
AIX 5.3: LDAP User Authentication not working after Upgrade to 5300-11-02-1007


Bernd Nies

Mar 24, 2010, 10:09:02 AM
Hi,

We have a logical partition running AIX 5.3. The OS was set up to use
LDAP as the naming service and for authenticating users. This worked fine on
this release: 5300-11-01-0944. Today I upgraded to the latest service
pack (5300-11-02-1007) and now users can no longer log in with telnet
or ssh.

At the telnet prompt it says:

bernd@linuxhost:~> telnet aixhost
AIX Version 5
Copyright IBM Corporation, 1982, 2009.
login: bernd
bernd's Password:
[LDAP]: 3004-318 Error obtaining the user's password information.
3004-007 You entered an invalid login name or password.


Syslog says:
Mar 24 14:52:19 aixhost auth|security:info syslog: pts/2: failed login
attempt for bernd from linuxhost.example.com

The LDAP connection works:

# ls-secldapclntd
ldapservers=123.123.123.123
ldapport=389
active connections=1
ldapversion=3
userbasedn=ou=people,dc=example,dc=com
groupbasedn=ou=group,dc=example,dc=com
idbasedn=
usercachesize=1000
usercacheused=0
groupcachesize=100
groupcacheused=0
usercachetimeout=300
groupcachetimeout=300
heartbeatT=300
numberofthread=10
connectionsperserver=10
alwaysmaster=no
authtype=UNIX_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=RFC2307
userobjectclass=posixaccount,account,shadowaccount
groupobjectclass=posixgroup

# lsldap -a passwd bernd
dn: uid=bernd,ou=people,dc=example,dc=com
userPassword: {crypt}EnCryPtEdPaSsWoRd
sn: Nies
homeDirectory: /home/bernd
gecos: Bernd Nies
gidNumber: 102
loginShell: /bin/bash
cn: Bernd Nies
uid: bernd
uidNumber: 3031
shadowLastChange: 13411
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowaccount
givenName: Bernd
shadowExpire: -1

# lsuser bernd
bernd id=3031 pgrp=staff groups=staff,syseng home=/home/bernd
shell=/bin/bash gecos=Bernd Nies login=true su=true rlogin=true daemon=true
admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0
auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=LDAP logintimes=
loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0
maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0
histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1
data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000
time_last_login=1269429859 time_last_unsuccessful_login=1269438739
tty_last_login=/dev/pts/1 tty_last_unsuccessful_login=/dev/pts/2
host_last_login=linuxhost.example.com
host_last_unsuccessful_login=linuxhost.example.com
unsuccessful_login_count=31 roles=


I did the setup according to this guide:
http://www-03.ibm.com/systems/power/software/aix/whitepapers/ldap_client.html

mksecldap -c \
-h ldap.example.com \
-a cn=proxyagent,ou=special_users,dc=example,dc=com \
-p mysecretpasswordhere \
-d dc=example,dc=com \
-S RFC2307 -A unix_auth -u ALL

# egrep -v "^#" /etc/security/ldap/ldap.cfg
ldapservers:ldap.example.com
binddn:cn=proxyagent,ou=special_users,dc=example,dc=com
bindpwd:{DESv2}MYENCRYPTEDPASSWORDHERE
authtype:unix_auth
useSSL:no
pwdalgorithm:crypt
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:ou=people,dc=example,dc=com
groupbasedn:ou=group,dc=example,dc=com
servicebasedn:ou=services,dc=example,dc=com
protocolbasedn:ou=protocols,dc=example,dc=com
networkbasedn:ou=networks,dc=example,dc=com
netgroupbasedn:ou=group,dc=example,dc=com
rpcbasedn:ou=rpc,dc=example,dc=com
automountbasedn:ou=zh,dc=example,dc=com
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapversion:3
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
ldaptimeout:60
serverschematype:rfc2307

# cat /etc/security/user
default:
admin = false
login = true
su = true
daemon = true
rlogin = true
sugroups = ALL
admgroups =
ttys = ALL
auth1 = SYSTEM
auth2 = NONE
tpath = nosak
umask = 022
expires = 0
SYSTEM = LDAP
registry = LDAP
logintimes =
pwdwarntime = 0
account_locked = false
loginretries = 0
histexpire = 0
histsize = 0
minage = 0
maxage = 0
maxexpired = -1
minalpha = 0
minother = 0
minlen = 0
mindiff = 0
maxrepeats = 8
dictionlist =
pwdchecks =

root:
admin = true
SYSTEM = files
registry = files
loginretries = 0
account_locked = false
...

That worked fine before applying the new service pack. What's going
wrong here? New bug or feature?

Thanks in advance.
Best regards,
Bernd
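The post above walks through the usual checks (ldap.cfg, ls-secldapclntd, lsuser, lsldap) by hand. As an added illustration that is not part of the thread, the following script parses copies of that output and reports the configuration mismatches that would explain a failed LDAP login; the sample inputs are constructed from the values shown in the post, and an empty result means the cause is not configuration (here it was a product defect, APAR IZ69977).

```python
import re

def parse_kv(text, sep):
    """Parse 'key<sep>value' lines (ls-secldapclntd uses '=', ldap.cfg ':')."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, val = line.partition(sep)
            out[key.strip()] = val.strip()
    return out

def parse_lsuser(line):
    """lsuser prints 'name attr=value ...' on one line; values containing
    spaces (gecos) are cut at the first space, which is fine for flags."""
    name, _, rest = line.strip().partition(" ")
    return name, dict(re.findall(r"(\w+)=(\S*)", rest))

def check_ldap_login(cfg, daemon, user, entry):
    """Return findings that would explain a failed LDAP login for this user."""
    findings = []
    if cfg.get("authtype", "").lower() != daemon.get("authtype", "").lower():
        findings.append("authtype differs between ldap.cfg and secldapclntd")
    if daemon.get("active connections", "0") == "0":
        findings.append("secldapclntd has no active LDAP connection")
    for attr in ("registry", "SYSTEM"):          # both must point at LDAP
        if user.get(attr) != "LDAP":
            findings.append(f"user {attr}={user.get(attr)!r} is not LDAP")
    if user.get("account_locked") == "true":
        findings.append("account is locked")
    retries = int(user.get("loginretries", "0"))  # 0 means no lockout limit
    if retries and int(user.get("unsuccessful_login_count", "0")) >= retries:
        findings.append("unsuccessful_login_count reached loginretries")
    pw = entry.get("userPassword", "")
    if cfg.get("pwdalgorithm", "crypt").lower() == "crypt" and not pw.startswith("{crypt}"):
        findings.append("userPassword is not a {crypt} hash as pwdalgorithm expects")
    return findings

# Constructed samples, trimmed to the attributes the checks use.
LDAP_CFG = "authtype:unix_auth\npwdalgorithm:crypt\nuserbasedn:ou=people,dc=example,dc=com\n"
DAEMON = "ldapport=389\nactive connections=1\nauthtype=UNIX_AUTH\nserverschematype=RFC2307\n"
LSUSER = ("bernd id=3031 pgrp=staff registry=LDAP SYSTEM=LDAP account_locked=false "
          "loginretries=0 unsuccessful_login_count=31 roles=")
ENTRY = {"uid": "bernd", "userPassword": "{crypt}EnCryPtEdPaSsWoRd"}  # from lsldap

def check_thread_case():
    _, user = parse_lsuser(LSUSER)
    return check_ldap_login(parse_kv(LDAP_CFG, ":"), parse_kv(DAEMON, "="), user, ENTRY)

if __name__ == "__main__":
    print(check_thread_case() or "configuration consistent; suspect a product defect")
```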

Hajo Ehlers

Mar 24, 2010, 10:19:19 AM
It looks like you encountered:

IZ69977: LDAP USERS ARE UNABLE TO LOGIN 10/02/26 PTF PECHANGE

http://www-01.ibm.com/support/docview.wss?rs=1207&uid=isg1IZ69977

Efix available from
ftp://public.dhe.ibm.com/aix/efixes/iz69977/

hth
hajo

Bernd Nies

Mar 24, 2010, 10:32:34 AM
Hi Hajo,

Wow, thanks for that quick answer. You made my day! That was it. It
works now. While googling around I only found a fix for AIX 6.1:

http://www.ibm.com/developerworks/forums/thread.jspa?messageID=14430656

Best regards,
Bernd

Thomas Braunbeck

Mar 24, 2010, 6:29:03 PM
This got you IZ68635. Then go to www.ibm.com and search for IZ68635.
This gets you to the APAR:
<http://www-01.ibm.com/support/docview.wss?uid=isg1SSRVAIX61HIPER081503_587>

and this gets you all the APAR# for the other Release/TLs:
APAR is sysrouted TO one or more of the following:
IZ69910 IZ69937 IZ69939 IZ69977 IZ70047 IZ70051

Two links you should look at
http://www.ibm.com/support/subscriptions/us/
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
On the first you can set subscriptions. There was a notification
about this issue.
On the 2nd link you can view alerts. AIX 5.3, high impact and
in Feb 2010 you should find
<http://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoe?mode=7&heading=AIX53&path=/201002/HIPER/20100227/HIPER&label=High Impact/Highly Pervasive>

Bernd Nies

Mar 25, 2010, 3:08:47 AM
On 24 Mar., 23:29, Thomas Braunbeck <Thomas.Braunb...@t-online.de>
wrote:

> On 24.03.2010 15:32, Bernd Nies wrote:
> > Hi Hajo,
>
> > Wow, thanks for that quick answer. You made my day! That was it. It
> > works now. While googling around I only found a fix for AIX 6.1:
>
> >http://www.ibm.com/developerworks/forums/thread.jspa?messageID=14430656
>
> > Best regards,
> > Bernd
>
> This got you IZ68635. Then go to www.ibm.com and search for IZ68635.

> This gets you to the APAR:
> <http://www-01.ibm.com/support/docview.wss?uid=isg1SSRVAIX61HIPER08150...>

>
> and this gets you all the APAR# for the other Release/TLs:
> APAR is sysrouted TO one or more of the following:
> IZ69910 IZ69937 IZ69939 IZ69977 IZ70047 IZ70051
>
> Two links you should look at
> http://www.ibm.com/support/subscriptions/us/
> http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

> On the first you can set subscriptions. There was a notification
> about this issue.
> On the 2nd link you can view alerts. AIX 5.3, high impact and
> in Feb 2010 you should find
> <http://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoe?mode=...
> Impact/Highly Pervasive>

Thanks for those hints. I'm not so familiar with IBM AIX. We have only
two of these systems for development ... besides some hundred Solaris
and Linux boxes.

Best regards,
Bernd
