
Kerberos setup issue [HPUX---->AD(KDC)]

 
Rupinder Sandhu
Occasional Advisor


Hi there,

Could anyone please help me with the Kerberos setup?

I am trying to authenticate HPUX login requests from Active Directory KDC.

This is what I have done so far.

installed latest Kerberos products on hpux client
$ swlist | grep -i kerber
KRB5CLIENT D.1.6.2 Kerberos V5 Client Version 1.6.2
PAMKerberos C.01.24 PAM-Kerberos Version 1.24

Setup the KDC on AD server

setup test user (test) and passwd on KDC

imported certificate from KDC to hpux client created using ktpass on KDC

updated the keytab file on hpux client and configurations in /etc/krb5.conf for the REALM

created a same test user on hpux client
and replaced passwd field with "x"

and then
kinit test@REALM works well and gets the ticket from the KDC

klist lists the tickets


#pamkrbval runs well without an error

NOW I want to test this test user first before going for the whole system,
I have updated the pam.conf with the following entries
login auth suffcient libpam_krb5.so.1
su auth sufficient libpam_krb5.so.1
sshd auth sufficient libpam_krb5.so.1

then updated /etc/opt/ssh/sshd_config
to include
KerberosAuthentication yes

but I am getting nowhere when I try to test this user (test).

Thanks in Advance
Any help will be much appreciated.


6 REPLIES
Steven E. Protter
Exalted Contributor

Re: Kerberos setup issue [HPUX---->AD(KDC)]

Shalom,

LDAP-UX ships with a setup script that must be run to configure ADC connectivity.

Have you successfully completed this step?

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Rupinder Sandhu
Occasional Advisor

Re: Kerberos setup issue [HPUX---->AD(KDC)]

Hi Steven,

Thanks for replying, but I could not understand why I should use the LDAP-UX setup script.

I believe I have already got ADC connectivity as I am getting TGT from KDC.

I am following the link below to make it work:
http://www12.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01250837-3&docLocale=en&admit=109447627+1217947780651+28353475

Please let me know if something is missing in it according to you.

Thanks

Rupinder Sandhu
Occasional Advisor

Re: Kerberos setup issue [HPUX---->AD(KDC)]

This is what I get in the debug logs for authentication:

Nov 26 09:24:36 vmhost sshd[2638]: pam_start(sshd test)
Nov 26 09:24:36 vmhost sshd[2638]: pam_set_item(1)
Nov 26 09:24:36 vmhost sshd[2638]: pam_set_item(2)
Nov 26 09:24:36 vmhost sshd[2638]: pam_set_item(5)
Nov 26 09:24:36 vmhost sshd[2638]: invalid flag: resuired
Nov 26 09:24:36 vmhost sshd[2638]: pam_set_item(4)
Nov 26 09:24:36 vmhost sshd[2638]: pam_authenticate()
Nov 26 09:24:36 vmhost sshd[2638]: load_modules: /usr/lib/security/hpux32/libpam_hpsec.so.1
Nov 26 09:24:36 vmhost sshd[2638]: load_function: successful load of pam_sm_authenticate
Nov 26 09:24:36 vmhost sshd[2638]: pam_set_item(5)
Nov 26 09:24:36 vmhost sshd[2638]: load_modules: /usr/lib/security/hpux32/libpam_unix.so.1
Nov 26 09:24:36 vmhost sshd[2638]: pam_get_username(ux)
Nov 26 09:24:36 vmhost sshd[2638]: pam_mapping_in_use()
Nov 26 09:24:39 vmhost inetd[2640]: registrar/tcp: Connection from vmhost (111.222.333.444) at Wed Nov 26 09:24:39 2008
Nov 26 09:24:36 vmhost sshd[2638]: load_function: successful load of pam_sm_authenticate
Nov 26 09:24:39 vmhost sshd[2638]: pam_set_item(6)
Nov 26 09:24:39 vmhost sshd[2638]: pam_authenticate: error Authentication failed
Nov 26 09:24:41 vmhost sshd[2638]: error: PAM: Authentication failed for test from vmhost.domain.com
Nov 26 09:24:41 vmhost sshd[2638]: pam_set_item(5)
Nov 26 09:24:41 vmhost sshd[2638]: pam_authenticate()
Nov 26 09:24:39 vmhost sshd[2638]: pam_set_item(6)
Nov 26 09:24:41 vmhost sshd[2638]: load_modules: /usr/lib/security/hpux32/libpam_hpsec.so.1
Nov 26 09:24:41 vmhost sshd[2638]: pam_get_username(ux)
Nov 26 09:24:41 vmhost sshd[2638]: pam_mapping_in_use()
Nov 26 09:24:50 vmhost sshd[2638]: pam_set_item(6)
Nov 26 09:24:50 vmhost sshd[2638]: pam_authenticate: error Authentication failed
Nov 26 09:24:52 vmhost sshd[2638]: error: PAM: Authentication failed for test from vmhost.domain.com


Any Ideas....why

pam_authenticate:<--- fails?
Nov 26 09:24:36 vmhost sshd[2638]: invalid flag: resuired <--means what?


Looking forward to hearing from you guys
thanks
Heironimus
Honored Contributor

Re: Kerberos setup issue [HPUX---->AD(KDC)]

I would guess that "invalid flag: resuired" means that somewhere in your PAM configuration somebody mistyped "required".
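
As an added illustration (not part of any reply in this thread, and not HP's tooling): a small shell check that scans a pam.conf-style file for misspelled module types or control flags, the kind of error behind sshd's "invalid flag" message. The accepted type and flag lists, the function names and the sample file are assumptions or constructed; match the lists to pam.conf(4) on your release.

```shell
# Assumed lists; adjust to what pam.conf(4) documents on your system.
ALLOWED_TYPES="auth account session password"
ALLOWED_FLAGS="required requisite sufficient optional"

# Entry layout: service  module_type  control_flag  module_path  [options]
# Prints one finding per problem; exit status is 1 if anything was found.
pam_conf_lint() {
    awk -v types="$ALLOWED_TYPES" -v flags="$ALLOWED_FLAGS" '
        BEGIN {
            n = split(types, t, " "); for (i = 1; i <= n; i++) ok_type[t[i]] = 1
            n = split(flags, f, " "); for (i = 1; i <= n; i++) ok_flag[f[i]] = 1
        }
        /^[ \t]*#/ { next }      # comment line
        NF == 0    { next }      # blank line
        NF < 4 {
            printf "line %d: expected at least 4 fields, got %d\n", NR, NF
            bad = 1; next
        }
        !($2 in ok_type) {
            printf "line %d: unknown module type \"%s\"\n", NR, $2; bad = 1
        }
        !($3 in ok_flag) {
            printf "line %d: invalid flag \"%s\" (service %s)\n", NR, $3, $1
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: the three entries as typed in the question, plus one
# constructed line carrying the "resuired" typo that sshd reported.
write_sample() {
    cat > "$1" <<'EOF'
# service  type  flag  module
login auth suffcient libpam_krb5.so.1
su    auth sufficient libpam_krb5.so.1
sshd  auth sufficient libpam_krb5.so.1
sshd  auth resuired   libpam_hpsec.so.1
EOF
}

sample="${TMPDIR:-/tmp}/pam_conf_sample.$$"
write_sample "$sample"
pam_conf_lint "$sample" || echo "pam.conf-style file has errors"
rm -f "$sample"
```

Run `pam_conf_lint /etc/pam.conf` after every edit and before closing the root session you edited from, since a rejected entry can change which modules are actually consulted at login.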
Rupinder Sandhu
Occasional Advisor

Re: Kerberos setup issue [HPUX---->AD(KDC)]

Thanks for that, I managed to pick that up this morning. I fixed it to be "required", but I am still not able to log in.

Wim Rombauts
Honored Contributor

Re: Kerberos setup issue [HPUX---->AD(KDC)]

I wonder if your /etc/pam.conf is correctly configured to activate Kerberos authentication. Could you post the contents of pam.conf?

Further, to see if all necessary software is installed, you should run "swlist -l product | grep -i -e krb -e kerb".
This should return 4 lines = KRB5-Client, PAM-Kerberos, krb5client, PHSS_34991 (or later).