AIX 5.1 and Network Authentication Service 1.3

Christopher D. Clausen cclausen at acm.org
Fri Apr 1 18:44:01 EST 2005


Matthew B. Brookover <mbrookov at mines.edu> wrote:
> I have MIT Kerberos 1.4 KDC on a Linux (Fedora Core 3) server.  The
> server works with Linux, Windows, and open LDAP.  I am trying to get
> an RS/6000 running AIX 5.1 with IBM's kerberos client (Network
> Authentication Service 1.3) to work with the KDC on Linux.
>
> I ran mkkrb5clnt -c eightoften.mines.edu -r MINES.EDU -s
> eightoften.mines.edu -d mines.edu -i files -K -T on the RS/6000.  The
> /etc/krb5/krb5.conf and /usr/lib/security/methods.cfg
> files look fine.  I can use kinit, and kadmin.  The problem is I
> cannot log in.

Using MIT binaries?  Or the ones from the krb5.client.rte fileset? 
(probably installed in /usr/krb5/bin)

Also, I'd suggest symlinking /etc/krb5.conf to /etc/krb5/krb5.conf.

> The only user that can log in is root, all other users get '3004-007
> You entered an invalid login name or password.'  There are no log
> entries in /var/log/krb5/krb5kdc.log for the test user, suggesting
> that login is not even trying to connect to the KDC.

Get Kerberos to first work with a local account (set the passwords 
different) on the AIX box, then try to get LDAP working (assuming this 
is what you want to do.)

> The default stanza in /etc/security/user has SYSTEM set to "KRB5files
> OR compat"  I have also tried to set the users SYSTEM parameter to
> KRBfiles.

I posted some info to a similar question to comp.unix.aix a month ago. 
You might want to read through that thread:
http://groups-beta.google.com/group/comp.unix.aix/browse_frm/thread/7441e04b0acc2e5/90a21cf05720edf3

Here are some parts of that message with additional info added:

I currently have an AIX 5.1 machine (enzo.acm.uiuc.edu) up that uses NIS 
for account info and Kerberos for auth (no passwords in NIS.)  KDCs are 
one Debian Linux sparc machine and one Solaris 9 sparc, running Kerberos 
1.3.6, I think.

I found this useful:
http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/kerberos_auth_only_load_module.htm

This may also be useful for you: http://www.feep.net/PAM/AIX/

my current /lib/security/methods.cfg:
NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64

* not sure if you need this or not, I'm guessing no
DCE:
        program = /usr/vice/etc/afs_dynamic_kerbauth
        options = authonly

* you probably don't need the AFS or AFSfiles stanzas
AFS:
        program = /usr/vice/etc/afs_dynamic_kerbauth
        options = authonly

AFSfiles:
        options = db=BUILTIN,auth=AFS

KRB5:
        program = /usr/lib/security/KRB5
        options = authonly

KRB5files:
        options = db=BUILTIN,auth=KRB5

KRB5NIS:
        options = db=NIS,auth=KRB5

I don't think you need dce installed, but you do need krb5.client.rte:
# lslpp -p | grep krb
  krb5.client.rte 1.3.0.0
  krb5.client.samples 1.3.0.0
                        *prereq krb5.client.rte 1.3.0.0
  krb5.toolkit.adt 1.3.0.0
                        *prereq krb5.client.rte 1.3.0.0
  krb5.client.rte 1.3.0.0
# lslpp -p | grep dce
#

from my /etc/security/user file:
default:
        SYSTEM = "KRB5 OR (KRB5[UNAVAIL] AND compat[SUCCESS])"
        registry = NIS

Let me know if this helps!

I have not yet attempted LDAP auth.  I'm sure there are others who would 
like to know how to get LDAP+KRB5 working, so post anything you find out 
back to the list.

<<CDC
Christopher D. Clausen
ACM at UIUC SysAdmin
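As an added example (not part of the thread and not IBM's tooling), here is a small checker for the two files discussed above. It parses the AIX stanza format used by /usr/lib/security/methods.cfg and /etc/security/user, pulls the load-module names out of a user's SYSTEM grammar, and verifies that each one is either a builtin (compat/files/BUILTIN, an assumption of this example), a stanza with a program= line, or a compound stanza whose db=/auth= targets resolve to such a stanza. The sample files are constructed from the stanzas quoted in the thread; the function names are this example's own. An undefined module name in SYSTEM is exactly the kind of mistake that makes login fail without the KDC ever being contacted, so this is a useful check to run before debugging on the KDC side.

```python
"""Validate AIX SYSTEM grammar against methods.cfg (added example, not from the thread)."""
import re

# Names AIX accepts without a methods.cfg stanza (assumption for this example).
BUILTIN_MODULES = {"compat", "files", "BUILTIN"}


def parse_stanzas(text):
    """Parse an AIX stanza file: an unindented 'name:' line opens a stanza,
    indented 'key = value' lines fill it, and '*' starts a comment.
    Returns {stanza_name: {key: value}} with surrounding quotes stripped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        if not raw[:1].isspace() and line.endswith(":"):
            current = line[:-1].strip()
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip().strip('"')
    return stanzas


def parse_options(opt):
    """'db=BUILTIN,auth=KRB5' -> {'db': 'BUILTIN', 'auth': 'KRB5'}."""
    result = {}
    for part in opt.split(","):
        if "=" in part:
            k, _, v = part.partition("=")
            result[k.strip()] = v.strip()
    return result


def system_modules(system_value):
    """Return the module names in a SYSTEM grammar string, in order,
    dropping [RESULT] qualifiers, AND/OR keywords and parentheses."""
    tokens = re.findall(r"[A-Za-z0-9_]+(?:\[[A-Z]+\])?", system_value)
    return [t.split("[", 1)[0] for t in tokens if t.upper() not in ("AND", "OR")]


def check_module(name, stanzas, problems, seen=None):
    """Record a problem unless 'name' is a builtin, a simple module with a
    program= line, or a compound module whose db=/auth= targets are valid."""
    if seen is None:
        seen = set()
    if name in BUILTIN_MODULES or name in seen:
        return
    seen.add(name)
    stanza = stanzas.get(name)
    if stanza is None:
        problems.append(f"{name}: no stanza in methods.cfg")
        return
    if "program" in stanza:
        return  # simple loadable module, nothing more to resolve
    opts = parse_options(stanza.get("options", ""))
    if "auth" not in opts and "db" not in opts:
        problems.append(f"{name}: neither program= nor db=/auth= options")
        return
    for key in ("db", "auth"):
        if key in opts:
            check_module(opts[key], stanzas, problems, seen)


def validate(methods_cfg, user_cfg, user="default"):
    """Return a list of problems for the SYSTEM attribute of 'user' (empty list = OK)."""
    stanzas = parse_stanzas(methods_cfg)
    users = parse_stanzas(user_cfg)
    if user not in users or "SYSTEM" not in users[user]:
        return [f"{user}: no SYSTEM attribute in /etc/security/user"]
    problems = []
    for name in system_modules(users[user]["SYSTEM"]):
        check_module(name, stanzas, problems)
    return problems


# Constructed sample files, based on the stanzas quoted in the thread.
METHODS_CFG = """\
* constructed sample methods.cfg
NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64

KRB5:
        program = /usr/lib/security/KRB5
        options = authonly

KRB5files:
        options = db=BUILTIN,auth=KRB5

KRB5NIS:
        options = db=NIS,auth=KRB5
"""

USER_CFG = """\
default:
        SYSTEM = "KRB5 OR (KRB5[UNAVAIL] AND compat[SUCCESS])"
        registry = NIS

krb5files_user:
        SYSTEM = "KRB5files OR compat"

nis_user:
        SYSTEM = "KRB5NIS OR compat"

typo_user:
        SYSTEM = "KRBfiles OR compat"
"""

if __name__ == "__main__":
    for u in ("default", "krb5files_user", "nis_user", "typo_user"):
        print(u, "->", validate(METHODS_CFG, USER_CFG, u) or "OK")
```

Running it on a real box would mean reading the two files from /usr/lib/security/methods.cfg and /etc/security/user and passing their contents to validate(); the constructed typo_user stanza shows the kind of undefined-module name the check is meant to catch.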
