Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Trouble with Kerberos/LDAP and AIX 6.1
Operating Systems AIX Trouble with Kerberos/LDAP and AIX 6.1 Post 302759083 by jgeiger on Monday 21st of January 2013 11:08:43 AM
Old 01-21-2013
IBM [Solved] Trouble with Kerberos/LDAP and AIX 6.1
The KRB5ALDAP compound load module is giving me fits. Everything looks like it should be working, but no.

Goal: Integrate AIX host with Active Directory using a KRB5ALDAP compound load module so that users can be created in AD and used in AIX, with unix attributes (registry values) being pulled from AD. Eliminate the need to manage user accounts on a per-server basis.

Issue: User attributes are visible with lsuser and returned with ldapsearch. Kerberos authentication shows successful at the domain controller, but a "permission denied" or "invalid login or password" message is displayed. Files can be chown-ed to the user accounts, but SU fails.

I attached a doc with the pertinent configs and troubleshooting steps. Since making that doc, I have also chased the enctype (switched to solely RC4) and the KVNO (tried 2, 3, 4). But no love.

Any help would be greatly appreciated.
AIX_KRB5ALDAP.txt (12.2 KB) 
 

10 More Discussions You Might Find Interesting

1. HP-UX

LDAP/Kerberos Issue

I am getting the following error message when trying to login to the client: while verifying tgt If I move the /etc/krb5.keytab out of /etc, it works fine. This is HP-UX v23 Does anyone have any ideas? (1 Reply)
Discussion started by: dhernand
1 Replies

2. AIX

ldap for aix

hello i look for a ldap for Aix, do know it ? thank you (0 Replies)
Discussion started by: pascalbout
0 Replies

3. UNIX for Advanced & Expert Users

ldap+samba+gdm trouble

I'm having troubles setting up a client(with Ubuntu 8.10) for a ldap+samba server. I can't authenticate through the client with gdm, the messages I have in /etc/auth.log at the client is Dec 4 14:21:56 myuser-mydesktop gdm: nss_ldap: failed to bind to LDAP server ldap://192.168.0.1: Invalid... (5 Replies)
Discussion started by: capibolso
5 Replies

4. AIX

Kerberos and LDAP Auth

Good day I am trying to configure Kerberos and LDAP authentication on AIX 5.3 with Windows 2003 R2 but something is not quite right. When I ran kinit username I get a ticket and I can display it using klist. When the user login I can see the ticket request on Windows 2003, but the user... (1 Reply)
Discussion started by: mariusb
1 Replies

5. UNIX for Advanced & Expert Users

Compiling Samba from Source on AIX, Active Directory, LDAP, Kerberos

Hello, I asked this question in the AIX subforum but never received an answer, probably because the AIX forum is not that heavily trafficked. Anyway, here it is.. I have never had any issues like this when compiling applications from source. When I try to compile samba-3.5.0pre2, configure runs... (9 Replies)
Discussion started by: raidzero
9 Replies

6. Solaris

LDAP Problem during Kerberos setting for Win server 03 Active Directory

Hi, FYI, I'm new in Solaris I'm trying to use Kerberos on authenticating LDAP Client with the Active Directory on Windows Server 2003 on both Solaris 10 5/08 and Solaris 10 9/10 by referring to the pdf file kerberos_s10.pdf available at sun official site. ... (0 Replies)
Discussion started by: chongzh
0 Replies

7. AIX

SSH and kerberos authentication problem AIX 5.3

I've configured an AIX 5.3 client to use our Windows AD for user authentication via Kerberos. When I try to ssh to the server using the AD credentials, I eventually get access but not after getting prompted for a password 3 times (which doesn't work) followed by an accepted login on the 4th... (3 Replies)
Discussion started by: jmroderick
3 Replies

8. AIX

AIX 5.2 ldap client AD

I have been able to configure on an AIX 5.2 ldap.cfg so service starts correctly. but when I try to log on with a windows user after entering the password login hangs and get no response. I have set it up on Aix 5.3 with no problem but in Aix 5.2 I have not been able to log in. ldap.cfg... (1 Reply)
Discussion started by: laxtnog
1 Replies

9. AIX

Samba 3.6.22 on AIX 7.1 with Windows AD (Kerberos and winbind)

Hi all, I have installed samba 3.6.22 on AIX 7.1 and join a windows AD with success. All seem to work fine, I have configured smb.conf, methods.cfg, kerberos, user .... the following command work fine wbinfo -u, wbinfo -g, wbinfo -i, wbinfo -s, wbinfo -S, lsuser, id... The unique... (20 Replies)
Discussion started by: PhilippeA
20 Replies

10. UNIX for Advanced & Expert Users

AD Group Policy Management and Kerberos / LDAP

Has anyone attempted to define GPO / HBAC policies in Windows Server 2012 that could be respected by Kerberos/LDAP on AIX? I'm looking to associate servers to groups so that when a user part of a group tries to login to a host not associated with that group, it would be denied. This would allow... (3 Replies)
Discussion started by: Devyn
3 Replies

LEARN ABOUT OPENSOLARIS

pam_krb5_migrate

pam_krb5_migrate(5)					Standards, Environments, and Macros				       pam_krb5_migrate(5)

NAME

       pam_krb5_migrate - authentication PAM module for the KerberosV5 auto-migration of users feature

SYNOPSIS

       /usr/lib/security/pam_krb5_migrate.so.1

DESCRIPTION

       The KerberosV5 auto-migrate service module for PAM provides functionality for the PAM authentication component. The service module helps in
       the automatic migration of PAM_USER to the client's local Kerberos realm, using PAM_AUTHTOK (the PAM authentication token  associated  with
       PAM_USER) as the new Kerberos principal's password.

   KerberosV5 Auto-migrate Authentication Module
       The  KerberosV5 auto-migrate authentication component provides the pam_sm_authenticate(3PAM) function to migrate a user who does not have a
       corresponding krb5 principal account to the default Kerberos realm of the client.

       pam_sm_authenticate(3PAM) uses a host-based client service principal, present in the local keytab (/etc/krb5/krb5.keytab)  to  authenticate
       to  kadmind(1M) (defaults to the host/nodename.fqdn service principal), for the principal creation operation. Also, for successful creation
       of the krb5 user principal account, the host-based client service principal being used needs to be assigned the	appropriate  privilege	on
       the  master  KDC's kadm5.acl(4) file. kadmind(1M) checks for the appropriate privilege and validates the user password using PAM by calling
       pam_authenticate(3PAM) and pam_acct_mgmt(3PAM) for the k5migrate service.

       If migration of the user to the KerberosV5 infrastructure is successful, the module will inform users about it by means of a  PAM_TEXT_INFO
       message, unless instructed otherwise by the presence of the quiet option.

       The  authentication  component  always returns PAM_IGNORE and is meant to be stacked in pam.conf with a requirement that it be listed below
       pam_authtok_get(5) in the authentication stack. Also, if pam_krb5_migrate is used in the authentication stack of a particular  service,	it
       is mandatory that pam_krb5(5) be listed in the PAM account stack of that service for proper operation (see EXAMPLES).

OPTIONS

       The following options can be passed to the KerberosV5 auto-migrate authentication module:

       debug

	   Provides syslog(3C) debugging information at LOG_DEBUG level.

       client_service=<service name>

	   Name  of  the service used to authenticate to kadmind(1M) defaults to host. This means that the module uses host/<nodename.fqdn> as its
	   client service principal name, KerberosV5 user principal creation operation or <service>/<nodename.fqdn> if this option is provided.

       quiet

	   Do not explain KerberosV5 migration to the user.

	   This has the same effect as passing the PAM_SILENT flag to pam_sm_authenticate(3PAM) and is useful  where  applications  cannot  handle
	   PAM_TEXT_INFO messages.

	   If  not  set,  the  authentication component will issue a PAM_TEXT_INFO message after creation of the Kerberos V5 principal, indicating
	   that it has done so.

       expire_pw

	   Causes the creation of KerberosV5 user principals with password expiration set to now (current time).

EXAMPLES

       Example 1 Sample Entries from pam.conf

       The following entries from pam.conf(4) demonstrate the use of the pam_krb5_migrate.so.1 module:

	 login	     auth requisite	     pam_authtok_get.so.1
	 login	     auth required	     pam_dhkeys.so.1
	 login	     auth required	     pam_unix_cred.so.1
	 login	     auth sufficient	     pam_krb5.so.1
	 login	     auth requisite	     pam_unix_auth.so.1
	 login	     auth optional	     pam_krb5_migrate.so.1 expire_pw
	 login	     auth required	     pam_dial_auth.so.1

	 other	 account requisite	 pam_roles.so.1
	 other	 account required	 pam_krb5.so.1
	 other	 account required	 pam_unix_account.so.1

       The pam_krb5_migrate module can generally be present on the authentication stack of any service where the application calls  pam_sm_authen-
       ticate(3PAM)  and  an authentication token (in the preceding example, the authentication token would be the user's Unix password) is avail-
       able for use as a Kerberos V5 password.

       Example 2 Sample Entries from kadm5.acl

       The following entries from kadm5.acl(4) permit or deny privileges to the host client service principal:

	 host/*@ACME.COM U root
	 host/*@ACME.COM ui *

       The preceding entries permit the pam_krb5_migrate add privilege to the host client service principal of any machine in  the  ACME.COM  Ker-
       berosV5 realm, but denies the add privilege to all host service principals for addition of the root user account.

       Example 3 Sample Entries in pam.conf of the Master KDC

       The  entries  below  enable  kadmind(1M)  on  the  master KDC to use the k5migrate PAM service in order to validate Unix user passwords for
       accounts that require migration to the Kerberos realm.

	 k5migrate	  auth	  required	  pam_unix_auth.so.1
	 k5migrate	  account required	  pam_unix_account.so.1

ATTRIBUTES

       See attributes(5) for a description of the following attribute:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Evolving			   |
       +-----------------------------+-----------------------------+

SEE ALSO

       kadmind(1M), syslog(3C), pam_authenticate(3PAM), pam_acct_mgmt(3PAM), pam_sm_authenticate(3PAM), kadm5.acl(4), pam.conf(4),  attributes(5),
       pam_authtok_get(5), pam_krb5(5)

SunOS 5.11							    Jul 29 2004 					       pam_krb5_migrate(5)
All times are GMT -4. The time now is 05:55 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy