AIX
Required AD environment:
This example scenario was tested with AIX 6.1 TL6 and TL8 and AIX 7.1 TL1, against Active
Directory on Windows Server 2008 R2 domain controllers running at the 2003 functional level.
The domain controllers must be Windows Server 2003 R2 or later so that the UNIX® LDAP
attributes are available out of the box. With plain Windows Server 2003 domain controllers,
the LDAP schema can be extended with the UNIX attributes by installing Microsoft Windows
Services for UNIX (SFU).
Prerequisites:
- Domain Name System (DNS) records (A and PTR) for the AIX hosts in the Windows DNS server.
- A computer object in Active Directory whose name matches the AIX host name.
- An organizational unit (OU) that contains the AIX objects.
- At least one UNIX-enabled user in the target OU.
- A service account in AD for LDAP binds. It needs read access to every OU that holds
UNIX-enabled users and nothing more: its bind credentials are stored in
/etc/security/ldap/ldap.cfg on every AIX host, so keep it a dedicated, low-privilege account.
- The hostname command must return the fully qualified domain name (FQDN) of the AIX server.
- The /etc/hosts entry for the host must read {IP} {FQDN} {Short Name}, in that order.
- The AIX host must use the domain controllers for DNS.
- Network Time Protocol (NTP) configured on the AIX server: Kerberos fails when the clock is
more than 5 minutes off the KDC.
- syslog configured, or verified to be working as expected.
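The following pre-flight script is an added example and not part of the original procedure. It checks the host-side prerequisites above (FQDN from hostname, /etc/hosts ordering, resolver pointing at the domain controllers, A and PTR records, clock skew under the 5-minute Kerberos limit). The host name, IP addresses and DC addresses in it are constructed placeholders; the check functions take their input as arguments so they can be exercised anywhere, and only run_preflight touches the live host.

```shell
#!/bin/sh
# Added example (not part of the original procedure): pre-flight checks for the
# prerequisites listed above. Host name, IPs and DC addresses are constructed
# placeholders. The check functions are pure (arguments in, exit status out);
# only run_preflight reads the live system.

MAX_SKEW=300   # Kerberos default clock skew tolerance, in seconds

# fqdn_ok <hostname> : 0 if the name is qualified (has a domain part)
fqdn_ok() {
    case "$1" in
        *?.?*) return 0 ;;
        *)     return 1 ;;
    esac
}

# hosts_line_ok <hosts-line> <fqdn> <short> : 0 if the line reads "IP FQDN short".
# Order matters: with the short name first, lookups return it as the canonical
# name and host/<short> no longer matches the host/<fqdn> key in the keytab.
hosts_line_ok() {
    hl_fqdn=$2; hl_short=$3
    set -- $1                                     # split the line into fields
    [ $# -ge 3 ] || return 1
    case "$1" in *[!0-9.]*|"") return 1 ;; esac   # first field must be an IPv4
    [ "$2" = "$hl_fqdn" ] && [ "$3" = "$hl_short" ]
}

# skew_ok <local_epoch> <reference_epoch> : 0 if the clocks differ by <= MAX_SKEW
skew_ok() {
    sk_d=$(( $1 - $2 ))
    [ "$sk_d" -lt 0 ] && sk_d=$(( 0 - $sk_d ))
    [ "$sk_d" -le "$MAX_SKEW" ]
}

# resolv_uses_dc <resolv.conf text> <dc_ip>... : 0 if at least one nameserver
# is configured and every one of them is a domain controller
resolv_uses_dc() {
    rd_conf=$1; shift
    rd_n=0; rd_bad=0
    for ns in $(printf '%s\n' "$rd_conf" | awk '$1 == "nameserver" { print $2 }'); do
        rd_n=$(( $rd_n + 1 )); rd_hit=0
        for dc in "$@"; do [ "$ns" = "$dc" ] && rd_hit=1; done
        [ $rd_hit -eq 1 ] || rd_bad=1
    done
    [ $rd_n -gt 0 ] && [ $rd_bad -eq 0 ]
}

# Live checks; run on the AIX host as root. DC addresses are assumptions.
run_preflight() {
    h=$(hostname); short=${h%%.*}
    fqdn_ok "$h" || echo "FAIL: hostname returns '$h', not an FQDN"
    hosts_line_ok "$(grep -v '^#' /etc/hosts | grep -w "$h" | head -1)" "$h" "$short" \
        || echo "FAIL: /etc/hosts needs '{IP} $h $short' in that order"
    resolv_uses_dc "$(cat /etc/resolv.conf)" 10.0.0.10 10.0.0.11 \
        || echo "FAIL: /etc/resolv.conf must list only the domain controllers"
    ip=$(host "$h" | awk '{ print $NF }')                 # A record
    host "$ip" >/dev/null 2>&1 || echo "FAIL: no PTR record for $ip"
    # ntpdate -q reports the offset to the DC without stepping the clock
    off=$(ntpdate -q 10.0.0.10 2>/dev/null | awk '/offset/ { sub(",", "", $6); print int($6 < 0 ? -$6 : $6); exit }')
    skew_ok 0 "${off:-999999}" || echo "FAIL: clock is ${off:-unknown}s off the DC; fix NTP"
}

if [ "${1:-}" = "--run" ]; then run_preflight; fi
```

Run it as `sh preflight.sh --run` on the AIX host after replacing the DC addresses; every FAIL line maps to one bullet in the list above.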
Tasks and timings
Install the following IBM Tivoli Directory Server client filesets (the AIX LDAP client depends on them):
idsldap.clt32bit61.rte.6.1.0.40.bff
idsldap.clt64bit61.rte.6.1.0.40.bff
idsldap.cltbase61.rte.6.1.0.40.bff
idsldap.cltjava61.rte.6.1.0.40.bff
idsldap.msg61.en_US.6.1.0.40.bff
where:
Edit /etc/security/ldap/ldap.cfg and make sure the following lines are present, uncommented and correct (time: 5 minutes):
- userattrmappath:/etc/security/ldap/sfur2user.map
- groupattrmappath:/etc/security/ldap/sfur2group.map
- serverschematype:sfur2
These select the Services for UNIX R2 schema, i.e. the UNIX attributes that Windows Server 2003 R2 and later carry, for user and group attribute mapping. Restart the LDAP client daemon so that it re-reads the file:
restart-secldapclntd
Output
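As an added example (not from the original procedure), the script below checks a copy of ldap.cfg for the three settings above, ignoring commented-out lines, and reports every mismatch so the file can be fixed before restart-secldapclntd is run. The two sample files it writes are constructed: one imitates a fresh client install with the AIX schema still commented in, the other the corrected file.

```shell
#!/bin/sh
# Added example (not part of the original procedure). check_ldap_cfg verifies
# that the three settings from the step above are active (not commented out)
# in a copy of /etc/security/ldap/ldap.cfg; exit 0 means all of them match.

# cfg_get <file> <key> : print the last uncommented value of key
# ("key:value", optional spaces after the colon, "#" comments)
cfg_get() {
    awk -F: -v k="$2" '
        /^[ \t]*#/ { next }
        $1 ~ ("^[ \t]*" k "[ \t]*$") {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]*$/, ""); v = $0
        }
        END { print v }' "$1"
}

# check_ldap_cfg <file> : 0 if every required setting has the required value;
# each mismatch is printed on stdout
check_ldap_cfg() {
    cl_rc=0
    for pair in \
        "userattrmappath=/etc/security/ldap/sfur2user.map" \
        "groupattrmappath=/etc/security/ldap/sfur2group.map" \
        "serverschematype=sfur2"
    do
        cl_key=${pair%%=*}; cl_want=${pair#*=}
        cl_have=$(cfg_get "$1" "$cl_key")
        if [ "$cl_have" != "$cl_want" ]; then
            echo "MISMATCH $cl_key: have '${cl_have:-<unset>}', want '$cl_want'"
            cl_rc=1
        fi
    done
    return $cl_rc
}

# Constructed sample of a freshly installed client: the AIX schema is still
# commented in, no sfur2 map paths are set (assumed layout of the stock file).
write_sample_cfg() {
    cat > "$1" <<'EOF'
# LDAP client configuration (constructed sample)
ldapservers:dc1.test.local,dc2.test.local
binddn:cn=svc_aixldap,ou=Service Accounts,dc=test,dc=local
#serverschematype:AIX
#userattrmappath:/etc/security/ldap/aixuser.map
userbasedn:ou=AIX,dc=test,dc=local
EOF
}

# Constructed sample of the corrected file with the three lines active.
write_fixed_cfg() {
    cat > "$1" <<'EOF'
ldapservers:dc1.test.local,dc2.test.local
binddn:cn=svc_aixldap,ou=Service Accounts,dc=test,dc=local
serverschematype:sfur2
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
userbasedn:ou=AIX,dc=test,dc=local
EOF
}

if [ "${1:-}" = "--check" ]; then
    check_ldap_cfg /etc/security/ldap/ldap.cfg && echo "ldap.cfg OK: run restart-secldapclntd"
fi
```

Run `sh ldapcfg-check.sh --check` on the AIX host; the sample writers are only there to show what a failing and a passing file look like.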
Install the following packages for Kerberos support (time: 30 minutes)
krb5.client.rte
krb5.client.samples
krb5.doc.en_US.html
krb5.doc.en_US.pdf
krb5.lic
krb5.client.rte
where:
Output
/usr/krb5/bin/klist
Output
Destroy any existing Kerberos ticket (time: 5 minutes)
/usr/krb5/bin/kdestroy
Generate the host principal keytab on the domain controller (this must be run by a user with
Domain Admin privileges) (time: 15 minutes)
where:
- host/aix1.test.local@TEST.LOCAL is the host principal: the host/ service prefix, the FQDN of the
AIX host and the Kerberos realm (the AD domain name in upper case). Note the host/ prefix.
- KRB5_NT_PRINCIPAL is the Kerberos principal type and does not change.
- aix1.keytab is the keytab file that will be created and then transferred to the AIX host; it is
named {hostname}.keytab for clarity.
- examplePassword is the password set on the computer account when the key is generated. It should
be complex, but you will most likely never use it again: the derived key is what ends up in the keytab.
- RC4-HMAC-NT is the encryption type; RC4 is the default for Kerberos on 2008 R2. RC4-HMAC is weak by
current standards, so where both the domain and the AIX Kerberos client support it, prefer AES256-SHA1.
- TEST\aix1 is {domain}\{hostname}, i.e. the computer object in AD that the principal is mapped to.
- /kvno 2 is the key version number written into the keytab. It should match the version AD holds for
the computer account (its msDS-KeyVersionNumber attribute); otherwise client and KDC disagree about
which key is current.
Output
Copy the keytab to the AIX host over an encrypted channel (scp) and delete the copy left on the domain
controller; the keytab is the host's credential. Remove any existing keytab. Open ktutil, read the
transferred keytab (rkt), list the keys (l) and write them to the default keytab file
/etc/krb5/krb5.keytab (wkt) (time: 10 minutes)
Output
/usr/krb5/bin/klist -ke
Output
/usr/krb5/bin/kinit -k
/usr/krb5/bin/klist
Output
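The script below is an added example, not code from the original procedure. It scripts the import described above (ktutil rkt, l, wkt, then klist -ke and kinit -k) and adds the check a practitioner wants at this point: that the entry written to /etc/krb5/krb5.keytab really carries the host principal, the kvno and the enctype that ktpass was given. The host name, realm, paths, the sample klist output and the layout of its entry lines are assumptions, and the ktpass command in the comment is reconstructed from the parameter list above since the page does not show the command line.

```shell
#!/bin/sh
# Added example (not from the original procedure): script the keytab import
# (ktutil rkt / l / wkt, then klist -ke and kinit -k) and check that the
# imported entry carries the principal, kvno and enctype that ktpass wrote.
# Hostname, realm, paths and the sample klist output are constructed.

KEYTAB=/etc/krb5/krb5.keytab
HOST_PRINC="host/aix1.test.local@TEST.LOCAL"
EXPECT_KVNO=2
EXPECT_ETYPE=arcfour            # RC4-HMAC-NT on the ktpass side

# On the DC the parameters listed above correspond to a ktpass call of this
# shape (reconstructed from that list; the page does not show the command):
#   ktpass /princ host/aix1.test.local@TEST.LOCAL /mapuser TEST\aix1
#          /pass examplePassword /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
#          /kvno 2 /out aix1.keytab

# keytab_entry <klist -ke output> <principal> : print "<kvno> <enctype>" for
# every entry of that principal. Entry lines are assumed to look like
# "   2 host/aix1.test.local@TEST.LOCAL (arcfour-hmac)"; header lines are skipped.
keytab_entry() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $2 == p {
            et = $0; sub(/^[^(]*\(/, "", et); sub(/\).*$/, "", et)
            print $1, et
        }'
}

# keytab_ok <klist -ke output> <principal> <kvno> <enctype-substring> : 0 if an
# entry with that kvno exists and its enctype contains the substring
# (case-insensitive), so a wrong /kvno or a DES-only keytab is caught here
keytab_ok() {
    keytab_entry "$1" "$2" | tr '[:upper:]' '[:lower:]' | awk -v kv="$3" -v et="$4" '
        $1 == kv && index($0, tolower(et)) > 0 { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Live steps on the AIX host, as root, with aix1.keytab already copied to /tmp
# over scp. The keytab is the host's credential: keep it root-only and remove
# every spare copy.
import_keytab() {
    rm -f "$KEYTAB"                       # discard any stale entries
    /usr/krb5/bin/ktutil <<EOF
rkt /tmp/aix1.keytab
l
wkt $KEYTAB
EOF
    chmod 600 "$KEYTAB"
    rm -f /tmp/aix1.keytab
    ik_out=$(/usr/krb5/bin/klist -ke)
    keytab_ok "$ik_out" "$HOST_PRINC" "$EXPECT_KVNO" "$EXPECT_ETYPE" || {
        echo "keytab check failed; klist -ke shows:"; echo "$ik_out"; return 1
    }
    /usr/krb5/bin/kinit -k && /usr/krb5/bin/klist    # TGT for host/ from the keytab
}

# Constructed sample of klist -ke after a good import (MIT-style layout).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/aix1.test.local@TEST.LOCAL (arcfour-hmac)'

if [ "${1:-}" = "--import" ]; then import_keytab; fi
```

Run `sh keytab-import.sh --import` after the scp; if the check fails, compare the kvno and enctype it prints with what ktpass was given before touching the KRB5 configuration.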
Make sure that, in /usr/lib/security/methods.cfg:
- the KRB5 stanza's options include:
authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes
- the KRB5LDAP stanza includes the auth and db options (auth=KRB5,db=LDAP).
Note that tgt_verify=no skips verifying the TGT against the host key in /etc/krb5/krb5.keytab, which is the
client's usual defence against a spoofed KDC; once kinit -k with the host keytab works, tgt_verify=yes is
the safer setting.
Output
su - aixtest
This should work.
Validate AD user authentication over ssh and validate the auth state (time: 5 minutes)
ssh aixtest@localhost
Output