Users not authenticating via Kerberos on MS AD
Posted in Operating Systems / AIX by kah00na on Wednesday 8th of December 2010, 04:31:07 PM

I have an AD (Active Directory) user, "asdf", created and a matching local AIX user name. Using "kinit", I can successfully authenticate it against the MS AD, but when I try to log in via SSH with the same user name, it doesn't work. How can I get AIX to allow Kerberos authentication as a valid means of letting users on the box? It feels like I am one step away from getting this mess to work.
Code:
localhost:/(697)$ lsuser asdf
asdf registry=files SYSTEM=KRB5files
localhost:/(692)$ lsauthent
Kerberos 5
Standard Aix
localhost:/(693)$

In my debug syslogs, I see this:
Code:
Dec  8 15:15:55 localhost auth|security:info syslog: pts/2: failed login attempt for UNKNOWN_USER from remote_server

It is like AIX doesn't see the KRB5 users as valid user IDs.
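The "failed login attempt for UNKNOWN_USER" line is the kind of record a defender wants to pull out of the AIX syslog and count per source host, since a burst of UNKNOWN_USER failures from one host is either a name-resolution problem like the one described in this thread or someone guessing account names. The parser and summary below are an added example, not code from the post or from AIX; the log lines are constructed in the format shown above, and the threshold is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample lines in the AIX syslog layout quoted in the post (not real logs).
SAMPLE_LOG = """\
Dec  8 15:15:55 localhost auth|security:info syslog: pts/2: failed login attempt for UNKNOWN_USER from remote_server
Dec  8 15:16:01 localhost auth|security:info syslog: pts/2: failed login attempt for UNKNOWN_USER from remote_server
Dec  8 15:16:30 localhost auth|security:info syslog: pts/3: failed login attempt for asdf from workstation7
Dec  8 15:17:02 localhost auth|security:info syslog: pts/2: failed login attempt for UNKNOWN_USER from remote_server
Dec  8 15:18:10 localhost daemon:notice sshd[12345]: Accepted publickey for ops from 10.0.0.5 port 51234 ssh2
"""

# One failed-login record: timestamp, host, facility|priority, tty, user name, source host.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<fac>[\w|:]+) syslog: (?P<tty>\S+): failed login attempt for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_failed_logins(text):
    """Return one dict per 'failed login attempt' line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, threshold=3):
    """Count failures per (source, user) and flag sources at or over the threshold.

    UNKNOWN_USER is tallied separately: it means the login name was not resolved
    to an account on the box, which is the symptom the post describes, rather
    than a wrong password for a known account.
    """
    per_pair = Counter((e["src"], e["user"]) for e in events)
    per_src = Counter(e["src"] for e in events)
    unknown = Counter(e["src"] for e in events if e["user"] == "UNKNOWN_USER")
    flagged = sorted(src for src, n in per_src.items() if n >= threshold)
    return {
        "per_pair": dict(per_pair),
        "flagged_sources": flagged,
        "unknown_user_sources": dict(unknown),
    }


if __name__ == "__main__":
    print(summarize(parse_failed_logins(SAMPLE_LOG)))
```

On a real box the input would be the syslog file that the debug facility above writes to; the sshd line in the sample is there only to show that lines without the "failed login attempt" shape are ignored.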
 

kerberos(8krb)

Name
       kerberos - the kerberos daemon

Syntax
       /usr/etc/kerberos [ -p pause_seconds ] [ -a max_age ]
       [ -l log_file ] [ -r realm ] [ -s ] [ -n ] [ -m ]

Description
       The daemon is used by a Kerberos principal, X, to assist it in authenticating its identity to another Kerberos
       principal, Y.  In the ULTRIX environment, X would typically be an application running on one machine while Y would
       be an application running on another machine.  Because X and Y run on separate machines, the authentication of X by
       Y and of Y by X is not an easy task.  If they ran on a single machine, A, the authentication of X could be performed
       easily by Y: all Y need do is ask A for the user ID of X.  Since Y trusts the local machine, if the user ID of X is
       the user ID Y expects, then X must be X.

       If Y were to authenticate X when X runs on a different machine, B, using the same user ID method, then Y would be
       forced to trust machine B to provide a correct answer.  The security of this method breaks down as soon as any one
       machine that Y is willing to trust is subverted by a hostile user.  In addition, it breaks as soon as any machines
       that cannot be trusted by Y are allowed on the physical network to which A and B are connected.  Hostile users that
       have control over these rogue machines can force them to produce messages that look as though they come from
       machine B.

       The daemon serves as a single point of trust in a local area network (LAN).  The authentication of X to Y depends
       upon the trust that both X and Y have in the daemon.  X trusts the daemon to give Y only enough information to
       authenticate itself as Y to X, and Y trusts the daemon to give X only enough information to authenticate itself as X
       to Y.  Y no longer needs to trust B to authenticate X.

       If X were to authenticate itself to Y, X would first communicate with the daemon in order to obtain a ticket that
       would allow it to authenticate to Y.  The ticket can be defined as the data that X needs to authenticate itself to
       Y.  X passes the ticket to Y, along with other information, to authenticate itself to Y.  Y then has the ability to
       send a message back to X in order to authenticate its identity to X.
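The three-party exchange just described, written out as an added example so that each message and each trust decision is visible; it is not the ULTRIX daemon's code. The daemon holds every principal's key, X can read only the reply sealed under its own key, the ticket inside that reply is opaque to X and readable only by Y, and Y's final message proves to X that Y could open the ticket. The cipher is a stand-in built from the Python standard library (SHA-256 keystream plus HMAC-SHA256 tag); it is an assumption of this example, not the DES the daemon used, and the `forged_ticket` path is a constructed check that a host without Y's key cannot mint a ticket Y will accept.

```python
import hashlib
import hmac
import json
import os
import time

# Toy authenticated encryption from the standard library only. It stands in for the
# daemon's DES and is NOT a real Kerberos cipher: keystream = SHA-256(key||nonce||ctr),
# ciphertext = plaintext XOR keystream, tag = HMAC-SHA256(key, nonce||ciphertext).
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under key; returns nonce||ct||tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Check the tag, then decrypt; raises ValueError if blob was not sealed under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: not sealed under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KerberosDaemon:
    """Single point of trust: holds every principal's secret key (the Kerberos database)."""
    def __init__(self, database):
        self.database = database  # {principal: key}, all in one realm

    def issue_ticket(self, client, server, lifetime=300):
        """Reply to X: a session key plus a ticket X cannot read (sealed under Y's key)."""
        session, expires = os.urandom(32), int(time.time()) + lifetime
        ticket = seal(self.database[server],
                      {"client": client, "session": session.hex(), "expires": expires})
        return seal(self.database[client],
                    {"server": server, "session": session.hex(), "ticket": ticket.hex()})

def client_authenticate(client, client_key, reply, now):
    """X opens the reply with its own key and builds an authenticator under the session key."""
    msg = unseal(client_key, reply)
    session = bytes.fromhex(msg["session"])
    authenticator = seal(session, {"client": client, "ts": now})
    return session, bytes.fromhex(msg["ticket"]), authenticator

def server_verify(server_key, ticket, authenticator, now, skew=300):
    """Y opens the ticket with its key, checks the authenticator, and answers for mutual auth."""
    t = unseal(server_key, ticket)           # only a holder of Y's key can open the ticket
    if t["expires"] < now:
        raise ValueError("ticket expired")
    session = bytes.fromhex(t["session"])
    a = unseal(session, authenticator)       # proves the sender holds the session key
    if a["client"] != t["client"] or abs(a["ts"] - now) > skew:
        raise ValueError("authenticator does not match ticket or is outside clock skew")
    return t["client"], seal(session, {"ts": a["ts"] + 1})  # Y proves it could open the ticket

def client_verify_server(session, sent_ts, response):
    """X checks Y's answer: only something that read the ticket knows the session key."""
    return unseal(session, response)["ts"] == sent_ts + 1

def run_exchange(forged_ticket=False):
    """Full X -> daemon -> Y -> X exchange. With forged_ticket=True a host that does not
    hold Y's key seals its own ticket (constructed case), which Y rejects."""
    db = {"X": os.urandom(32), "Y": os.urandom(32)}
    daemon, now = KerberosDaemon(db), int(time.time())
    reply = daemon.issue_ticket("X", "Y")
    session, ticket, authenticator = client_authenticate("X", db["X"], reply, now)
    if forged_ticket:
        ticket = seal(os.urandom(32), {"client": "X", "session": session.hex(), "expires": now + 300})
    try:
        who, response = server_verify(db["Y"], ticket, authenticator, now)
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc)}
    return {"accepted": True, "client": who, "mutual": client_verify_server(session, now, response)}

if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(forged_ticket=True))
```

The expiry and clock-skew checks in `server_verify` are why the daemon's database age and the hosts' clocks matter operationally: a ticket or authenticator outside its window is refused even when every key is correct.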

       There is one master daemon per LAN.  The difference between a Kerberos master daemon and a Kerberos slave daemon is
       apparent in the way in which the Kerberos database on the machines on which they run is updated.  The Kerberos
       database stores information about Kerberos principals.  It stores, for instance, the Data Encryption Standard (DES)
       encryption key that is associated with each principal.

       There is only one Kerberos database per LAN to which updates to individual principal entries should be performed.
       This is the Kerberos master database.  The daemon that runs on the machine which stores the Kerberos master database
       is the master daemon.  All the other Kerberos databases in the LAN are periodically updated by and based upon the
       data stored in the Kerberos master database.  The machines that store this type of database run slave daemons.

       A realm is the common name given to a group of principals.  All principals stored in one Kerberos database belong to
       a single realm, and an individual daemon uses only one Kerberos database.  So, a daemon only allows one principal in
       the realm to authenticate another principal in the realm.  Inter-realm authentication is not supported in the ULTRIX
       version of Kerberos.

Options
       -p     Allows the user to select the number of seconds that the daemon will pause, pause_seconds, after it has
              encountered an unrecoverable error, and before it exits.  This time interval must be between five minutes
              (300) and one hour (3600).  If neither this option nor the -s option is used, the daemon will pause forever
              before exiting.

       -a     Allows the user to specify the age in seconds, max_age, above which the Kerberos database should be
              considered too old for a Kerberos slave server to use.  The daemon determines the age of the Kerberos
              database by comparing the last modification time of the file with the current time.  The file is modified
              every time the database is changed.  Since a Kerberos slave server receives its database in whole from the
              Kerberos master, this option specifies the maximum amount of time allowed between database transfers.  The
              time value must be between one hour (3600) and three days (259200).  If neither this option nor the -s
              option is used, the maximum age of the database is infinite.

       -l     Allows the user to select a different file, log_file, into which the daemon will place Kerberos log
              messages.  If neither this option nor the -s option is used, the log_file value is set to

       -r     Allows the user to change the name of the realm, realm, for which the daemon will serve information.  If no
              realm name is specified with the -r option, the daemon will serve the realm of which the local host is a
              member.

       -s     Allows the user to tell the daemon to use the default values for pause_seconds, max_age, and log_file of a
              slave server.  If max_age has not been set with the -a option, the max_age value is set to the slave server
              default of one day (86400).  If the pause_seconds value has not been set with the -p option, the
              pause_seconds value is set to the slave server default of 5 minutes (300).  If the log_file value has not
              been set with the -l option, the log_file value is set to the slave server default.  Use of the -s option
              is equivalent to using the following list of options with the daemon:
              -a 86400 -p 300 -l /var/dss/kerberos/log/kerberos_slave.log

       -n     Allows the user to tell the daemon that the maximum age of the Kerberos database should be infinite.  This
              option is only useful if the -s option has been selected by the user, but the maximum age of the database
              should not be equal to the slave default (300), but should be infinite.  This option also overrides the -a
              option.

       -m     Allows the user to run the daemon in manual mode.  This implies that the master key of the Kerberos database
              will be input from.  If this option is not used, the master key of the Kerberos database is read from the
              data file placed in the system.
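The precedence among -p, -a, -l, -s and -n, and the slave's "database too old" test, are easy to get wrong when reading the option list, so here they are as an added example in Python (not the daemon's own code). It applies the ranges and defaults exactly as stated above: -s fills in only the values -a, -p and -l did not set, -n forces an infinite maximum age and overrides -a, and the age of the database is current time minus the file's last modification time. The non-slave default for log_file is not given on this page, so the example leaves it unset; the realm default (the local host's realm) is likewise left unresolved.

```python
import argparse
import time

# Slave-server defaults, as the -s description lists them.
SLAVE_DEFAULTS = {
    "max_age": 86400,
    "pause_seconds": 300,
    "log_file": "/var/dss/kerberos/log/kerberos_slave.log",
}


class _Parser(argparse.ArgumentParser):
    """Raise instead of exiting the process on a bad option, so callers can handle it."""
    def error(self, message):
        raise ValueError(message)


def _ranged(lo, hi):
    """Integer converter enforcing the inclusive bounds the man page gives for -p and -a."""
    def convert(text):
        value = int(text)
        if not lo <= value <= hi:
            raise argparse.ArgumentTypeError(f"{value} is not between {lo} and {hi}")
        return value
    return convert


def resolve_options(argv):
    """Apply the daemon's option precedence.

    In the returned dict, max_age None means infinite, pause_seconds None means
    pause forever, log_file None means the non-slave default (not stated on the page),
    and realm None means the realm of which the local host is a member.
    """
    p = _Parser(prog="kerberos", add_help=False)
    p.add_argument("-p", dest="pause_seconds", type=_ranged(300, 3600))
    p.add_argument("-a", dest="max_age", type=_ranged(3600, 259200))
    p.add_argument("-l", dest="log_file")
    p.add_argument("-r", dest="realm")
    p.add_argument("-s", dest="slave", action="store_true")
    p.add_argument("-n", dest="infinite_age", action="store_true")
    p.add_argument("-m", dest="manual", action="store_true")
    ns = p.parse_args(argv)
    opts = {"pause_seconds": ns.pause_seconds, "max_age": ns.max_age,
            "log_file": ns.log_file, "realm": ns.realm, "manual": ns.manual}
    if ns.slave:  # -s supplies whatever -a, -p and -l did not set
        for key, default in SLAVE_DEFAULTS.items():
            if opts[key] is None:
                opts[key] = default
    if ns.infinite_age:  # -n overrides both an explicit -a and the -s default
        opts["max_age"] = None
    return opts


def database_too_old(db_mtime, max_age, now=None):
    """Slave-side staleness check: age is now minus the database file's modification time."""
    if max_age is None:  # infinite maximum age: never too old
        return False
    now = time.time() if now is None else now
    return (now - db_mtime) > max_age


if __name__ == "__main__":
    print(resolve_options(["-s"]))
    print(resolve_options(["-s", "-a", "7200", "-n"]))
```

In production the `db_mtime` argument would come from `os.stat()` on the database file; passing `now` explicitly keeps the check testable.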

See Also
       kdb_init(8krb), kdb_util(8krb), kdb_edit(8krb), kdb_destroy(8krb), kerberos(3krb), kprop(8krb), kpropd(8krb)
