vBulletin Search Engine Optimization
Hi all, I need some help here!

I'm trying to integrate an AIX 5.3 ML4 machine with a MS Win 2003 AD server using MS SFU 3.5 and IBM LDAP Client 5.2.0.0 and Kerberos 5 Client 1.4.0.2. I've read IBM's redbook "Integrating AIX into Heterogeneous LDAP Environments" (SG247165) and did everything like it is there. Kerberos and LDAP client are running well in isolation, as you can see below (names have been changed):

======= KRB5 ==================
HOST01:/etc/krb5>kinit -k host/host01.example.com
riscf50:/etc/krb5>klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: host/host01.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
08/04/06 15:56:37  08/05/06 01:56:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Renew until 08/05/06 15:56:37

======= LDAP Client and queries ==========
HOST01:/etc/krb5>lsldap -a passwd aixuser01
Cannot contact the secldapclntd daemon
HOST01:/etc/krb5>start-secldapclntd
Starting the secldapclntd daemon.
The secldapclntd daemon started successfully.
HOST01:/etc/krb5>lsuser aixuser01
aixuser01 id=71118 pgrp=testeaix1 groups=testeaix1 home=/home/aixuser01 shell=/usr/bin/ksh gecos=aixuser01 login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=KRB5ALDAP SYSTEM=KRB5ALDAP logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
HOST01:/etc/krb5>cd /etc/security/ldap
HOST01:/etc/security/ldap>ls-secldapclntd
ldapservers=w2003server.example.com
ldapport=389
ldapversion=3
userbasedn=cn=Users,dc=example,dc=com
groupbasedn=cn=Users,dc=example,dc=com
idbasedn=
usercachesize=1000
usercacheused=1
groupcachesize=100
groupcacheused=1
cachetimeout=300
heartbeatT=300
numberofthread=10
connectionsperserver=10
alwaysmaster=no
authtype=UNIX_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
userobjectclass=User
groupobjectclass=Group
HOST01:/etc/security/ldap>lsldap -a passwd aixuser01
dn: CN=aixuser01,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: aixuser01
givenName: aixuser01
distinguishedName: CN=aixuser01,CN=Users,DC=example,DC=com
instanceType: 4
whenCreated: 20060802194350.0Z
whenChanged: 20060802194747.0Z
displayName: aixuser01
uSNCreated: 1531721
memberOf: CN=testeaix2,CN=Users,DC=example,DC=com
uSNChanged: 1531754
name: aixuser01
objectGUID: Â4c¦2F¿j=sS§U©
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 127990216676718750
primaryGroupID: 513
objectSid:
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: aixuser01
sAMAccountType: 805306368
userPrincipalName: aixuser01@example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
msSFU30Name: aixuser01
msSFU30UidNumber: 71118
msSFU30GidNumber: 70001
msSFU30LoginShell: /usr/bin/ksh
msSFU30Password: <PASSWD GOES HERE>
msSFU30NisDomain: example
msSFU30HomeDirectory: /home/aixuser01
msSFU30PosixMemberOf: CN=testeaix2,CN=Users,DC=example,DC=com
HOST01:/etc/security/ldap>ldapsearch -D 'cn=user-ldap,cn=Users,dc=example,dc=com' -b 'cn=Users,dc=example,dc=com' -h w2003server.example.com -w '?' '(cn=aixuser01)'
Enter password ==>
CN=aixuser01,CN=Users,DC=example,DC=com
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=user
cn=aixuser01
givenName=aixuser01
distinguishedName=CN=aixuser01,CN=Users,DC=example,DC=com
instanceType=4
whenCreated=20060802194350.0Z
whenChanged=20060802194747.0Z
displayName=aixuser01
uSNCreated=1531721
memberOf=CN=testeaix2,CN=Users,DC=example,DC=com
uSNChanged=1531754
name=aixuser01
objectGUID=NOT ASCII
userAccountControl=512
badPwdCount=0
codePage=0
countryCode=0
badPasswordTime=0
lastLogoff=0
lastLogon=0
pwdLastSet=127990216676718750
primaryGroupID=513
objectSid=NOT ASCII
accountExpires=9223372036854775807
logonCount=0
sAMAccountName=aixuser01
sAMAccountType=805306368
userPrincipalName=aixuser01@example.com
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
msSFU30Name=aixuser01
msSFU30UidNumber=71118
msSFU30GidNumber=70001
msSFU30LoginShell=/usr/bin/ksh
msSFU30Password=<PASSWD GOES HERE>
msSFU30NisDomain=example
msSFU30HomeDirectory=/home/aixuser01
msSFU30PosixMemberOf=CN=testeaix2,CN=Users,DC=example,DC=com
=====================================================================

As you can see, Kerberos and LDAP are functioning correctly.

Then I changed ldap.cfg to use Kerberos bind:

### ldap.cfg altered options ###
useKRB5:yes
krbprincipal:host/host01.example.com
krbkeypath:/etc/krb5/krb5.keytab
krbcmddir:/usr/krb5/bin/
####################################################

After that, I issued "kdestroy", "kinit -k host/host01.example.com" and then the commands below, as seen in the redbook:

==========================================================
HOST01:/etc/security/ldap>ldapsearch -b "cn=Users,dc=example,dc=com" -h w2003server.example.com -m GSSAPI -s one '(cn=aixuser01)' dn
ldap_search: Operations error
ldap_search: additional info: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
HOST01:/etc/security/ldap>klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: host/host01.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
08/04/06 16:40:06  08/05/06 02:40:06  krbtgt/host01.example.com@EXAMPLE.COM
        Renew until 08/05/06 16:40:06
08/04/06 16:48:32  08/05/06 02:40:06  ldap/w2003server.example.com@EXAMPLE.COM
        Renew until 08/05/06 16:40:06
================================================================

Something strange happened, for me at least. The ldapsearch command returned an error but a Kerberos ticket was granted. So, I'm stuck at this point. I need to make this query execute successfully to integrate AIX login to MS AD. Can anyone help? I saw APAR IY79120 at IBM's AIX support web site, but it does not have a reasonable explanation for me. I'm also trying local IBM support, but they didn't answer me yet.

Thanks in advance and sorry for my English.

Anderson
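The two klist listings in the post make a useful teaching point about where a GSSAPI bind can fail: a service ticket for ldap/w2003server.example.com in the credential cache only shows that the KDC issued one (the client reached the KDC and the LDAP server's principal exists), not that the LDAP bind itself completed. The script below is an added example, not code from the post or from IBM; it parses klist output into the default principal and its tickets, answers "is there a service ticket for this SPN?" separately from "does the cache look normal?", and flags any krbtgt entry whose instance is not the realm name, since under standard Kerberos a realm TGT is named krbtgt/<REALM>@<REALM> (that naming rule is the script's assumption, not something the post states). The two sample inputs are the listings from the post; run against the second one it reports the ldap service ticket as present and flags the krbtgt/host01.example.com entry as something to look at.

```python
import re
from dataclasses import dataclass

# klist output copied from the post: the cache before ldap.cfg was switched
# to Kerberos bind.
KLIST_BEFORE = """\
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: host/host01.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
08/04/06 15:56:37  08/05/06 01:56:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Renew until 08/05/06 15:56:37
"""

# klist output copied from the post after the failing GSSAPI ldapsearch.
KLIST_AFTER = """\
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: host/host01.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
08/04/06 16:40:06  08/05/06 02:40:06  krbtgt/host01.example.com@EXAMPLE.COM
        Renew until 08/05/06 16:40:06
08/04/06 16:48:32  08/05/06 02:40:06  ldap/w2003server.example.com@EXAMPLE.COM
        Renew until 08/05/06 16:40:06
"""

# One ticket line: "<valid from>  <expires>  <service principal>".
# "Renew until ..." continuation lines do not match because they start
# with a word, not a date.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)


@dataclass
class Ticket:
    valid_from: str
    expires: str
    service: str  # service principal, e.g. krbtgt/EXAMPLE.COM@EXAMPLE.COM


def parse_klist(text):
    """Return (default principal, list of Ticket) parsed from klist output."""
    principal = None
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Default principal:\s*(\S+)$", line)
        if m:
            principal = m.group(1)
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(*m.groups()))
    if principal is None:
        raise ValueError("no 'Default principal:' line in klist output")
    return principal, tickets


def realm_of(principal):
    """The realm is everything after the last '@' of a principal name."""
    return principal.rsplit("@", 1)[1]


def has_service_ticket(text, service):
    """True if the cache holds a ticket for exactly this service principal."""
    _, tickets = parse_klist(text)
    return any(t.service == service for t in tickets)


def check_cache(text):
    """Return a list of anomalies; an empty list means the cache looks normal.

    Assumption (standard Kerberos naming, not stated in the post): the realm
    TGT is krbtgt/<REALM>@<REALM>.  A krbtgt entry whose instance is a host
    name instead of the realm is reported for the admin to investigate.
    """
    principal, tickets = parse_klist(text)
    realm = realm_of(principal)
    expected_tgt = f"krbtgt/{realm}@{realm}"
    findings = []
    if not any(t.service == expected_tgt for t in tickets):
        findings.append(f"no realm TGT {expected_tgt} in cache")
    for t in tickets:
        if t.service.startswith("krbtgt/") and t.service != expected_tgt:
            findings.append(
                f"krbtgt ticket with unexpected instance: {t.service} "
                f"(expected {expected_tgt})"
            )
    return findings


if __name__ == "__main__":
    ldap_spn = "ldap/w2003server.example.com@EXAMPLE.COM"
    for label, text in (("before", KLIST_BEFORE), ("after", KLIST_AFTER)):
        print(f"{label}: anomalies = {check_cache(text) or 'none'}")
        print(f"{label}: ticket for {ldap_spn} present = "
              f"{has_service_ticket(text, ldap_spn)}")
```

The separation matters when reading a failure like the one in the post: a present service ticket moves the question away from the KDC and toward the bind step itself (what the LDAP client sent, and what the server made of the client's principal), which is where the "a successful bind must be completed" message points.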