Authenticate AIX using MS DC’s kerberos servers (Active Directory)

In your environment, it’s critical for auditors to have only one centralized source of users/passwords. There are tons of ways AIX can do this. The way I use is using Windows active directory’s kerberos servers. Here’s what I do:

1- First, install kerberos5 from any source (DVD, NIM server or other. If remember well it’s on the expansion DVD for AIX):

1
2
3
4
5
6
7
# lslpp -l | grep krb5
krb5.client.rte           1.5.0.1 COMMITTED Network Authentication Service
krb5.client.samples       1.5.0.1 COMMITTED Network Authentication Service
krb5.doc.en_US.html       1.5.0.1 COMMITTED Network Auth Service HTML
krb5.doc.en_US.pdf         1.5.0.1 COMMITTED Network Auth Service PDF
krb5.msg.en_US.client.rte 1.5.0.1 COMMITTED Network Auth Service Client
krb5.client.rte           1.5.0.1 COMMITTED Network Authentication Service

2- Unconfigure any old kerberos configuration on your AIX.

1
2
3
4
5
6
# /usr/sbin/unconfig.krb5
 Warning: All configuration information will be removed.
 Do you wish to continue? [y/n]
  y
 Removing configuration...
 The command completed successfully

3- Let’s configure kerberos on our AIX:

1
2
3
4
5
6
7
8
9
10
11
# config.krb5 -C -r DOMAIN.NET -d domain.net -c dc0.domain.net -s dc0.domain.net
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
The command completed successfully.
 
WHERE:
-r realm = Windows 2003/2008 Active Directory server domain name
-d domain = Domain name of the machine hosting the Windows 2003/2008 Active Directory server
-c KDC = Host name of the Windows 2003/2008 server
-s server = Host name of the Windows 2003/2008 server

4- Edit manually  /etc/krb5/krb5.conf as shown below:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
[libdefaults]
        default_realm = DOMAIN.NET
        dns_lookup_kdc = false
        dns_lookup_realm = false
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = arcfour-hmac des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = arcfour-hmac des-cbc-md5 des-cbc-crc
[realms]    
        DOMAIN.NET = {
                kdc = domain.net:88
                admin_server = domain.net:749
                default_domain = domain.net
        }
[domain_realm]
        .DOMAIN.NET = DOMAIN.NET
        dc0.domain.net = DOMAIN.NET
        dc1.domain.net = DOMAIN.NET
        dc2.domain.net = DOMAIN.NET
        dc3.domain.net = DOMAIN.NET
        dc4.domain.net = DOMAIN.NET
[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log

5- Change /usr/lib/security/methods.cfg depending of version of AIX (5.3, 6.1 or 7.1) you have:

If AIX5.3 add:

1
2
3
4
5
KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly,tgt_verify=no
KRB5Afiles:
      options = db=BUILTIN,auth=KRB5A

at the end of the file /usr/lib/security/methods.cfg

If AIX6.1 add:

1
2
3
4
5
6
KRB5A:
       program = /usr/lib/security/KRB5A
       program_64 = /usr/lib/security/KRB5A_64
       options = authonly,tgt_verify=no, kadmind=no,is_kadmind_compat=no
KRB5Afiles:
     options = db=BUILTIN,auth=KRB5A

at the end of the file /usr/lib/security/methods.cfg

If AIX6.1 add:

1
2
3
4
5
6
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,tgt_verify=no, kadmind=no,is_kadmind_compat=no
KRB5Afiles:
        options = db=BUILTIN,auth=KRB5

at the end of the file /usr/lib/security/methods.cfg

6- Verify if kerberos authentication is working properly:

1
2
# /usr/krb5/bin/kinit userKERBEROS
Password for userKERBEROS@DOMAIN.NET:

Validate if the kerberos ticket was loaded correctly using command klist:

1
2
3
4
5
6
7
#/usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  userKERBEROS@DOMAIN.NET
 
Valid starting     Expires            Service principal
10/29/14 12:15:58  10/30/14 08:16:05  krbtgt/DOMAIN.NET@DOMAIN.NET
        Renew until 10/30/14 12:15:58

7- Change attributes registry and SYSTEM of the user who wants to log using kerberos:

1
2
# lsuser userKERBEROS
userKERBEROS id=210 pgrp=system groups=system home=/home/userKERBEROS shell=/usr/bin/ksh auditclasses=general,objects,cron,files,rbac,audit,lvm,aixpert,tcpwrapper,src,setuid,smit,sshd login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=77 registry=KRB5Afiles SYSTEM=KRB5Afiles logintimes= loginretries=3 pwdwarntime=5 account_locked=false minage=1 maxage=13 maxexpired=2 minalpha=2 minloweralpha=0 minupperalpha=0 minother=2 mindigit=0 minspecialchar=0 mindiff=4 maxrepeats=2 minlen=8 histexpire=13 histsize=20 pwdchecks= dictionlist= default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_login=1414581349 time_last_unsuccessful_login=1413535346 tty_last_login=ssh tty_last_unsuccessful_login=ssh host_last_login=172.41.10.50 host_last_unsuccessful_login=172.41.10.50 unsuccessful_login_count=0 roles=

Just thanks if the post was helpful

0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Epoch & Unix Timestamp Conversion Tools
Viewed 62782 times since Fri, Jun 22, 2018
0516-404 allocpThis system cannot fulfill the allocation
Viewed 10154 times since Thu, Sep 20, 2018
0516-787 extendlv: Maximum allocation for logical volume error
Viewed 9069 times since Tue, Mar 12, 2019
Oslevel shows wrong AIX’s level. Why
Viewed 4835 times since Thu, Feb 21, 2019
LVM: Display basic information about Physical Volumes, Volume Groups and Logical Volumes
Viewed 3010 times since Sun, Jun 3, 2018
Getting list users and groups in AIX
Viewed 3777 times since Mon, May 28, 2018
AIX Net How to check VLAN ID number on AIX?
Viewed 15887 times since Thu, Nov 29, 2018
Unlock User ID in IBM AIX
Viewed 15361 times since Mon, May 28, 2018
n a perfect world....rootvg would always reside on hdisk0
Viewed 2363 times since Thu, Jun 6, 2019
Setup private yum repository for AIX clients
Viewed 11301 times since Thu, Feb 21, 2019