From Free IPA
Introduction
This document describes the procedures required to configure AIX 5.3 as an IPA client.
Prerequisites
Before you begin the configuration phase, you need to ensure that the following software is installed and up to date on your system. This can be installed from your AIX media:
- v5.3 OS
- v5.3 Updates
- krb5 client packages
- openssh
- wget
- bash
- krb5 server
- ldap.client
- openssl
- modcrypt.base (for gssd)
Configuring the IPA Client on AIX 5.3
The following instructions describe how to configure AIX 5.3 as an IPA client. The hostnames below are examples only; replace them with the names that apply to your deployment.
REALM = EXAMPLE.COM
IPA server = ipaserver.example.com
IPA client = ipaclient.example.com
Configuring Kerberos and LDAP
1. Configure the krb5 client settings as follows. With mkkrb5clnt, -c names the KDC and -s the Kerberos admin server; in an IPA deployment both are the IPA server:
# mkkrb5clnt -r EXAMPLE.COM -d example.com -c ipaserver.example.com -s ipaserver.example.com
2. Configure the LDAP client settings as follows. The -a argument is the DN of a dedicated directory system account that the AIX LDAP client binds as (it is created in step 10 of the SSH section below and must exist before this command can succeed). The -p argument is that account's password; it is visible in shell history and in process listings while the command runs, so use a value that is not shared with anything else:
# mksecldap -c -h ipaserver.example.com -d cn=accounts,dc=example,dc=com -a uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com -p secret
3. Start the ldap client daemon.
# start-secldapclntd
4. Test the LDAP client connection to the IPA server.
# lsldap -a passwd
5. Get a Kerberos ticket.
# kinit admin
Configuring Client SSH Access
You can configure the IPA client to accept incoming SSH connections and authenticate users with their Kerberos credentials. After completing the Kerberos and LDAP configuration above, use the following procedure. Remember to replace the example host and domain names with your own:
1. SSH syslog configuration. Add the following to /etc/syslog.conf. The log file must already exist, because AIX syslogd does not create missing log files: create an empty /var/log/sshd.log before restarting syslogd in step 5. (auth.info alone already selects messages at info priority and above, so the remaining lines are redundant but harmless.)
auth.info /var/log/sshd.log
auth.crit /var/log/sshd.log
auth.warn /var/log/sshd.log
auth.notice /var/log/sshd.log
auth.err /var/log/sshd.log
2. SSH logging configuration (/etc/ssh/sshd_config). This makes sshd log to the auth facility selected above:
SyslogFacility AUTH
LogLevel INFO
3. Configure sshd for GSSAPI (/etc/ssh/sshd_config)
# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
UsePAM yes
4. Restart sshd
# stopsrc -s sshd
# startsrc -s sshd
5. Restart syslogd
# stopsrc -s syslogd
# startsrc -s syslogd
6. Add a host service principal.
Note:
- The ipa-admintools package is not available for AIX. Consequently, you need to perform the following commands (steps 6 to 8) on the IPA server.
# ipa-addservice host/ipaclient.example.com
7. Retrieve the host keytab. The command requests des-cbc-crc, which is single DES and a weak encryption type; use it only if the AIX client cannot handle a stronger type, because the host key is then only as strong as DES.
# ipa-getkeytab -s ipaserver -p host/ipaclient.example.com -k /tmp/krb5.keytab -e des-cbc-crc
8. Copy the keytab from the server to the client. The keytab is the host's long-term credential: copy it only over an authenticated channel such as the scp below, and do not leave it readable by other users in /tmp.
# scp /tmp/krb5.keytab root@ipaclient.example.com:/tmp/krb5.keytab
9. On the IPA client, use the ktutil command to import the keytab.
# ktutil
ktutil: read_kt /tmp/krb5.keytab
ktutil: write_kt /etc/krb5/krb5.keytab
ktutil: q
Afterwards delete /tmp/krb5.keytab on both the server and the client, and check that /etc/krb5/krb5.keytab is owned by root and readable by root only.
10. Create the directory system account that the LDAP client binds as. This is the DN passed to mksecldap with -a (uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com); it is used only for that bind and carries no POSIX attributes. If Kerberos authentication works from the AIX LDAP client, you can use that instead of a bind password. Otherwise, on the IPA server, bind as Directory Manager with ldapmodify and add the following entry. The userPassword value must match the -p value given to mksecldap in step 2 of the Kerberos and LDAP section:
dn: uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: nss
userPassword: Your own shared password here
11. On the IPA server, get a ticket for the admin user.
# kinit admin
From the IPA server, with that ticket, you should now be able to log in to the client as admin over ssh without being asked for a password.
# ssh admin@ipaclient.example.com
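As an added example (not from the FreeIPA page or project), the following POSIX shell script checks the client side of this procedure after the fact: that the sshd_config directives from steps 2 and 3 are the ones sshd will actually use (sshd honours the first uncommented occurrence of a keyword, so a stray earlier "GSSAPIAuthentication no" silently wins), that the syslog.conf rule from step 1 points at a file that exists, and that the imported keytab from step 9 has safe ownership and permissions. The paths are the ones used above; the function names, the optional owner argument and the `run` argument are this example's own conventions, and it assumes the "Keyword value" form of sshd_config without Match blocks.

```shell
#!/bin/sh
# check_ipa_client.sh: post-configuration checks for an AIX IPA client.
# Added example, not part of the FreeIPA page or project. Assumes the paths
# used above (/etc/ssh/sshd_config, /etc/syslog.conf, /etc/krb5/krb5.keytab);
# every function takes the file as an argument so it can be run on copies.

# sshd_get KEYWORD FILE: print the effective value of an sshd_config keyword.
# Keywords are case-insensitive and sshd uses the FIRST uncommented
# occurrence, so print that one and stop. Assumes the "Keyword value" form
# used on this page and no Match blocks.
sshd_get() {
    awk -v key="$1" '
        $1 ~ /^#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# check_sshd_config FILE: verify the directives that steps 2 and 3 require.
# Prints each mismatch; returns 0 only when all of them are set as expected.
check_sshd_config() {
    rc=0
    for kv in KerberosAuthentication=yes GSSAPIAuthentication=yes UsePAM=yes; do
        key=${kv%%=*}
        want=${kv#*=}
        got=$(sshd_get "$key" "$1" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "sshd_config: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# check_syslog_auth FILE: find where syslog.conf sends the auth facility
# (step 1) and make sure that file exists. AIX syslogd does not create log
# files it cannot find, so a correct rule still logs nothing until the target
# is touched. Prints the target path; returns 1 if there is no rule or no file.
check_syslog_auth() {
    target=$(awk '
        $1 ~ /^#/ || NF < 2 { next }
        $1 ~ /^auth\./ && $2 ~ /^\// { print $2; exit }
    ' "$1")
    if [ -z "$target" ]; then
        echo "syslog.conf: no auth.* rule that writes to a file"
        return 1
    fi
    if [ ! -f "$target" ]; then
        echo "syslog.conf: $target does not exist; create it and restart syslogd"
        return 1
    fi
    echo "$target"
}

# check_keytab_perms FILE [OWNER]: the host keytab is a long-lived credential
# equivalent to the host's password. It must be owned by OWNER (default root)
# with no group or other permission bits (mode 600).
check_keytab_perms() {
    owner=${2:-root}
    if [ ! -f "$1" ]; then
        echo "keytab $1: missing"
        return 1
    fi
    # columns 5-10 of "ls -l" are the group and other permission bits
    bits=$(ls -ld "$1" | cut -c5-10)
    if [ "$bits" != "------" ] || [ -z "$(find "$1" -prune -user "$owner" -print)" ]; then
        echo "keytab $1: must be owned by $owner with mode 600 (is: $(ls -ld "$1"))"
        return 1
    fi
}

# Run the live checks with: sh check_ipa_client.sh run
if [ "${1:-}" = "run" ]; then
    status=0
    check_sshd_config /etc/ssh/sshd_config || status=1
    check_syslog_auth /etc/syslog.conf || status=1
    check_keytab_perms /etc/krb5/krb5.keytab || status=1
    exit $status
fi
```

Run it as root on the AIX client after step 9; a non-zero exit with the printed reasons is the signal to go back to the step named in each message. The ownership check is parameterised only so the functions can be exercised on copies owned by a non-root user; on the real host the keytab must belong to root.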
System Login
On the AIX machine console, enter the admin username and password. You should be able to log in.
Use the id command to verify user and group information.
Note:
- By default, admin is given /bin/bash as the login shell and /home/admin as the home directory. You may need to install bash (or link /bin/bash to sh, or change admin's shell to /bin/sh or another shell available on all of your systems) before the login succeeds.