Authenticate AIX using MS DC’s kerberos servers (Active Directory)

In your environment, it’s critical for auditors to have only one centralized source of users/passwords. There are tons of ways AIX can do this. The way I use is using Windows active directory’s kerberos servers. Here’s what I do:

1- First, install kerberos5 from any source (DVD, NIM server or other. If remember well it’s on the expansion DVD for AIX):

1
2
3
4
5
6
7
# lslpp -l | grep krb5
krb5.client.rte           1.5.0.1 COMMITTED Network Authentication Service
krb5.client.samples       1.5.0.1 COMMITTED Network Authentication Service
krb5.doc.en_US.html       1.5.0.1 COMMITTED Network Auth Service HTML
krb5.doc.en_US.pdf         1.5.0.1 COMMITTED Network Auth Service PDF
krb5.msg.en_US.client.rte 1.5.0.1 COMMITTED Network Auth Service Client
krb5.client.rte           1.5.0.1 COMMITTED Network Authentication Service

2- Unconfigure any old kerberos configuration on your AIX.

1
2
3
4
5
6
# /usr/sbin/unconfig.krb5
 Warning: All configuration information will be removed.
 Do you wish to continue? [y/n]
  y
 Removing configuration...
 The command completed successfully

3- Let’s configure kerberos on our AIX:

1
2
3
4
5
6
7
8
9
10
11
# config.krb5 -C -r DOMAIN.NET -d domain.net -c dc0.domain.net -s dc0.domain.net
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
The command completed successfully.
 
WHERE:
-r realm = Windows 2003/2008 Active Directory server domain name
-d domain = Domain name of the machine hosting the Windows 2003/2008 Active Directory server
-c KDC = Host name of the Windows 2003/2008 server
-s server = Host name of the Windows 2003/2008 server

4- Edit manually  /etc/krb5/krb5.conf as shown below:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
[libdefaults]
        default_realm = DOMAIN.NET
        dns_lookup_kdc = false
        dns_lookup_realm = false
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = arcfour-hmac des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = arcfour-hmac des-cbc-md5 des-cbc-crc
[realms]    
        DOMAIN.NET = {
                kdc = domain.net:88
                admin_server = domain.net:749
                default_domain = domain.net
        }
[domain_realm]
        .DOMAIN.NET = DOMAIN.NET
        dc0.domain.net = DOMAIN.NET
        dc1.domain.net = DOMAIN.NET
        dc2.domain.net = DOMAIN.NET
        dc3.domain.net = DOMAIN.NET
        dc4.domain.net = DOMAIN.NET
[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log

5- Change /usr/lib/security/methods.cfg depending of version of AIX (5.3, 6.1 or 7.1) you have:

If AIX5.3 add:

1
2
3
4
5
KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly,tgt_verify=no
KRB5Afiles:
      options = db=BUILTIN,auth=KRB5A

at the end of the file /usr/lib/security/methods.cfg

If AIX6.1 add:

1
2
3
4
5
6
KRB5A:
       program = /usr/lib/security/KRB5A
       program_64 = /usr/lib/security/KRB5A_64
       options = authonly,tgt_verify=no, kadmind=no,is_kadmind_compat=no
KRB5Afiles:
     options = db=BUILTIN,auth=KRB5A

at the end of the file /usr/lib/security/methods.cfg

If AIX6.1 add:

1
2
3
4
5
6
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,tgt_verify=no, kadmind=no,is_kadmind_compat=no
KRB5Afiles:
        options = db=BUILTIN,auth=KRB5

at the end of the file /usr/lib/security/methods.cfg

6- Verify if kerberos authentication is working properly:

1
2
# /usr/krb5/bin/kinit userKERBEROS
Password for userKERBEROS@DOMAIN.NET:

Validate if the kerberos ticket was loaded correctly using command klist:

1
2
3
4
5
6
7
#/usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  userKERBEROS@DOMAIN.NET
 
Valid starting     Expires            Service principal
10/29/14 12:15:58  10/30/14 08:16:05  krbtgt/DOMAIN.NET@DOMAIN.NET
        Renew until 10/30/14 12:15:58

7- Change attributes registry and SYSTEM of the user who wants to log using kerberos:

1
2
# lsuser userKERBEROS
userKERBEROS id=210 pgrp=system groups=system home=/home/userKERBEROS shell=/usr/bin/ksh auditclasses=general,objects,cron,files,rbac,audit,lvm,aixpert,tcpwrapper,src,setuid,smit,sshd login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=77 registry=KRB5Afiles SYSTEM=KRB5Afiles logintimes= loginretries=3 pwdwarntime=5 account_locked=false minage=1 maxage=13 maxexpired=2 minalpha=2 minloweralpha=0 minupperalpha=0 minother=2 mindigit=0 minspecialchar=0 mindiff=4 maxrepeats=2 minlen=8 histexpire=13 histsize=20 pwdchecks= dictionlist= default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_login=1414581349 time_last_unsuccessful_login=1413535346 tty_last_login=ssh tty_last_unsuccessful_login=ssh host_last_login=172.41.10.50 host_last_unsuccessful_login=172.41.10.50 unsuccessful_login_count=0 roles=

Just thanks if the post was helpful

0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
How to Maintain a Virtual I/O Server With FBO Part II
Viewed 10452 times since Wed, Jun 5, 2019
Control Your Logs AIX
Viewed 18677 times since Wed, May 30, 2018
IVM and VLAN Tagging
Viewed 10109 times since Mon, May 28, 2018
HOWTO: Copy a filesystem on AIX
Viewed 2275 times since Mon, May 28, 2018
Online Backups and Recovery in a Snap AIX
Viewed 4733 times since Wed, May 30, 2018
Mount CD/DVD & ISO image in AIX 6.1
Viewed 3810 times since Tue, Jul 17, 2018
To do a quick check on the number of path present (does not mean all are Enabled] using for loop
Viewed 3586 times since Fri, Jun 8, 2018
Configure log file for cron daemon on AIX
Viewed 10245 times since Thu, Feb 21, 2019
Rootvg Mirroring in AIX
Viewed 2440 times since Mon, May 21, 2018
AIX Errpt - Diag - Alog
Viewed 3358 times since Wed, Mar 20, 2019