I was recently asked to enable Active Directory (AD) authentication on AIX LPARs running 6.1 TL9 SP4 and AIX 7.1 TL3 SP3. Here are some notes on essentially what I did to get this working. This may not work for you, but it may provide enough clues to get stuff working.

It has to be noted that there is some Windows “black magic” here that I don’t understand and for which I needed an experienced Windows admin. I hope therefore you would be in a similar position should some of the details not be exactly correct.

For the purposes of this article I will be using the following details :

domain name : troyski.co.uk
DC/AD server : DC0001
AIX LPAR hostname : eliana

Essentially the document here was used as a basis for this.

My AIX install already has the LDAP filesets installed, but install them from your AIX install source if missing :

lslpp -l | grep -i ldap
  idsldap.clt32bit61.rte    6.1.0.57  COMMITTED  Directory Server - 32 bit
  idsldap.clt64bit61.rte    6.1.0.57  COMMITTED  Directory Server - 64 bit
  idsldap.clt_max_crypto32bit61.rte
  idsldap.clt_max_crypto64bit61.rte
  idsldap.cltbase61.adt     6.1.0.57  COMMITTED  Directory Server - Base Client
  idsldap.cltbase61.rte     6.1.0.57  COMMITTED  Directory Server - Base Client
  idsldap.cltjava61.rte     6.1.0.57  COMMITTED  Directory Server - Java Client
  idsldap.ent61.rte         6.1.0.26  COMMITTED  Directory Server - Entitlement
  idsldap.msg61.en_US       6.1.0.57  COMMITTED  Directory Server - Messages -
  idsldap.srv_max_cryptobase64bit61.rte
  idsldap.srvbase64bit61.rte
  idsldap.srvproxy64bit61.rte
  idsldap.webadmin61.rte    6.1.0.57  COMMITTED  Directory Server - Web
  idsldap.webadmin_max_crypto61.rte
  idsldap.clt32bit61.rte    6.1.0.57  COMMITTED  Directory Server - 32 bit
  idsldap.clt64bit61.rte    6.1.0.57  COMMITTED  Directory Server - 64 bit
  idsldap.cltbase61.rte     6.1.0.57  COMMITTED  Directory Server - Base Client
  idsldap.srvbase64bit61.rte
  idsldap.srvproxy64bit61.rte

I downloaded the Kerberos filesets from here. You’ll need an IBM login. Look for…

AIX_NAS

AIX-NAS-1.6.0.2

You need to get your Windows admin to add a service account to AD that will be used to bind to LDAP, and he/she should provide you with a password for this account. They also need to add a server entry for your AIX LPAR. I will assume you already have a valid user on the AD network.

AD Service Account : AIXBIND
AD Account Password : test123
AD test user : troyski
AD test passwd : today123
AIX Account : troyski

Run the following as root on your AIX LPAR to test that the LDAP client on the LPAR is installed ok and that the service account and password are ok:

/opt/IBM/ldap/V6.1/bin/ldapsearch -h DC0001.troyski.co.uk -D AIXBIND@troyski.co.uk -w \? -b DC=local -v Users=troyski

When prompted, enter the AD Account Password.

I know this command may not be exactly right, but if it returns something like the following, then at least you know you can proceed:

Enter password ==>
ldap_init(DC0001.troyski.co.uk, 389)
filter pattern: Name=troyski
returning: ALL
filter is: (Name=troyski)
0 matches

Now copy the Kerberos filesets to the AIX LPAR (/tmp) and install :

cd /tmp
gunzip NAS_1.6.0.2_aix_image.tar.tgz
tar -xvf NAS_1.6.0.2_aix_image.tar.tar
mv images AIX_NAS
cd AIX_NAS
inutoc .
smitty installp

Check the filesets look something like :

lslpp -l | grep krb5
  krb5.client.rte            1.6.0.2  COMMITTED  Network Authentication Service
  krb5.client.samples        1.6.0.2  COMMITTED  Network Authentication Service
  krb5.doc.en_US.html        1.6.0.2  COMMITTED  Network Auth Service HTML
  krb5.doc.en_US.pdf         1.6.0.2  COMMITTED  Network Auth Service PDF
  krb5.lic                   1.6.0.2  COMMITTED  Network Authentication Service
  krb5.server.rte            1.6.0.2  COMMITTED  Network Authentication Service
  krb5.toolkit.adt           1.6.0.2  COMMITTED  Network Authentication Service
  krb5.client.rte            1.6.0.2  COMMITTED  Network Authentication Service
  krb5.server.rte            1.6.0.2  COMMITTED  Network Authentication Service

Next we can configure the Kerberos client on the AIX LPAR :

config.krb5 -C -r TROYSKI.CO.UK -d troyski.co.uk -c troyski.co.uk -s troyski.co.uk
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
The command completed successfully.

There are some assumptions here, like DNS being in place and resolving correctly. Notice that the value given for “-r” (the Kerberos realm) is IN CAPITALS.

Edit the /etc/krb5/krb5.conf file so that the [libdefaults] section supports the correct ticket encryption types:

default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

For AIX 6.1 add the following entries to the “/usr/lib/security/methods.cfg” file:

KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly,tgt_verify=no,kadmin=no,is_kadmind_compat=no
 
KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A

For AIX 7.1 add the following entries to the “/usr/lib/security/methods.cfg” file:

KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,tgt_verify=no,is_kadmind_compat=no
 
KRB5files:
        options = db=BUILTIN,auth=KRB5

Request a keytab file for your AIX LPAR from the Windows admin and, when it arrives, scp it to /root on your LPAR.

Something like this is used, but this is the black magic part :

ktpass -princ host/eliana.troyski.co.uk@troyski.co.uk  -mapuser  -pass  -kvno 3 -out eliana.keytab

Back on your AIX LPAR as root :

/usr/krb5/sbin/ktutil
ktutil:  rkt HOST-eliana.keytab
ktutil:  wkt /etc/krb5/krb5.keytab
ktutil:  q

You can check the keytab values with :

klist -k /etc/krb5/krb5.keytab

Now we should be able to test authentication from the AIX LPAR to the AD server :

kinit troyski

You should be prompted for your LAN ID password; kinit returns nothing if it succeeds.

We need to tell AIX to use Kerberos as an authentication method next :

chauthent -k5 -std

Check with :

lsauthent
 Kerberos 5
 Standard Aix

We can further test by generating a Kerberos ticket for our test user :

kinit -f troyski
Password for troyski@TROYSKI.CO.UK
 
Done!
New ticket is stored in cache file /root/krb5cc_root

Check the ticket is listed ok :

root@eliana:logs# klist -f
 
Credentials cache: /root/krb5cc_root
Default principal: troyski@TROYSKI.CO.UK
Number of entries: 1
 
[1] Service principal: krbtgt/TROYSKI.CO.UK@TROYSKI.CO.UK
        Valid starting: Thursday, 3 December 2015 at 09:23:15
        Expires: Thursday, 3 December 2015 at 19:23:15
 
        Flags: FORWARDABLE;INITIAL;PRE-AUTHENT

Now change the user to use KRB5 authentication, e.g. :

For AIX 6.1 –

chuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_domain=TROYSKI.CO.UK troyski

For AIX 7.1 –

chuser registry=KRB5files SYSTEM=KRB5files auth_domain=TROYSKI.CO.UK troyski

Test ssh login to ensure the user now authenticates ok with the LAN password rather than the local AIX password.
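As an added example (not from the post, and not an IBM tool), here is a small POSIX sh check of the two AIX-side files edited above: it lists the single-DES and RC4 enctypes that the krb5.conf lines enable (both are legacy types worth knowing you have turned on), confirms that the methods.cfg “…files” stanza delegates to a stanza that actually carries a program= line, and checks the realm is upper case. The sample file contents are constructed from the post's own values.

```sh
# Added example, not from the original post: sanity checks on the AIX Kerberos
# client settings described above. Constructed sample files make it run offline;
# on a real LPAR pass /etc/krb5/krb5.conf and /usr/lib/security/methods.cfg.

# Constructed sample krb5.conf fragment mirroring the post's enctype lines.
SAMPLE_KRB5=$(mktemp); cat > "$SAMPLE_KRB5" <<'EOF'
[libdefaults]
        default_realm = TROYSKI.CO.UK
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
EOF

# Constructed sample methods.cfg fragment with the post's AIX 7.1 stanzas.
SAMPLE_METHODS=$(mktemp); cat > "$SAMPLE_METHODS" <<'EOF'
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,tgt_verify=no,is_kadmind_compat=no

KRB5files:
        options = db=BUILTIN,auth=KRB5
EOF

# legacy_enctypes FILE KEY: print the single-DES and RC4 names on the given
# enctype line, space separated (prints an empty line when none are present).
legacy_enctypes() {
    awk -v key="$2" '$1 == key && $2 == "=" {
        for (i = 3; i <= NF; i++)
            if ($i ~ /^des-cbc-/ || $i == "arcfour-hmac") { out = out sep $i; sep = " " }
        print out; exit }' "$1"
}

# stanza_field FILE STANZA FIELD: value of "FIELD = value" inside a methods.cfg
# stanza (empty if missing). A stanza ends at the next line starting in column one.
stanza_field() {
    awk -v hdr="$2:" -v fld="$3" '$1 == hdr { in_s = 1; next }
        /^[^ \t]/ { in_s = 0 }
        in_s && $1 == fld { print $3; exit }' "$1"
}

# auth_module FILE STANZA: the auth= module a "...files" stanza delegates to,
# so you can confirm it names a stanza that actually has a program= line.
auth_module() { stanza_field "$1" "$2" options | tr ',' '\n' | sed -n 's/^auth=//p'; }

# realm_is_upper FILE: succeed only if default_realm is upper case (see config.krb5 -r).
realm_is_upper() {
    r=$(awk '$1 == "default_realm" { print $3; exit }' "$1")
    [ -n "$r" ] && [ "$r" = "$(printf '%s' "$r" | tr '[:lower:]' '[:upper:]')" ]
}
```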

About troyski

I'm a freelance UNIX engineer working in the UK. I'm married to Tina and between us we have six children. I'm a bit of an Apple fan boy, and all the Windows machines in the house are a thing of the past now.
