topic Re: Need AD authentication for HP-UX user in Operating System - HP-UX

Need AD authentication for HP-UX user

Christ 33 — Wed, 14 Feb 2007 08:39:53 GMT

Hello

We have an HP-UX server 11.11
We have an Active Directory Windows 2000 controler.
Each time an HP-UX user need to log on the server, HP-UX must check with the AD if this user is authorized to logon. Nothing else to do.
Do yo know the best way to do it?
We want to have only the AD to administrate the users.
Do we need SFU (3.0) on the AD? Is it mandatory?
Do we need to configure LDAP? Is there another way?

Thanks for your help.

Re: Need AD authentication for HP-UX user

Ivan Ferreira — Wed, 14 Feb 2007 08:50:50 GMT

>>Do yo know the best way to do it?

You can use SAMBA/CIFS with winbind

>> We want to have only the AD to administrate the users.

You wont need anything else

>> Do we need SFU (3.0) on the AD? Is it mandatory?

I think you don't need it

>> Do we need to configure LDAP? Is there another way?

No, you could but is not needed. Active Directory (LDAP) is enough.

Re: Need AD authentication for HP-UX user

Steven E. Protter — Wed, 14 Feb 2007 09:12:54 GMT

Shalom,

Depends on what you want to do.

SFU 3.5 has limited shell support.

LDAP is challenging to configure but it works well.

CIFS/Samba seems worth a try.

ADS seems based on the limited information provided to be the best option.

SEP

Re: Need AD authentication for HP-UX user

TEC-HP — Thu, 15 Feb 2007 04:41:47 GMT

if only Authentication = kerberos (meaning users still reside in /etc/passwd but same account in AD)
Quite straithforward and standard:
for 11.11:
install PAMKerberos
on AD generate a keytab and install it with ktutil
adapt your /etc/krb5.conf
adapt you pam.conf (and perhaps pam_user.conf to exclude root)
change password hash field in /etc/passwd or /etc/shadow by "x": meaning those users have no local valid passwd and of you go

Remark: If you don't use kerberized clients to connect to you HPUX host than I advvise you to only enable kerberos authentication for ssh in pam: otherwise windows passwd in clear text over network!

If you want to centralise authorisation: if your AD could be upgraded to Windows 2003 R2: it contains all the nesc. POSIX attributes: you don't need to install th MSSFU stuff and are compliant to RFC... (don't know by heart). I don't know if the latest LDAPUX client is aware of this ?
Fot centralised authorisation you can work with nisnetgroups or the pam_authz.policy (as from ldapux version B.4...). But the client can't handle nested groups!

do you need SFU? No: check if you can adapt your AD scheme according the rfc's (AD 2003 R2 does)
Do you need to configure LDAP: proxy-user, configure the attributes ,.....

Hope this helps a bit. Annyway Check the docs.hp.com site for the latest ldapux client docs: there are docs for integration towards AD

Re: Need AD authentication for HP-UX user

TEC-HP — Thu, 15 Feb 2007 04:50:57 GMT

addendum:

Of coures: once you have your ldapclient configured: then you no longer need the local user accounts (except the system-accounts).

Further centralisation could be:
LDAP aware sudo: needs recompilation (check the sudo site) + again AD scheme change. Problem sudo ldap scheme is not a standard (? RFC ?) + development for sudo seems stopped (latest version from 2005)

RBAC is emerging but are there already (cross-platform) standards defined (roles, ldap scheme, ....)?

Re: Need AD authentication for HP-UX user

Christ 33 — Thu, 15 Feb 2007 08:27:38 GMT

Hello,

Thanks for your answers.

We decide to use CIFS/SAMBA
First step, I try to configure Kerberos.
We provide informationâ s in the krb5.conf file and smb.conf.
I followed this exemple, changing domain name by cutomer name.
[libdefaults]
default_realm = HPATC2003.HP.COM
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
default_keytab_name = "WRFILE:/etc/krb5.keytab"

[realms]
HPATC2003.HP.COM = {
kdc = HPATCWIN2K4.HPATC2003.HP.COM:88
admin_server = HPATCWIN2K4.HPATC2003.HP.COM
}
[domain_realm]
.hp.com = HPATC2003.HP.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

Second step, I try to create the keytab file with this command:
/opt/samba/bin/net ads keytab create -U administrator
I got an â authentication failedâ error message.

If I read â Integrating HP-UX 11.x Account Management and Authentication with Microsoft Windows 2000 Â» they talk about Kerberos configuration, they use ktpass tool to generate the keytab file.
What do you think about this?
Which one is the right way?

In the CIFS/SAMBA configuration document, I donâ t see any thing about pam_authz file or the pam.conf file. Do we need to configure them?

Thanks for your answer

Re: Need AD authentication for HP-UX user

TEC-HP — Thu, 15 Feb 2007 08:35:15 GMT

Even before you have a keytab:
If your krb5.conf is OK. Try this one first on you HPUX host: kinit
you should be prompted for your windows passwd. after authentication, check with klist if you received a ticket.

On the AD node: creating a keytab is done with ktpas. The Unix host must be created as a user. Be sure to use the fqdn of your host when creating the keytab

Re: Need AD authentication for HP-UX user

Christ 33 — Tue, 03 Apr 2007 11:27:25 GMT

Thanks for your help.

We change CIFS server version, we download the latest version. Itâ s working fine now.

Re: Need AD authentication for HP-UX user

Christ 33 — Thu, 05 Apr 2007 10:18:49 GMT

We configure it with SSH, Kerberos, CIFS