
LDAP users can log into AIX with no or invalid password

Apparently it is nice to be liked. Today I installed the LDAP client on a set of Oracle test machines, and shortly afterwards Adi told me that he could ssh to other hosts without a password or with a wrong one. Oops, a big Oops indeed.

These two machines are running AIX and all other ones that I have switched into TDS/AD authentication are AIX or and they do not demonstrate these dangerous “abilities”. The few hosts with the LDAP client running AIX also do not show this behavior.

This dangerous issue apparently is specific to which explains why any earlier or later OS versions do not show it. IBM has an emergency fix neutralizing this problem, which is known as IZ97416. To install it, execute:

emgr -e IZ97416.110329.epkg.Z

Now, do verify that the previous password-less logins from the AIX LDAP client to other AIX hosts are no longer possible.

Posted in ldap, Real life AIX.


TDS Server refuses to START…… error: GLPRDB111E

Yesterday, I got a fair share of excitement. One of my TDS servers mysteriously stopped working…. Looking in ibmslapd.log, I found this message staring back at me:

12/15/11 09:03:43 GLPRDB111E The server is unable to use the username and password combination for the DB2 instance owner in the configuration file to establish a connection to the database.

This entry from one of the KnowWiki pages provided the solution:

Make sure your instance name user is active and has the active password.

OK, I open a new putty session and log in with the instance name user. AIX immediately responds, announcing that this user's password has expired and needs to be changed! I know what to do next – after I log in and su -, I execute pwdadm -c instance_name followed by chuser rlogin=false expires=0 instance_name, so this user's password never expires and, at the same time, the remote login ability is removed from this account to make it more secure. Next, I start the TDS instance, which comes alive like nothing ever happened.

Now, do repeat the same steps on the other TDS servers, please.
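Before repeating the steps by hand, it helps to know which service accounts are still in the state that caused GLPRDB111E. The script below is an added example, not part of the original post: it reads the colon-separated output of `lsuser -c -a maxage expires rlogin`, and since it runs here without an AIX box, the input is a constructed sample (account names idsldap, ldapdb2 and db2inst1 are assumed).

```shell
#!/bin/sh
# Added example, not part of the original post: audit AIX service accounts for
# the conditions behind the GLPRDB111E failure described above. It reads the
# colon-separated output of `lsuser -c -a maxage expires rlogin <users>`;
# maxage is the password lifetime in weeks (0 = never ages), expires is the
# account expiry date (0 = never), rlogin allows remote login. Because this
# runs without an AIX box, the input below is a constructed sample.

SAMPLE_LSUSER='#name:maxage:expires:rlogin
idsldap:13:0:true
ldapdb2:0:0:false
db2inst1:8:0101000012:true'

# audit_service_accounts: read lsuser -c text on stdin and print one line per
# account whose settings would let it lapse or be reached remotely.
audit_service_accounts() {
    awk -F: '
        /^#/ { next }                                   # header line
        {
            reasons = ""
            if ($2 != 0) reasons = reasons " password-ages(maxage=" $2 "w)"
            if ($3 != 0) reasons = reasons " account-expires(" $3 ")"
            if ($4 == "true") reasons = reasons " rlogin-enabled"
            if (reasons != "") print $1 ":" reasons
        }'
}

# count_findings: number of flagged accounts, handy for a non-zero exit in cron.
count_findings() {
    audit_service_accounts | wc -l | tr -d ' '
}

# Stand-alone run over the sample. On AIX, feed the real command instead:
#   lsuser -c -a maxage expires rlogin idsldap ldapdb2 | audit_service_accounts
printf '%s\n' "$SAMPLE_LSUSER" | audit_service_accounts
```

An account that shows up with password-ages or account-expires will trip the same DB2 connection failure again once the date passes; rlogin-enabled is the remote login the post turns off.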

Well, I was a happy AIX administrator for a very short time. The next restart produced this:

12/15/11 09:03:43 GLPRDB111E The server is unable to use the username and password combination for the DB2 instance owner in the configuration file to establish a connection to the database.

It seemed appropriate to investigate the ibmslapd.conf file. What helped me was a fully functional second TD server (peer). I noticed that the non-functional server's ibmslapd.conf showed a wrong key file name and location. In my case the key database should be located in the directory /etc/security/ldap and always be named ServerKey.kdb, like this:


The configuration file had instead:

ibm-slapdsslkeydatabasepw: {AES256}3yBk0e0qwzqL7/glbBSodA==

I recognized that I had to change the first entry to correctly identify the location of the GSK key database. The second issue to deal with was to re-create the encrypted password. This step requires the creation of a simple LDIF file:

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslKeyDatabasepw
ibm-slapdSslKeyDatabasepw: abcABC123

The abcABC123 represents the un-encrypted password used to create (stashed into) the file ServerKey.kdb. The ldapmodify command will update the TD server configuration and encrypt the password:

ldapmodify -D cn=root -w Admin_Password -i update.ldif

The first time it did not work because the LDAP server was down; I restarted it in configuration mode and this time ldapmodify did work. To end my misery, I rebooted the server. After a few minutes, executing idsldapsearch over SSL from an AIX client against each TD server worked, finally!

ldapsearch -h aixtds1 -Z -K /etc/security/ldap/ClientHost.kdb \
 -P abcABC123 -b "" -s base "objectclass=*"

ldapsearch -h aixtds2 -Z -K /etc/security/ldap/ClientHost.kdb \
 -P abcABC123 -b "" -s base "objectclass=*"

Posted in ldap, Real life AIX.


IBM Power Systems Hardware Information Center

It can be useful to know about this place – “IBM Power Systems Hardware Information Center“.

Posted in AIX.


Pass Through Authentication between TDS Ldap servers and ActiveDirectory over SSL

I installed two IBM Tivoli Directory Servers (LDAP), configured replication between them (Peer to Peer) and finally set the PTA to AD servers for logins and passwords – no more separate login to Windows or AIX, no separate password standards, attributes to maintain….

Setting up SSL-based authentication between the AIX-based TDS and its clients was easy. You can find excellent directions by following this link:
By the way, if you want to enable SSL for the Management Console (the Web Admin Tool), follow this link: (thanks Debra from IBM LDAP support :-D)

Then you have to configure each AIX client to enable SSL communication between it and the TD servers.

Finally, the Pass Through Authentication between each TD server and the Active Directory server has to be modified to use SSL too. Follow the rest of this post to see how this can be done without using ikeyman – this utility is not working for me. I get these silly messages saying “The CMS Java native library was not found. Please make sure the SSL component required ........ .” and I have opened a PMR in this regard – I will post the resolution as soon as I get it.

Posted in ldap.


Recovering root password using NIM

It happens, not often, but it does, and when it does it usually sucks. If nothing else is available to you to reset the root password but this “environment” has a working NIM server, you may try the procedure documented under this link as “AIX: Recovering A Lost Root Password On A P-Series LPAR, Using A NIM Server”.
Whoever created the documents there did a really splendid job. I believe many will find this site useful.

The same can be done without a NIM server using AIX installation media. But then “somebody” has to travel to insert the media into the host with the unknown root password.

Posted in AIX, Real life AIX.


Fixing a virtualized rootvg

The basic fact of life: in places with multiple system administrators, sometimes one “steps on the toes of another”. Recently, it happened to me.
A host, which previously was configured to boot off a mirrored rootvg with each of its disks delivered from one of two VIO servers, reported one of the disks as missing. A colleague told me that by mistake he took one of “my” vfscsi adapters and used it for the partition he was building. Recognizing the error, he returned the adapter. It is not as bad as it seems. First, “my” host is still not in production. Second, I have something to blog about!

Posted in Real life AIX.

Dynamic Logical Partitioning does not work

Yesterday, I found an article describing the most common reasons for DLPAR operation failures.
It can be found here: “The most common reasons for failures with Dynamic Logical Partitioning”.

Keep reading – “Checking status of the RMC connection on IVM and HMC using rmcdomainstatus”.

Posted in HMC, Real life AIX.


line termination problems using SFTP

I found a nice article on the OpenVOS blog that shares a lot of detailed information on sftp and the way it moves data between UNIX and Windows. Those replacing ftp with sftp may find it very interesting.

Here it is “Line Termination Problems Using SFTP“.

Posted in AIX, Real life AIX.


mount WINdows shares on AIX host without SAMBA

For a while now, it has been possible to mount WIN shares (file systems) on an AIX host. This feature requires the following file sets:

lslpp -l | grep cifs | awk '{print $1}'

Their installation results in the creation of a new device called nsmb0. A WIN share can be mounted from the command line and/or smitty. After I mounted it manually, I unmounted it and used smitty cifs_fs to make sure that the file /etc/filesystems is updated and this share will automatically be mounted with all the necessary privileges and permissions. A while ago, someone asked (in a comment) why I did not use the command line for some task… Well, if I do the same “thing” at least once a week, then I will do it from the command line. For anything executed at longer intervals, I thank the AIX GODS for smitty – this is one of the few features that set this OS apart from any other: all can be done from a menu (smit/smitty/wsm/….)

From the command line:

mount -v cifs -n <WIN_server>/lawson/lawson99 \
 -o wrkgrp=WMD-EDU,fmode=775 '/SQL_Queries$' /tmp/mnt

Above, the share user is defined as lawson with password lawson99, the WIN server exporting the share is called and the share is named /SQL_Queries$, which we want on our AIX host as /tmp/mnt.

To make sure that this mount persists across reboots, I unmounted it and executed smitty cifs_fs, which, populated with the required information, looked like:

* Pathname of mount point                            [/tmp/mnt]
* SERVER Name                                        []
* USER Name                                          [lawson]
  Password                                           [yourPassword]
* Share name                                         [/SQL_Queries$]
* Mount as a READ-ONLY system?                       [no]
  User ID                                            [80]
  Group ID                                           [80]
  Mode                                               [775]
  Domain to Authenticate against                     [WMD-EDU]
* Mount now,add entry to /etc/filesystems, or both   [Both]
* /etc/filesystems entry will mount on start         [no]
  Mount type name                                    []

Notice that we have to enter information about two users! The USER Name and Password entries define the WIN login account that will be used to authenticate this mount request on the WIN server. The User ID and Group ID define the AIX user that will “own” the mounted share (on the AIX host), using the numerals associated with his login name and primary group. The $ character at the end of the share name is in this case real – it is what it is. It does not mean that every share must have it at the end of its name.

The input above, produced the following stanza in the file /etc/filesystems:

/tmp/mnt:
        dev             = /SQL_Queries$
        vfs             = cifs
        nodename        =
        mount           = true
        options         = uid=80,gid=80,fmode=775,wrkgrp=WMD-EDU
        account         = false
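Once a few of these stanzas accumulate, it is worth checking them for settings that widen the share's exposure on the AIX side. The script below is an added example, not part of the original post: it parses the stanza format shown above from a constructed copy of /etc/filesystems (the server name winfs01 and the second and third stanzas are assumed) and flags an empty nodename, a missing wrkgrp, the share mapped to uid 0, and a world-writable fmode.

```shell
# Added example, not part of the original post: audit the cifs stanzas of an AIX
# /etc/filesystems. Constructed input here; on AIX: audit_cifs_stanzas < /etc/filesystems

# Constructed fragment: the post's stanza (server name winfs01 is assumed), one
# weak stanza, and a non-cifs stanza that must be ignored.
SAMPLE_FS='/tmp/mnt:
        dev             = /SQL_Queries$
        vfs             = cifs
        nodename        = winfs01
        options         = uid=80,gid=80,fmode=775,wrkgrp=WMD-EDU

/tmp/scratch:
        dev             = /Public
        vfs             = cifs
        nodename        =
        options         = uid=0,gid=0,fmode=777

/home:
        dev             = /dev/hd1
        vfs             = jfs2'

# audit_cifs_stanzas: read /etc/filesystems text on stdin; print "<mount>: <findings>"
# for each cifs stanza with an empty nodename, no wrkgrp, uid 0 owner, or other-write fmode.
audit_cifs_stanzas() {
    awk '
        function check() {
            if (vfs != "cifs") return
            f = ""
            if (node == "") f = f " empty-nodename"
            if (opt !~ /wrkgrp=/) f = f " no-wrkgrp"
            if (index("," opt ",", ",uid=0,")) f = f " mapped-to-root"
            if (match(opt, /fmode=[0-7]+/)) {
                mode = substr(opt, RSTART + 6, RLENGTH - 6)
                if (substr(mode, length(mode), 1) % 4 >= 2) f = f " other-writable(fmode=" mode ")"
            }
            if (f != "") print mp ":" f
        }
        /^[^ \t#].*:[ \t]*$/ { check(); mp = $1; sub(/:$/, "", mp); vfs = node = opt = ""; next }
        /^[ \t]+[a-z]+[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if ($1 == "vfs") vfs = val
            else if ($1 == "nodename") node = val
            else if ($1 == "options") opt = val
        }
        END { check() }
    '
}

printf '%s\n' "$SAMPLE_FS" | audit_cifs_stanzas
```

The stanza itself stores no share password; the command-line form with -n server/user/password leaves that password in shell history and in process listings while mount runs.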

Please leave a comment if you know more about cifs shares than I presented in this post, thanks!

Posted in Real life AIX.


Copyright © 2016 Waldemar Mark Duszyk. All Rights Reserved. Created by Blog Copyright.