LDAP registry and getpw* failures



In trying to consolidate users across multiple machines and platforms, I have
set up an OpenLDAP server supporting Kerberos5 and Samba PDC/BDC.

LDAP and Kerberos auth are working fine on AIX, but I have several problems
unique to the AIX environment that are driving me nuts and preventing me
from rolling this out in production mode for AIX :(

I am using the stock AIX secldapclntd, but have also tried nss_ldap.

I am pulling common /etc/{passwd|group}, /etc/security/{user|group},
and /usr/lib/security/methods.cfg from a common source across all AIX
machines (5.1, 5.2, 5.3, and 6.1) - so there are no differences in those
files.

The getpw* calls are failing on all but one AIX system for any user.

/etc/security/user:
SYSTEM = "files or (KRB5A and AFS) or KRB5A"
registry = LDAP

telnet <host>
$ whoami
whoami: 0551-300 The user name is not recognized.
$ id
uid=2996 gid=3000
$ id coblcs
3004-820 User not found in /etc/passwd file
$ grep coblc /etc/passwd
coblcs:!:2996:3000::/autofs/cobpli/usr/coblcs:/bin/sh
$ setgroups
coblcs:
user groups = cobdev,ssh-user
process groups = cobdev,ssh-user

$ sudo id coblcs
uid=2996(coblcs) gid=3000(cobdev) groups=3999(ssh-user)

$ sudo lsuser coblcs
coblcs id=2996 pgrp=cobdev groups=cobdev,ssh-user
home=/autofs/cobpli/usr/coblcs shell=/bin/sh gecos=Download account
login=true su=true rlogin=true daemon=true admin=false sugroups=ALL
admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=77
registry=LDAP SYSTEM=files or (KRB5A and AFS) or KRB5A logintimes=
loginretries=5 pwdwarntime=14 account_locked=false minage=0 maxage=99999
maxexpired=-1 minalpha=1 minother=1 mindiff=1 maxrepeats=2 minlen=8
histexpire=0 histsize=4 pwdchecks= dictionlist= dce_export=false
fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536
nofiles=2000 roles=

Egads... it appears the following two conditions must be met for users to see
their own information (uid->name, pgrp/grp->names):
1) Information must be in *BOTH* LDAP and /etc/{passwd|group}
2) The user must be in the group security (ouch)!
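Added example, not part of the original post: a small parser for the AIX stanza format used by /etc/security/user, which resolves a user's effective attributes (own stanza over the `default` stanza) and flags the double-definition situation described above, where a user carries `registry = LDAP` yet also has a local /etc/passwd entry. The sample stanza file and passwd lines are constructed; the `default` stanza values are assumptions.

```python
"""Parse AIX stanza files (e.g. /etc/security/user) and resolve per-user attributes."""
import re
from typing import Dict, Optional

# Constructed sample in /etc/security/user format; the 'default' values are assumed.
SAMPLE_SECURITY_USER = """\
* comment lines in AIX stanza files start with an asterisk
default:
	admin = false
	login = true
	SYSTEM = "compat"
	registry = files

root:
	admin = true
	SYSTEM = "files"

coblcs:
	SYSTEM = "files or (KRB5A and AFS) or KRB5A"
	registry = LDAP
"""

STANZA_RE = re.compile(r"^(\S+):\s*$")           # e.g. "coblcs:"
ATTR_RE = re.compile(r"^\s+(\w+)\s*=\s*(.*?)\s*$")  # e.g. "\tregistry = LDAP"

def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza_name: {attr: value}}; surrounding double quotes are stripped."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):  # blank or comment
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[m.group(1)] = value
    return stanzas

def effective_attrs(stanzas: Dict[str, Dict[str, str]], user: str) -> Dict[str, str]:
    """The user's own stanza overrides the default stanza attribute by attribute."""
    merged = dict(stanzas.get("default", {}))
    merged.update(stanzas.get(user, {}))
    return merged

def registry_mismatch(attrs: Dict[str, str], passwd_text: str, user: str) -> bool:
    """True when the user is assigned a non-files registry but also exists in /etc/passwd."""
    local = any(l.split(":")[0] == user for l in passwd_text.splitlines() if l.strip())
    return attrs.get("registry", "files") != "files" and local
```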
