And, actually, I think the only element missing is the registry to point to LDAP - as the server is supposed to be able to go to LDAP for the information otherwise in /etc/passwd, /etc/group and all the needed information in /etc/security files.
Under AIX 5.3L, this is true only for user names 8 characters or less. If the user name is greater than 8 characters, even with the sys0 setting increased (in my case to as high as 30 characters), something falls apart and authentication fails for those users with names greater than 8 characters only when those user names reside in LDAP.
Either do it user by user (that are LDAP), or user by user that are local. Set the default: stanza in /etc/security/user to what you want to be default for the system.
I originally did it for every local user and updated the "SYSTEM" setting in the default stanza in /etc/security/user to be set to "LDAP", but I had problems with our >8 character user names. Specifically, since both "SYSTEM" and "registry" need to be set to LDAP, AIX seemed to ignore the "registry" setting when I put that in the default stanza.
Not a problem for me. Often I use an "Ask a question" tactic to try to get more focus on what I am seeing - to define the problem.
As always seems to be the case, when I finally break down and either post the question or I send my question off to a mailing list, I realize what the error is and manage to correct it. Sorry about that...
In this particular case, a couple of different things collided here. For one, even though the user account information is held in LDAP (Active Directory, in this case), there needed to be an entry for the user in /etc/passwd on the AIX 5.3L box. There also needed to be a registry entry in /etc/security/user to point to LDAP. And, finally, the UID of the user in /etc/passwd needs to match the UID of the user in LDAP... duh. That's the piece I somehow missed in the fray.
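A check for the UID mismatch this post describes, added here as an example and not code from the thread: it lists the users whose own /etc/security/user stanza points at LDAP and compares their /etc/passwd UID with the UID LDAP reports. It assumes the LDAP UIDs arrive in the shape "user id=N" (as lsuser -R LDAP -a id would print) and works on constructed sample files.

```shell
# Added example, not from the thread: for each user whose own stanza in
# /etc/security/user sets registry = LDAP, check that /etc/passwd has an
# entry whose UID equals the UID LDAP reports; a mismatch is what leaves
# sshd failing with "fatal: setuid N: Operation not permitted" after login.
# All three inputs are constructed samples written to a temp directory.
TMP=${TMPDIR:-/tmp}/uidcheck.$$; mkdir -p "$TMP"
cat > "$TMP/security_user" <<'EOF'
default:
    SYSTEM = "compat"
jdoe:
    SYSTEM = "LDAP"
    registry = LDAP
mlongusername12:
    SYSTEM = "LDAP"
    registry = LDAP
asmith:
    SYSTEM = "LDAP"
    registry = LDAP
EOF
cat > "$TMP/passwd" <<'EOF'
jdoe:*:233:1::/home/jdoe:/usr/bin/ksh
asmith:*:501:1::/home/asmith:/usr/bin/ksh
EOF
# Constructed in the shape "lsuser -R LDAP -a id <user>" prints (assumption).
cat > "$TMP/ldap_ids" <<'EOF'
jdoe id=1233
mlongusername12 id=1240
asmith id=501
EOF
# Users whose own stanza sets registry = LDAP; the default stanza is skipped
# because the thread reports AIX 5.3 ignoring registry there.
ldap_users() {
    awk '/^[^ \t].*:[ \t]*$/ { s = $0; sub(/:.*$/, "", s); next }
         /^[ \t]+registry[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v)
             gsub(/["\t ]/, "", v); if (s != "default" && v == "LDAP") print s }' "$1"
}
# Print "user local=<uid|missing> ldap=<uid|missing>" per mismatch; return 1 if any.
uid_mismatches() {
    rc=0
    for u in $(ldap_users "$1"); do
        lu=$(awk -F: -v u="$u" '$1 == u { print $3 }' "$2")
        ru=$(awk -v u="$u" '$1 == u { sub(/^id=/, "", $2); print $2 }' "$3")
        [ -n "$lu" ] && [ "$lu" = "$ru" ] && continue
        echo "$u local=${lu:-missing} ldap=${ru:-missing}"; rc=1
    done
    return $rc
}
uid_mismatches "$TMP/security_user" "$TMP/passwd" "$TMP/ldap_ids" \
    || echo "fix the UIDs above (or add the missing passwd entries) before these users can log in"
```

On a real box the three files would be /etc/security/user, /etc/passwd and the output of the LDAP-side user listing; jdoe above mirrors the thread's case, where the local and LDAP UIDs differ.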
OK. So by local, you mean local user repository, rather than LDAP repository.
Question: have you verified that someone could log in using telnet (to make sure it is not an LDAP setting, or a PAM setting)?
There is also a setting in LDAP to limit the hosts that can be logged onto. You need to check this. Also, you need to verify that all the settings for SYSTEM, auth1 and registry are correct for working with LDAP.
We have a (relatively) new AIX 5.3 P55 installed and I've got SSH installed and running on it.
It is listening and accepting connections, and local accounts can successfully log in. However, having just gotten LDAP authentication working, I've discovered that non-local users (accounts that are authenticating against active directory) get immediately booted out after the successful login.
In other words, a normal session looks like:
ssh myaccount@aix53
myaccount@aix53's password:
Connection to aix53 closed by remote host.
Connection to aix53 closed.
In the logs, I see:
Nov 5 14:32:10 aix53 auth|security:crit sshd327852: fatal: setuid 233: Operation not permitted.
root@x121:[/home/root]lsfilt -v 4 -n 6,7
Rule 6:
Rule action : permit
Source Address : 192.168.129.121
Source Mask : 255.255.255.0
Destination Address : 192.168.129.121
Destination Mask : 255.255.255.0
Source Routing : no
Protocol : tcp
Source Port : eq 22
Destination Port : any 0
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : en0
Auto-Generated : no

Rule 7:
Rule action : permit
Source Address : 192.168.129.121
Source Mask : 255.255.255.0
Destination Address : 192.168.129.121
Destination Mask : 255.255.255.0
Source Routing : no
Protocol : tcp
Source Port : any 0
Destination Port : eq 22
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : en0
Auto-Generated : no
Basically, these two rules permit incoming and outgoing traffic on tcp port 22 for the network 192.168.129.0/24. If I added two deny rules for everything (else), i.e. from 0.0.0.0 and to 0.0.0.0, after these rules, ssh (port 22) would only be permitted on this single network.
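As an added example (not code from the post), a small parse of lsfilt -v 4 output that summarises each rule and checks whether the port 22 permits are followed by the catch-all deny the post proposes, so the table is default-deny rather than default-permit. The listing is a constructed sample in lsfilt's one-key-per-line layout, trimmed to the keys the check needs; it is not captured from a system.

```shell
# Added example, not from the thread: summarise "lsfilt -v 4" output and check
# that the port-22 permit rules are followed by a catch-all deny (source and
# destination 0.0.0.0). The listing is a constructed sample in lsfilt's
# one-key-per-line layout, reduced to the keys the check needs.
FILT=${TMPDIR:-/tmp}/lsfilt.$$.txt
cat > "$FILT" <<'EOF'
Rule 6:
Rule action         : permit
Source Address      : 192.168.129.121
Destination Address : 192.168.129.121
Source Port         : eq 22
Destination Port    : any 0
Rule 7:
Rule action         : permit
Source Address      : 192.168.129.121
Destination Address : 192.168.129.121
Source Port         : any 0
Destination Port    : eq 22
Rule 8:
Rule action         : deny
Source Address      : 0.0.0.0
Destination Address : 0.0.0.0
Source Port         : any 0
Destination Port    : any 0
EOF
# One line per rule: "<n> <action> <src> <dst> <sport op> <sport> <dport op> <dport>"
rule_summary() {
    awk -F' *: *' '
        /^Rule [0-9]+:/ { if (n) print n, act, src, dst, sp, dp
                          n = $1; sub(/^Rule /, "", n); next }
        $1 == "Rule action"         { act = $2 }
        $1 == "Source Address"      { src = $2 }
        $1 == "Destination Address" { dst = $2 }
        $1 == "Source Port"         { sp = $2 }
        $1 == "Destination Port"    { dp = $2 }
        END { if (n) print n, act, src, dst, sp, dp }' "$1"
}
# Exit 0 when the last rule naming port 22 is followed by a deny rule whose
# source and destination are both 0.0.0.0; exit 1 otherwise (default-permit).
default_deny_after_ssh() {
    rule_summary "$1" | awk '
        $6 == "22" || $8 == "22" { ssh = NR }
        $2 == "deny" && $3 == "0.0.0.0" && $4 == "0.0.0.0" { deny = NR }
        END { exit !(ssh && deny > ssh) }'
}
rule_summary "$FILT"
default_deny_after_ssh "$FILT" || echo "WARNING: no catch-all deny after the ssh rules"
```

On a real system feed it the output of lsfilt -v 4 (without -n, so all rules are seen); rules 6 and 7 alone, as listed in the post, make the check fail until the deny rules are added.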
I have not experimented with this yet, but I am guessing that the intended way would be to run the WPAR update command after it is installed on the global system - assuming it was not installed on the global system.
I have not run that command enough, so I will have to look it up - unless you find the command, and update the forum before I do.
Another experiment, still assuming it is not installed on global system is: install on global, retry install in WPAR.
Another experiment, which may fail when running from the WPAR (because the library MUST be loaded in the hosting "RAM" memory), would be to just "restore" the fileset using the restore command. installp files are just bff (backup file format) files.
Some programs are only looking for /lib (or /usr/lib)/libm.a - others are looking for the fileset in the ODM.
I have some trouble with this library. I tried to install bos.adt.libm in a system WPAR with its own /usr and /opt filesystems, but I got this message:
* * * ATTENTION * * * installp has halted this operation because the following filesets are designated as managed by the global system and may not be changed:
bos.adt.libm
Does anybody know if it is possible to install it anyway?
Many thanks for your help, but I can't find the TCP wrapper on Bull for AIX 5.3. Where can I download it and how do I install it, please..... One thing: the 2x servers are clustered through GPFS. My /etc/hosts
I have disabled telnet on the servers through inetd and enabled only ssh. How will this affect my configuration in hosts.allow, having the above /etc/hosts?