conf documentation, but sudo requires it to work with ldap. According to sudo's documentation it uses that line in netsvc.conf to emulate what sudo would expect to find in /etc/nsswitch.conf on a Linux machine [hack much?].

(5) Create a file called /etc/ldap.conf. This has nothing to do with the /etc/security/ldap/ldap.cfg file you use to configure AIX's LDAP, this is OpenLDAP's config only used by sudo. Don't worry, this won't conflict with AIX's LDAP functionality. Add this to your /etc/ldap.conf:
tls_cacert /etc/ipa/ca.crt
uri ldap://youripaserver.domain.com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc
[Freeipa-users] RES: RES: FreeIPA integration with AIX and sudo
Hi Dmitri.

Working on it right now. :)

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On behalf of Dmitri Pal
Sent: Thursday, 2 April 2015 10:23
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] RES: FreeIPA integration with AIX and sudo

On 04/01/2015 01:58 PM, Luiz Fernando Vianna da Silva wrote:

Hi Yves.

First a little background information regarding sudo on AIX:

Most sudo packages compiled for AIX are _NOT_ compiled with LDAP support. Although sudo's documentation states that sudo supports different LDAP implementations other than OpenLDAP, I suppose it doesn't work well with AIX's LDAP fileset. That's my guess why most sudo packages for AIX aren't compiled with LDAP support. [BTW, you can check this by running, as root, sudo -V | grep -i ldap].

The good news is that Michael Perzl has successfully compiled a sudo package with LDAP support, although it's compiled against OpenLDAP and not AIX's LDAP fileset.

So, here is how I did it:

(1) Go to http://www.perzl.org/aix/ and download the following RPM packages in their latest versions:
· sudo = 1.8.11
· gettext = 0.10.40
· openldap = 2.4.23
· openssl = 1.0.1j-1
· zlib
Make sure you don't have the sudo fileset installed or another sudo rpm package. Don't worry about openssl from this RPM package conflicting with the OpenSSL fileset from AIX, they won't. Don't worry about openldap from this RPM package conflicting with the ldap fileset from AIX, they won't.

(2) Upload the rpm packages to your AIX LPAR and put them all in a directory, I used /tmp/sudopack. [From here on I assume you are root on your LPAR].

(3) From the directory where you put your packages run "rpm -ivh *.rpm --test" and if all goes well proceed without the "--test", otherwise sort out the dependencies and conflicts like the grown man you are :).

(4) Once the rpms are installed, add the following line to the bottom of your /etc/netsvc.conf file:
sudoers = files, ldap
I know this is not expected syntax according to IBM's netsvc.conf documentation, but sudo requires it to work with ldap. According to sudo's documentation it uses that line in netsvc.conf to emulate what sudo would expect to find in /etc/nsswitch.conf on a Linux machine [hack much?].

(5) Create a file called /etc/ldap.conf. This has nothing to do with the /etc/security/ldap/ldap.cfg file you use to configure AIX's LDAP, this is OpenLDAP's config only used by sudo. Don't worry, this won't conflict with AIX's LDAP functionality. Add this to your /etc/ldap.conf:
tls_cacert /etc/ipa/ca.crt
uri ldap://youripaserver.domain.com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
bindpw yourclientpassword
sudoers_base ou=sudoers,dc=domain,dc=com

(6) Create a directory called /etc/ipa and download your CA certificate file and place it there. Make sure to set the directory permissions to 755 and the ca.crt file to 644.

(7) And that's pretty much it, no need to edit a single line in /etc/sudoers. The /etc/sudoers file I have on my LPARs is the one that comes with the rpm, unchanged.

Log into your LPAR with a domain user and try running "sudo -l", it should output the sudo rules you set on the IPA server.

I hope this helps you and other AIX client users out there.

Would you mind creating a howto page on the IPA wiki?

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva

From: Yves Degauquier [mailto:y...@degauquier.net]
Sent: Wednesday, 1
[Freeipa-users] Expired password change on AIX Client
Hello All.

I've searched the archives of this mailing list looking for an answer for this one, but all I found led me nowhere. ☹

Closest thread to help me was: https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html

Has anyone figured out a way to have expired password changes work on AIX clients?

I have tried adding "kpasswd_protocol = SET_CHANGE" as well as "kpasswd_protocol = RPCSEC_GSS" to the [realms] section but none of them worked.

Here is the output from an ssh test session for user "teste" on an AIX 7.1 machine:

-bash-4.2$ ssh teste@localhost
# NICE MOTD
teste@localhost's password:
[KRB5]: 3004-332 Your password has expired.
3004-333 A password change is required.
[KRB5]: 3004-332 Your password has expired.
*******************************************************************************
*                                                                             *
*  Welcome to AIX Version 7.1!                                                *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*******************************************************************************
# NICE MOTD
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for teste
teste's Old password:
teste's New password:
Enter the new password again:
3004-604 Your entry does not match the old password.
Connection to localhost closed.
-bash-4.2$

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva
[Freeipa-users] RES: [Marketing Mail] Re: Expired password change on AIX Client
Hello Dmitri.

Server is running: ipa-server-3.0.0-37.el6.x86_64

My kerberos configuration looks like this on a client:

# cat /etc/krb5.conf
[libdefaults]
        default_realm = DOMAIN.COM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

[realms]
        DOMAIN.COM = {
                kdc = ldap.domain.com:88
                admin_server = ldap.domain.com:749
                default_domain = domain.com
        }

[domain_realm]
        .domain.com = DOMAIN.COM
        ldap.domain.com = DOMAIN.COM

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log
#

"What does the KDC log show?": Where do I get this log from?

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On behalf of Dmitri Pal
Sent: Wednesday, 1 April 2015 13:27
To: freeipa-users@redhat.com
Subject: [Marketing Mail] Re: [Freeipa-users] Expired password change on AIX Client

On 04/01/2015 11:14 AM, Luiz Fernando Vianna da Silva wrote:

Hello All.

I've searched the archives of this mailing list looking for an answer for this one, but all I found led me nowhere. ☹

Closest thread to help me was: https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html

Has anyone figured out a way to have expired password changes work on AIX clients?

I have tried adding "kpasswd_protocol = SET_CHANGE" as well as "kpasswd_protocol = RPCSEC_GSS" to the [realms] section but none of them worked.

Here is the output from an ssh test session for user "teste" on an AIX 7.1 machine:

-bash-4.2$ ssh teste@localhost
# NICE MOTD
teste@localhost's password:
[KRB5]: 3004-332 Your password has expired.
3004-333 A password change is required.
[KRB5]: 3004-332 Your password has expired.
*******************************************************************************
*                                                                             *
*  Welcome to AIX Version 7.1!                                                *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*******************************************************************************
# NICE MOTD
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for teste
teste's Old password:
teste's New password:
Enter the new password again:
3004-604 Your entry does not match the old password.
Connection to localhost closed.
-bash-4.2$

So you are setting up an AIX client using Kerberos against an IPA server and trying to log in with a user that has an expired password. Did I get it right?

What version of the server are you using?
How does your kerberos configuration look on a client?
What does the KDC log show?

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva
Re: [Freeipa-users] FreeIPA integration with AIX and sudo
Hello Yves.

I was browsing the mailing list archives and found your email from December 2013 (https://www.redhat.com/archives/freeipa-users/2013-December/msg00083.html).

I have successfully found a way to have sudo on AIX work with the sudo rules on IPA, just like Linux clients.

Give me a reply if you haven't figured out a way to make this work and I'll send you the solution I came up with.

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva
[Freeipa-users] RES: FreeIPA integration with AIX and sudo
Hi Yves. First a little background information regarding sudo on AIX: Most sudo packages compiled for AIX are _NOT_ compiled with LDAP support. Although sudo’s documentation states that sudo supports different LDAP implementations, other than OpenLDAP, I suppose it doesn’t work well with AIX’s LDAP fileset. That’s my guess why most sudo packages for AIX aren’t compiled with LDAP support. [BTW, you can check this by running, as root, sudo -V | grep -i ldap]. The good news is that Michel Perzl, has successfully compiled a sudo package with LDAP support, although its compiled against OpenLDAP and not AIX’s LDAP fileset. So, here is how I did it: (1) Go to http://www.perzl.org/aix/ and download the following RPM packages on their latest versions: · sudo = 1.8.11 · gettext = 0.10.40 · openldap = 2.4.23 · openssl = 1.0.1j-1 · zlib Make sure you don’t have the sudo fileset installed or another sudo rpm package. Don’t worry about openssl from this RPM package conflicting with the OpenSSL fileset from AIX, they won’t. Don’t worry about openldap from this RPM package conflicting with the ldap fileset from AIX, they won’t. (2) Upload the rpm packages to you AIX LPAR and put them all in a directory, I used /tmp/sudopack. [From here on I assume you are root on your LPAR]. (3) From the directory where you put your packages run a “rpm -ivh *.rpm --test” and if all goes well proceed without the “--test”, otherwise sort out the dependencies and conflicts like the grown man you are :). (4) Once the rpms are installed, add the following line to the bottom of your /etc/netsvc.conf file: sudoers = files, ldap I know this is not expected syntax according to IBM’s netsvc.conf documentation, but sudo requires it to work with ldap. According to sudo’s documentation it uses that line on netsvc.conf to emulate what sudo would expect to find on /etc/nsswitch.conf on a Linux machine [hack much?]. (5) Create a file called /etc/ldap.conf . 
    This has nothing to do with the /etc/security/ldap/ldap.cfg file you use to configure AIX's LDAP, this is OpenLDAP's config only used by sudo. Don't worry, this won't conflict with AIX's LDAP functionality. Add this to your /etc/ldap.conf:

        tls_cacert /etc/ipa/ca.crt
        uri ldap://youripaserver.domain.com
        binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
        bindpw yourclientpassword
        sudoers_base ou=sudoers,dc=domain,dc=com

(6) Create a directory called /etc/ipa and download your CA certificate file and place it there. Make sure to permission the directory 755 and the ca.crt file 644.

(7) And that's pretty much it, no need to edit a single line in /etc/sudoers. The /etc/sudoers file I have on my LPARs is the one that comes with the rpm, unchanged. Log into your LPAR with a domain user and try running "sudo -l", it should output the sudo rules you set on the IPA server.

I hope this helps you and other AIX client users out there.

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.via...@tivit.com.br
T I V I T
Av. Maria Coelho Aguiar, 215 - Bloco D - 5˚ Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br

This message, including its attachments, is confidential and its content is restricted to the addressee. If you have received it by mistake, please return it to the sender and delete it from your files. Any unauthorized use, replication or dissemination of this message or any part of it is expressly prohibited. TIVIT is not responsible for the content or the accuracy of this information.

From: Yves Degauquier [mailto:y...@degauquier.net]
Sent: Wednesday, April 1, 2015 14:03
To: Luiz Fernando Vianna da Silva
Subject: Re: [Freeipa-users] FreeIPA integration with AIX and sudo

Hi Luiz,

I was not able to get it running, I was a bit lost with the LDAP, PAM, LAM configuration, and didn't find any idea with Google...
If you can share the solution or point me to some important points to do, I will be happy.

Thanks in advance,
Best regards,
Yves

On 01/04/15 18:57, Luiz Fernando Vianna da Silva wrote:

Hello Yves. I was browsing the mailing list archives and found your email from December 2013 (https://www.redhat.com/archives/freeipa-users/2013-December/msg00083.html). I have successfully found a way to have sudo on AIX work with the sudo rules on IPA, just like Linux clients. Give me a reply if you haven't figured out a way to make this work and I'll send you the solution I came up with.

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.via...@tivit.com.br
T I V I T
Av. Maria Coelho Aguiar, 215 - Bloco D - 5˚ Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br
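An added check script, my own and not from Luiz's post or the FreeIPA wiki, that verifies an LPAR against steps (4) to (6) above. Beyond what the post requires, it also insists that /etc/ldap.conf is root-only and that the bind uses ldaps:// or "ssl start_tls", since the file holds bindpw in cleartext; every function takes a path argument, defaulting to the paths the post names.

```shell
#!/bin/sh
# Added example, not from the post: verify an LPAR against steps (4) to (6).
# Each function takes a path so it can also be run against copied-off files;
# the defaults are the paths the post names.

# Background check from the post: as root, sudo -V only mentions ldap when
# the binary was built with LDAP support.
check_sudo_ldap_support() {
  sudo -V 2>/dev/null | grep -qi ldap
}

# Step (4): the nsswitch-emulation line sudo reads from /etc/netsvc.conf.
check_netsvc() {
  grep -Eq '^[[:space:]]*sudoers[[:space:]]*=.*ldap' "${1:-/etc/netsvc.conf}"
}

# Compare the mode string ls prints (first 10 chars) with the expected one;
# ls -ld rather than stat because AIX has no GNU stat.
check_mode() {
  [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "$2" ]
}

# Step (5): all five directives must be present. Two additions of mine:
# bindpw is a cleartext credential, so the file should be root-only (sudo
# reads it as root, so step 7 still works), and the bind should be protected
# by ldaps:// or "ssl start_tls" (a sudoers.ldap directive), otherwise the
# password crosses the network unencrypted.
check_ldap_conf() {
  f="${1:-/etc/ldap.conf}"
  rc=0
  for key in tls_cacert uri binddn bindpw sudoers_base; do
    grep -Eqi "^[[:space:]]*$key[[:space:]]+[^[:space:]]" "$f" \
      || { echo "$f: missing $key"; rc=1; }
  done
  grep -Eqi '^[[:space:]]*uri[[:space:]]+ldaps://' "$f" \
    || grep -Eqi '^[[:space:]]*ssl[[:space:]]+start_tls' "$f" \
    || { echo "$f: neither ldaps:// nor 'ssl start_tls', bindpw would go in the clear"; rc=1; }
  check_mode "$f" '-rw-------' \
    || { echo "$f: should be mode 0600 because it holds bindpw"; rc=1; }
  return $rc
}

# Step (6): /etc/ipa must be 755 and ca.crt 644, as the post says.
check_ca_dir() {
  d="${1:-/etc/ipa}"
  check_mode "$d" 'drwxr-xr-x' && check_mode "$d/ca.crt" '-rw-r--r--'
}
```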
Re: [Freeipa-users] Expired password change on AIX Client
Hello Dmitri.

Server is running: ipa-server-3.0.0-37.el6.x86_64

My kerberos configuration looks like this on a client:

    # cat /etc/krb5.conf
    [libdefaults]
            default_realm = DOMAIN.COM
            default_keytab_name = FILE:/etc/krb5/krb5.keytab
            default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
            default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

    [realms]
            DOMAIN.COM = {
                    kdc = ldap.domain.com:88
                    admin_server = ldap.domain.com:749
                    default_domain = domain.com
            }

    [domain_realm]
            .domain.com = DOMAIN.COM
            ldap.domain.com = DOMAIN.COM

    [logging]
            kdc = FILE:/var/krb5/log/krb5kdc.log
            admin_server = FILE:/var/krb5/log/kadmin.log
            kadmin_local = FILE:/var/krb5/log/kadmin_local.log
            default = FILE:/var/krb5/log/krb5lib.log
    #

> What does the KDC log show?

Where do I get this log from?

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.via...@tivit.com.br
T I V I T
Av. Maria Coelho Aguiar, 215 - Bloco D - 5˚ Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On behalf of Dmitri Pal
Sent: Wednesday, April 1, 2015 13:27
To: freeipa-users@redhat.com
Subject: [Marketing Mail] Re: [Freeipa-users] Expired password change on AIX Client

On 04/01/2015 11:14 AM, Luiz Fernando Vianna da Silva wrote:

Hello All.
I've searched the archives of this mailing list looking for an answer for this one, but all I found led me nowhere. ☹

The closest thread to help me was: https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html

Has anyone figured out a way to have expired password changes work on AIX clients? I have tried adding "kpasswd_protocol = SET_CHANGE" as well as "kpasswd_protocol = RPCSEC_GSS" to the [realms] section but none of them worked.

Here is the output from an ssh test session for user "teste" on an AIX 7.1 machine:

    -bash-4.2$ ssh teste@localhost
    # NICE MOTD
    teste@localhost's password:
    [KRB5]: 3004-332 Your password has expired.
    3004-333 A password change is required.
    [KRB5]: 3004-332 Your password has expired.
    *******************************************************************************
    *                                                                             *
    *  Welcome to AIX Version 7.1!                                                *
    *                                                                             *
    *  Please see the README file in /usr/lpp/bos for information pertinent to    *
    *  this release of the AIX Operating System.                                  *
    *                                                                             *
    *******************************************************************************
    # NICE MOTD
    WARNING: Your password has expired. You must change your password now and login again!
    Changing password for teste
    teste's Old password:
    teste's New password:
    Enter the new password again:
    3004-604 Your entry does not match the old password.
    Connection to localhost closed.
    -bash-4.2$

So you are setting up an AIX client using kerberos against an IPA server and trying to log in with a user that has an expired password. Did I get it right?
What version of the server are you using?
How does your kerberos configuration look on a client?
What does the KDC log show?

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.via...@tivit.com.br
T I V I T
Av. Maria Coelho Aguiar, 215 - Bloco D - 5˚ Andar
São Paulo - SP - CEP 05804-900
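As an added example, not from the thread, a small reader for a krb5.conf like the one Luiz posted above, plus a lint that flags the DES, 3DES and RC4 enctypes in its default_tkt_enctypes and default_tgs_enctypes lists (RFC 8429 deprecates them; exactly which names to flag is my choice).

```shell
#!/bin/sh
# Added example, not from the thread: pull values out of a krb5.conf and
# flag enctypes deprecated by RFC 8429 (DES, 3DES, RC4) in the two lists
# the posted config sets. The deprecated list below is my assumption.
DEPRECATED_ENCTYPES='des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac arcfour-hmac-exp'

# Print the value of key $2 from section $1 of krb5.conf $3 (first match only).
krb5_get() {
  awk -v sec="$1" -v key="$2" '
    /^[[:space:]]*\[/ { insec = (index($0, "[" sec "]") > 0) }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
    }' "$3"
}

# List deprecated enctypes in [libdefaults] key $2 of file $1; return 1 if any.
krb5_check_enctypes() {
  found=''
  for e in $(krb5_get libdefaults "$2" "$1"); do
    for d in $DEPRECATED_ENCTYPES; do
      if [ "$e" = "$d" ]; then found="$found $e"; fi
    done
  done
  if [ -z "$found" ]; then return 0; fi
  echo "$2: deprecated enctypes:$found"
  return 1
}

# Check both lists the posted config sets; return 0 only when both are clean.
krb5_lint() {
  rc=0
  for k in default_tkt_enctypes default_tgs_enctypes; do
    krb5_check_enctypes "$1" "$k" || rc=1
  done
  return $rc
}
```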