
Security Guide

KRB5A Authentication Load Module Questions and Troubleshooting Information

The following section provides answers to KRB5A Authentication Load Module questions and troubleshooting information.

How do I Configure an AIX Kerberos Client that Authenticates Against an Active Directory Server KDC

Use the config.krb5 command to configure an AIX Kerberos client. Configuring the client requires Kerberos Server information. If a Windows 2000 Active Directory server is chosen as the Kerberos server, then use the config.krb5 command with the following options:

-r realm
Active Directory domain name
-d domain
Domain name of the machine hosting the Active Directory directory service
-c KDC
The host name of the Windows 2000 server
-s server
The host name of the Windows 2000 server

Use the config.krb5 command as shown in the following example:

config.krb5 -C -r MYREALM -d xyz.com -c w2k.xyz.com -s w2k.xyz.com

Windows 2000 supports only the DES-CBC-MD5 and DES-CBC-CRC encryption types, so the AIX client must request those types for both its ticket-granting ticket and its service tickets. Note that single DES uses a 56-bit key and is no longer considered secure; it is the only choice against a Windows 2000 KDC, but later Windows Server releases disable the DES types by default, and against such a KDC the enctype lists below and the keys in the keytab must use a stronger type that the KDC also issues. Change the krb5.conf file to contain information similar to the following:

[libdefaults]
    default_realm = MYREALM
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5

Add the following stanzas in the methods.cfg file:

KRB5A:
		program = /usr/lib/security/KRB5A
		options = authonly
KRB5Afiles:
		options = db=BUILTIN,auth=KRB5A

On the Active Directory server, do the following:

  1. Use the Active Directory Management tool to create a new user account for the krbtest AIX host.
  2. Use the Ktpass command from the command line to create a krbtest.keytab file and set up the account for the AIX host. Ktpass maps the account to the host/krbtest.xyz.com service principal, sets the account password to the value given with -pass, and writes the resulting key to krbtest.keytab:
    Ktpass -princ host/krbtest.xyz.com@MYREALM -mapuser krbtest -pass password \
           -out krbtest.keytab
  3. Copy the krbtest.keytab file to the AIX host system. The file holds the host's long-term key, so copy it over a protected channel and remove the copy once it has been merged.
  4. Merge the krbtest.keytab file into the /etc/krb5/krb5.keytab file as follows:
    $ ktutil
    ktutil: rkt krbtest.keytab
    ktutil: wkt /etc/krb5/krb5.keytab
    ktutil: q
  5. Create Windows 2000 domain accounts using the Active Directory user management tools.
  6. Create AIX accounts corresponding to the Windows 2000 domain accounts, so that the login process knows to use Kerberos authentication, as follows:
    mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles user0
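The keytab written by Ktpass and merged by ktutil above is a binary file, and a mismatch between the encryption types it holds for the host principal and the types krb5.conf requests is a common reason the AIX host cannot decrypt the service tickets the KDC issues. The following Python script is an added example, not part of this guide or of the AIX or Windows tooling: it parses and merges keytabs in the MIT file format (version 0x0502, the format Ktpass writes and ktutil reads) and reports which required encryption types are missing for a principal. The two keytabs it operates on are constructed in memory with dummy key bytes; the principal and realm names are the ones used in this section, and the duplicate suppression in the merge is an addition of this example rather than ktutil behaviour.

```python
"""Parse, merge and check Kerberos keytabs in the MIT file format (version 0x0502),
the format written by ktpass and read by ktutil. The two keytabs below are
constructed in memory for this example; the keys are dummy bytes."""
import struct

DES_CBC_CRC, DES_CBC_MD5 = 1, 3          # the two enctypes a Windows 2000 KDC issues
KRB5_NT_PRINCIPAL = 1

def _cstr(b):
    """Keytab counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b

def _read_cstr(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_entry(principal, enctype, key, kvno, timestamp=0):
    """Serialize one entry; principal is given as 'comp1/comp2@REALM'."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                  # 32-bit kvno, needed when kvno > 255
    return struct.pack(">i", len(body)) + body       # size counts everything after itself

def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)

def parse_keytab(data):
    """Return [{principal, enctype, kvno, key}, ...] from keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                    # a negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp)
        _name_type, _stamp, kvno = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:               # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "key": key})
    return entries

def merge_keytabs(existing, incoming):
    """What 'ktutil: rkt incoming' followed by 'wkt existing' achieves: the existing
    entries plus the incoming ones. Exact duplicates are dropped here (an addition
    of this example; ktutil itself appends unconditionally)."""
    merged, seen = [], set()
    for e in parse_keytab(existing) + parse_keytab(incoming):
        ident = (e["principal"], e["enctype"], e["kvno"], e["key"])
        if ident not in seen:
            seen.add(ident)
            merged.append(build_entry(e["principal"], e["enctype"], e["key"], e["kvno"]))
    return build_keytab(merged)

def missing_enctypes(entries, principal, required):
    """Enctypes in `required` that the keytab lacks for `principal`. A non-empty
    result means the KDC may issue a service ticket this host cannot decrypt."""
    have = {e["enctype"] for e in entries if e["principal"] == principal}
    return sorted(set(required) - have)

HOST_PRINC = "host/krbtest.xyz.com@MYREALM"
# Constructed stand-ins for /etc/krb5/krb5.keytab and the Ktpass output.
EXISTING_KEYTAB = build_keytab([build_entry("nfs/krbtest.xyz.com@MYREALM", DES_CBC_CRC, bytes(range(8)), 1)])
INCOMING_KEYTAB = build_keytab([build_entry(HOST_PRINC, DES_CBC_MD5, b"\x13" * 8, 2)])
MERGED_KEYTAB = merge_keytabs(EXISTING_KEYTAB, INCOMING_KEYTAB)

if __name__ == "__main__":
    for e in parse_keytab(MERGED_KEYTAB):
        print(f"{e['principal']:40} enctype={e['enctype']} kvno={e['kvno']}")
    print("missing for host principal:",
          missing_enctypes(parse_keytab(MERGED_KEYTAB), HOST_PRINC, {DES_CBC_CRC, DES_CBC_MD5}))
```

To run the check against a real system, read /etc/krb5/krb5.keytab and krbtest.keytab into bytes and pass them to parse_keytab and merge_keytabs; parse_keytab never writes, so it is safe to point at the live keytab, and the set passed to missing_enctypes should be the enctypes listed in default_tgs_enctypes.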

How do I Modify AIX Configuration for Kerberos Integrated Login

To enable Kerberos integrated login, modify the methods.cfg file. The compound load-module entry must be added to the methods.cfg file. The authentication side is KRB5A. The database side can be chosen as either BUILTIN or LDAP. BUILTIN is the standard AIX user account repository that uses ASCII files. For example, if you choose BUILTIN as the AIX user account repository, then modify the methods.cfg file as follows:

Example: Local file system is chosen as the AIX user account repository.

KRB5A:
	program = /usr/lib/security/KRB5A
	options=authonly

KRB5Afiles:
	options = db=BUILTIN,auth=KRB5A


Example: LDAP is chosen as the AIX user account repository.

KRB5A:
	program = /usr/lib/security/KRB5A
	options=authonly

LDAP:
	program = /usr/lib/security/LDAP

KRB5ALDAP:
	options = auth=KRB5A,db=LDAP

How do I Create an AIX User for Kerberos Integrated Login with the KRB5A Load Module

To create an AIX user for Kerberos integrated login with the KRB5A load module, use the mkuser command as follows:

mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_domain=MYREALM foo 

For information on the use of the auth_name and auth_domain attributes, refer to What is the Purpose of the auth_name and auth_domain Attributes.

How do I Create Kerberos Principals on Active Directory

Creating Windows 2000 user accounts implicitly creates the principals. For example, if you create a user account named foo on Active Directory then the principal foo@MYREALM associated with the foo user is also created. For information on creating users on Active Directory, see the Active Directory user management documentation.

How do I Change the Password of Kerberos Authenticated User

To change the password of a Kerberos authenticated user, use the passwd command, as follows:

passwd -R KRB5Afiles foo

How do I Remove a Kerberos Authenticated User

To remove a Kerberos authenticated user, use the rmuser command. However, this only removes the user from AIX. The user must also be removed from Active Directory using the Active Directory user management tools.

rmuser -R KRB5Afiles foo

How do I Migrate an AIX User to a Kerberos Authenticated User

If the user already has an account on Active Directory, then the chuser command converts the user into a Kerberos authenticated user, as shown in the following example:

chuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_domain=MYREALM foo

If the user does not have an account in Active Directory then create an account on Active Directory. Then use the chuser command. The Active Directory account may or may not have the same AIX user name. If a different name is chosen, then use the auth_name attribute to map to the Active Directory name. For example, to map the chris AIX user name to the christopher Active Directory user name, type the following:

chuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_name=christopher auth_domain=MYREALM chris

What do I do if the Password is Forgotten

On Active Directory, the password must be changed by the administrator. On AIX, the root user cannot set the password of a Kerberos principal, because the password is held by the KDC rather than in /etc/security/passwd.

What is the Purpose of the auth_name and auth_domain Attributes

The auth_name and auth_domain attributes are used to map AIX user names into Kerberos principal names on Active Directory. For example, if the chris AIX user has auth_name=christopher and auth_domain=SOMEREALM, the Kerberos principal name is christopher@SOMEREALM. The SOMEREALM realm name is not the same as the MYREALM default realm name. This allows the chris user to authenticate to the SOMEREALM realm instead of to the MYREALM realm.

Can a Kerberos-Authenticated User Become Authenticated Using Standard AIX Authentication

The answer is yes. Perform the following actions to authenticate the Kerberos-authenticated user using AIX authentication:

  1. The user sets the AIX password (/etc/security/passwd) using the passwd command, as follows:
    passwd -R files foo
  2. Change the SYSTEM attribute of the user, as follows:
    chuser -R KRB5Afiles SYSTEM=compat foo
    This changes the authentication from Kerberos to crypt. Set the local password first, because after this change AIX validates the user against /etc/security/passwd alone.

If you want to use crypt authentication as a backup mechanism, change the SYSTEM attribute as follows:

chuser -R KRB5Afiles SYSTEM="KRB5Afiles or compat" foo

With this value the local password is consulted whenever Kerberos authentication fails, for example when the KDC is unreachable, so the local password must be kept to the same standard as the Kerberos one.
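The methods.cfg stanzas, the auth_name and auth_domain mapping and the SYSTEM fallback described above are all plain-text settings that are easy to get subtly wrong: a compound module whose db= side names a stanza that was never added, or a SYSTEM value naming a module that does not exist, and the user simply cannot log in. The following Python script is an added example, not part of this guide or of AIX: it parses the stanza syntax shared by methods.cfg and /etc/security/user, checks that every auth=, db=, SYSTEM and registry reference resolves to a defined module, and reports the Kerberos principal each user will be authenticated as. The stanzas it checks are constructed for the example (KRB5ALDAP is deliberately wired to a missing LDAP stanza, and user dave to a misspelled module), and the set of SYSTEM keywords that need no stanza is an assumption covering the common ones.

```python
"""Check KRB5A compound load-module wiring in methods.cfg and show which Kerberos
principal each AIX user will be authenticated as. The sample stanzas below are
constructed for this example; they are not copied from a live system."""
import re

def parse_stanzas(text):
    """Parse AIX stanza-file syntax, as used by both methods.cfg and
    /etc/security/user: a 'name:' header line, indented 'attr = value' lines,
    and '*' comment lines. Returns {stanza: {attr: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if not raw[:1].isspace() and line.endswith(":"):
            current = line[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip().strip('"')
        else:
            raise ValueError("unparseable stanza line: %r" % raw)
    return stanzas

def module_options(attrs):
    """Split 'options = db=BUILTIN,auth=KRB5A' into {'db': 'BUILTIN', 'auth': 'KRB5A'}."""
    opts = {}
    for item in attrs.get("options", "").split(","):
        if "=" in item:
            k, v = item.split("=", 1)
            opts[k.strip()] = v.strip()
    return opts

def check_methods(methods):
    """Every auth= / db= side of a compound module must name a stanza that loads
    a program (BUILTIN is the built-in local database and needs no stanza)."""
    problems = []
    for name, attrs in methods.items():
        opts = module_options(attrs)
        if "program" not in attrs and not ("auth" in opts or "db" in opts):
            problems.append(f"{name}: no program= and not a compound module")
        for side in ("auth", "db"):
            target = opts.get(side)
            if target is None or (side == "db" and target == "BUILTIN"):
                continue
            if target not in methods:
                problems.append(f"{name}: {side}={target} is not a defined stanza")
            elif "program" not in methods[target]:
                problems.append(f"{name}: {side}={target} does not load a program")
    return problems

# Names accepted in SYSTEM/registry without a methods.cfg stanza. Assumption: the
# common ones; the full SYSTEM grammar also allows parentheses and 'and'.
SYSTEM_BUILTINS = {"compat", "files", "NONE", "DCE"}

def system_tokens(system):
    """Module names in a SYSTEM value such as 'KRB5Afiles or compat'."""
    return [t for t in re.findall(r"[A-Za-z0-9_]+", system) if t not in ("and", "or")]

def user_principal(user, attrs, default_realm):
    """Principal the KRB5A module authenticates this user as: auth_name replaces
    the AIX user name, auth_domain replaces the default realm."""
    return f"{attrs.get('auth_name', user)}@{attrs.get('auth_domain', default_realm)}"

def check_users(users, methods):
    """Flag users whose SYSTEM or registry names a module methods.cfg does not define."""
    problems = []
    for user, attrs in users.items():
        for tok in system_tokens(attrs.get("SYSTEM", "compat")):
            if tok not in SYSTEM_BUILTINS and tok not in methods:
                problems.append(f"{user}: SYSTEM names undefined module {tok}")
        reg = attrs.get("registry")
        if reg and reg not in SYSTEM_BUILTINS and reg not in methods:
            problems.append(f"{user}: registry names undefined module {reg}")
    return problems

METHODS_CFG = """\
* constructed sample: KRB5ALDAP is deliberately wired to a missing LDAP stanza
KRB5A:
\tprogram = /usr/lib/security/KRB5A
\toptions = authonly

KRB5Afiles:
\toptions = db=BUILTIN,auth=KRB5A

KRB5ALDAP:
\toptions = auth=KRB5A,db=LDAP
"""

USER_STANZAS = """\
foo:
\tSYSTEM = KRB5Afiles
\tregistry = KRB5Afiles
\tauth_domain = MYREALM

chris:
\tSYSTEM = "KRB5Afiles or compat"
\tregistry = KRB5Afiles
\tauth_name = christopher
\tauth_domain = SOMEREALM

dave:
\tSYSTEM = KRB5Xfiles
\tregistry = KRB5Afiles
"""

METHODS = parse_stanzas(METHODS_CFG)
USERS = parse_stanzas(USER_STANZAS)

if __name__ == "__main__":
    for p in check_methods(METHODS) + check_users(USERS, METHODS):
        print("PROBLEM:", p)
    for u, a in USERS.items():
        print(u, "->", user_principal(u, a, "MYREALM"), "via SYSTEM =", a.get("SYSTEM"))
```

On a real system, read /usr/lib/security/methods.cfg and /etc/security/user into the two strings instead of the constructed samples; the checks are read-only. The default stanza of /etc/security/user is parsed like any other and simply checked against the same rules.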

Do I Need to Set up Kerberos Server (KDC) on AIX When Using a Windows 2000 Active Directory Server

No. Because users are authenticating against an Active Directory KDC, there is no need to configure a KDC on AIX. If you want to use the AIX Network Authentication Services KDC as the Kerberos server instead, then that Kerberos server needs to be configured.

AIX Does not Accept my Password

Check that the password meets the requirements of both AIX and Kerberos. The KDC must also be configured correctly, running, and reachable from the AIX host. Because Kerberos rejects requests whose timestamps differ from the KDC's clock by more than the permitted skew (five minutes by default), also check that the AIX host's clock agrees with the Active Directory server's.

Cannot Log Into the System
