ConfiguringAixClients#
Introduction#
This document describes the procedures required to configure AIX 5.3 as an IPA client, hints for later AIX versions are also included.
Prerequisites#
Before you begin the configuration phase, you need to ensure that the following software is installed and up to date on your system. This can be installed from your AIX media:
v5.3 OS
v5.3 Updates
krb5 client packages
openssh
wget
bash
ldap.client (idsldap)
openssl
modcrypt.base (for gssd)
Configuring the IPA Client on AIX 5.3#
The following instructions describe how to configure AIX 5.3 as an IPA client. The following hostnames are used as examples only; you need to replace these with the hostnames that apply to your deployment.
REALM = EXAMPLE.COM
IPA server = ipaserver.example.com
IPA client = ipaclient.example.com
Configuring Kerberos and LDAP#
Configure the krb5 client settings as follows:
`` # mkkrb5clnt -r EXAMPLE.COM -d example.com -c ipaserver.example.com -s ipaserver.example.com``
Get a Kerberos ticket.
`` # kinit admin``
Configure the LDAP client settings as follows:
`` # mksecldap -c -h ipaserver.example.com -d cn=accounts,dc=example,dc=com -a uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com -p secret``
Add custom settings for the LDAP client.
Under /etc/security/ldap create 2 new map files:
#IPAuser.map file keyobjectclass SEC_CHAR posixaccount s # The following attributes are required by AIX to be functional username SEC_CHAR uid s id SEC_INT uidnumber s pgrp SEC_CHAR gidnumber s home SEC_CHAR homedirectory s shell SEC_CHAR loginshell s gecos SEC_CHAR gecos s spassword SEC_CHAR userpassword s lastupdate SEC_INT shadowlastchange s
#IPAgroup.map file groupname SEC_CHAR cn s id SEC_INT gidNumber s users SEC_LIST member m
userbasedn:cn=users,cn=accounts,dc=example,dc=com
groupbasedn:cn=groups,cn=accounts,dc=example,dc=com
userattrmappath:/etc/security/ldap/IPAuser.map
groupattrmappath:/etc/security/ldap/IPAgroup.map
userclasses:posixaccount
Start the ldap client daemon.
`` # start-secldapclntd``
Test the LDAP client connection to the IPA server.
`` # lsldap -a passwd``
Configure the system login to use Krberos and LDAP
Add the following sections to the file /usr/lib/security/methods.cfg
KRB5A: program = /usr/lib/security/KRB5A program_64 = /usr/lib/security/KRB5A_64 options = authonly KRB5ALDAP: options = auth=KRB5A,db=LDAP
For AIX 6.1 the line
options = authonly
should be changed into
options = authonly,kadmind=no
SYSTEM = "KRB5ALDAP"
regisrty = LDAP
Please note: due to these changes to /etc/security/user LDAP is configured, leading to local users with no individual entry not beeing able to login. According to previous testing not setting registry to LDAP is not preventing IPA users to login, but is preventing them to change passwords.
Configuring Client SSH Access#
You can configure the IPA client to accept incoming SSH requests and authenticate with the user’s Kerberos credentials. After configuring the IPA client, use the following procedure to configure the IPA client for SSH connections. Remember to replace the example host and domain names with your own host and domain names:
SSH syslog Configuration
auth.info /var/log/sshd.log
auth.info /var/log/sshd.log
auth.crit /var/log/sshd.log
auth.warn /var/log/sshd.log
auth.notice /var/log/sshd.log
auth.err /var/log/sshd.log
SSH Logging Configuration
SyslogFacility AUTH
LogLevel INFO
Configure sshd for GSSAPI (
/etc/ssh/sshd_config)
# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
Restart sshd
# stopsrc -s sshd
# startsrc -s sshd
Restart syslogd
# stopsrc -s syslogd
# startsrc -s syslogd
Note:
The ipa-admintools package is not available for AIX. Consequently, you need to perform the following commands on the IPA server.
Add a host service principal on IPA v2:
# ipa service-add host/ipaclient.example.com
Please note: adding the service principal should no longer be required, but host-add and a host-add-managedby should be enough:
# ipa host-add ipaclient.example.com
# ipa host-add-managedby --hosts=ipaserver.example.com ipaclient.example.com
Retrieve the host keytab.
# ipa-getkeytab -s ipaserver -p host/ipaclient.example.com -k /tmp/krb5.keytab
Copy the keytab from the server to the client.
# scp /tmp/krb5.keytab root@ipaclient.example.com:/tmp/krb5.keytab
On the IPA client, use the ktutil command to import the keytab.
# ktutil
ktutil: read_kt /tmp/krb5.keytab
ktutil: write_kt /etc/krb5/krb5.keytab
ktutil: q
10. Add a user that is only used for authentication. (This can be substituted with krb5 authentication if that works from the ldap client). Otherwise go to the IPA server and use ldapmodify, bind as Directory Manager and create this user.
dn: uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: nss
userPassword: Your own shared password here
On the IPA server, get a ticket for the admin user.
# kinit admin
You should be able to log in as admin using ssh without providing a password.
# ssh admin@ipaclient.example.com
System Login#
On the AIX machine console, enter the admin username and password. You should be able to log in.
Use the id command to verify user and group information.
By default, admin is given /bin/bash as the shell to use and
/home/adminas the home directory. You may need to install bash (or link sh to /bin/bash or modify admin to use /bin/sh or a shell available in all of your systems) to be able to log in.
netgroup#
Some words of caution. The comment-line in most of these files in * and not # as is usual for *nix configuration files. I found that deleting values rather than trying to comment then out was more helpful.
The order in some files seems to be important for some reason. Simply
moving SYSTEM and registry in /etc/security/user once solved getting
netgroup working. My advice would be to maintain the existing formatting
and order as much as possible.
This example assumes we are going to be granting access to the machine to users in the netgroup mygroup. To add this group to IPA and allow the user admin do the following on the IPA server:
$ kinit admin
$ ipa netgroup-add --desc='AIX users' mygroup
$ ipa netgroup-add-member --users=admin mygroup
1. On the AIX client, add the netgroup basedn to
/etc/security/ldap/ldap.cfg:
netgroupbasedn: cn=ng,cn=compat,dc=example,dc=com
Restart the LDAP client:
# /usr/sbin/restart-secldapclntd
Test that a netgroup is visible
# lsldap -a netgroup mygroup
4. Add the netgroup option to LDAP and KRB5ALDAP in /usr/lib/security/methods.cfg:
LDAP: program = /usr/lib/security/LDAP program_64 =/usr/lib/security/LDAP64 options = netgroup ... KRB5ALDAP: options = auth=KRB5A,db=LDAP,netgroup
Configure
/etc/irs.conffor netgroups:
# cat /etc/irs.conf
netgroup nis_ldap
6. Either modify the default user in /etc/security/user to use
SYSTEM = compat and registry = compat or create a user admin
entry and configure that for compat:
This is what it looks like if you create a separate user:
default: ... SYSTEM = compat registry = compat ...
OR
admin: SYSTEM = compat registry = compat
Add our netgroup to
/etc/passwd:
echo "+@mygroup" >> /etc/passwd
Configure
/etc/groupfor netgroups:
# echo "+:" >> /etc/group
Test the admin user:
# lsuser -R compat admin admin id=155000000 pgrp=admins groups=admins home=/home/admin...
A full test is to su to the user or log in via ssh.
For users not found in the netgroup you’ll get a log entry like this in
/var/log/sshd.log
Aug 24 10:38:29 ipaaix auth|security:info sshd[348394]: Invalid user admin from x.x.x.x
Aug 24 10:38:30 ipaaix auth|security:info syslog: ssh: failed login attempt for UNKNOWN_USER from x.x.x.x
Aug 24 10:38:30 ipaaix auth|security:info sshd[348394]: Failed none for invalid user admin from x.x.x.x port 34085 ssh2
Additional help#
Some additional AIX configuration pages that may be relevant and helpful.