kinit auditing

# 1  
Old 09-28-2011
kinit auditing

I have implemented Solaris login authenticating against an Active Directory server, using Solaris x86 on a Dell R810 with 8x Xeon CPUs and 262Gb RAM.

The actual OS is:
Code:
# uname -a
SunOS ms-svr012 5.10 Generic_142910-17 i86pc i386 i86pc
# cat /etc/release
                    Oracle Solaris 10 9/10 s10x_u9wos_14a X86
     Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
                            Assembled 11 August 2010
#

The steps in:

Solaris Authentication Login with Active Directory|Seeds of Genius

were followed successfully.

It was found that there wasn't a need to create home directories for the logons.

The point of validating non-software owning users against Active Directory is to simplify audits.

This has led me to investigate how I can audit the actual users that can login.

In order to be able to logon using the instructions I used, I need to use:
Code:
kinit <surnameinitial>@DOMAIN.CO.UK

before the user surnameinitial can logon.

Checking man for kinit, I can see that the kinit command produced a file:
Code:
/tmp/krbcc<uid>

where uid is specified in the Unix Attributes tab on the AD server.

This is a ticket stored in a file.

If I reboot the server, that will clear the contents of /tmp, so will I have to run the command:
Code:
kinit <surnameinitial>@DOMAIN.CO.UK

again to get the user to login?

Until the point of reboot, can I use the /tmp/krbcc<uid> files as an audit of users that login authenticating against AD?

The man page for kinit says that the tickets expire after a specified lifetime. Where is this lifetime defined?

Are the users that login authenticating against AD held elsewhere in an auditable format?

Thanks,

Jay

# 2  
Old 09-28-2011
That is a ticket - it has a specified lifetime which you can configure in your krb5.conf file.
But it sounds like you need to play with Windows. See:

Kerberos Policy
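As an added illustration of the reply above (not code from the thread or from any of its posters): the client-side lifetime lives under [libdefaults] in krb5.conf, but the KDC (here the Windows domain controller, via its Kerberos Policy) clamps whatever the client asks for, so the effective lifetime is the smaller of the two. The krb5.conf text is constructed, the realm is the one from the thread, and the KDC maximum is assumed to be the Windows default of 10 hours.

```python
import re
from datetime import datetime, timedelta

# Constructed krb5.conf fragment for illustration; kdc host name is a placeholder.
KRB5_CONF = """
[libdefaults]
    default_realm = DOMAIN.CO.UK
    ticket_lifetime = 24h      # what the client requests from the KDC
    renew_lifetime = 7d

[realms]
    DOMAIN.CO.UK = {
        kdc = dc01.domain.co.uk
    }
"""

# MIT krb5 duration syntax: optional d/h/m parts, bare number = seconds.
_DUR = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s?)?$")

def krb5_duration_seconds(text):
    """Convert '10h', '1d12h', '36000' (seconds) to an integer number of seconds."""
    text = text.strip()
    m = _DUR.match(text)
    if not text or not m:
        raise ValueError("bad krb5 duration: %r" % text)
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def libdefaults(conf_text):
    """Minimal reader for the [libdefaults] section (key = value, '#' comments)."""
    section, out = None, {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            out[k] = v
    return out

KDC_MAX_TICKET = 10 * 3600  # assumed: Windows "Maximum lifetime for user ticket" default

def effective_lifetime(conf_text, kdc_max=KDC_MAX_TICKET):
    """Requested lifetime (MIT default 1d if unset) clamped by the KDC policy maximum."""
    requested = krb5_duration_seconds(libdefaults(conf_text).get("ticket_lifetime", "1d"))
    return min(requested, kdc_max)

def ticket_expiry(kinit_iso, conf_text, kdc_max=KDC_MAX_TICKET):
    """Expiry time of a TGT obtained by kinit at the given 'YYYY-MM-DD HH:MM:SS' time."""
    start = datetime.fromisoformat(kinit_iso)
    return (start + timedelta(seconds=effective_lifetime(conf_text, kdc_max))).isoformat(sep=" ")
```

Because the cache in /tmp is overwritten by each kinit and vanishes at reboot, its presence only shows that a ticket was requested at some point, not who logged in and when.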
# 3  
Old 10-21-2011
Windows based auditing

Jim,

Thanks for the feedback. At the moment we are in POC with LDAP, so by organising our AD users better and specifying named folders during the LDAP client install we effect the control that we need.

I'll close this thread now.

Jon