
Security Guide

Authenticating to AIX Using Kerberos

AIX provides the following Kerberos authentication load modules: KRB5 and KRB5A. Even though both modules do Kerberos authentication, the KRB5 load module performs Kerberos principal management, whereas the KRB5A load module does not. The KRB5 load module uses the IBM Network Authentication Services' Kerberos database interface to manipulate the Kerberos identities and principals. Using the KRB5 load module, an AIX system administrator can manage Kerberos-authenticated users and their associated Kerberos principals by using the existing AIX user-administration commands without any change. For example, to create an AIX user, as well as a Kerberos principal associated with that user, run the mkuser command.

The KRB5A load module performs only authentication. Kerberos principal management is done separately, using Kerberos principal-management tools. The KRB5A load module is used in an environment where Kerberos principals are stored on a non-AIX system and cannot be managed from AIX through the Kerberos database interface. For example, you can have a Windows 2000 Active Directory server where Kerberos principal management is performed with the Active Directory account-management tools and APIs.

Installing and Configuring the System for Kerberos Integrated Login Using KRB5

Network Authentication Services (IBM Kerberos implementation) is shipped on the Expansion Pack. To install the Kerberos Version 5 client package, install the krb5.client.rte fileset. To install the Kerberos Version 5 server package, install the krb5.server.rte fileset. To install the entire Kerberos Version 5 package, install the krb5 package.

To avoid namespace collisions between DCE and Kerberos commands (that is, between the klist, kinit, and kdestroy commands), the Kerberos commands are installed in the /usr/krb5/bin and the /usr/krb5/sbin directories. You can add these directories to your PATH definition. Otherwise, to execute the Kerberos commands, you must specify fully qualified command path names.

Network Authentication Services documentation is provided in the krb5.doc.lang.pdf|html package, where lang represents the supported language.

Configuring the Kerberos Version 5 KDC and kadmin Servers

Notes:
  1. It is not recommended that both DCE and Kerberos server software be installed on the same physical system. If you must do so, the default operational internet port numbers must be changed for either the DCE clients and server or for the Kerberos clients and server. In either case, such a change can affect interoperability with existing DCE and Kerberos deployments in your environment. For information about co-existence of DCE and Kerberos, refer to Network Authentication Services documentation.
  2. Kerberos Version 5 is set up to reject ticket requests from any host whose clock is not within the specified maximum clock skew of the KDC. The default value for maximum clock skew is 300 seconds (five minutes). Kerberos requires that some form of time synchronization is configured between the servers and the clients. It is recommended that you use the xntpd or timed daemons for time synchronization. To use the timed daemon, do the following:
    1. Set up the KDC server as a time server by starting the timed daemon, as follows:
      timed -M
    2. Start the timed daemon on each Kerberos client, as follows:
      timed -t

To configure the Kerberos KDC and kadmin servers, run the mkkrb5srv command. For example, to configure Kerberos for the MYREALM realm, the sundial server, and the xyz.com domain, type the following:

mkkrb5srv -r MYREALM -s sundial.xyz.com -d xyz.com -a admin/admin

Wait a few minutes for the kadmind and krb5kdc commands to start from /etc/inittab.

Running the mkkrb5srv command results in the following actions:

  1. Creates the /etc/krb5/krb5.conf file. Values for realm name, Kerberos admin server, and domain name are set as specified on the command line. The /etc/krb5/krb5.conf file also sets the paths for the default_keytab_name, kdc, and admin_server log files.
  2. Creates the /var/krb5/krb5kdc/kdc.conf file. The /var/krb5/krb5kdc/kdc.conf file sets the values for the kdc_ports, kadmin_port, max_life, max_renewable_life, master_key_type, and supported_enctypes variables. This file also sets the paths for the database_name, admin_keytab, acl_file, dict_file, and key_stash_file variables.
  3. Creates the /var/krb5/krb5kdc/kadm5.acl file. Sets up the access control for admin, root, and host principals.
  4. Creates the database and one admin principal. You are asked to set a Kerberos master key and to name and set the password for a Kerberos administrative principal identity. For disaster-recovery purposes, it is critical that the master key and administrative principal identity and password are securely stored away.

For more information, refer to Sample Runs and Error Messages and Recovery Actions.

Configuring the Kerberos Version 5 Clients

After Kerberos installation is complete, it is not apparent to normal users that the Kerberos technology is in use. The login process to the operating system remains unchanged. However, users now have Kerberos ticket-granting tickets (TGTs) associated with their running processes. To configure systems to use Kerberos as the primary means of user authentication, run the mkkrb5clnt command with the following parameters:

mkkrb5clnt -c KDC -r realm -a admin -s server -d domain -A -i database -K -T

For example, to configure the sundial.xyz.com KDC with the MYREALM realm, sundial.xyz.com admin server, the xyz.com domain, and the files database, type the following:

mkkrb5clnt -c sundial.xyz.com -r MYREALM -s sundial.xyz.com -d xyz.com -A -i files -K -T

The previous example results in the following actions:

  1. Creates the /etc/krb5/krb5.conf file. Values for realm name, Kerberos admin server, and domain name are set as specified on the command line. Also, updates the paths for default_keytab_name, kdc, and kadmin log files.
  2. The -i flag configures fully integrated login. The database entered is the location where Kerberos principals are stored.
  3. The -K flag configures Kerberos as the default authentication scheme. This allows the users to become authenticated with Kerberos at login time.
  4. The -A flag adds an entry in the Kerberos Database to make root an admin user for Kerberos.
  5. The -T flag acquires a TGT-based admin ticket from the admin server.

If a client system is located in a different DNS domain than the KDC, the following additional actions must be performed:

  1. Edit the /etc/krb5/krb5.conf file and add another entry under the [domain_realm] section.
  2. Map the different domain to your realm.

For example, to include a client that is in the abc.xyz.com domain in your MYREALM realm, the /etc/krb5/krb5.conf file includes the following additional entry:

[domain_realm]
     .abc.xyz.com = MYREALM
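As an added illustration (not part of the AIX documentation), the following Python reads a constructed krb5.conf that carries the mapping above and resolves a host name to its realm the way libkrb5 searches [domain_realm]: the exact host first, then each parent domain with and without a leading dot. Falling back to default_realm when nothing matches is a simplification assumed here; the real library can also consult DNS and referrals.

```python
from typing import Dict, Optional

def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.conf reader: '[section]' headers and 'key = value' lines.
    Braced blocks such as the per-realm settings are skipped; not needed here."""
    sections: Dict[str, Dict[str, str]] = {}
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        depth += line.count("{") - line.count("}")   # track nesting of { } blocks
        if depth > 0 or current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        current[key.lower()] = value
    return sections

def host_realm(conf: Dict[str, Dict[str, str]], hostname: str) -> Optional[str]:
    """Map a host to a realm in libkrb5's [domain_realm] search order:
    for a.b.c.d try a.b.c.d, .b.c.d, b.c.d, .c.d, c.d, .d, d in turn.
    The default_realm fallback is this example's simplification."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in mapping:
                return mapping[candidate]
    return conf.get("libdefaults", {}).get("default_realm")

# Constructed sample: the xyz.com mapping plus the extra .abc.xyz.com line from
# the text, and one host mapped to another (hypothetical) realm for contrast.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MYREALM
[realms]
    MYREALM = {
        kdc = sundial.xyz.com:88
    }
[domain_realm]
    .xyz.com = MYREALM
    xyz.com = MYREALM
    .abc.xyz.com = MYREALM
    legacy.xyz.com = OTHERREALM
"""
CONF = parse_krb5_conf(SAMPLE_KRB5_CONF)
```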

Error Messages and Recovery Actions

Errors that can occur when using the mkkrb5srv command include the following:

Errors that can occur when using the mkkrb5clnt command include the following:

Files Created

The mkkrb5srv command creates the following files:

The mkkrb5clnt command creates the following file:

The mkkrb5clnt -i files option adds the following stanzas to the /usr/lib/security/methods.cfg file:

KRB5:
		program =
		options =
KRB5files:
		options =
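An added consistency check (example code, not part of the AIX documentation or product): it parses the stanza format of methods.cfg and reports a compound stanza whose db= or auth= option names a load module with no program path, or a plain stanza that has no program at all. The sample input is constructed; it pairs the KRB5A stanzas shown later on this page with a KRB5 pair whose values are left blank so the check has something to report, and the rule that every referenced module needs a program path is this example's own assumption.

```python
from typing import Dict, List

def parse_methods_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """AIX stanza format: 'NAME:' at column 0, indented 'key = value', '*' comments."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and not raw[:1].isspace() and not line.startswith("*"):
            current = stanzas.setdefault(line[:-1], {})
        elif current is not None and "=" in line and not line.startswith("*"):
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return stanzas

def parse_options(value: str) -> Dict[str, str]:
    """'db=BUILTIN,auth=KRB5A' -> {'db': 'BUILTIN', 'auth': 'KRB5A'}; bare flags map to ''."""
    opts = {}
    for item in filter(None, (s.strip() for s in value.split(","))):
        key, _, val = item.partition("=")
        opts[key] = val
    return opts

def check_methods_cfg(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Assumed rule: a plain stanza needs program=; db=/auth= must name such a stanza."""
    findings = []
    for name, attrs in stanzas.items():
        opts = parse_options(attrs.get("options", ""))
        if "db" not in opts and "auth" not in opts and not attrs.get("program"):
            findings.append(f"{name}: load module has no program path")
        for role in ("db", "auth"):
            target = opts.get(role)
            if target and target != "BUILTIN" and not stanzas.get(target, {}).get("program"):
                findings.append(f"{name}: {role}={target} is not a loadable module")
    return findings

# Constructed sample: the KRB5A pair from later on this page plus a blank KRB5 pair.
SAMPLE_METHODS_CFG = """\
* constructed sample, not a real /usr/lib/security/methods.cfg
KRB5A:
\tprogram = /usr/lib/security/KRB5A
\toptions = authonly
KRB5Afiles:
\toptions = db=BUILTIN,auth=KRB5A
KRB5:
\tprogram =
\toptions =
KRB5files:
\toptions = db=BUILTIN,auth=KRB5
"""
FINDINGS = check_methods_cfg(parse_methods_cfg(SAMPLE_METHODS_CFG))
```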

Sample Runs

The following is an example of the mkkrb5srv command:

# mkkrb5srv -r MYREALM -s sundial.xyz.com -d xyz.com -a admin/admin

Output similar to the following displays:

  Fileset                      Level  State      Description         
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  krb5.server.rte            1.3.0.0  COMMITTED  Network Authentication Service
                                                 Server

Path: /etc/objrepos
  krb5.server.rte            1.3.0.0  COMMITTED  Network Authentication Service
                                                 Server
The -s option is not supported.
The administration server will be the local host.
Initializing configuration...
Creating /etc/krb5/krb5.conf...
Creating /var/krb5/krb5kdc/kdc.conf...
Creating database files...
Initializing database '/var/krb5/krb5kdc/principal' for realm 'MYREALM'
master key name 'K/M@MYREALM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter database Master Password:
Re-enter database Master Password to verify:
WARNING: no policy specified for admin/admin@MYREALM;
  defaulting to no policy. Note that policy may be overridden by
  ACL restrictions.
Enter password for principal "admin/admin@MYREALM": 
Re-enter password for principal "admin/admin@MYREALM": 
Principal "admin/admin@MYREALM" created.
Creating keytable...
Creating /var/krb5/krb5kdc/kadm5.acl...
Starting krb5kdc...
krb5kdc was started successfully.
Starting kadmind...
kadmind was started successfully.
The command completed successfully.
Restarting kadmind and krb5kdc

The following is an example of the mkkrb5clnt command:

mkkrb5clnt -r MYREALM -c sundial.xyz.com -s sundial.xyz.com \
           -a admin/admin -d xyz.com -i files -K -T -A

Output similar to the following displays:

Initializing configuration...
Creating /etc/krb5/krb5.conf...
The command completed successfully.
Password for admin/admin@MYREALM: 
Configuring fully integrated login
Authenticating as principal admin/admin with existing credentials.
WARNING: no policy specified for host/diana.xyz.com@MYREALM;
  defaulting to no policy. Note that policy may be overridden by
  ACL restrictions.
Principal "host/diana.xyz.com@MYREALM" created.

Administration credentials NOT DESTROYED.
Authenticating as principal admin/admin with existing credentials.

Administration credentials NOT DESTROYED.
Authenticating as principal admin/admin with existing credentials.
Principal "kadmin/admin@MYREALM" modified.

Administration credentials NOT DESTROYED.
Configuring Kerberos as the default authentication scheme
Making root a Kerberos administrator
Authenticating as principal admin/admin with existing credentials.
WARNING: no policy specified for root/diana.xyz.com@MYREALM;
  defaulting to no policy. Note that policy may be overridden by
  ACL restrictions.
Enter password for principal "root/diana.xyz.com@MYREALM": 
Re-enter password for principal "root/diana.xyz.com@MYREALM": 
Principal "root/diana.xyz.com@MYREALM" created.

Administration credentials NOT DESTROYED.
Cleaning administrator credentials and exiting.

Installing and Configuring the System for Kerberos Integrated Login Using KRB5A

When the KRB5A load module is used for authentication, a series of steps, such as creation of Kerberos principals, must be performed.

The following section explains how to authenticate an AIX Network Authentication Service client against an Active Directory KDC.

Install the krb5.client.rte fileset from the Expansion Pack.

Configuring the AIX Kerberos Version 5 Clients with a Windows 2000 Active Directory Server

Use the config.krb5 command to configure an AIX Kerberos client. Configuring the client requires Kerberos Server information. If a Windows 2000 Active Directory server is chosen as the Kerberos server, the following options can be used with the config.krb5 command:

-r realm = Windows 2000 Active Directory server domain name
-d domain = Domain name of the machine hosting the Windows 2000 Active Directory server
-c KDC = Host name of the Windows 2000 Server
-s server = Host name of the Windows 2000 Server

  1. Use the config.krb5 command as shown in the following example:
    config.krb5 -C -r MYREALM -d xyz.com -c w2k.xyz.com -s w2k.xyz.com
  2. Windows 2000 supports DES-CBC-MD5 and DES-CBC-CRC encryption types. Change the krb5.conf file to contain information similar to the following:
     [libdefaults]
          default_realm = MYREALM
          default_keytab_name = FILE:/etc/krb5/krb5.keytab
          default_tkt_enctypes = des-cbc-crc des-cbc-md5
          default_tgs_enctypes = des-cbc-crc des-cbc-md5
        
  3. Add the following stanzas in the methods.cfg file:
    KRB5A:
    		program = /usr/lib/security/KRB5A
    		options = authonly
    KRB5Afiles:
    		options = db=BUILTIN,auth=KRB5A
    
  4. On a Windows 2000 Active Directory server, do the following:
    1. Use the Active Directory Management tool to create a new user account for the krbtest AIX host, as follows:
      1. Select the Users folder.
      2. Use the mouse to right-click on New.
      3. Choose user.
      4. Type the name krbtest.
    2. Use the Ktpass command from the command line to create a keytab file and set up the account for the AIX host. For example, to create a keytab file called krbtest.keytab, type:
      Ktpass -princ host/krbtest.xyz.com@MYREALM -mapuser krbtest -pass password -out krbtest.keytab
    3. Copy the keytab file to the AIX host system.
    4. Merge the keytab file into the /etc/krb5/krb5.keytab file as follows:
      $ ktutil
      ktutil: rkt krbtest.keytab
      ktutil: wkt /etc/krb5/krb5.keytab
      ktutil: q
    5. Create Windows 2000 domain accounts using the Active Directory user-management tools.
    6. Create AIX accounts corresponding to the Windows 2000 domain accounts so that the login process uses Kerberos authentication, as follows:
        mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles user0 
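The added Python below (example code, not from AIX or this documentation) parses the MIT keytab format that ktutil reads and writes, so the keytab merged in step 4 can be inspected offline, and it flags entries keyed with the two DES enctypes named in step 2, which this example treats as weak. The keytab bytes are constructed in the block; keytab_entry, parse_keytab and weak_entries are the example's own names, and the AES entry for a second host is hypothetical.

```python
import struct
from typing import Iterator, List, Tuple

# RFC 3961 enctype numbers for the DES types in step 2; flagging them is this example's policy.
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5"}

def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data

def keytab_entry(principal: str, enctype: int, key: bytes, kvno: int = 1) -> bytes:
    """Encode one MIT keytab 0x0502 entry (what ktutil handles); used only to build sample input."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno)     # NT-PRINCIPAL, timestamp 0, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(blob: bytes) -> Iterator[Tuple[str, int, int]]:
    """Yield (principal, kvno, enctype) for every live entry in a keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4]); pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
        strings = []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
            strings.append(blob[pos:pos + n].decode()); pos += n
        _, _, vno8 = struct.unpack(">IIB", blob[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", blob[pos:pos + 4]); pos += 4 + klen
        (kvno,) = struct.unpack(">I", blob[pos:pos + 4]) if end - pos >= 4 else (vno8,)
        pos = end
        yield "/".join(strings[1:]) + "@" + strings[0], kvno, enctype

def weak_entries(blob: bytes) -> List[str]:
    """Principals whose keytab key uses a DES enctype."""
    return [f"{p} kvno={k} {WEAK_ENCTYPES[e]}" for p, k, e in parse_keytab(blob) if e in WEAK_ENCTYPES]

# Constructed sample: the merged keytab after step 4, holding the krbtest host
# key (des-cbc-md5) and a hypothetical AES key for another host for contrast.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + keytab_entry("host/krbtest.xyz.com@MYREALM", 3, b"\x11" * 8, 2)
                 + keytab_entry("host/diana.xyz.com@MYREALM", 18, b"\x22" * 32))
```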
