If you select this method to authenticate/authorise you may notice that a user group membership is missing – a user with multiple groups will be shown to belong to only one group!
# lsuser -a pgrp groups mannt mannt pgrp=lawson groups=lawson
mannt user belongs to more than one group, really. So why when we ask (using AIX LDAP client) Active Directory to deliver this information it does come to us truncated?
It could be that the Active Directory administrator did not follow this procedure:
Active Directory object management As is the case with any other authentication mechanism, we need to configure the user objects for the users that are to use the system. However, if you are implementing this solution, more than likely your users already have Windows accounts. In that case, all we need to do is to modify the objects to be POSIX compliant. 1. Open the Active Directory Users and Groups management tool. a.) Modify a group object to function as a POSIX group. b.) Right-click on the user group for assignment of a GID. c.) Click on the Unix Attributes tab. d.) Populate the NIS Domain dropdown and the GID number as appropriate. 2. Modify a user object to function as a POSIX user. a.) Locate and activate the tab that says Unix Settings. b.) Under Unix Settings, set the UID and GID for the user, as well as the home directory location (on the Linux filesystem /home/). Note: You will need to ensure that the directory exists with the appropriate user object having access to the directory. c.) Reset the user's password. This causes the AD password and the Unix password attributes to synchronize. 3. Add the user as a Unix member of the group. a.) After you have added the user as a Unix user, you will also need to come back to the group properties and add the user as a member on the Unix Attributes tab. Otherwise, the user will not be populated in the msSFU30PosixMember attribute.
Next, you have to modify the
/etc/security/ldap/sfur2group.map file, which default is presented bellow:
groupname SEC_CHAR cn s na yes id SEC_INT gidNumber s na yes users SEC_LIST cn m na yes
Depending how your user group membership is declared in Active directory, you have to replace the last line of this file so it looks either like this:
users SEC_LIST msSFU30PosixMember m na yes
or like this
users SEC_LIST member m na yes
Follow this modifications with execution of the
restart-secldapclntd command and list the user again. Now, his full group membership is really shown.
# lsuser -a pgrp groups mannt mannt pgrp=lawson groups=lawson,shell,payroll,operator,printq
I will be able to provide you with the Active Directory “side” of this procedure as soon as my college Igor Zilberman (the greatest AD/CITRIX administrator I have been lucky to work with! 🙂 ) documents this process – Igor thanks in advance!
These two different attributes (
msSFU30PosixMember) you use in
sfur2group.map do really have an effect on how you assign UNIX attributes to AD users….
Tu Vo (IBM) just told me that the default
*.map files may be overwritten the next time AIX is patched!!! With this knowledge at hand, I copied the original
sfur2AD2012group.map (am I creative or not?), edited it as described above and next, I modified the appropriate entry in the
/etc/security/ldap/ldap.cfg so know it looks like that:
After a few days, a user tried to use the
sftp command and failed. Fixing his issues, I noticed a “strange” behavior (AIX 7.1 host) – for a casual user the
id command did not work:
# id uid=934960 gid=4141 groups=216(operator)
The host/user lost the ability to translate (to show) the user login name and his/her groups names – it just showed their numerals. When the same user tried to
ssh to another host he would receive this pleasant message:
# ssh markd@hostB You don't exist, go away!
Well, tell it to the user that he does not exist! How dare you? Tu Vo (IBM) delivered the resolution to this issue letting me know that KRB5A is “depreciated” (on its way out….). Tu Vo advise was to replace in
/etc/methods.cfg file every KRB5A with just KRB like that
KRB5: program = /usr/lib/security/KRB5 program_64 = /usr/lib/security/KRB5_64 options = authonly,is_kadmind_compat=no,tgt_verify=no LDAP: program = /usr/lib/security/LDAP program_64 =/usr/lib/security/LDAP64 KRB5LDAP: options = auth=KRB5,db=LDAP
next, you must do the same in the
/etc/security/user file – make sure that
SYSTEM also show
KRB5LDAP instead of
After the change, you either has to restart the
secldapclntd or to flush its cache (
flush-secldapclntd). Now, login as the ordinary user and execute the
id command, does it work? YES!!!! Now it is time to do
sftp do they work? YES!!!
Thanks Tu Vo!
What about the earlier
ssh issue? Well, it was not just
KRB5 it was also the key in his