
@jeffgeiger
Last active May 18, 2017 09:59
Rough outline of how I set up Kerberos and LDAP integration between Active Directory and IBM AIX using the KRB5LDAP load module.
Environment:
Tested with AIX 6.1 TL 8 (6100-08-00-0000) and TL 6 (6100-06-01-1043) with Active Directory on 2008R2 domain controllers at the 2003 functional level.
Prerequisites:
DNS: A and PTR records for AIX host in Windows DNS server.
AD: Computer object matching AIX hostname in Active Directory.
AD: A target OU that will contain AIX objects.
AD: At least one “Unix enabled” user in the target OU. (Separate document)
AD: A service account user that will be used for LDAP binds to AD.
AIX: Ensure that the `hostname` command returns the FQDN of the AIX server.
(The /etc/hosts entry for the host should be {ip} {FQDN} {short host}, in that order.)
AIX: Ensure that the AIX server is using the domain controllers as DNS servers. (ONLY domain controllers.)
AIX: Configure NTP (/etc/ntp.conf) so the server clock does not drift. Kerberos rejects requests once the clock skew exceeds 5 minutes (the default maximum), so drift shows up as login failures.
Setup:
Servers-
Domain Controller: pdc1.test.local 10.10.0.5
AIX Server: aix1.test.local 10.20.0.20
OU-
OU=AIX,DC=TEST,DC=LOCAL
Account-
Service Account: aixservice CN=AIX Service,OU=Service Accounts,DC=TEST,DC=LOCAL
AD Unix User: aixtest CN=AIX Test,OU=AIX,DC=TEST,DC=LOCAL
Group-
Group: AIXUsers CN=AIXUsers,OU=AIX,DC=TEST,DC=LOCAL
# Notes on AD:
# Group:
AD Attribute    Unix usage
============    ==========
cn              group name (not changed)
gidNumber       gid
memberUid       login name (the uid attribute) of each member user
# You can generate a sorted list of local gid's with:
lsgroup -a id ALL | awk '{print $2}' | sed 's/id=//g' | sort -n
# User(s):
AD Attribute       Unix usage
============       ==========
uid                username
uidNumber          uid
loginShell         shell
unixHomeDirectory  home
gidNumber          primary group id (gidNumber from above)
gecos              Description field
# You can generate a sorted list of local uid's with:
lsuser -a id ALL | awk '{print $2}' | sed 's/id=//g' | sort -n
NOTE: You may need to set the
Service account should have full read rights on the OU for AIX objects.
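Before creating the Unix-enabled users and groups, it is worth checking that the uidNumber/gidNumber values you assign in AD do not collide with ids already present on the AIX host: after LDAP resolution is switched on, an AD user with a local account's uid owns that account's files. The script below is an added example, not part of the original gist. It joins the attribute=value output of an ldapsearch (the same format as the test search later on) against the lsuser/lsgroup id lists from the two one-liners above. All input below is constructed sample data so the script runs offline; the ldapsearch filter in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the gist): find AD uidNumber/gidNumber values that
# collide with local AIX ids. Sample data is constructed; on a real host:
#   id_collisions "$(ldapsearch ... '(uidNumber=*)' uid uidNumber gidNumber)" "$(lsuser -a id ALL)" 3
#   id_collisions "$(ldapsearch ... '(uidNumber=*)' uid uidNumber gidNumber)" "$(lsgroup -a id ALL)" 4

# Constructed: ldapsearch output for two Unix-enabled users (blank line between entries).
AD_SEARCH_OUTPUT='CN=AIX TEST,OU=AIX,DC=test,DC=local
uid=aixtest
uidNumber=50001
gidNumber=10001

CN=AIX Two,OU=AIX,DC=test,DC=local
uid=aixtwo
uidNumber=205
gidNumber=10001'

# Constructed: `lsuser -a id ALL` and `lsgroup -a id ALL` on the AIX host.
LOCAL_USERS='root id=0
daemon id=1
guest id=100
dbadmin id=205'
LOCAL_GROUPS='system id=0
staff id=1
dba id=10001'

# One line "uid uidNumber gidNumber" per AD entry.
ad_users_from_ldapsearch() {
  printf '%s\n\n' "$1" | awk -F= '
    /^uid=/       { name = $2 }
    /^uidNumber=/ { uidn = $2 }
    /^gidNumber=/ { gidn = $2 }
    /^$/          { if (name != "") print name, uidn, gidn; name = uidn = gidn = "" }'
}

# "name id" per local account from lsuser/lsgroup "name id=N" output.
local_ids() {
  printf '%s\n' "$1" | sed 's/ id=/ /'
}

# $1 AD output, $2 local output, $3 field to compare: 3 = uidNumber, 4 = gidNumber.
# Prints "aduser number localname" per collision; exit status 1 if any were found.
id_collisions() {
  {
    local_ids "$2" | sed 's/^/LOCAL /'
    ad_users_from_ldapsearch "$1" | sed 's/^/AD /'
  } | awk -v f="$3" '
    $1 == "LOCAL" { taken[$3] = $2; next }
    $1 == "AD" && ($f in taken) { print $2, $f, taken[$f]; n++ }
    END { exit (n > 0) }'
}

echo "uidNumber collisions:"; id_collisions "$AD_SEARCH_OUTPUT" "$LOCAL_USERS" 3 || echo "-> renumber these AD users"
echo "gidNumber collisions:"; id_collisions "$AD_SEARCH_OUTPUT" "$LOCAL_GROUPS" 4 || echo "-> renumber these AD groups"
```

With the constructed data the second AD user reuses uid 205 (a local dbadmin account) and both users' primary gid 10001 is already a local group, which is exactly the situation the sorted-id one-liners above are meant to help you avoid.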
Install LDAP client filesets (using ‘smit install’):
idsldap.clt32bit61.rte.6.1.0.40.bff
idsldap.clt64bit61.rte.6.1.0.40.bff
idsldap.cltbase61.rte.6.1.0.40.bff
idsldap.cltjava61.rte.6.1.0.40.bff
idsldap.msg61.en_US.6.1.0.40.bff
Verify installation:
lslpp -L | grep ldap
v======================OUTPUT======================v
idsldap.clt32bit61.rte 6.1.0.40 C F Directory Server - 32 bit
idsldap.clt64bit61.rte 6.1.0.40 C F Directory Server - 64 bit
idsldap.cltbase61.adt 6.1.0.40 C F Directory Server - Base Client
idsldap.cltbase61.rte 6.1.0.40 C F Directory Server - Base Client
idsldap.cltjava61.rte 6.1.0.40 C F Directory Server - Java Client
idsldap.msg61.en_US 6.1.0.40 C F Directory Server - Messages -
^==================================================^
ls -l /opt/IBM/ldap/V6.1/
v======================OUTPUT======================v
total 64
drwxr-xr-x 4 root system 4096 Jan 25 13:26 bin
drwxr-xr-x 2 root system 8192 Apr 08 2011 codeset
drwxr-xr-x 2 root system 256 Jan 25 13:26 etc
drwxr-xr-x 3 root system 4096 Apr 08 2011 examples
drwxr-xr-x 2 root system 4096 Apr 08 2011 include
drwxr-xr-x 8 bin bin 4096 Jan 25 13:25 java
drwxr-xr-x 2 bin bin 256 Apr 08 2011 javalib
drwxr-xr-x 2 root system 4096 Jan 25 13:26 lib
drwxr-xr-x 2 root system 4096 Jan 25 13:26 lib64
drwxr-xr-x 3 root system 256 Apr 08 2011 nls
^==================================================^
Test LDAP Client:
/opt/IBM/ldap/V6.1/bin/ldapsearch -h pdc1.test.local -D aixservice@test.local -w \? -b DC=test,DC=local -v sAMAccountName=aixtest
Where:
“pdc1.test.local” is the hostname (or IP address) of the domain controller.
“aixservice@test.local” is the name and realm (domain) of your AD service account in user@domain (UPN) form; AD accepts this as the bind identity in place of the full DN.
“-w \?” will prompt for the password.
“DC=test,DC=local” is the base DN the search starts from (here the domain root, so the account is found wherever it lives).
“sAMAccountName=aixtest” is the search filter. sAMAccountName was chosen for simplicity.
v======================OUTPUT======================v
Enter password ==>
ldap_init(pdc1.test.local, 389)
filter pattern: sAMAccountName=aixtest
returning: ALL
filter is: (sAMAccountName=aixtest)
CN=AIX TEST,OU=AIX,DC=test,DC=local
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=user
cn=AIX TEST
sn=TEST
description=User to Test AIX LDAP Integration
givenName=AIX
distinguishedName=CN=AIX TEST,OU=AIX,DC=test,DC=local
instanceType=4
whenCreated=20130124211358.0Z
whenChanged=20130125174941.0Z
displayName=AIX TEST
uSNCreated=24337388
uSNChanged=24435474
name=AIX TEST
objectGUID=NOT ASCII
userAccountControl=4194816
codePage=0
countryCode=0
lastLogon=130036097814205000
pwdLastSet=130035356383925796
primaryGroupID=513
objectSid=NOT ASCII
accountExpires=130061592000000000
logonCount=1
sAMAccountName=aixtest
sAMAccountType=805306368
userPrincipalName=aixtest@test.local
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=test,DC=local
dSCorePropagationData=16010101000000.0Z
lastLogonTimestamp=130036097814205000
msDS-SupportedEncryptionTypes=0
uid=aixtest
manager=CN=Jeff Geiger,OU=IT,DC=test,DC=local
uidNumber=50001
gidNumber=10001
gecos=AIX Test User
unixHomeDirectory=/home/aixtest
loginShell=/usr/bin/ksh
1 matches
^==================================================^
Configure the AIX LDAP Client:
mksecldap -c -h pdc1.test.local -a "CN=AIX Service,OU=Service Accounts,DC=TEST,DC=LOCAL" -d OU=AIX,DC=test,DC=local -p aSimplePassword
Where:
“pdc1.test.local” is the hostname of a domain controller.
“CN=AIX Service,OU=Service Accounts,DC=TEST,DC=LOCAL” is the distinguished name of the service account.
“OU=AIX,DC=test,DC=local” is the distinguished name of the OU where your AIX objects will reside in AD.
“aSimplePassword” is the password for the service account. mksecldap may obfuscate the password in the config file.
- NOTE: It was encrypted on 6.1TL8, but not on 6.1TL6
- NOTE: The password is passed on the command line, so it lands in the shell history and is visible in the process list while mksecldap runs; remove the history entry afterwards.
- NOTE: Without an SSL key database holding the DC's CA certificate (mksecldap's -k and -w flags) this is a simple bind over port 389, so the service-account password crosses the network in cleartext on every (re)connect. Get it working this way first, then move to LDAPS (useSSL:yes, ldapport:636).
v======================OUTPUT======================v
NONE...
^==================================================^
Verify the ldap.cfg file:
grep '^[a-z]' /etc/security/ldap/ldap.cfg
NOTE: Output will return all uncommented lines from the ldap.cfg file. Keep the file readable by root only: on a TL that does not obfuscate bindpwd it holds the service-account password in cleartext.
v======================OUTPUT======================v
ldapservers:pdc1.test.local
binddn:CN=AIX Service,OU=Service Accounts,DC=test,DC=local
bindpwd:aSimplePassword
authtype:unix_auth
useSSL:no
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
userbasedn:OU=AIX,DC=test,DC=local
groupbasedn:OU=AIX,DC=test,DC=local
userclasses:user,person,organizationalperson
groupclasses:group
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:sfur2
^==================================================^
Modify the LDAP -> AD mappings:
Edit /etc/security/ldap/ldap.cfg and change the following lines:
From: userattrmappath:/etc/security/ldap/sfu30user.map
To: userattrmappath:/etc/security/ldap/sfur2user.map
From: groupattrmappath:/etc/security/ldap/sfu30group.map
To: groupattrmappath:/etc/security/ldap/sfur2group.map
From: serverschematype:sfu30
To: serverschematype:sfur2
Explanation: Windows Server 2008R2 Active Directory already carries the “R2” Unix attributes (uid, uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos; added to the schema with Windows Server 2003 R2) without installing the Microsoft Services For Unix package. The “sfur2” mappings use those attribute names, whereas the “sfu30” mappings expect the older msSFU30-prefixed attributes of SFU 3.0, so they are best suited to this environment.
NOTE: On 6.1TL8, I had to change the mappings from sfu30 to sfur2, on TL6 I did not.
See the example ldap.cfg in the example configs in APPENDIX A.
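The two ldap.cfg settings that matter most for security (useSSL and how bindpwd is stored) and the schema/map mismatch described in this step are easy to check mechanically. The script below is an added example, not part of the original gist: it reads an ldap.cfg as text, reports each weak setting, and is run against two constructed configs, the one mksecldap writes by default and a hardened LDAPS variant. The ldapsslkeyf/ldapsslkeypwd key names in the hardened sample are the ones I expect from an AIX ldap.cfg; confirm them against the comments in your own file before copying them.

```shell
#!/bin/sh
# Added example (not from the gist): audit /etc/security/ldap/ldap.cfg for a
# cleartext bind, a cleartext stored bindpwd and sfu30/sfur2 map mismatches.
# Both configs below are constructed. On a real host:
#   audit_ldap_cfg "$(cat /etc/security/ldap/ldap.cfg)"

# Constructed: what mksecldap -c leaves behind on a TL that does not obfuscate bindpwd.
WEAK_LDAP_CFG='ldapservers:pdc1.test.local
binddn:CN=AIX Service,OU=Service Accounts,DC=test,DC=local
bindpwd:aSimplePassword
authtype:unix_auth
useSSL:no
userattrmappath:/etc/security/ldap/sfu30user.map
groupattrmappath:/etc/security/ldap/sfu30group.map
userbasedn:OU=AIX,DC=test,DC=local
groupbasedn:OU=AIX,DC=test,DC=local
ldapport:389
serverschematype:sfur2'

# Constructed: LDAPS with a key database holding the DC CA certificate (key names assumed).
HARDENED_LDAP_CFG='ldapservers:pdc1.test.local
binddn:CN=AIX Service,OU=Service Accounts,DC=test,DC=local
bindpwd:{DESv2}AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCC
authtype:unix_auth
useSSL:yes
ldapsslkeyf:/etc/security/ldap/ldap.kdb
ldapsslkeypwd:{DESv2}DDDDDDDDDDEEEEEEEEEE
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
userbasedn:OU=AIX,DC=test,DC=local
groupbasedn:OU=AIX,DC=test,DC=local
ldapport:636
serverschematype:sfur2'

# Value of key $2 in ldap.cfg text $1 (key:value lines; first match; empty if absent).
cfg_get() {
  printf '%s\n' "$1" | awk -F: -v k="$2" '$1 == k { sub(/^[^:]*:/, ""); print; exit }'
}

# Print one finding per line; return the number of findings (0 = clean).
audit_ldap_cfg() {
  n=0
  ssl="$(cfg_get "$1" useSSL)"; port="$(cfg_get "$1" ldapport)"
  bindpwd="$(cfg_get "$1" bindpwd)"; schema="$(cfg_get "$1" serverschematype)"
  if [ "$ssl" != "yes" ]; then
    echo "useSSL=$ssl: service-account password crosses the network in cleartext on port $port; use useSSL:yes and ldapport:636 with the DC CA in a key database"
    n=$((n + 1))
  fi
  case "$bindpwd" in
    ""|"{DESv2}"*) ;;   # no bind password, or obfuscated by mksecldap
    *) echo "bindpwd is stored in cleartext; keep ldap.cfg root-only and re-run mksecldap on a TL that obfuscates it"; n=$((n + 1)) ;;
  esac
  for m in "$(cfg_get "$1" userattrmappath)" "$(cfg_get "$1" groupattrmappath)"; do
    case "$m" in
      *"$schema"*) ;;
      *) echo "serverschematype=$schema but map file is $m: lookups will use the wrong attribute names"; n=$((n + 1)) ;;
    esac
  done
  return $n
}

echo "== as written by mksecldap =="; audit_ldap_cfg "$WEAK_LDAP_CFG" || echo "-> $? finding(s)"
echo "== hardened ==";               audit_ldap_cfg "$HARDENED_LDAP_CFG" && echo "-> clean"
```

The exit status is the number of findings, so the function can gate a config-management run; the sfu30/sfur2 check is the same mismatch that bit the author on 6.1 TL8.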
Start LDAP Client services:
restart-secldapclntd
v======================OUTPUT======================v
The secldapclntd daemon terminated successfully.
Starting the secldapclntd daemon.
The secldapclntd daemon started successfully.
^==================================================^
Verify LDAP Client services are running:
ls-secldapclntd
v======================OUTPUT======================v
ldapservers=pdc1.test.local
ldapport=389
active connections=1
ldapversion=3
userbasedn=OU=AIX,DC=test,DC=local
groupbasedn=OU=AIX,DC=test,DC=local
idbasedn=
usercachesize=1000
usercacheused=1
groupcachesize=100
groupcacheused=2
usercachetimeout=300
groupcachetimeout=300
heartbeatT=300
numberofthread=10
connectionsperserver=10
alwaysmaster=no
authtype=UNIX_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=SFUR2
userobjectclass=user,person,organizationalperson
groupobjectclass=group
^==================================================^
Test LDAP Resolution:
lsuser -R LDAP ALL
Output should return the user you created with Unix attributes.
v======================OUTPUT======================v
aixtest id=50001 pgrp=AIXLDAP groups=AIXLDAP home=/home/aixtest shell=/usr/bin/ksh gecos=AIX Test User login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=KRB5LDAP or compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=-1 time_last_login=1359144648 tty_last_login=/dev/pts/1 host_last_login=pc42.test.local unsuccessful_login_count=0 roles=
^==================================================^
Download the AIX NAS package (contains Kerberos):
https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=aixbp&lang=en_US
(NAS version 1.5.0.4 for AIX 6.1 TL8 and 1.5.0.2 for AIX 6.1 TL6.)
Check if Kerberos client is installed:
lslpp -l | grep krb
v======================OUTPUT======================v
If Kerberos is not installed, there should be no output.
^==================================================^
Untar and install the NAS package:
#list contents:
tar tf NAS_1.5.0.x_aix_image.tar
#untar
tar xf NAS_1.5.0.x_aix_image.tar
#rename folder
mv images AIX_NAS
#install
smitty install
Install the following packages:
krb5.client.rte
krb5.client.samples
krb5.doc.en_US.html
krb5.doc.en_US.pdf
krb5.lic
krb5.msg.en_US.client.rte
NOTE: Selecting client, doc, and lic packages in smit will give you the above.
Configure Kerberos:
mkkrb5clnt -c pdc1.test.local -r TEST.LOCAL -s pdc1.test.local -d TEST.LOCAL -i LDAP -D
Where:
“pdc1.test.local” is the FQDN of a domain controller (used for both -c, the KDC, and -s, the admin server).
“TEST.LOCAL” is the realm name, FQDN of domain, all caps (used for both -r, the realm, and -d, the domain).
“LDAP” (-i) is the registry that holds the user's attributes; authentication against Kerberos with attributes from LDAP is the KRB5LDAP module configured in /etc/methods.cfg below.
v======================OUTPUT======================v
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type
Creating /etc/krb5/krb5.conf
The command mkkrb5clnt completed successfully.
^==================================================^
Edit /etc/krb5/krb5.conf:
Open the generated krb5.conf and modify it, using the krb5.conf in the example configs (APPENDIX A) as a template.
Key points:
Set both “enctypes” lines (default_tkt_enctypes and default_tgs_enctypes) to “arcfour-hmac”. RC4-HMAC is what this setup was tested with, but it is a legacy cipher; if the NAS build on your TL and the domain controllers both support AES, prefer aes256-cts-hmac-sha1-96 here and generate the keytab with a matching /crypto value.
Add the “dns_lookup_kdc” and “dns_lookup_realm” lines and set them to “true”. Note that dns_lookup_realm takes the host-to-realm mapping from unsigned DNS TXT records; once the [domain_realm] entries below are in place it can be set to “false”, since they cover the domain explicitly.
Add additional “kdc” entries for domain controllers local to the AIX box. (No WAN traversal.)
Make sure the [domain_realm] section maps the domain to the realm in both upper and lower case, each with and without a leading dot (TEST.LOCAL, .TEST.LOCAL, test.local, .test.local).
Test Kerberos with /usr/krb5/bin/kinit:
/usr/krb5/bin/kinit aixtest@TEST.LOCAL
Should prompt for a password then return no output. (Use any valid AD account.)
v======================OUTPUT======================v
Password for aixtest@TEST.LOCAL:
^==================================================^
/usr/krb5/bin/klist
Should return a valid ticket with expiration and “Renew until” dates.
v======================OUTPUT======================v
Default principal: aixtest@TEST.LOCAL
Valid starting Expires Service principal
01/25/13 13:56:23 01/25/13 23:56:20 krbtgt/TEST.LOCAL@TEST.LOCAL
Renew until 01/26/13 13:56:23
^==================================================^
/usr/krb5/bin/kdestroy
Clear out the ticket cache. No output.
Generate the host principal keytab:
NOTE: The command “ktpass” is run on a domain controller by an account with administrative credentials.
ktpass /princ host/aix1.test.local@TEST.LOCAL /ptype KRB5_NT_PRINCIPAL /out aix1.keytab /pass aSimplePassword /crypto RC4-HMAC-NT /mapuser TEST\aix1 /kvno 2
Where:
“host/aix1.test.local@TEST.LOCAL” is the host service principal: the “host/” prefix, the FQDN of the AIX host, and the realm.
“KRB5_NT_PRINCIPAL” is the Kerberos principal type. This won’t change.
“aix1.keytab” is the keytab file that will be transferred to the AIX host. Named {hostname}.keytab for clarity.
“aSimplePassword” is the password that will be set for the host principal. It should be complex; it is never typed again, because the keytab carries the key derived from it.
“RC4-HMAC-NT” is the encryption type used. RC4 is the default for Kerberos on 2008R2. It must match the enctypes configured in krb5.conf; if you switch to AES there, use AES256-SHA1 here instead.
“TEST\aix1” is the {domain}\{hostname} for the computer object in AD.
“/kvno 2” is the key version number. This was found through trial, error, and packet captures. It must equal the KDC's current key version for the account, which is the msDS-KeyVersionNumber attribute of the computer object; resetting the password (which ktpass does) increments it, so read the attribute after ktpass has run and compare it with klist -ke on the AIX side.
Answer yes when prompted to change the object's password. Make a note of the password used. Treat the resulting keytab as a credential: whoever holds it is the AIX host as far as the realm is concerned.
v======================OUTPUT======================v
Screenshot...
^==================================================^
Copy and import the keytab file in AIX:
SFTP your keytab file to the AIX server. (For this example, /tmp/aix1.keytab)
rm /etc/krb5/krb5.keytab
/usr/krb5/sbin/ktutil
ktutil: rkt /tmp/aix1.keytab
ktutil: l
slot KVNO Principal
------ ------ ------------------------------------------------------
1 2 host/aix1.test.local@TEST.LOCAL
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: q
First remove any existing keytabs. Open “ktutil” and read the keytab (rkt), list the keys (l), then write the keytab (wkt) to the default Kerberos keytab file (/etc/krb5/krb5.keytab). Afterwards delete the copy in /tmp and confirm that /etc/krb5/krb5.keytab is owned by root and readable only by root (mode 600): the keytab is the host's long-term key, not a config file.
Verify and test the keytab:
/usr/krb5/bin/klist -ke
Should output the key(s) generated by ktpass on the domain controller.
v======================OUTPUT======================v
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
2 host/aix1.test.local@TEST.LOCAL (ArcFour with HMAC/md5)
^==================================================^
/usr/krb5/bin/kinit -k
Should run without output. If you get errors, you most likely have DNS issues. I spent a great deal of time at this step troubleshooting KVNO, encryption type, and DNS errors. I captured packets destined to or from the domain controller with tcpdump (tcpdump -i en0 -s 65535 -w krb5ldap_ts.pcap host 10.10.0.5) and loaded the pcap file in Wireshark to see what was going on.
/usr/krb5/bin/klist
Should show the ticket for the host principal.
v======================OUTPUT======================v
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: host/aix1.test.local@TEST.LOCAL
Valid starting Expires Service principal
01/25/13 13:59:10 01/25/13 23:59:03 krbtgt/TEST.LOCAL@TEST.LOCAL
Renew until 01/26/13 13:59:10
^==================================================^
Edit /etc/methods.cfg:
Edit methods.cfg to match the example in APPENDIX A.
Key points:
Ensure the KRB5 options include: “authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes”
- is_kadmind_compat=no is required: AD has no kadmind, so the module must not try to talk to one.
- tgt_verify=no disables checking the obtained TGT against the host key in /etc/krb5/krb5.keytab. That check is what stops a spoofed KDC (anyone who can answer on port 88 for the realm) from authenticating an arbitrary password, and the keytab imported above is exactly what makes it possible. Use tgt_verify=no only while troubleshooting; once “kinit -k” succeeds, switch to tgt_verify=yes and re-test the login.
- allow_expired_pwd=yes lets a user whose AD password has expired still log in; set it to no unless you specifically want that.
Make sure the KRB5LDAP stanza includes the “auth” and “db” options (auth=KRB5,db=LDAP: authenticate through the KRB5 module, read user attributes through the LDAP module).
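The Kerberos-side choices made in this step and in the krb5.conf step earlier (RC4-only enctypes, realm lookup via DNS, tgt_verify=no, allow_expired_pwd=yes) are the ones most worth revisiting once the login works. The script below is an added example, not part of the original gist: it parses krb5.conf and the KRB5 stanza of methods.cfg as text and reports each of those settings, plus any missing [domain_realm] form. It runs offline on constructed copies of the APPENDIX A files; the AES variant assumes the NAS build and the domain controllers support aes256-cts-hmac-sha1-96 and that the host keytab was regenerated with a matching key, which the page does not test.

```shell
#!/bin/sh
# Added example (not from the gist): audit /etc/krb5/krb5.conf and the KRB5
# stanza of /etc/methods.cfg for RC4 enctypes, dns_lookup_realm, missing
# [domain_realm] forms, tgt_verify=no and allow_expired_pwd=yes.
# Samples are constructed. On a real host:
#   audit_krb5_conf "$(cat /etc/krb5/krb5.conf)"; audit_methods_cfg "$(cat /etc/methods.cfg)"

# Constructed from the APPENDIX A krb5.conf (trimmed).
KRB5_CONF_RC4='[libdefaults]
default_realm = TEST.LOCAL
default_tkt_enctypes = arcfour-hmac
default_tgs_enctypes = arcfour-hmac
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
TEST.LOCAL = {
kdc = PDC1.TEST.LOCAL:88
}
[domain_realm]
.TEST.LOCAL = TEST.LOCAL
TEST.LOCAL = TEST.LOCAL
test.local = TEST.LOCAL
.test.local = TEST.LOCAL'

# Constructed hardened variant (assumes AES support on both sides and an AES keytab).
KRB5_CONF_AES='[libdefaults]
default_realm = TEST.LOCAL
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
dns_lookup_kdc = true
dns_lookup_realm = false
[realms]
TEST.LOCAL = {
kdc = PDC1.TEST.LOCAL:88
}
[domain_realm]
.TEST.LOCAL = TEST.LOCAL
TEST.LOCAL = TEST.LOCAL
test.local = TEST.LOCAL
.test.local = TEST.LOCAL'

# Constructed from the APPENDIX A methods.cfg KRB5 stanza.
METHODS_CFG='KRB5:
program = /usr/lib/security/KRB5
program_64 = /usr/lib/security/KRB5_64
options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes
KRB5LDAP:
options = auth=KRB5,db=LDAP'

# Value of "key = value" inside [section $2] of krb5.conf text $1; empty if absent.
krb5_get() {
  printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
    /^\[/ { insec = ($0 == ("[" sec "]")); next }
    insec && $1 == key && $2 == "=" { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }'
}

# Print each [domain_realm] form of domain $3 (DOMAIN, .DOMAIN, domain, .domain) not mapped to realm $2.
domain_realm_missing() {
  upper="$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')"
  lower="$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')"
  for form in "$upper" ".$upper" "$lower" ".$lower"; do
    if [ "$(krb5_get "$1" domain_realm "$form")" != "$2" ]; then echo "$form"; fi
  done
}

# Print one finding per line; return the number of findings.
audit_krb5_conf() {
  n=0
  for k in default_tkt_enctypes default_tgs_enctypes; do
    case "$(krb5_get "$1" libdefaults "$k")" in
      *arcfour*|*rc4*) echo "$k: RC4 only; prefer aes256-cts-hmac-sha1-96 where the KDC and NAS build allow it"; n=$((n + 1)) ;;
    esac
  done
  if [ "$(krb5_get "$1" libdefaults dns_lookup_realm)" = "true" ]; then
    echo "dns_lookup_realm=true: realm is taken from unsigned DNS TXT records; rely on [domain_realm]"; n=$((n + 1))
  fi
  realm="$(krb5_get "$1" libdefaults default_realm)"
  missing="$(domain_realm_missing "$1" "$realm" "$realm" | tr '\n' ' ')"
  if [ -n "$missing" ]; then echo "[domain_realm] lacks: $missing"; n=$((n + 1)); fi
  return $n
}

# The options value of the KRB5 stanza in methods.cfg text $1.
methods_krb5_options() {
  printf '%s\n' "$1" | awk '
    /^[A-Za-z0-9_]+:/ { instanza = ($1 == "KRB5:"); next }
    instanza && $1 == "options" { print $3; exit }'
}

# Flag tgt_verify=no (no protection against a spoofed KDC) and allow_expired_pwd=yes.
audit_methods_cfg() {
  n=0; opts="$(methods_krb5_options "$1")"
  case ",$opts," in *,tgt_verify=no,*) echo "tgt_verify=no: TGT is not checked against the host keytab, so a spoofed KDC can authenticate any password"; n=$((n + 1)) ;; esac
  case ",$opts," in *,allow_expired_pwd=yes,*) echo "allow_expired_pwd=yes: users with expired AD passwords can still log in"; n=$((n + 1)) ;; esac
  return $n
}

echo "== krb5.conf (RC4) =="; audit_krb5_conf "$KRB5_CONF_RC4" || echo "-> $? finding(s)"
echo "== krb5.conf (AES) =="; audit_krb5_conf "$KRB5_CONF_AES" && echo "-> clean"
echo "== methods.cfg ==";     audit_methods_cfg "$METHODS_CFG" || echo "-> $? finding(s)"
```

The tgt_verify finding is the one to act on first: with the host keytab already in place from the ktutil step, turning verification on costs nothing and closes the KDC-spoofing hole that the "KRB5LDAP OR compat" login path would otherwise inherit.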
Edit /etc/security/user:
Edit /etc/security/user and change the “SYSTEM” option under the “default” stanza to read:
SYSTEM = "KRB5LDAP OR compat"
This tries the KRB5LDAP method first (Kerberos authentication, attributes from LDAP) and, if that fails or the user is not known to it, falls back to the local registry. After a login the AUTHSTATE variable (see the ssh test below) shows which method actually succeeded; a user expected to come from AD but showing "compat" has a local account shadowing the AD one.
NOTE: Also possible with:
chsec -f /etc/security/user -s default -a SYSTEM="KRB5LDAP OR compat"
v======================OUTPUT======================v
# lssec -f /etc/security/user -s default -a SYSTEM
default SYSTEM="compat"
# chsec -f /etc/security/user -s default -a SYSTEM="KRB5LDAP or compat"
# lssec -f /etc/security/user -s default -a SYSTEM
default SYSTEM="KRB5LDAP or compat"
^==================================================^
Add Kerberos to authorized authentication entities:
chauthent -k5 -std
#Verify
lsauthent
Should return “Kerberos 5” and “Standard AIX”.
v======================OUTPUT======================v
Kerberos 5
Standard Aix
^==================================================^
Testing:
lsuser -R KRB5LDAP aixtest
Should return details about the AD user.
v======================OUTPUT======================v
aixtest id=50001 pgrp=AIXLDAP groups=AIXLDAP home=/home/aixtest shell=/usr/bin/ksh gecos=AIX Test User login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=KRB5LDAP SYSTEM=KRB5LDAP or compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=-1 roles=
^==================================================^
su - aixtest
Should work. It may print an error about being unable to change directory to the user's home directory (because it doesn't exist yet). This can be remedied by having AIX create home directories at first login: set mkhomeatlogin=true in the usw stanza of /etc/security/login.cfg.
v======================OUTPUT======================v
3004-614 Unable to change directory to "/home/aixtest".
You are in "/home/guest" instead.
^==================================================^
ssh aixtest@localhost
Should be able to log in.
v======================OUTPUT======================v
aixtest@localhost's password:
*******************************************************************************
* *
* *
* Welcome to AIX Version 6.1! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
Could not chdir to home directory /home/aixtest: The file access permissions do not allow the specified action.
$ pwd
/
$ echo $AUTHSTATE
KRB5LDAP
$ /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_x0000000000000001
Default principal: aixtest@TEST.LOCAL
Valid starting Expires Service principal
01/25/13 14:02:59 01/26/13 00:02:52 krbtgt/TEST.LOCAL@TEST.LOCAL
Renew until 01/26/13 14:02:59
$ exit
Connection to localhost closed.
^==================================================^
###################################
# Additional Notes
###################################
Lots of issues with secldapclntd not responding, dying or hanging?
Try this script in cron: https://github.com/keymon/snippets/blob/master/scripts/aix/check-secldapclntd.sh
If you support multiple AIX users per AD user (e.g. using Kerberos name mapping) and need password changes to work,
add the following line to /etc/security/ldap/sfur2user.map:
v====================snip==========================v
auth_name SEC_CHAR sAMAccountName s na yes
^====================/snip=========================^
APPENDIX A - Example config files:
/etc/krb5/krb5.conf:
[libdefaults]
default_realm = TEST.LOCAL
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = arcfour-hmac
default_tgs_enctypes = arcfour-hmac
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
TEST.LOCAL = {
kdc = PDC1.TEST.LOCAL:88
kdc = PDC2.TEST.LOCAL:88
admin_server = PDC1.TEST.LOCAL:749
master_kdc = PDC1.TEST.LOCAL
default_domain = TEST.LOCAL
}
[domain_realm]
.TEST.LOCAL = TEST.LOCAL
TEST.LOCAL = TEST.LOCAL
ADCTW4701.TEST.LOCAL = TEST.LOCAL
test.local = TEST.LOCAL
.test.local = TEST.LOCAL
[logging]
default = SYSLOG:debug:local1
/etc/security/ldap/ldap.cfg:
ldapservers:pdc1.test.local
binddn:CN=AIX Service,OU=Service Accounts,DC=test,DC=local
bindpwd:{DESv2}AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEEE
authtype:unix_auth
useSSL:no
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
userbasedn:OU=AIX,DC=test,DC=local
groupbasedn:OU=AIX,DC=test,DC=local
userclasses:user,person,organizationalperson
groupclasses:group
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:sfur2
/etc/methods.cfg:
LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64
NIS:
program = /usr/lib/security/NIS
program_64 = /usr/lib/security/NIS_64
DCE:
program = /usr/lib/security/DCE
KRB5:
program = /usr/lib/security/KRB5
program_64 = /usr/lib/security/KRB5_64
options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes
KRB5LDAP:
options = auth=KRB5,db=LDAP