Configure AIX 6.x and 7.x clients on IPA
Install AIX packages with installp:
- GSKit8.gskcrypt32.ppc.rte
- GSKit8.gskcrypt64.ppc.rte
- GSKit8.gskssl32.ppc.rte
- GSKit8.gskssl64.ppc.rte
- krb5.lic
- krb5.client
- krb5.doc.en_US
- krb5.toolkit
- krb5.server
Accept IDS License:
{{ packages_path }}/license/idsLicense -q
Install IDS packages with installp:
- idsldap.license64
- idsldap.cltbase64
- idsldap.clt32bit64
- idsldap.clt64bit64
- idsldap.cltjava64
- idsldap.clt_max_crypto32bit64
- idsldap.clt_max_crypto64bit64
Install RPMs from the IBM Toolkit:
- openssl-1.0.2s-1.aix5.1.ppc.rpm
- openldap-2.4.44-0.1.aix5.1.ppc.rpm
- sudo-1.8.21p2-1.aix5.1.ppc.rpm
Configure AIX client:
/usr/bin/gsk8capicmd -keydb -create -db /etc/security/ldap/ldap.kdb
/usr/bin/gsk8capicmd -cert -add -db /etc/security/ldap/ldap.kdb -file /etc/ipa/ca.crt -label ipa_server_cert
/usr/bin/gsk8capicmd -keydb -changepw -new_pw 3edc#EDC3edc#EDC -db /etc/security/ldap/ldap.kdb
/usr/sbin/mksecldap -c -h {{ipaserver}} -a "uid=admin,cn=users,cn=accounts,dc=server,dc=cr" -p {{ipaadminpassword}} -d "dc=server,dc=cr" -k "/etc/security/ldap/ldap.kdb" -w "3edc#EDC3edc#EDC"
/usr/sbin/mkkrb5clnt -c linux81ipa.server.cr -r SERVER.CR -s linux81ipa.server.cr -d server.cr -i LDAP -D
/usr/bin/chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
/usr/bin/chown root:sys /etc/krb5/krb5.keytab
/usr/bin/chmod 700 /etc/krb5/krb5.keytab
/usr/bin/chsec -f /etc/security/user -s default -a SYSTEM="KRB5LDAP OR compat"
/usr/bin/chauthent -k5 -std
Check the configuration of /etc/krb5/krb5.conf:
[libdefaults]
default_realm = SERVER.CR
default_keytab_name = FILE:/etc/krb5/krb5.keytab
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
SERVER.CR = {
kdc = linux81ipa.server.cr:88
master_kdc = linux81ipa.server.cr:88
admin_server = linux81ipa.server.cr:749
default_domain = server.cr
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.server.cr = SERVER.CR
server.cr = SERVER.CR
linux81ipa.server.cr = SERVER.CR
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
kadmin_local = FILE:/var/krb5/log/kadmin_local.log
default = SYSLOG:info:local1
Check the configuration of /etc/ldap.conf:
URI ldap://linux81ipa.server.cr
tls_cacert /etc/ipa/ca.crt
BIND_TIMELIMIT 5
TIMELIMIT 15
binddn uid=admin,cn=users,cn=accounts,dc=server,dc=cr
bindpw {{ipaadminpassword}}
sudoers_base ou=sudoers,dc=server,dc=cr
Restart the LDAP client service:
/usr/sbin/restart-secldapclntd
Sudo configuration: edit /etc/netsvc.conf and add:
hosts = bind4,local
sudoers = files, ldap
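A post-configuration check for the client built by the steps above, added here as an example and not part of the original post. It assumes the file paths used in those steps and the realm SERVER.CR; the helper names (conf_value, group_or_world_readable, check_ipa_client) are hypothetical.

```shell
#!/bin/sh
# Sanity check for an AIX IPA client after mksecldap/mkkrb5clnt (added example,
# not from the original post; paths and checks are assumptions based on the steps above).

# conf_value FILE KEY -> prints the value of the first "KEY = value" line in FILE
conf_value() {
    awk -F'=' -v k="$2" '{ key = $1; gsub(/[[:space:]]/, "", key)
        if (key == k) { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit } }' "$1"
}

# group_or_world_readable FILE -> true if any read bit is set for group or others
group_or_world_readable() {
    case "$(ls -ld "$1" | cut -c5-10)" in *r*) return 0 ;; *) return 1 ;; esac
}

# check_ipa_client KRB5CONF LDAPCONF KEYTAB NETSVC REALM
# Prints one line per finding; returns the number of findings (0 = configuration looks sane).
check_ipa_client() {
    krb5conf=$1; ldapconf=$2; keytab=$3; netsvc=$4; realm=$5; fail=0
    # 1. Kerberos: realm as expected, and PKINIT anchored on the IPA CA (same CA as LDAP TLS)
    [ "$(conf_value "$krb5conf" default_realm)" = "$realm" ] ||
        { echo "krb5.conf: default_realm is not $realm"; fail=$((fail + 1)); }
    [ "$(conf_value "$krb5conf" pkinit_anchors)" = "FILE:/etc/ipa/ca.crt" ] ||
        { echo "krb5.conf: pkinit_anchors does not point at /etc/ipa/ca.crt"; fail=$((fail + 1)); }
    # 2. Keytab: must exist and be readable by root only (the chmod 700 step above)
    if [ -f "$keytab" ]; then
        group_or_world_readable "$keytab" &&
            { echo "keytab: readable by group or others"; fail=$((fail + 1)); }
    else
        echo "keytab: $keytab is missing"; fail=$((fail + 1))
    fi
    # 3. LDAP client: server certificate verified against the IPA CA, and the file
    #    holding the admin bindpw in cleartext must not be readable by other users
    grep -q '^tls_cacert[[:space:]]' "$ldapconf" ||
        { echo "ldap.conf: no tls_cacert, the server certificate is not verified"; fail=$((fail + 1)); }
    if grep -q '^bindpw[[:space:]]' "$ldapconf" && group_or_world_readable "$ldapconf"; then
        echo "ldap.conf: contains bindpw but is readable by group or others"; fail=$((fail + 1))
    fi
    # 4. sudo: netsvc.conf must route sudoers lookups to LDAP as well as local files
    grep -q '^sudoers[[:space:]]*=.*ldap' "$netsvc" ||
        { echo "netsvc.conf: sudoers does not include ldap"; fail=$((fail + 1)); }
    return "$fail"
}

# Run against the paths from the steps above when invoked as: sh check.sh --run
if [ "${1:-}" = --run ]; then
    check_ipa_client /etc/krb5/krb5.conf /etc/ldap.conf /etc/krb5/krb5.keytab /etc/netsvc.conf SERVER.CR
fi
```

Because /etc/ldap.conf stores the IPA admin bind password in cleartext, the script reports a permissive mode on that file as a finding, not just a warning.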
Responses
This may be of some help
Wisdom: RH-SMEs had seen this advice previously, but on IDM mesh / infrastructure (I only created the one HBAC rule, didn't realize I needed to actually create the service too). Works like a charm.
RH-SMEs guess you are trying to auth AD users through the compatibility tree. Read the documentation.
https://pagure.io/slapi-nis/raw/master/f/doc/ipa/sch-ipa.txt
When the Schema Compatibility Plugin is configured to expose users from trusted domains, their authentication is handled via PAM 'system-auth' service. This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system-auth. If your IDM/FreeIPA install does not have default HBAC rule 'allow_all' enabled, then make sure to define in IPA a special service called 'system-auth' and create an HBAC rule to allow access to anyone to this rule on IPA masters.
As 'system-auth' PAM service is not used directly by any other application, it is safe to use it for trusted domain users (aka AIX host) via compatibility path.