AIX 5.1 and Network Authentication Service 1.3

Matthew B. Brookover mbrookov at mines.edu
Sat Apr 2 15:33:51 EST 2005


The mkkrb5clnt tool configures the system very similarly to what you
described below.  The difference was /etc/security/user set
SYSTEM=KRB5files OR compat and /usr/lib/security/methods.cfg did not
have the options=authonly.  I made both changes and kerberos still fails
to work on login.

Markus Moeller also suggested chauthent -k5.  The response was:

[root@bologna security]# chauthent -k5
Kerberos 4 permitted on SP system only.
Kerberos 5 requires DCE version 2.2 or greater.
[root@bologna security]#


I looked around for DCE but could not find it on the AIX 5.1 CDROMs.  I
also looked on the IBM Scholars Program software offerings and did not
see DCE there either.  Is DCE still offered by TransArc?

Out of curiosity, I put a packet sniffer on the KDC.  There was no
connection from AIX.  There were several exchanges between the AIX host
and the KDC when I ran kinit, kadmin, and mkkrb5clnt with the KDC which
leads me to believe that the system is configured correctly.

While grasping at straws, I downloaded and installed the patches
suggested by compare_report.  It did not help.

krb.conf:

[libdefaults]
        default_realm = MINES.EDU
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 
[realms]
        MINES.EDU = {
                kdc = eightoften.mines.edu:88
                admin_server = eightoften.mines.edu:749
                default_domain = mines.edu
        }
 
[domain_realm]
        .mines.edu = MINES.EDU
        eightoften.mines.edu = MINES.EDU
 
[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        default = FILE:/var/krb5/log/krb5lib.log

 
I am using the Kerberos client file sets provided by IBM on the
expansion pack CD:

[root@bologna security]# lslpp -p | grep krb
  krb5.client.rte 1.3.0.0
  krb5.client.samples 1.3.0.0
                        *prereq krb5.client.rte 1.3.0.0
  krb5.msg.en_US.client.rte 1.3.0.0
                        *instreq krb5.client.rte 1.3.0.0
  krb5.toolkit.adt 1.3.0.0
                        *prereq krb5.client.rte 1.3.0.0
  krb5.client.rte 1.3.0.0
[root@bologna security]#

I had originally installed all of the krb* file sets from the expansion
pack disk.  After reading the list below, I removed them and installed
only the ones listed.  

/etc/security/methods.cfg:

NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64
 
DCE:
        program = /usr/lib/security/DCE
 
KRB5:
        program = /usr/lib/security/KRB5
        options = authonly
 
KRB5files:
        options = db=BUILTIN,auth=KRB5


The NIS and DCE stanzas were there already.  mkkrb5clnt added the KRB5
and KRB5files stanzas.  I added the options=authonly line to the KRB5
stanza. 

The only errors that show up in any of the logs are like this one in
/var/adm/messages.

Apr  2 10:52:49 bologna syslog: pts/1: failed login attempt for test06 from merlin.Mines.EDU


After running mkkrb5clnt, I cannot log in as any user except root.  The
system is running openssh that was not compiled with kerberos.  OpenSSH
will still let me log in using keys that were set up before kerberos. 
Even with openssh, you cannot log in using a password.  If I run
/usr/krb5/sbin/unconfig.krb5, everything goes back to normal.  

I have not tried to use LDAP yet.  It looks like the AIX LDAP client
will not work with the schema provided with OpenLDAP, leaving a number
of issues to sort out.  For now, I need authorization from local files
and authentication from Kerberos.

I thought about upgrading to AIX 5.3; unfortunately, my development
system is not supported by AIX 5.2 and above.

Thank you


Matt Brookover
mbrookov at mines.edu


On Fri, 2005-04-01 at 16:44, Christopher D. Clausen wrote:

> Matthew B. Brookover <mbrookov at mines.edu> wrote:
> > I have MIT Kerberos 1.4 KDC on a Linux (Fedora Core 3) server.  The
> > server works with Linux, Windows, and open LDAP.  I am trying to get
> > an RS/6000 running AIX 5.1 with IBM's kerberos client (Network
> > Authentication Service 1.3) to work with the KDC on Linux.
> >
> > I ran mkkrb5clnt -c eightoften.mines.edu -r MINES.EDU -s
> > eightoften.mines.edu -d mines.edu -i files -K -T on the RS/6000.  The
> > /etc/krb5/krb5.conf and /usr/lib/sec /usr/lib/security/methods.cfg
> > files look fine.  I can use kinit, and kadmin.  The problem is I
> > cannot log in.
> 
> Using MIT binaries?  Or the ones from the krb5.client.rte fileset? 
> (probably installed in /usr/krb5/bin)
> 
> Also, I'd suggest symlinking /etc/krb5.conf to /etc/krb5/krb5.conf.
> 
> > The only user that can log in is root, all other users get '3004-007
> > You entered an invalid login name or password.'  There are no log
> > entries in /var/log/krb5/krb5kdc.log for the test user, suggesting
> > that login is not even trying to connect to the KDC.
> 
> Get Kerberos to first work with a local account (set the passwords 
> different) on the AIX box, then try to get LDAP working (assuming this 
> is what you want to do.)
> 
> > The default stanza in /etc/security/user has SYSTEM set to "KRB5files
> > OR compat"  I have also tried to set the user's SYSTEM parameter to
> > KRBfiles.
> 
> I posted some info to a similar question to comp.unix.aix a month ago. 
> You might want to read through that thread: 
> http://groups-beta.google.com/group/comp.unix.aix/browse_frm/thread/7441e04b0acc2e5/90a21cf05720edf3
> 
> Here are some parts of that message with additional info added:
> 
> I currently have an AIX 5.1 machine (enzo.acm.uiuc.edu) up that uses NIS 
> for account info and Kerberos for auth (no passwords in NIS.)  KDCs are 
> one Debian Linux sparc machine and one Solaris 9 sparc, running Kerberos 
> 1.3.6, I think.
> 
> I found this useful:
> http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/kerberos_auth_only_load_module.htm
> 
> This may also be useful for you: http://www.feep.net/PAM/AIX/
> 
> my current /lib/security/methods.cfg:
> NIS:
>         program = /usr/lib/security/NIS
>         program_64 = /usr/lib/security/NIS_64
> 
> * not sure if you need this or not, I'm guessing no
> DCE:
>         program = /usr/vice/etc/afs_dynamic_kerbauth
>         options = authonly
> 
> * you probably don't need the AFS or AFSfiles stanzas
> AFS:
>         program = /usr/vice/etc/afs_dynamic_kerbauth
>         options = authonly
> 
> AFSfiles:
>         options = db=BUILTIN,auth=AFS
> 
> KRB5:
>         program = /usr/lib/security/KRB5
>         options = authonly
> 
> KRB5files:
>         options = db=BUILTIN,auth=KRB5
> 
> KRB5NIS:
>         options = db=NIS,auth=KRB5
> 
> I don't think you need dce installed, but you do need krb5.client.rte:
> # lslpp -p | grep krb
>   krb5.client.rte 1.3.0.0
>   krb5.client.samples 1.3.0.0
>                         *prereq krb5.client.rte 1.3.0.0
>   krb5.toolkit.adt 1.3.0.0
>                         *prereq krb5.client.rte 1.3.0.0
>   krb5.client.rte 1.3.0.0
> # lslpp -p | grep dce
> #
> 
> from my /etc/security/user file:
> default:
>         SYSTEM = "KRB5 OR (KRB5[UNAVAIL] AND compat[SUCCESS])"
>         registry = NIS
> 
> Let me know if this helps!
> 
> I have not yet attempted LDAP auth.  I'm sure there are others who would 
> like to know how to get LDAP+KRB5 working, so post anything you find out 
> back to the list.
> 
> <<CDC
> Christopher D. Clausen
> ACM at UIUC SysAdmin
> 
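
The two messages above turn on the SYSTEM attribute in /etc/security/user naming stanzas that exist in methods.cfg. The following is an added example, not part of the original messages or of any IBM tool: it lists the method names in a SYSTEM grammar that have no matching stanza. The function names, the built-in list (compat, files, NONE) and the sample file abridged from the thread are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check a SYSTEM grammar from
# /etc/security/user against the stanzas defined in methods.cfg.

# Methods assumed to need no stanza; this list is an assumption of the example.
BUILTIN="compat files NONE"

# Constructed sample, abridged from the methods.cfg quoted in the message.
write_sample_cfg() {
    cat > "$1" <<'EOF'
NIS:
        program = /usr/lib/security/NIS
DCE:
        program = /usr/lib/security/DCE
KRB5:
        program = /usr/lib/security/KRB5
        options = authonly
KRB5files:
        options = db=BUILTIN,auth=KRB5
EOF
}

# Print stanza names: lines of the form "NAME:" starting in column one.
stanzas() {
    sed -n 's/^\([A-Za-z0-9_][A-Za-z0-9_]*\):[[:space:]]*$/\1/p' "$1"
}

# Print each method in grammar $2 that is neither built in nor a stanza in $1.
undefined_methods() {
    defined=" $BUILTIN $(stanzas "$1" | tr '\n' ' ') "
    # Strip [RESULT] qualifiers, parentheses and quotes, then drop AND/OR.
    printf '%s\n' "$2" |
        sed -e 's/\[[A-Z]*]//g' -e 's/[()"]/ /g' |
        tr -s ' \t' '\n\n' |
        grep -v -e '^AND$' -e '^OR$' -e '^$' |
        sort -u |
        while read -r name; do
            case "$defined" in
                *" $name "*) ;;
                *) printf '%s\n' "$name" ;;
            esac
        done
}

cfg=$(mktemp) && write_sample_cfg "$cfg"
for s in 'KRB5files OR compat' 'KRBfiles' 'KRB5NIS OR compat'; do
    printf '%-22s undefined: %s\n' "$s" "$(undefined_methods "$cfg" "$s" | tr '\n' ' ')"
done
rm -f "$cfg"
```

On a real host the first argument would be the methods.cfg path and the second the SYSTEM value reported for the user or the default stanza.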

