Home » Categories » AIX

Authenticate AIX using MS DC’s kerberos servers (Active Directory)

Article Number: 511 | Rating: Unrated | Last Updated: Thu, Feb 21, 2019 8:04 PM

In your environment, it’s critical for auditors to have only one centralized source of users/passwords. There are tons of ways AIX can do this. The way I use is using Windows active directory’s kerberos servers. Here’s what I do:

1- First, install kerberos5 from any source (DVD, NIM server or other. If remember well it’s on the expansion DVD for AIX):

1
2
3
4
5
6
7
# lslpp -l | grep krb5
krb5.client.rte           1.5.0.1 COMMITTED Network Authentication Service
krb5.client.samples       1.5.0.1 COMMITTED Network Authentication Service
krb5.doc.en_US.html       1.5.0.1 COMMITTED Network Auth Service HTML
krb5.doc.en_US.pdf         1.5.0.1 COMMITTED Network Auth Service PDF
krb5.msg.en_US.client.rte 1.5.0.1 COMMITTED Network Auth Service Client
krb5.client.rte           1.5.0.1 COMMITTED Network Authentication Service

2- Unconfigure any old kerberos configuration on your AIX.

1
2
3
4
5
6
# /usr/sbin/unconfig.krb5
 Warning: All configuration information will be removed.
 Do you wish to continue? [y/n]
  y
 Removing configuration...
 The command completed successfully

3- Let’s configure kerberos on our AIX:

1
2
3
4
5
6
7
8
9
10
11
# config.krb5 -C -r DOMAIN.NET -d domain.net -c dc0.domain.net -s dc0.domain.net
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
The command completed successfully.
 
WHERE:
-r realm = Windows 2003/2008 Active Directory server domain name
-d domain = Domain name of the machine hosting the Windows 2003/2008 Active Directory server
-c KDC = Host name of the Windows 2003/2008 server
-s server = Host name of the Windows 2003/2008 server

4- Edit manually  /etc/krb5/krb5.conf as shown below:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
[libdefaults]
        default_realm = DOMAIN.NET
        dns_lookup_kdc = false
        dns_lookup_realm = false
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = arcfour-hmac des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = arcfour-hmac des-cbc-md5 des-cbc-crc
[realms]    
        DOMAIN.NET = {
                kdc = domain.net:88
                admin_server = domain.net:749
                default_domain = domain.net
        }
[domain_realm]
        .DOMAIN.NET = DOMAIN.NET
        dc0.domain.net = DOMAIN.NET
        dc1.domain.net = DOMAIN.NET
        dc2.domain.net = DOMAIN.NET
        dc3.domain.net = DOMAIN.NET
        dc4.domain.net = DOMAIN.NET
[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log

5- Change /usr/lib/security/methods.cfg depending of version of AIX (5.3, 6.1 or 7.1) you have:

If AIX5.3 add:

1
2
3
4
5
KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly,tgt_verify=no
KRB5Afiles:
      options = db=BUILTIN,auth=KRB5A

at the end of the file /usr/lib/security/methods.cfg

If AIX6.1 add:

1
2
3
4
5
6
KRB5A:
       program = /usr/lib/security/KRB5A
       program_64 = /usr/lib/security/KRB5A_64
       options = authonly,tgt_verify=no, kadmind=no,is_kadmind_compat=no
KRB5Afiles:
     options = db=BUILTIN,auth=KRB5A

at the end of the file /usr/lib/security/methods.cfg

If AIX6.1 add:

1
2
3
4
5
6
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,tgt_verify=no, kadmind=no,is_kadmind_compat=no
KRB5Afiles:
        options = db=BUILTIN,auth=KRB5

at the end of the file /usr/lib/security/methods.cfg

6- Verify if kerberos authentication is working properly:

1
2
# /usr/krb5/bin/kinit userKERBEROS
Password for userKERBEROS@DOMAIN.NET:

Validate if the kerberos ticket was loaded correctly using command klist:

1
2
3
4
5
6
7
#/usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  userKERBEROS@DOMAIN.NET
 
Valid starting     Expires            Service principal
10/29/14 12:15:58  10/30/14 08:16:05  krbtgt/DOMAIN.NET@DOMAIN.NET
        Renew until 10/30/14 12:15:58

7- Change attributes registry and SYSTEM of the user who wants to log using kerberos:

1
2
# lsuser userKERBEROS
userKERBEROS id=210 pgrp=system groups=system home=/home/userKERBEROS shell=/usr/bin/ksh auditclasses=general,objects,cron,files,rbac,audit,lvm,aixpert,tcpwrapper,src,setuid,smit,sshd login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=77 registry=KRB5Afiles SYSTEM=KRB5Afiles logintimes= loginretries=3 pwdwarntime=5 account_locked=false minage=1 maxage=13 maxexpired=2 minalpha=2 minloweralpha=0 minupperalpha=0 minother=2 mindigit=0 minspecialchar=0 mindiff=4 maxrepeats=2 minlen=8 histexpire=13 histsize=20 pwdchecks= dictionlist= default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_login=1414581349 time_last_unsuccessful_login=1413535346 tty_last_login=ssh tty_last_unsuccessful_login=ssh host_last_login=172.41.10.50 host_last_unsuccessful_login=172.41.10.50 unsuccessful_login_count=0 roles=

Just thanks if the post was helpful
Posted - Thu, Feb 21, 2019 8:04 PM. This article has been viewed 2148 times.
Filed Under: AIX
0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Script to download TL and SP for AIX using NIM and SUMA
Viewed 9109 times since Thu, Feb 21, 2019
Online Backups and Recovery in a Snap AIX
Viewed 5063 times since Wed, May 30, 2018
AIX, Red Hat, Security, System Admin↑ System-wide separated shell history files for each user and session
Viewed 2213 times since Fri, Apr 19, 2019
Setting new device attributes with chdef
Viewed 2188 times since Mon, Jun 3, 2019
LVM: Extend an existing Volume Group by adding a new disk
Viewed 5554 times since Sat, Jun 2, 2018
Using Shell Redirection: All About the Here-Doc
Viewed 10244 times since Wed, May 30, 2018
AIX lspath Missing path
Viewed 9750 times since Fri, Oct 5, 2018
Part 2, Monitoring memory usage (ps, sar, svmon, vmstat) and analyzing the results AIX7
Viewed 12586 times since Wed, Jun 19, 2019
A Unix Utility You Should Know About: lsof
Viewed 1913 times since Tue, Apr 16, 2019
List STALE partitions across Volume Groups for each Logical Volume in AIX
Viewed 2490 times since Tue, Jul 17, 2018