I was recently asked to enable Active Directory (AD) authentication on AIX LPARs running AIX 6.1 TL9 SP4 and AIX 7.1 TL3 SP3. Here are some notes on essentially what I did to get this working. This may not work for you, but it may provide enough clues to get things working.
It has to be noted that there is some Windows "black magic" here that I don't understand and for which I needed an experienced Windows admin. I hope therefore that you have similar help available should some of the details not be exactly correct.
For the purposes of this article I will be using the following details:
domain name : troyski.co.uk
DC/AD server : DC0001
AIX LPAR hostname : eliana
Essentially the document here was used as a basis for this.
My AIX install already has the LDAP filesets installed, but install them from your AIX install source if they are missing:

    lslpp -l | grep -i ldap
      idsldap.clt32bit61.rte     6.1.0.57  COMMITTED  Directory Server - 32 bit
      idsldap.clt64bit61.rte     6.1.0.57  COMMITTED  Directory Server - 64 bit
      idsldap.clt_max_crypto32bit61.rte
      idsldap.clt_max_crypto64bit61.rte
      idsldap.cltbase61.adt      6.1.0.57  COMMITTED  Directory Server - Base Client
      idsldap.cltbase61.rte      6.1.0.57  COMMITTED  Directory Server - Base Client
      idsldap.cltjava61.rte      6.1.0.57  COMMITTED  Directory Server - Java Client
      idsldap.ent61.rte          6.1.0.26  COMMITTED  Directory Server - Entitlement
      idsldap.msg61.en_US        6.1.0.57  COMMITTED  Directory Server - Messages -
      idsldap.srv_max_cryptobase64bit61.rte
      idsldap.srvbase64bit61.rte
      idsldap.srvproxy64bit61.rte
      idsldap.webadmin61.rte     6.1.0.57  COMMITTED  Directory Server - Web
      idsldap.webadmin_max_crypto61.rte
      idsldap.clt32bit61.rte     6.1.0.57  COMMITTED  Directory Server - 32 bit
      idsldap.clt64bit61.rte     6.1.0.57  COMMITTED  Directory Server - 64 bit
      idsldap.cltbase61.rte      6.1.0.57  COMMITTED  Directory Server - Base Client
      idsldap.srvbase64bit61.rte
      idsldap.srvproxy64bit61.rte
I downloaded the Kerberos filesets from here. You’ll need an IBM login. Look for…
You need to get your Windows admin to add a service account to AD that will be used for the LDAP bind, and he/she should provide you with a password for this account. They also need to add a server entry for your AIX LPAR. I will assume you already have a valid user on the AD network.
AD Service Account : AIXBIND
AD Account Password : test123
AD test user : troyski
AD test passwd : today123
AIX Account : troyski
Run the following as root on your AIX LPAR to test that the LDAP client is installed ok and that the service account and password are ok:

    /opt/IBM/ldap/V6.1/bin/ldapsearch -h DC0001.troyski.co.uk -D AIXBIND@troyski.co.uk -w \? -b DC=local -v Users=troyski
When prompted, enter the AD Account Password.
I know this command may not be exactly right, but if it returns something like the following, then at least you know you can proceed:
    Enter password ==>
    ldap_init(DC0001.troyski.co.uk, 389)
    filter pattern: Name=troyski
    returning: ALL
    filter is: (Name=troyski)
    0 matches

Now copy the Kerberos filesets to the AIX LPAR (/tmp) and install them:

    cd /tmp
    gunzip NAS_1.6.0.2_aix_image.tar.tgz
    tar -xvf NAS_1.6.0.2_aix_image.tar.tar
    mv images AIX_NAS
    cd AIX_NAS
    inutoc .
    smitty installp
Check that the filesets look something like this:

    lslpp -l | grep krb5
      krb5.client.rte            1.6.0.2  COMMITTED  Network Authentication Service
      krb5.client.samples        1.6.0.2  COMMITTED  Network Authentication Service
      krb5.doc.en_US.html        1.6.0.2  COMMITTED  Network Auth Service HTML
      krb5.doc.en_US.pdf         1.6.0.2  COMMITTED  Network Auth Service PDF
      krb5.lic                   1.6.0.2  COMMITTED  Network Authentication Service
      krb5.server.rte            1.6.0.2  COMMITTED  Network Authentication Service
      krb5.toolkit.adt           1.6.0.2  COMMITTED  Network Authentication Service
      krb5.client.rte            1.6.0.2  COMMITTED  Network Authentication Service
      krb5.server.rte            1.6.0.2  COMMITTED  Network Authentication Service

Next we can configure the Kerberos client on the AIX LPAR:

    config.krb5 -C -r TROYSKI.CO.UK -d troyski.co.uk -c troyski.co.uk -s troyski.co.uk
    Initializing configuration...
    Creating /etc/krb5/krb5_cfg_type...
    Creating /etc/krb5/krb5.conf...
    The command completed successfully.

There are some assumptions here, such as DNS being in place and resolving correctly. Notice that the realm given to "-r" is IN CAPITALS, while the domain, KDC and admin server names given to "-d", "-c" and "-s" are in lower case.
Edit the /etc/krb5/krb5.conf file so that the ticket encryption types match what the domain controllers offer:

    default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
    default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
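The enctype lists above include single-DES and RC4 (arcfour) types alongside AES. Current domain controllers disable single DES by default and treat RC4 as legacy, so it is worth auditing the lists and, once you have confirmed the domain and the service account have AES keys, putting AES first and dropping the legacy types. The following POSIX shell script is an added example and not part of the original post: it parses a constructed krb5.conf fragment in the key = value layout shown above, reports the legacy types, reports which type the client will ask for first, and prints a hardened replacement line. File names and the list of "weak" patterns are my own assumptions.

```shell
#!/bin/sh
# Added example: audit krb5.conf enctype lists for legacy types.
# Not part of the original post; the sample file below is constructed.

SAMPLE_CONF="${TMPDIR:-/tmp}/krb5.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
        default_realm = TROYSKI.CO.UK
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
EOF

# Print the space-separated enctype list for one key (e.g. default_tkt_enctypes).
enctype_list() {            # $1 = conf file, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# Print the legacy types found in that key's list (empty when the list is clean).
# Single DES and RC4 are the ones modern domain controllers no longer accept by
# default; which patterns count as legacy is this script's own assumption.
weak_enctypes() {           # $1 = conf file, $2 = key name
    found=""
    for t in $(enctype_list "$1" "$2"); do
        case "$t" in
            des-cbc-*|des-hmac-*|arcfour-hmac*|rc4-hmac*) found="$found $t" ;;
        esac
    done
    echo $found
}

# The first listed type is the one the client requests first; report it.
preferred_enctype() {       # $1 = conf file, $2 = key name
    set -- $(enctype_list "$1" "$2")
    printf '%s' "$1"
}

# Print a replacement line with aes256-cts first and the legacy types removed.
hardened_line() {           # $1 = conf file, $2 = key name
    keep=""
    for t in $(enctype_list "$1" "$2"); do
        case "$t" in
            des-cbc-*|des-hmac-*|arcfour-hmac*|rc4-hmac*) ;;   # drop
            aes256-cts*) keep="$t $keep" ;;                    # move to front
            *) keep="$keep $t" ;;
        esac
    done
    printf '%s = %s' "$2" "$(echo $keep)"
}

# Stand-alone run: report on both lists in the sample file.
for key in default_tkt_enctypes default_tgs_enctypes; do
    echo "$key: first=$(preferred_enctype "$SAMPLE_CONF" $key) legacy=[$(weak_enctypes "$SAMPLE_CONF" $key)]"
    echo "  suggested: $(hardened_line "$SAMPLE_CONF" $key)"
done
```

To audit the live file, call the functions with /etc/krb5/krb5.conf instead of the sample; the hardened line is only printed, never written, so you can compare it with what the Windows admin confirms the domain supports before editing.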
For AIX 6.1 add the following stanzas to the /usr/lib/security/methods.cfg file:

    KRB5A:
            program = /usr/lib/security/KRB5A
            program_64 = /usr/lib/security/KRB5A_64
            options = authonly,tgt_verify=no,kadmin=no,is_kadmind_compat=no

    KRB5Afiles:
            options = db=BUILTIN,auth=KRB5A

For AIX 7.1 add the following stanzas to the /usr/lib/security/methods.cfg file:

    KRB5:
            program = /usr/lib/security/KRB5
            program_64 = /usr/lib/security/KRB5_64
            options = authonly,tgt_verify=no,is_kadmind_compat=no

    KRB5files:
            options = db=BUILTIN,auth=KRB5
Request a keytab file for your AIX LPAR from the Windows admin and, when you receive it, scp it to /root on your LPAR.
Something like this is used to create it, but this is the black magic part:

    ktpass -princ host/eliana.troyski.co.uk@troyski.co.uk -mapuser -pass -kvno 3 -out eliana.keytab

Back on your AIX LPAR as root, merge the received keytab into the system keytab:

    /usr/krb5/sbin/ktutil
    ktutil: rkt HOST-eliana.keytab
    ktutil: wkt /etc/krb5/krb5.keytab
    ktutil: q

You can check the keytab contents with:

    klist -k /etc/krb5/krb5.keytab
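Rather than eyeballing the klist -k listing, it helps to check mechanically that the keytab actually holds the host principal for this LPAR's FQDN in the upper-case realm, and to note the key version number (kvno), which has to match the -kvno the Windows admin used with ktpass or the key will silently fail to decrypt anything. The script below is an added example, not code from the original post: it parses a constructed klist -k listing in the MIT-style layout (the parser only relies on data lines of the form "<kvno> <principal@REALM>"), and the verify_host_keytab function shows how the same checks would be run against the real keytab, finishing with a keytab-based kinit (assumed to accept -k -t on AIX NAS, as MIT kinit does) to prove the key works against the KDC.

```shell
#!/bin/sh
# Added example: confirm a keytab holds the LPAR's host principal and report
# its kvno. Not part of the original post; the listing below is constructed.

SAMPLE_KLIST="${TMPDIR:-/tmp}/klist-k.sample.$$"
cat > "$SAMPLE_KLIST" <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/eliana.troyski.co.uk@TROYSKI.CO.UK
   3 HOST/eliana.troyski.co.uk@TROYSKI.CO.UK
EOF

# Print "kvno principal" for every key entry in a saved klist -k listing.
keytab_entries() {            # $1 = file holding klist -k output
    awk 'NF == 2 && $1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $1, $2 }' "$1"
}

# Exit 0 if the exact principal is present in the listing, 1 otherwise.
keytab_has_principal() {      # $1 = listing file, $2 = principal
    keytab_entries "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# Print the kvno stored for a principal (nothing if it is absent).
keytab_kvno() {               # $1 = listing file, $2 = principal
    keytab_entries "$1" | awk -v p="$2" '$2 == p { print $1; exit }'
}

# Build the host principal from the FQDN and the realm; the realm part must
# be upper case even though the DNS domain is lower case.
host_principal() {            # $1 = fqdn, $2 = realm (any case)
    printf 'host/%s@%s' "$1" "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
}

# Live check against the real keytab (defined here, not run): list it, require
# the host principal, then obtain a TGT with the keytab to prove the key works.
verify_host_keytab() {        # $1 = keytab path, $2 = fqdn, $3 = realm
    listing="${TMPDIR:-/tmp}/klist-k.live.$$"
    klist -k "$1" > "$listing" || return 1
    princ=$(host_principal "$2" "$3")
    if ! keytab_has_principal "$listing" "$princ"; then
        echo "missing $princ in $1" >&2
        rm -f "$listing"
        return 1
    fi
    echo "found $princ with kvno $(keytab_kvno "$listing" "$princ")"
    rm -f "$listing"
    kinit -k -t "$1" "$princ"   # assumption: -k -t as in MIT kinit
}

# Stand-alone run over the constructed listing.
p=$(host_principal eliana.troyski.co.uk troyski.co.uk)
if keytab_has_principal "$SAMPLE_KLIST" "$p"; then
    echo "sample keytab has $p, kvno $(keytab_kvno "$SAMPLE_KLIST" "$p")"
fi
```

On the LPAR itself you would run verify_host_keytab /etc/krb5/krb5.keytab eliana.troyski.co.uk TROYSKI.CO.UK after the ktutil step. Note that the methods.cfg stanzas in this post set tgt_verify=no, which tells the AIX login module not to validate the TGT it receives against this host key; once the keytab is confirmed working, tgt_verify=yes is the setting that makes the module check that the ticket really came from a KDC holding the host's key.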
Now we should be able to test authentication from the AIX LPAR to the AD server:

    kinit troyski

You should be prompted for your LAN ID password; kinit prints nothing if it's ok.
Next we need to tell AIX to use Kerberos as an authentication method:

    chauthent -k5 -std

Check with:

    lsauthent
    Kerberos 5
    Standard Aix

We can test further by generating a forwardable Kerberos ticket for our test user:

    kinit -f troyski
    Password for troyski@TROYSKI.CO.UK
    Done! New ticket is stored in cache file /root/krb5cc_root

Check that the ticket is listed ok:

    root@eliana:logs# klist -f
    Credentials cache: /root/krb5cc_root
    Default principal: troyski@TROYSKI.CO.UK
    Number of entries: 1
    [1] Service principal: krbtgt/TROYSKI.CO.UK@TROYSKI.CO.UK
        Valid starting: Thursday, 3 December 2015 at 09:23:15
        Expires: Thursday, 3 December 2015 at 19:23:15
        Flags: FORWARDABLE;INITIAL;PRE-AUTHENT
Now change the user to use KRB5 authentication, e.g.:
For AIX 6.1:

    chuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_domain=TROYSKI.CO.UK troyski

For AIX 7.1:

    chuser registry=KRB5files SYSTEM=KRB5files auth_domain=TROYSKI.CO.UK troyski
Test ssh login to ensure the user now authenticates ok with the LAN password rather than the local AIX password.
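The chuser step is the one that can lock a user out: the stanza named in SYSTEM and registry has to exist in /usr/lib/security/methods.cfg, its auth= module has to be defined too (KRB5files points at KRB5, KRB5Afiles at KRB5A), and auth_domain has to be the upper-case realm, while db=BUILTIN means the account itself still comes from the local files, which is why the AIX account troyski must exist locally. The script below is an added example, not from the original post, that cross-checks those pieces before you rely on the ssh test. It reads a constructed lsuser line (the attr=value format that lsuser -a registry SYSTEM auth_domain troyski prints) and a constructed methods.cfg in the stanza layout shown above; the function names are my own.

```shell
#!/bin/sh
# Added example: verify that a user's KRB5 login path is consistent with
# methods.cfg before switching them away from the local password.
# Not part of the original post; both inputs below are constructed.

SAMPLE_LSUSER="troyski registry=KRB5files SYSTEM=KRB5files auth_domain=TROYSKI.CO.UK"

SAMPLE_METHODS="${TMPDIR:-/tmp}/methods.cfg.sample.$$"
cat > "$SAMPLE_METHODS" <<'EOF'
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,tgt_verify=no,is_kadmind_compat=no

KRB5files:
        options = db=BUILTIN,auth=KRB5
EOF

# Pull one attribute (e.g. SYSTEM) out of an "lsuser -a ..." output line.
user_attr() {                 # $1 = lsuser line, $2 = attribute name
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Exit 0 if methods.cfg defines the named stanza ("NAME:" at start of line).
stanza_defined() {            # $1 = methods.cfg path, $2 = stanza name
    grep -q "^$2:" "$1"
}

# Print the module named by auth= inside one stanza (empty if none).
stanza_auth_module() {        # $1 = methods.cfg path, $2 = stanza name
    sed -n "/^$2:/,/^\$/ s/.*auth=\([A-Za-z0-9_]*\).*/\1/p" "$1"
}

# Print "ok" when the login path is consistent, otherwise a short reason.
check_user_login_path() {     # $1 = lsuser line, $2 = methods.cfg, $3 = realm
    sys=$(user_attr "$1" SYSTEM)
    reg=$(user_attr "$1" registry)
    dom=$(user_attr "$1" auth_domain)
    [ -n "$sys" ] || { echo "no SYSTEM set"; return 1; }
    [ "$sys" = "$reg" ] || { echo "SYSTEM ($sys) and registry ($reg) differ"; return 1; }
    stanza_defined "$2" "$sys" || { echo "stanza $sys missing from methods.cfg"; return 1; }
    auth=$(stanza_auth_module "$2" "$sys")
    [ -n "$auth" ] || { echo "stanza $sys has no auth= module"; return 1; }
    stanza_defined "$2" "$auth" || { echo "auth module $auth missing from methods.cfg"; return 1; }
    [ "$dom" = "$3" ] || { echo "auth_domain ($dom) is not realm $3"; return 1; }
    echo ok
}

# Stand-alone run over the constructed inputs.
echo "troyski: $(check_user_login_path "$SAMPLE_LSUSER" "$SAMPLE_METHODS" TROYSKI.CO.UK)"
```

On a real LPAR, feed it the live values: check_user_login_path "$(lsuser -a registry SYSTEM auth_domain troyski)" /usr/lib/security/methods.cfg TROYSKI.CO.UK. Running it before closing your root session gives you a chance to undo the chuser while you still have a working shell if something does not line up.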