Kerberos, Active Directory and AIX


There is a lot of information, much of it conflicting, on using Kerberos with Active Directory to authenticate AIX clients. I recently migrated from LDAP-based authentication to one using Kerberos and Active Directory (2012); the client estate was more than 150 hosts running AIX 5.3, 6.1 and 7.1. While not painless, the difficulties were short-lived and not severe. This article describes the task in detail.

If you think the Kerberos filesets are all you need for this solution, you're wrong. The LDAP client filesets are required as well: Kerberos provides only the authentication service, whereas LDAP delivers the authorization information (group membership and the other attributes that define a user). Both obtain their information from the same source, Active Directory.

Installation

To install the Kerberos client, download the NAS (Network Authentication Service) package that matches your version of AIX. The following command installs it:

# /usr/sbin/installp -agYXd /path/to/apps/NAS1.6.0.1 all

Install the LDAP software in the same fashion. If you install only the LDAP client components, you will most likely be left without the ldapsearch command, so install them all.

It makes sense to verify LDAP connectivity before proceeding any further, and for that your AIX client must have the ldapsearch command. If the shell cannot find it, that is usually because it is installed under /opt rather than in /usr/bin or /usr/sbin; locate it with the find command:

# find /opt -name ldapsearch -print
/opt/IBM/ldap/V6.3/bin/32/ldapsearch
/opt/IBM/ldap/V6.3/bin/64/ldapsearch
/opt/IBM/ldap/V6.3/bin/ldapsearch
/opt/IBM/ldap/V6.3/examples/java/com/ibm/ldap/bp/client/ldapsearch

To make your life easier, append /opt/IBM/ldap/V6.3/bin to the PATH variable in either your ~/.profile or /etc/environment. Or, for the current session only:

# export PATH=$PATH:/opt/IBM/ldap/V6.3/bin

Verification

With both Kerberos and LDAP installed, you must verify that the AIX client can query Active Directory and receive answers. Ask your Active Directory administrator for the fully qualified distinguished name (and password) of an account created for this purpose and for the DNS name of the Active Directory server where that account resides. For the sake of this tutorial, the account is cn=aixldapquery,ou=ServiceAccounts,ou=Corporate Servers,dc=wmd,dc=edu, the password is ^laska^nebeska:1954 and the server is ldap.wmd.edu. With this information in hand, search Active Directory for some details about a user; in this case I'll ask for my own information. Note that a password passed with -w is visible in the process table while the command runs and stays in the shell history afterwards, so treat the value as exposed on that host; it is single-quoted below so the shell passes it through untouched.

# ldapsearch -h ldap.wmd.edu \
-D "cn=aixldapquery,ou=ServiceAccounts,ou=Corporate Servers,dc=wmd,dc=edu" \
-w '^laska^nebeska:1954' \
-s sub \
-b "dc=wmd,dc=edu" "(cn=duszyk)" uid unixHomeDirectory loginShell

CN=duszyk,OU=Secured,OU=Corporate Users,DC=wmd,DC=edu
uid=duszyk
unixHomeDirectory=/home/duszyk
loginShell=/bin/bash 

As this response shows, at least some of the UNIX attributes in Active Directory have already been set for this user. Ensure that the UNIX attributes of every AIX user are populated in Active Directory before any AIX host is transitioned to authenticate against it; this detail is sometimes overlooked, and an account without them cannot be mapped to an AIX user.
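The following shell script, added here as an example (it is not part of the original article), automates that check for a list of users: it looks for the UNIX attributes AIX needs in ldapsearch output and reports which ones are missing. The server, bind DN and base DN are the article's example values; the password file path /etc/security/ldap/aixldapquery.pw is an assumption, and the ldapsearch output for the users duszyk and jsmith is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the article: verify that AD user entries carry the
# UNIX attributes AIX needs before any host is switched to LDAP/AD authentication.

# Attributes an AD (SFU) user entry must have for AIX to build a usable account.
REQUIRED="uid uidNumber gidNumber unixHomeDirectory loginShell"

# Live lookup for one user. Server, bind DN and base DN are the article's values;
# the password file (assumed path, mode 0600, one line) replaces a password on the
# command line, which would otherwise show up in ps output and shell history.
# Not invoked below, so the script runs without network access.
query_user() {
    ldapsearch -h ldap.wmd.edu \
        -D "cn=aixldapquery,ou=ServiceAccounts,ou=Corporate Servers,dc=wmd,dc=edu" \
        -w "$(cat /etc/security/ldap/aixldapquery.pw)" \
        -s sub -b "dc=wmd,dc=edu" "(cn=$1)" $REQUIRED
}

# Print the required attributes missing from one entry, space separated (empty if complete).
# Input is ldapsearch output for a single entry in the attr=value form IBM ldapsearch prints.
missing_unix_attrs() {
    entry="$1"
    missing=""
    for attr in $REQUIRED; do
        # LDAP attribute names are case-insensitive, hence -i; the trailing "=" keeps
        # uid= from matching uidNumber=.
        if ! printf '%s\n' "$entry" | grep -iq "^${attr}="; then
            missing="${missing}${missing:+ }${attr}"
        fi
    done
    printf '%s' "$missing"
}

# Print a verdict per user; returns 1 if any user is incomplete.
# Arguments: user1 output1 user2 output2 ...
report() {
    rc=0
    while [ $# -ge 2 ]; do
        user="$1"; entry="$2"; shift 2
        m=$(missing_unix_attrs "$entry")
        if [ -z "$m" ]; then
            echo "OK       $user"
        else
            echo "MISSING  $user: $m"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample ldapsearch output. duszyk is complete; jsmith has no uidNumber or
# gidNumber, which is exactly the state that cannot be mapped to an AIX user after migration.
SAMPLE_OK='CN=duszyk,OU=Secured,OU=Corporate Users,DC=wmd,DC=edu
uid=duszyk
uidNumber=10042
gidNumber=10000
unixHomeDirectory=/home/duszyk
loginShell=/bin/bash'

SAMPLE_BAD='CN=jsmith,OU=Secured,OU=Corporate Users,DC=wmd,DC=edu
uid=jsmith
unixHomeDirectory=/home/jsmith
loginShell=/bin/ksh'

# Against a live directory this would be: report "$u" "$(query_user "$u")" for each user.
report duszyk "$SAMPLE_OK" jsmith "$SAMPLE_BAD" ||
    echo "fix the UNIX attributes listed above in Active Directory before migrating any host"
```

Run it once per domain with the real user list substituted for the samples; a non-zero exit from report is the signal to stop and have the Active Directory side populate the missing attributes.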

First, let’s set the client to authenticate purely with LDAP, which is an opportunity to validate that the client correctly translated user information from the Active Directory into the format that AIX can understand and use. Execute the mksecldap command:

# mksecldap -c -h ldap.wmd.edu \
-a "cn=aixldapquery,ou=ServiceAccounts,ou=Corporate Servers,dc=wmd,dc=edu" \
-d "dc=wmd,dc=edu" \
-p '^laska^nebeska:1954'

Next, in the file /etc/security/user, find your own stanza and change both SYSTEM and registry attributes to contain the word LDAP.

registry = LDAP
SYSTEM = "LDAP"

Now, edit the /etc/security/ldap/ldap.cfg and verify that it contains the following entries:

authtype:unix_auth
useSSL:no
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
userclasses:user,person,organizationalperson
groupclasses:group
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:sfur2

Note that useSSL:no together with ldapport:389 means the bind credential and every lookup cross the network in cleartext; that is acceptable for this verification step on a trusted segment, but it is not a setting to carry into production. The serverschematype value sfur2 identifies the data store as Active Directory. UNIX group membership in Active Directory may be specified in one of two ways, and as a result you must change the following entry in /etc/security/ldap/sfur2group.map:

users      SEC_LIST   cn                 m       na      yes

Into either:

users      SEC_LIST    msSFU30PosixMember m      na      yes

Or:

users      SEC_LIST   member              m      na      yes

Now restart secldapclntd with restart-secldapclntd, or empty its cache with flush-secldapclntd. Check that you can get all your AIX data from Active Directory; in my case I executed lsuser -R LDAP duszyk, which delivered the data I needed to see to declare the setup successful.
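The following shell script, added here as an example and not part of the original article, automates the choice between the two sfur2group.map lines above: it inspects ldapsearch output for a group to see whether membership is held in msSFU30PosixMember or in member, prints the matching map line, and rewrites the users line of a map file accordingly. The two group entries and the map file it edits are constructed so it runs offline; the real file is /etc/security/ldap/sfur2group.map, and the example deliberately works on a copy under /tmp.

```shell
#!/bin/sh
# Added example, not code from the article: pick the sfur2group.map "users" line that
# matches how a given Active Directory group actually stores its POSIX members.

# Print the attribute that carries group membership in one group entry, or "none".
# Input is ldapsearch output for a single group in the attr=value form IBM ldapsearch prints.
membership_attr() {
    entry="$1"
    if printf '%s\n' "$entry" | grep -iq '^msSFU30PosixMember='; then
        echo msSFU30PosixMember
    elif printf '%s\n' "$entry" | grep -iq '^member='; then
        echo member
    else
        echo none
    fi
}

# Print the sfur2group.map line for a membership attribute (columns as in the article:
# AIX attribute, type, LDAP attribute, value type, and the remaining flags).
map_line() {
    case "$1" in
        msSFU30PosixMember|member)
            printf 'users      SEC_LIST   %-18s  m      na      yes\n' "$1" ;;
        *)
            echo "no membership attribute found; leave sfur2group.map unchanged" >&2
            return 1 ;;
    esac
}

# Replace the LDAP attribute on the "users SEC_LIST cn ..." line of a map file with $2,
# leaving every other line untouched. Works on whatever path it is given; run it on a
# copy and diff the result before touching /etc/security/ldap/sfur2group.map.
update_map() {
    mapf="$1"; attr="$2"
    sed "s/^\(users[[:space:]]*SEC_LIST[[:space:]]*\)cn\([[:space:]]\)/\1${attr}\2/" "$mapf" \
        > "$mapf.new" && mv "$mapf.new" "$mapf"
}

# Constructed sample group entries: one populated through SFU (members are plain names),
# one through ordinary AD membership (members are DNs).
SFU_GROUP='CN=aixadmins,OU=UnixGroups,DC=wmd,DC=edu
cn=aixadmins
gidNumber=10000
msSFU30PosixMember=duszyk
msSFU30PosixMember=jsmith'

AD_GROUP='CN=aixusers,OU=UnixGroups,DC=wmd,DC=edu
cn=aixusers
gidNumber=10001
member=CN=duszyk,OU=Secured,OU=Corporate Users,DC=wmd,DC=edu
member=CN=jsmith,OU=Secured,OU=Corporate Users,DC=wmd,DC=edu'

# Constructed stand-in for sfur2group.map, edited in /tmp rather than in place.
MAP=/tmp/sfur2group.map.example
printf '%s\n' \
    'groupname  SEC_CHAR   cn         s       na      yes' \
    'users      SEC_LIST   cn         m       na      yes' > "$MAP"

for g in "$SFU_GROUP" "$AD_GROUP"; do
    map_line "$(membership_attr "$g")"
done
update_map "$MAP" "$(membership_attr "$SFU_GROUP")"
cat "$MAP"
# After editing the real map: restart-secldapclntd, then lsuser -R LDAP <user> to confirm
# that the group list comes back.
```

Feed membership_attr the output of an ldapsearch against one of your real UNIX-enabled groups; if it reports none, the group has no POSIX members in either form and the map change alone will not make it appear on the AIX side.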

Mark Duszyk lives and works in the Delaware Valley. He has spent many years working with AIX and recently got involved with Linux. Beside his blog, his interests include fly fishing and photography.


