Full Discussion: kinit auditing
UNIX for Advanced & Expert Users: Post 302559871 by jabberwocky on Wednesday 28th of September 2011 10:55:06 AM
kinit auditing

I have implemented Solaris login authenticating against an Active Directory server, using Solaris x86 on a Dell R810 with 8 Xeon CPUs and 262Gb RAM.

The actual OS is:
Code:
# uname -a
SunOS ms-svr012 5.10 Generic_142910-17 i86pc i386 i86pc
# cat /etc/release
                    Oracle Solaris 10 9/10 s10x_u9wos_14a X86
     Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
                            Assembled 11 August 2010
#

The steps in:

Solaris Authentication Login with Active Directory|Seeds of Genius

were followed successfully.

It was found that there wasn't a need to create home directories for the logons.

The point of validating non-software-owning users against Active Directory is to simplify audits.

This has led me to investigate how I can audit the actual users that can log in.

In order to be able to log on using the instructions I used, I need to use:
Code:
kinit <surnameinitial>@DOMAIN.CO.UK

before the user surnameinitial can log on.

Checking the man page for kinit, I can see that the kinit command produced a file:
Code:
/tmp/krbcc<uid>

where uid is specified in the Unix Attributes tab on the AD server.

This is a ticket stored in a file.

If I reboot the server, that will clear the contents of /tmp, so will I have to run the command:
Code:
kinit <surnameinitial>@DOMAIN.CO.UK

again to get the user to log in?

Until the point of reboot, can I use the /tmp/krbcc<uid> files as an audit of users that log in authenticating against AD?

The man page for kinit says that the tickets expire after a specified lifetime. Where is this lifetime defined?

Are the users that log in authenticating against AD held elsewhere in an auditable format?

Thanks,

Jay

Last edited by Scott; 09-28-2011 at 01:06 PM. Reason: Code tags, please...
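The post asks what the /tmp/krbcc<uid> file holds and where the ticket lifetime comes from; as an added example (not code from the post or from the linked guide), this reads the principal and the ticket start/end times out of a credential cache in the MIT krb5 FILE format, version 4, which is the layout kinit writes. The cache it parses is constructed inline; the principal smithj, the dummy session key and the 10-hour lifetime are assumptions, and DOMAIN.CO.UK is the placeholder realm from the post.

```python
import struct

# Added example, not from the post: a minimal reader for the MIT krb5 FILE
# credential cache (version 4), the format kinit writes to /tmp/krbcc<uid>. It
# pulls out the principal and ticket times, so the granted lifetime is visible.

class _Reader:
    def __init__(self, data): self.data, self.pos = data, 0
    def take(self, n): self.pos += n; return self.data[self.pos - n:self.pos]
    def u16(self): return struct.unpack('>H', self.take(2))[0]
    def u32(self): return struct.unpack('>I', self.take(4))[0]
    def blob(self): return self.take(self.u32())        # 4-byte big-endian length prefix
    def principal(self):
        self.u32()                                       # name type, not needed here
        count = self.u32()
        realm = self.blob().decode()
        return '/'.join(self.blob().decode() for _ in range(count)) + '@' + realm

def parse_ccache(data):
    r = _Reader(data)
    if r.take(2) != b'\x05\x04':
        raise ValueError('only FILE ccache version 4 is handled')
    r.take(r.u16())                                      # header block (e.g. KDC time offset)
    out = {'principal': r.principal(), 'creds': []}
    while r.pos < len(r.data):                           # one credential record per ticket
        client, server = r.principal(), r.principal()
        r.u16(); r.blob()                                # keyblock: enctype + session key
        authtime, start, end, renew_till = (r.u32() for _ in range(4))
        r.take(1); r.u32()                               # is_skey, ticket flags
        for _ in range(r.u32()): r.u16(); r.blob()       # addresses
        for _ in range(r.u32()): r.u16(); r.blob()       # authorization data
        r.blob(); r.blob()                               # ticket, second ticket
        out['creds'].append({'client': client, 'server': server, 'start': start,
                             'end': end, 'lifetime_h': (end - start) / 3600})
    return out

# Constructed sample cache with a dummy key and ticket so the parser runs offline.
def _blob(b): return struct.pack('>I', len(b)) + b
def _princ(name, realm):
    comps = name.split('/')
    return struct.pack('>II', 1, len(comps)) + _blob(realm.encode()) + b''.join(_blob(c.encode()) for c in comps)

def build_sample(client='smithj', realm='DOMAIN.CO.UK', start=1317210906, hours=10):
    end = start + hours * 3600
    cred = (_princ(client, realm) + _princ('krbtgt/' + realm, realm)
            + struct.pack('>H', 18) + _blob(bytes(32))                 # enctype 18, dummy key
            + struct.pack('>IIII', start, start, end, 0) + b'\0'       # times, is_skey
            + struct.pack('>III', 0x40e10000, 0, 0)                    # flags, no addrs/authdata
            + _blob(b'opaque ticket') + _blob(b''))
    return b'\x05\x04' + struct.pack('>H', 0) + _princ(client, realm) + cred
```

A cache file only records the ticket kinit most recently stored for that uid, and it is overwritten by the next kinit and lost when /tmp is cleared, so it shows who currently holds a ticket rather than a history of logins.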
 

KERBEROS(1)                 General Commands Manual                 KERBEROS(1)

NAME
       kerberos - introduction to the Kerberos system

DESCRIPTION
       The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use network utilities such as rlogin, rcp, and rsh without having to present passwords to remote hosts and without having to bother with .rhosts files. Note that these utilities will work without passwords only if the remote machines you deal with support the Kerberos system.

       If you enter your username and kinit responds with this message:

              kinit(v5): Client not found in Kerberos database while getting initial credentials

       you haven't been registered as a Kerberos user. See your system administrator.

       A Kerberos name usually contains three parts. The first is the primary, which is usually a user's or service's name. The second is the instance, which in the case of a user is usually null. Some users may have privileged instances, however, such as ``root'' or ``admin''. In the case of a service, the instance is the fully qualified name of the machine on which it runs; i.e. there can be an rlogin service running on the machine ABC, which is different from the rlogin service running on the machine XYZ. The third part of a Kerberos name is the realm. The realm corresponds to the Kerberos service providing authentication for the principal. When writing a Kerberos name, the principal name is separated from the instance (if not null) by a slash, and the realm (if not the local realm) follows, preceded by an ``@'' sign. The following are examples of valid Kerberos names:

              david
              jennifer/admin
              joeuser@BLEEP.COM
              cbrown/root@FUBAR.ORG

       When you authenticate yourself with Kerberos you get an initial Kerberos ticket. (A Kerberos ticket is an encrypted protocol message that provides authentication.) Kerberos uses this ticket for network utilities such as rlogin and rcp. The ticket transactions are done transparently, so you don't have to worry about their management.

       Note, however, that tickets expire. Privileged tickets, such as those with the instance ``root'', expire in a few minutes, while tickets that carry more ordinary privileges may be good for several hours or a day, depending on the installation's policy. If your login session extends beyond the time limit, you will have to re-authenticate yourself to Kerberos to get new tickets. Use the kinit command to re-authenticate yourself.

       If you use the kinit command to get your tickets, make sure you use the kdestroy command to destroy your tickets before you end your login session. You should put the kdestroy command in your .logout file so that your tickets will be destroyed automatically when you logout. For more information about the kinit and kdestroy commands, see the kinit(1) and kdestroy(1) manual pages.

       Kerberos tickets can be forwarded. In order to forward tickets, you must request forwardable tickets when you kinit. Once you have forwardable tickets, most Kerberos programs have a command line option to forward them to the remote host.

       Currently, Kerberos support is available for the following network services: rlogin, rsh, rcp, telnet, ftp, krdist (a Kerberized version of rdist), ksu (a Kerberized version of su), login, and Xdm.

SEE ALSO
       kdestroy(1), kinit(1), klist(1), kpasswd(1), rsh(1), rcp(1), rlogin(1), telnet(1), ftp(1), krdist(1), ksu(1), sclient(1), xdm(1), des_crypt(3), hash(3), krb5strings(3), krb5.conf(5), kdc.conf(5), kadmin(8), kadmind(8), kdb5_util(8), telnetd(8), ftpd(8), rdistd(8), sserver(8), klogind(8c), kshd(8c), login(8c)

BUGS

AUTHORS
       Steve Miller, MIT Project Athena/Digital Equipment Corporation
       Clifford Neuman, MIT Project Athena

HISTORY
       Kerberos was developed at MIT. OpenVision rewrote and donated the administration server, which is used in the current version of Kerberos 5.

RESTRICTIONS
       Copyright 1985,1986,1989-1996,2002 Massachusetts Institute of Technology

                                                                    KERBEROS(1)