AIX 5.1 and Network Authentication Service 1.3
Markus Moeller
huaraz at moeller.plus.com
Sun Apr 3 07:18:23 EDT 2005
Matthew,
I have right now started testing on AIX 5.2 with NAS 1.4 (only clients and
server, not the kdc; I use a w2k3 kdc). Most things work, but a few don't, and
I put in a PMR to IBM. IBM also confirmed that for AIX 5.1 you need DCE to
get the clients/servers to work, as they need the chauthent -k5 setting (I
suggest you set it initially to chauthent -k5 -std so that in the case of a
Kerberos failure you can still use the local password).
Regards
Markus
"Matthew B. Brookover" <mbrookov at mines.edu> wrote in message
news:1112474031.10303.49.camel at merlin.Mines.EDU...
> The mkkrb5clnt tool configures the system very similarly to what you
> described below. The difference was /etc/security/user set
> SYSTEM=KRB5files OR compat and /usr/lib/security/methods.cfg did not
> have the options=authonly. I made both changes and kerberos still fails
> to work on login.
>
> Markus Moeller also suggested chauthent -k5. The response was:
>
> [root at bologna security]# chauthent -k5
> Kerberos 4 permitted on SP system only.
> Kerberos 5 requires DCE version 2.2 or greater.
> [root at bologna security]#
>
>
> I looked around for DCE but could not find it on the AIX 5.1 CDROMs. I
> also looked on the IBM Scholars Program software offerings and did not
> see DCE there either. Is DCE still offered by TransArc?
>
> Out of curiosity, I put a packet sniffer on the KDC. There was no
> connection from AIX. There were several exchanges between the AIX host
> and the KDC when I ran kinit, kadmin, and mkkrb5clnt with the KDC which
> leads me to believe that the system is configured correctly.
>
> While grasping at straws, I downloaded and installed the patches
> suggested by compare_report. It did not help.
>
> krb.conf:
>
> [libdefaults]
> default_realm = MINES.EDU
> default_keytab_name = FILE:/etc/krb5/krb5.keytab
> default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
>
> [realms]
> MINES.EDU = {
> kdc = eightoften.mines.edu:88
> admin_server = eightoften.mines.edu:749
> default_domain = mines.edu
> }
>
> [domain_realm]
> .mines.edu = MINES.EDU
> eightoften.mines.edu = MINES.EDU
>
> [logging]
> kdc = FILE:/var/krb5/log/krb5kdc.log
> admin_server = FILE:/var/krb5/log/kadmin.log
> default = FILE:/var/krb5/log/krb5lib.log
>
>
> I am using the Kerberos client file sets provided by IBM on the
> expansion pack CD:
>
> [root at bologna security]# lslpp -p | grep krb
> krb5.client.rte 1.3.0.0
> krb5.client.samples 1.3.0.0
> *prereq krb5.client.rte 1.3.0.0
> krb5.msg.en_US.client.rte 1.3.0.0
> *instreq krb5.client.rte 1.3.0.0
> krb5.toolkit.adt 1.3.0.0
> *prereq krb5.client.rte 1.3.0.0
> krb5.client.rte 1.3.0.0
> [root at bologna security]#
>
> I had originally installed all of the krb* file sets from the expansion
> pack disk. After reading the list below, I removed them and installed
> only the ones listed.
>
> /etc/security/methods.cfg:
>
> NIS:
> program = /usr/lib/security/NIS
> program_64 = /usr/lib/security/NIS_64
>
> DCE:
> program = /usr/lib/security/DCE
>
> KRB5:
> program = /usr/lib/security/KRB5
> options = authonly
>
> KRB5files:
> options = db=BUILTIN,auth=KRB5
>
>
> The NIS and DCE stanzas were there already. mkkrb5clnt added the KRB5
> and KRB5files stanzas. I added the options=authonly line to the KRB5
> stanza.
>
> The only errors that show up in any of the logs are like this one in
> /var/adm/messages.
>
> Apr 2 10:52:49 bologna syslog: pts/1: failed login attempt for test06
> from merlin.Mines.EDU
>
>
> After running mkkrb5clnt, I cannot log in as any user except root. The
> system is running openssh that was not compiled with kerberos. OpenSSH
> will still let me log in using keys that were set up before kerberos.
> Even with openssh, you cannot log in using a password. If I run
> /usr/krb5/sbin/unconfig.krb5, everything goes back to normal.
>
> I have not tried to use LDAP yet. It looks like the AIX LDAP client
> will not work with the schema provided with OpenLDAP, leaving a number
> of issues to sort out. For now, I need authorization from local files
> and authentication from Kerberos.
>
> I thought about upgrading to AIX 5.3, unfortunately, my development
> system is not supported by AIX 5.2 and above.
>
> Thank you
>
>
> Matt Brookover
> mbrookov at mines.edu
>
>
> On Fri, 2005-04-01 at 16:44, Christopher D. Clausen wrote:
>
>> Matthew B. Brookover <mbrookov at mines.edu> wrote:
>> > I have MIT Kerberos 1.4 KDC on a Linux (Fedora Core 3) server. The
>> > server works with Linux, Windows, and open LDAP. I am trying to get
>> > an RS/6000 running AIX 5.1 with IBM's kerberos client (Network
>> > Authentication Service 1.3) to work with the KDC on Linux.
>> >
>> > I ran mkkrb5clnt -c eightoften.mines.edu -r MINES.EDU -s
>> > eightoften.mines.edu -d mines.edu -i files -K -T on the RS/6000. The
>> > /etc/krb5/krb5.conf and /usr/lib/security/methods.cfg
>> > files look fine. I can use kinit, and kadmin. The problem is I
>> > cannot log in.
>>
>> Using MIT binaries? Or the ones from the krb5.client.rte fileset?
>> (probably installed in /usr/krb5/bin)
>>
>> Also, I'd suggest symlinking /etc/krb5.conf to /etc/krb5/krb5.conf.
>>
>> > The only user that can log in is root, all other users get '3004-007
>> > You entered an invalid login name or password.' There are no log
>> > entries in /var/log/krb5/krb5kdc.log for the test user, suggesting
>> > that login is not even trying to connect to the KDC.
>>
>> Get Kerberos to first work with a local account (set the passwords
>> different) on the AIX box, then try to get LDAP working (assuming this
>> is what you want to do.)
>>
>> > The default stanza in /etc/security/user has SYSTEM set to "KRB5files
>> > OR compat". I have also tried to set the user's SYSTEM parameter to
>> > KRBfiles.
>>
>> I posted some info to a similar question to comp.unix.aix a month ago.
>> You might want to read through that thread:
>> http://groups-beta.google.com/group/comp.unix.aix/browse_frm/thread/7441e04b0acc2e5/90a21cf05720edf3
>>
>> Here are some parts of that message with additional info added:
>>
>> I currently have an AIX 5.1 machine (enzo.acm.uiuc.edu) up that uses NIS
>> for account info and Kerberos for auth (no passwords in NIS.) KDCs are
>> one Debian Linux sparc machine and one Solaris 9 sparc, running Kerberos
>> 1.3.6, I think.
>>
>> I found this useful:
>> http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/kerberos_auth_only_load_module.htm
>>
>> This may also be useful for you: http://www.feep.net/PAM/AIX/
>>
>> my current /lib/security/methods.cfg:
>> NIS:
>> program = /usr/lib/security/NIS
>> program_64 = /usr/lib/security/NIS_64
>>
>> * not sure if you need this or not, I'm guessing no
>> DCE:
>> program = /usr/vice/etc/afs_dynamic_kerbauth
>> options = authonly
>>
>> * you probably don't need the AFS or AFSfiles stanzas
>> AFS:
>> program = /usr/vice/etc/afs_dynamic_kerbauth
>> options = authonly
>>
>> AFSfiles:
>> options = db=BUILTIN,auth=AFS
>>
>> KRB5:
>> program = /usr/lib/security/KRB5
>> options = authonly
>>
>> KRB5files:
>> options = db=BUILTIN,auth=KRB5
>>
>> KRB5NIS:
>> options = db=NIS,auth=KRB5
>>
>> I don't think you need dce installed, but you do need krb5.client.rte:
>> # lslpp -p | grep krb
>> krb5.client.rte 1.3.0.0
>> krb5.client.samples 1.3.0.0
>> *prereq krb5.client.rte 1.3.0.0
>> krb5.toolkit.adt 1.3.0.0
>> *prereq krb5.client.rte 1.3.0.0
>> krb5.client.rte 1.3.0.0
>> # lslpp -p | grep dce
>> #
>>
>> from my /etc/security/user file:
>> default:
>> SYSTEM = "KRB5 OR (KRB5[UNAVAIL] AND compat[SUCCESS])"
>> registry = NIS
>>
>> Let me know if this helps!
>>
>> I have not yet attempted LDAP auth. I'm sure there are others who would
>> like to know how to get LDAP+KRB5 working, so post anything you find out
>> back to the list.
>>
>> <<CDC
>> Christopher D. Clausen
>> ACM at UIUC SysAdmin
>>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
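The configurations quoted in this thread all hinge on one chain: a SYSTEM= value in /etc/security/user names KRB5files, whose stanza has no program of its own but delegates db=BUILTIN and auth=KRB5, and the KRB5 stanza must carry options=authonly. The checker below is an added example, not code from the thread or from IBM; it parses the AIX stanza format, walks the db=/auth= references and flags a missing stanza or a missing authonly. The BUILTIN set and SAMPLE_METHODS_CFG are assumptions constructed from the files quoted above.

```python
import re
BUILTIN = {"compat", "files", "BUILTIN"}  # assumed to need no methods.cfg stanza

def parse_stanzas(text):
    """Parse AIX stanza syntax: 'Name:' header, 'key = value' lines, '*' comments."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith(":") and "=" not in line:
            cur = stanzas.setdefault(line[:-1].strip(), {})
        elif cur is not None:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    return stanzas

def parse_options(value):  # 'db=BUILTIN,auth=KRB5' -> {'db': 'BUILTIN', 'auth': 'KRB5'}
    return {k.strip(): v.strip() for k, _, v in (i.partition("=") for i in value.split(",") if i.strip())}

def check_method(name, stanzas, as_auth=False, seen=()):  # follows db=/auth= chains
    if name in BUILTIN:
        return []
    if name in seen:
        return [f"{name}: circular db=/auth= reference"]
    if (stanza := stanzas.get(name)) is None:
        return [f"{name}: no stanza in methods.cfg"]
    opts, problems = parse_options(stanza.get("options", "")), []
    if "program" in stanza:
        # An auth= target must be authonly, or AIX also asks it for account data it cannot supply.
        if as_auth and "authonly" not in opts:
            problems.append(f"{name}: auth= target without options=authonly")
    else:  # compound stanza: delegates to the modules named by db= and auth=
        for key in ("db", "auth"):
            if key in opts:
                problems += check_method(opts[key], stanzas, key == "auth", seen + (name,))
    return problems

def check_system(system_value, stanzas):  # SYSTEM= value from /etc/security/user
    expr = re.sub(r"\[[A-Z]+\]", "", system_value.strip('" '))  # drop [UNAVAIL]-style result tests
    names = [t for t in re.findall(r"\w+", expr) if t not in ("OR", "AND")]
    return [p for name in dict.fromkeys(names) for p in check_method(name, stanzas)]

SAMPLE_METHODS_CFG = """\
* constructed sample in the shape of the methods.cfg quoted in the thread
KRB5:
        program = /usr/lib/security/KRB5
        options = authonly
KRB5files:
        options = db=BUILTIN,auth=KRB5
"""
```

Running check_system('"KRB5files OR compat"', parse_stanzas(SAMPLE_METHODS_CFG)) returns an empty list; drop the authonly line from the KRB5 stanza or misspell the module name in SYSTEM and it reports exactly which link in the chain is broken.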