LDAP-UX (Win ADS Kerberos) + sshd

Sander Reiche (HVS) · ‎12-12-2011

Hi guys,

I'm at a loss here.

I've followed the LDAP-UX Administrator's Guide (HP Part Number: 5900-1479) and I have Kerberos working fine with the Windows ADS Domain. `kinit(1)' even nicely gets a ticket after authentication, but for the life of me, I can't seem to get `sshd' to play nice with the whole thing. I still can't connect to my HP/UX 11iv3 machine (HP-UX hvs11 B.11.31 U ia64) via `ssh' using an ADS account.

What am I missing here? Any takers?

Some configuration files and feedback from my system:

# /opt/ldapux/config/netjoin

Scanning DNS domain "intern.hilversum.nl" for any registered Active Directory servers...

Please enter the DN of a user that has sufficient privilege to add this host
to the "intern.hilversum.nl" domain.  Note also that if this is the first
time adding an HP-UX host to this directory server, LDAP-UX may also need to
extend the server's schema.  Please enter the DN of an Administrator with
these privileges or press Return for the default value
[CN=Administrator,CN=Users,DC=intern,DC=hilversum,DC=nl]: cn=root,ou=Beheerders,ou=Gebruikers-zonder-Zarafa,ou=Hilversum,dc=intern,dc=hilversum,dc=nl

Please enter the administrator's password:


Found profile entry CN=ldapuxprofile,CN=system,DC=intern,DC=hilversum,DC=nl.

Successfully downloaded profile entry from AD server.

Created "hvs11.intern.hilversum.nl" computer account.

Modified UserAccountControl of "hvs11.intern.hilversum.nl" computer account.

Backing up all the default krb5 log files.

The Kerberos configuration file /etc/krb5.conf has been created.

Configured "hvs11.intern.hilversum.nl" as LDAP-UX proxy.

Your LDAP-UX client has been successfully configured and
is now a member of the "intern.hilversum.nl" domain.

The Kerberos configuration:

# cat /etc/krb5.conf
[libdefaults]
    default_realm = INTERN.HILVERSUM.NL
    default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    ccache_type = 2

[realms]
    INTERN.HILVERSUM.NL = {
        kdc = sdc01.intern.hilversum.nl:88
        kpasswd = sdc02.intern.hilversum.nl:464
    }

[domain_realm]
    .intern.hilversum.nl = INTERN.HILVERSUM.NL

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

`kinit(1)' working:

# kinit sre
Password for sre@INTERN.HILVERSUM.NL:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sre@INTERN.HILVERSUM.NL

Valid starting     Expires            Service principal
12/12/11 14:16:42  12/13/11 00:16:42  krbtgt/INTERN.HILVERSUM.NL@INTERN.HILVERSUM.NL
#

The sshd rules in `/etc/pam.conf':

# grep sshd pam.conf
sshd         auth       required        libpam_hpsec.so.1
sshd         auth       sufficient      libpam_krb5.so.1
sshd         auth       required        libpam_unix.so.1 try_first_pass
sshd         account    required        libpam_hpsec.so.1
sshd         account    sufficient      libpam_krb5.so.1
sshd         account    required        libpam_unix.so.1
sshd         session    required        libpam_hpsec.so.1
sshd         session    sufficient      libpam_krb5.so.1
sshd         session    required        libpam_unix.so.1
sshd         password   required        libpam_hpsec.so.1
sshd         password   sufficient      libpam_krb5.so.1
sshd         password   required        libpam_unix.so.1 try_first_pass

And the `nsswitch.conf' entries concerning ldap:

# grep ldap nsswitch.conf
passwd:       files ldap
group:        files ldap

~~ UNIX is very simple, it just needs a genius to understand its simplicity.
dmr ~~

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

LDAP-UX (Win ADS Kerberos) + sshd

LDAP-UX (Win ADS Kerberos) + sshd