I'm fairly new to UNIX-land, and one of my first assigned tasks was to try to set up Kerberos authentication on an unused partition. Hopefully everything makes sense, but please let me know if any clarification is needed with any of it.
AIX 7.1, and while I found various docs on the subject, a lot of them are different. That said, I've tried various methods without success. As it sits, the packages are installed, the krb5.conf file is populated with the usual info, the new keytab is merged with krb5.keytab, I've tried various enctypes (based on different docs) etc. When I do anything at all, the logs remain empty, although they exist.
When I try to generate a ticket, below is the result.
Code:
#/usr/krb5/bin/kinit PassLine@HDQ.123.COM
Password for PassLine@HDQ.123.COM:
root@ unused01 /etc
#/usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: PassLine@HDQ.123.COM
Valid starting Expires Service principal
10/21/13 11:21:52 10/21/13 21:22:10 krbtgt/HDQ.123.COM@HDQ.123.COM
Renew until 10/21/13 21:21:52
root@ unused01 /etc
#/usr/krb5/bin/kinit PassLine@LDAP.123.COM
Unable to obtain initial credentials.
Status 0x96c73adc - Cannot resolve network address for KDC in requested realm.
When I created a user and set authentication methods to KRB5files, I wasn't able to log in. The server is on ABC.123.com and it only seems to be able to hit HDQ.123.com (kinit fails against all domains except HDQ.) The AD admins asked me to use the LDAP.123.com alias.
I don't know if perhaps this is an issue with /etc/resolv.conf or if I have something outright wrong elsewhere.
Let me know what information is needed, and I'll provide it. I suppose I didn't want to clutter the OP with "unnecessary" config files and such, but will certainly post anything needed.
Hmm,
Since you are not using LDAP, I assume you need to modify as below
I had intregrated kerberos+LDAP (not a good combination) for one of my client back in 2011.
Code:
KRB5:
program = /usr/lib/security/KRB5
program_64 = /usr/lib/security/KRB5_64
options = is_kadmind_compat=no,authonly,tgt_verify=no --> make sure you add this
KRB5LDA:
options = auth=KRB5,db=BUILTIN
Have you checked the windows AD server (running kerberos) is behind the firewall?
Code:
telnet <AD server> 88, as kerberos service runs on port 88
I assume you have installed the below
Code:
# lslpp –L | grep krb5
krb5.client.rte 1.5.0.1 C F Network Authentication Service
krb5.client.samples 1.5.0.1 C F Network Authentication Service
krb5.lic 1.5.0.1 C F Network Authentication Service
Also, make sure you have the correct hostname
Code:
nslookup <AD server>
Ping it
Code:
ping <AD server>
Make sure you are changing setting correctly and restarting the service
Code:
like /etc/security/user, /etc/methods.cfg etcc.,
Look at the system log file, where it is blocking the connecting, we need to know whether your local AIX is connecting to your AD server for authentication.
Some times the problem could be on AD.
Can you paste what command you are using to configure kerberos?
Code:
like your "mkkrb5clnt" command
Code:
mkkrb5clnt -r <YOUR DOMAIN NAME> -c <your windows AD server> -s <your windows AD server> -d <your domain name> -D : note that after '-r' I have domain name in CAPS
Now run
Code:
/usr/krb5/bin/kinit <username>
followed by
Code:
/usr/krb5/bin/klist
, whats the output?
If you want to reinstall 'kerberos'
Code:
mkkrb5clnt -U, hit 'y' to unconfigure
Also, copy your /etc/security/user file for default stanza and your methods.cfg file
let me know once you are done with those.
Also, if you want to do it simple and straight, here is the IBM method of doing it.
If I just use kinit <username> (not against any server) I get different responses.
Code:
#/usr/krb5/bin/kinit PassLine
Unable to obtain initial credentials.
Status 0x96c73a44 - KRB5 error code 68.
(In that example, PassLine is a valid user within AD)
Code:
#/usr/krb5/bin/kinit testunix
Unable to obtain initial credentials.
Status 0x96c73a06 - Client not found in Network Authentication Service database or client locked out.
(In that example, testunix is a user created by the AD admin. The user is not locked out.)
---------------
I've reinstalled a few times, without change. I believe I've used that doc before, but maybe I'll wipe everything and try again.
I am installing Authen::Krb5::Easy and during make test I am getting the follwing error :
kinit not ok 2
error was: could not get initial credentials: Cannot contact any KDC for requested realm
we are stroring krb5.conf in diff location ( not in /etc/krb5.conf) , but, PERL is... (1 Reply)
Our Network Security folks have mandated that we "Kerberize" our systems to allow them to perform an authenticated scan. This consists of instructions to change /etc/pam.d/sshd from:
# sshd: auth account password session
auth optional pam_krb5.so use_kcminit
auth optional ... (0 Replies)
Hi,
I have a simple Apache setup that works fine when I create a keytab on a domain level authentication works fine. When I create a keytab at the forest level authentication does not work. I get the following error message. Does anyone know what I am doing wrong here? I validated there is the... (0 Replies)
@kah00na and all others,
i have done al steps of the HowTo "Authenticate AIX users from MSActive Directory", found in this forum, but it still does not work.
The test with kinit USERNAME works fine. But if i try to login i get the "UNKNOWN_USER" error in the debug.log.All steps to change... (11 Replies)
I am in the process of developing a application that needs to be able to authenticate users details with a kerberos server, which is proving to be rather difficult. There seems to be a lack of good information on how to do this using the MIT kerberos api.
Can anyone point me in the right... (0 Replies)
I was wondering if any of you have used NFS4 with KERBEROS in a HACMP setup and environment with more than 1 resourcegroup that has NFS mount in them.
I Configures the host keys for an Network File System (NFS) server I get stuck with the nfshostkey
I can only add one at a time per system so... (0 Replies)
I have 2 servers (lft1 and lft3) running AIX 5.3 ML 5. Both are installed with krb5.client.rte 1.4.0.4 and openssh.base.server 4.3.0.5300.
I have configured some of the users on both servers to authenticate against our Windows 2003 Active Directory. From my PC, I can use telnet to login... (1 Reply)
I have installed Kerberos security in my UNIX system but I need to disable because of an application conflict with Kerberos.
So Anybody ca tell me how can I disable it?
Thank you (1 Reply)