Plan General de Trabajo – Autenticacion en Active Directory

AIX

Ambiente de AD requerido:

This example scenario was tested using AIX 6.1 TL 6 and TL 8, and AIX 7.1 TL 1, with Active
Directory on Server 2008 R2 domain controllers running at the 2003 functional level. It is
important to note that the domain controllers must be Windows Server 2003 R2 or later in order
to include the UNIX® LDAP attributes out-of-the-box. If you have Server 2003 domain
controllers, the LDAP schema can be extended to include the UNIX attributes using Microsoft
Windows Services for UNIX addition.

Requisitos de AD requeridos:

Pre-requisitos:

- Domain Name System (DNS) records (A and PTR) for your AIX hosts in your Windows DNS
server.
- Computer object matching the AIX host name in Active Directory.
- An organizational unit (OU) that contains AIX objects.
- At least one UNIX-enabled user in the target OU.
- A service account in AD that can be used for LDAP binds to AD.
- The service account should have full read rights on any OU that will have UNIX-enabled users.
- Ensure that the hostname command returns the fully qualified domain name (FQDN) of the AIX
server.
- /etc/hosts entry for host should be {IP} {FQDN} {Short Name}
- Ensure that the AIX host is using the domain controllers for DNS.
- Configure Network Time Protocol (NTP) on the AIX server. (Kerberos fails if the clock is more
than 5 minutes off.)
- Configure syslog or verify that it is working as expected.

Tiempos y tareas

Instalar los siguientes paquetes (tiempo 30 minutos)

idsldap.clt32bit61.rte.6.1.0.40.bff
idsldap.clt64bit61.rte.6.1.0.40.bff
idsldap.cltbase61.rte.6.1.0.40.bff
 idsldap.cltjava61.rte.6.1.0.40.bff
idsldap.msg61.en_US.6.1.0.40.bff

Validar conectividad LDAP (tiempo 10 minutos)

/opt/IBM/ldap/V6.1/bin/ldapsearch -h pdc1.test.local -D aixservice@test.local -w \? -b

DC=test,DC=local -v sAMAccountName=aixtest

donde

- pdc1.test.local is the IP address of the domain controller.

- aixservice@test.local is the name and realm (domain) of your AD service account.
- -w \? prompts for the password.
- DC=test,DC=local is the distinguished name of the OU where your search begins.
sAMAccountName=aixtest is the search filter. sAMAccountName was chosen for simplicity.

Configuracion de ldap cliente (tiempo 15 minutos)

mksecldap -c -h pdc1.test.local -a "CN=AIX Service,OU=Service Accounts,DC=TEST,DC=LOCAL"

-d OU=AIX,DC=test,DC=local -p examplePassword

Donde

- pdc1.test.local is the hostname of a domain controller.

- CN=AIX Service,OU=Service Accounts,DC=TEST,DC=LOCAL is the distinguished name of the
service account.
- OU=AIX,DC=test,DC=local is the distinguished name of the OU where your AIX objects reside in
AD.
- examplePassword is the password for the service account. mksecldap may encrypt the password in
the configuration file.

Verificar la configuracion ldap (tiempo 5 mintos)

grep '^[:a-z:]' /etc/security/ldap/ldap.cfg

Editar el archivo y agregar ldaps servers contingencia (tiempo 5 minutos)

Editar el archivo :/etc/security/ldap/ldap.cfg y asegurarse que las siguientes lineas son correctas
(tiempo 5 muntos)

- userattrmappath:/etc/security/ldap/sfur2user.map
- groupattrmappath:/etc/security/ldap/sfur2group.map
- serverschematype:sfur2

Iniciar los servicios ldap cliente (tiempo 5 minutos)

restart-secldapclntd

Output

Verificar la resolucion ldap (tiempo 5 minutos)

lsuser -R LDAP ALL

Output
Instalar los siguientes paquetes para el soporte kerberos (tiempo 30 minutos)

krb5.client.rte
krb5.client.samples
krb5.doc.en_US.html
krb5.doc.en_US.pdf
krb5.lic
krb5.client.rte

Configurar Kerberos (tiempo 15 minutos)

mkkrb5clnt -c pdc1.test.local -r TEST.LOCAL -s pdc1.test.local -d TEST.LOCAL -i LDAP -D

donde

- pdc1.test.local is the FQDN of a domain controller (in two switches).

- TEST.LOCAL is the realm name, FQDN of domain, in all caps (in two switches)
- LDAP is the source for user registry information. This triggers the creation of the KRB5LDAP
stanza in /etc/methods.cfg.

Output

Editar el file /etc/krb5/krb5.conf y modificar lo siguiente: (tiempo 5 minutos)

- Set both enctypes to arcfour-hmac.

- Add the dns_lookup_kdc and dns_lookup_realm lines and set them to true.
- Add additional kdc entries for domain controllers local to the AIX box. (Avoid WAN traversal.)
- Add the master_kdc entry, pointing to your primary local domain controller.
- Make sure that there are resolvers for the upper and lower case domain and dotted domain.

Test a la conexion kerberos (tiempo 5 minutos)

/usr/krb5/bin/kinit jgeiger@TEST.LOCAL (usar cualquier cuenta AD valida)

Validar si se genero ticket kerberos (tiempo 5 minutos)

/usr/krb5/bin/klist

Output
Destruir ticket kerberos (tiempo 5 minutos)

/usr/krb5/bin/kdestroy

Generar host principal key tab en el Domain Controler (debe de ejecutsarse con usuario con
privilegios de administrador de dominio). (tiempo 15 minutos)

ktpass /princ host/aix1.test.local@TEST.LOCAL /ptype KRB5_NT_PRINCIPAL /out aix1.keytab

/pass examplePassword /crypto RC4-HMAC-NT /mapuser TEST\aix1 /kvno 2

donde :

- host/aix1.test.local@TEST.LOCAL is the FQDN of the AIX host. Make a note of the host/ suffix.
- KRB5_NT_PRINCIPAL is the Kerberos principal type. This would not change.
- aix1.keytab is the keytab file that will be created. This file will be transferred to the AIX host and is
named as {hostname}.keytab for clarity.
- examplePassword is the password that will be set for the host principal. This should be complex, but
you might not ever use it.
- RC4-HMAC-NT is the encryption type used. RC4 is the default for Kerberos on 2008 R2.
- TEST\aix1 is the {domain}\{hostname} for the computer object in AD.
- /kvno 2 is the key version number.

Output

Copiar el keytab generado al servidor AIX (tiempo 5 minutos)

Remover cualquier keytab existente. Abrir ktutil y leer el keytab existente (rkt), listar las llaves (l),
escribir el keytab (wkt) al default keytab file /etc/krb5/krb5.keytab (tiempo 10 minutos)

Output

Verificar el keytab (tiempo 5 mintuos)

/usr/krb5/bin/klist –ke

Output

Probar el keytab (tiempo 5 minutos)

/usr/krb5/bin/kinit -k

NO DEBE DE PEDIR PASSWORD

Verificar la existencia del ticket kerberos (tiempo 5 minutos)

/usr/krb5/bin/klist

Output

Configuracion de AIX para usar Kerberos y ldap como metodos de autenticacion

Editar /etc/methods.cfg (tiempo 5 minutos)

Asegurarse de:
- Ensure that the KRB5 options include:
authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes
- Make sure that the KRB5LDAP stanza includes the auth and db options.

Modificar el file /etc/security/user: (tiempo 5 minutos)

chsec -f /etc/security/user -s default -a SYSTEM="KRB5LDAP OR compat"

Output

Añadir a kerberos como entidad valida de autenticacion (tiempo 5 minutos)

chauthent -k5 –std

#Verify
lsauthent

Output

Validar que la autenticacion de usuarios es funcional (tiempo 5 minutos)

lsuser –R KRB5LDAP aixtest

Output

Realizar su al usuario (tiempo 5 minutos)

su – aixtest
Debe de funcionar

Validar autenticacion de usuario AD via ssh y validar el auth state (tiempo 5 minutos)

ssh aixtest@localhost

Output

Tiempo total de la implementacion: 3 horas 20 minutos