AIX5.3 authentication with Microsoft Active Directory


DonDavisFCB

Programmer
Aug 22, 2001
73
US
This was originally referenced in thread52-745587

I have user logins working using the krb5 client from the expansion pack. I now have problems with how to handle DB2 logins. For example:
db2 connect to <instance> user <userid> using <password>
This does not work using this methodology.

I also have issues with Tivoli Remote Control with similar issues. It will not authenticate to AD.
I've been told that I need PAM but don't think there is PAM for AIX. Has anyone else got this working?
This is all being driven by audit/SOX because AIX does not have password options to force mixed case and numeric values in the password.
 
What you are trying to do is interesting!

Why don't you take the advice from IBM Support? They would give you some more directions on what you want to do!

I never tried to do this, so I will be waiting for your success.

Regards,
Khalid
 
I think this is what you're looking for. I got it working about 6 months ago. I don't actually use it, but I wanted to know that I could. Here are the notes I took.

Installing and Configuring Kerberos
1. Modify the default stanza in /etc/security/user by adding “registry = files”

2. Install the following Kerberos filesets from the AIX Expansion Pack

krb5.client
krb5.lic
krb5.toolkit

3. Configure the AIX server as a Kerberos client by running:

config.krb5 -C -r DOMAIN -d domain -c domainserver1 -s domainserver1

This will configure the /etc/krb5/krb5_cfg_type file and the /etc/krb5.conf file

4. Edit /etc/krb5.conf and add more KDCs to the realm. These will be backups in case the server in step 3 is not available.

Add something like:
kdc = domainserver2:88
kdc = < any additional Active Directory Server >:88

At this point you are ready to "test" the krb5 configuration.

Get a ticket with /usr/krb5/bin/kinit ADUsername (then enter your password)
View your ticket by running /usr/krb5/bin/klist.
Destroy your ticket with /usr/krb5/bin/kdestroy.

5. Add the following stanzas to /usr/lib/security/methods.cfg :

KRB5A:
program = /usr/lib/security/KRB5A
options = authonly,tgt_verify=no

KRB5Afiles:
options = db=BUILTIN,auth=KRB5A


The system is now ready to use Kerberos for authentication. Switch your account to use Kerberos with one of the following:

If your AIX and NT usernames are the same, run (as root):
chuser registry=KRB5Afiles SYSTEM=KRB5Afiles AIXUsername


If your AIX and NT usernames are not the same, run (as root):
chuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_name=ADUsername AIXUsername

NOTICE: After some testing this (different AD and AIX usernames) works fine over telnet, but to get it to work over SSH the server must have OpenSSH_4.4p1 running with OpenSSL 0.9.7l (our systems currently are running a lower version: OpenSSH_4.1p1 with OpenSSL 0.9.7d).


Next you need to configure SSH to accept Kerberos

6. Modify /etc/ssh/sshd_config by uncommenting/changing these:
KerberosAuthentication yes
KerberosTicketCleanup yes

GSSAPIAuthentication yes

7. Stop and start the ssh daemon (stopsrc -g ssh and startsrc -g ssh)

You are now ready to log in to AIX by supplying your Active Directory password. You can also change your Active Directory password from AIX.

## I think you could use PAM to "pass" the password
 
I've seen PAM implemented on AIX, so it can be done.

The files come with bos.rte.security in AIX 5.3.
 