version 1.0.0, 2013-10-15 : Initial revision
Kerberos authentication configuration for AIX servers
This document describes how to configure Kerberos authentication on AIX 5.3, 6.1 and 7.1 working with Windows 2008 R2 Active Directory servers.1. Introduction
This document explains how to configure the authentication (for locally defined users) through an Active Directory 2008 R2 using Kerberos on AIX 5.3 and 7.1.
It is explained for the MyDomain.MyForest environment but is easily transposable to any other domains of the MyForest Active Directory forest.
kinit <user.name>
can become
kinit joseph.herlant
in some environements. 2. Procedure
2.1. Preparing environment
Install Kerberos filesets (aka NAS software). On AIX 5.3 as well as on AIX 7.1
there are 3 filesets to install: the client (krb5.client.rte
), the localized
(english here) messages (krb5.msg.en_US.client.rte
) and the license (krb5.lic
).
# Install filesets from NIM using the commands bellow /usr/sbin/nim -o allocate -a lpp_source='<LPPSOURCE_CONTAINING_FILESETS>' <SERVER_NAME> /usr/sbin/nim -o cust -a installp_flags='-acgXNY' -a filesets='krb5.client.rte krb5.lic krb5.msg.en_US.client.rte' <SERVER_NAME> /usr/sbin/nim -o deallocate -a lpp_source='<LPPSOURCE_CONTAINING_FILESETS>' <SERVER_NAME> # or use smit and install these packages: # Alternatively you can use this command on a server # where the installation packages are available in/mnt" installp -ac -SvYXgd /mnt krb5.client.rte krb5.msg.en_US.client.rte krb5.lic
Check if the installation is successfull using installp -s all
(to check
all packages applied but not commited) and lslpp -l krb5*
(to check whether
the package is installed or not. Correct output example:
# installp -s all installp: No filesets were found in the Software Vital Product Database in the APPLIED state. # lslpp -l krb5* Fileset Level State Description ---------------------------------------------------------------------------- Path: /usr/lib/objrepos krb5.client.rte 1.5.0.2 COMMITTED Network Authentication Service Client krb5.lic 1.5.0.2 COMMITTED Network Authentication Service License krb5.msg.en_US.client.rte 1.5.0.2 COMMITTED Network Auth Service Client Msgs - U.S. English Path: /etc/objrepos krb5.client.rte 1.5.0.2 COMMITTED Network Authentication Service Client
Add Kerberos binaries to the PATH variable and in /etc/environment:
# In current environment export PATH=$PATH:/usr/krb5/bin:/usr/krb5/sbin # And for further configuration, add those to the PATH declaration in /etc/environment. # The lines bellow can do it for you automatically: cp /etc/environment /etc/environment.bak awk '{ if($1 ~ /^PATH=.*/ && $0 !~ /.*:\/usr\/krb5\/bin.*/) {printf("%s:/usr/krb5/bin:/usr/krb5/sbin\n",$0);} else { print $0;} }' /etc/environment.bak > /etc/environment
Change max_logname for login length:
chdev -l sys0 -a max_logname=64 # Requires a restart shutdown -Fr
2.2. Configuring Kerberos
Generate Kerberos client configuration files using the config.krb5
as
following. Here we choose to have the realm name the same name as the domain.
But notice that the realm name MUST be UPPER CASE!
Generally speaking, the kdc is on the active directory server, but that is not
mandatory.
# The value of the "-r" argument must be written in UPPER CASE! config.krb5 -C -r MYDOMAIN.MYFOREST -d mydomain.myforest -s my_active_directory_server_name -c my_kdc_server_name
Adapt kerberos configuration files "/etc/krb5/krb5.conf" to change the
default_tkt_enctypes
and default_tgs_enctypes
to match the windows 2008 R2
Kerberos supported encrption types (cf.
http://technet.microsoft.com/en-us/library/dd560670%28v=WS.10%29.aspx).
This would determine which algorithm to use when exchaning informations with the
Active Directory. By default, AES256 is available on Active Directory 2008 R2,
so this configuration will use it to encrypt the communication channel.
It should look like this (Be careful to the order, it determines which algorithm is used first. It MUST be THIS ordering):
default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac
For AIX 7.1 and AIX 6.1 (not tested for 6.1), add the following block to the "/etc/methods.cfg" file:
KRB5: program = /usr/lib/security/KRB5 program_64 = /usr/lib/security/KRB5_64 options = authonly,tgt_verify=no,is_kadmind_compat=no KRB5files: options = db=BUILTIN,auth=KRB5
For AIX 5.3, add the following block to the "/usr/lib/security/methods.cfg" file:
KRB5: program = /usr/lib/security/KRB5A options = tgt_verify=no KRB5files: options = db=BUILTIN,auth=KRB5
Setup "Kerberos 5" as a valid authentication type for AIX to use:
# lsauthent Standard Aix # chauthent -k5 -std # lsauthent Kerberos 5 Standard Aix
3. Adapt the environment
3.1. Enable AD users to connect to the server
To enable Active directory users to log to the server, you should create a local account by doing the following.
Create a user locally with a login name that exists on the Active Directory (and that will be able to connect to the server in the future) using the following command (you should have a matrix of corresponding AD users and local userid):
mkuser registry=KRB5files SYSTEM=KRB5files id=<user_id> <user.name>
Test an SSH connection on the lookup adress (to avoid any other network issue):
ssh 127.0.0.1 -l <user.name>
kinit
locally on the target
server to check if the user can be authenticated against the Kerberos server
(i.e: kinit <user.name>
). 3.2. Integration of existing local users
To change the authentication parameters for your local users to use KRB5files (Kerberos):
chuser registry=KRB5files SYSTEM=KRB5files <user.name>
3.3. Mapping a local login to a different AD login
First of all, add the kerberos authentication mode to the user using
chuser registry=KRB5files SYSTEM=KRB5files <user.name>
command explained
in the previous step.
It is possible to map a local login with an Active Directory account that
is using another login name. For this, use the auth_name
attribute of
the local user like this :
chuser auth_name=<active.directory.login> <local.user.name>
For example, to map the "joseph" local user to the remote "joseph.herlant" user,
use the following (after the execution of the chuser registry=KRB5files
SYSTEM=KRB5files <user.name>
command explained in the previous step) :
chuser auth_name=joseph.herlant joseph
4. Cross domains authentication
The following procedure explains the integration of MySecondDomain.MyForest user authentication in an environment where MyDomain.MyForest is the default authentication domain.
In the /etc/methods file, verify that the "tgl_verify=no" option is set:
KRB5: program = /usr/lib/security/KRB5 program_64 = /usr/lib/security/KRB5_64 options = authonly,tgt_verify=no,is_kadmind_compat=no KRB5files: options = db=BUILTIN,auth=KRB5
Then add the "dns_lookup_kdc = true" and "dns_lookup_realm = false" lines to the libdefaults stanza of the "/etc/krb5/krb5.conf" file and add your new realm and domain realms as follow (the following is to enable MySecondDomain domain users for a server configured for MyDomain):
[libdefaults] default_realm = MYDOMAIN.MYFOREST default_keytab_name = FILE:/etc/krb5/krb5.keytab default_tkt_enctypes = arcfour-hmac aes256-cts aes128-cts default_tgs_enctypes = arcfour-hmac aes256-cts aes128-cts dns_lookup_kdc = true dns_lookup_realm = false [realms] MYDOMAIN.MYFOREST = { kdc = <my_kdc_server_name>:88 admin_server = <my_active_directory_server>:749 default_domain = <MyDomain> } MYSECONDDOMAIN.MYFOREST = { kdc = <my_kdc_for_mySecodaryDomain>:88 admin_server = <my_ad_server>:749 default_domain = <mySecondDomain> } [domain_realm] .mydomain.myforest = MYDOMAIN.MYFOREST mydomain.myforest = MYDOMAIN.MYFOREST .myseconddomain.myforest = MYSECONDDOMAIN.MYFOREST myseconddomain.myforest = MYSECONDDOMAIN.MYFOREST [logging] kdc = FILE:/var/krb5/log/krb5kdc.log admin_server = FILE:/var/krb5/log/kadmin.log kadmin_local = FILE:/var/krb5/log/kadmin_local.log default = FILE:/var/krb5/log/krb5lib.log
Then change the auth_name
and auth_domain
attribute to match the realm corresponding to you. For example:
chuser auth_domain=MYSECONDDOMAIN.MYFOREST auth_name=<active.directory.login> <local.user.name>