
HP-UX authentication to Active Directory

Chris Clonch
Occasional Visitor

HP-UX authentication to Active Directory

I can't seem to get it working... I'm only trying to do authentication against AD, not user management, so no LDAP. This is on a newly installed 11.23 with the latest patches installed.

swlist -l product | grep -i -e krb -e kerb
KRB5-Client B.11.23 Kerberos V5 Client Version 1.0
PAM-Kerberos C.01.26 PAM-Kerberos Version 1.26
PHSS_39765 1.0 KRB5-Client Version 1.0 Cumulative patch

I copied over the /etc/pam.krb5 to /etc/pam.conf. I've verified everything is set up:

pamkrbval -a pa64

Validating the pam configuration files
---------- --- --- ------------- -----

Validating the /etc/pam.conf file
[PASS] : The validation of config file: /etc/pam.conf passed

[NOTICE] : The validation of config file: /etc/pam_user.conf is not done
as libpam_updbe library is not configured

Validating the kerberos config file
---------- --- -------- ------ -----
[PASS] : Initialization of kerberos passed

Connecting to default Realm
---------- -- ------- -----
[PASS] : Default Realm is issuing tickets

Validating the keytab entry for the host service principal
---------- --- ------ ----- --- --- ---- ------- ---------
[WARNING] : Keytab file /etc/krb5.keytab is not present
[IGNORE] : The keytab validation is ignored,assuming success

Validating the rc_host file for ownership
-------- ------ ---- -------- ------ -----
[PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful


Using kinit and klist, I can verify ticket granting.

With debug enabled in sshd and pam.conf I get:

Mar 12 16:20:37 cocbhpuhlat1 sshd[7674]: debug1: PAM: initializing for "testuser"
Mar 12 16:20:37 cocbhpuhlat1 sshd[7674]: debug1: PAM: setting PAM_RHOST to "testhost.domain.com"
Mar 12 16:20:37 cocbhpuhlat1 sshd[7674]: Failed none for testuser from 192.168.1.99 port 3452 ssh2
Mar 12 16:20:37 cocbhpuhlat1 sshd[7674]: debug1: audit event euid 0 user testuser event 3 (AUTH_FAIL_NONE)
Mar 12 16:20:47 cocbhpuhlat1 sshd[7674]: pam_authenticate: error Authentication failed
Mar 12 16:20:49 cocbhpuhlat1 sshd[7674]: error: PAM: Authentication failed for testuser from testhost.domain.com
Mar 12 16:20:49 cocbhpuhlat1 sshd[7674]: Failed keyboard-interactive/pam for testuser from 192.168.1.99 port 3452 ssh2
Mar 12 16:20:49 cocbhpuhlat1 sshd[7674]: debug1: Entering record_failed_login uid 0
Mar 12 16:20:49 cocbhpuhlat1 sshd[7674]: debug1: audit event euid 0 user testuser event 5 (AUTH_FAIL_KBDINT)
Mar 12 16:21:02 cocbhpuhlat1 sshd[7674]: pam_authenticate: error Authentication failed
Mar 12 16:21:04 cocbhpuhlat1 sshd[7674]: error: PAM: Authentication failed for testuser from testhost.domain.com
Mar 12 16:21:04 cocbhpuhlat1 sshd[7674]: Failed keyboard-interactive/pam for testuser from 192.168.1.99 port 3452 ssh2
Mar 12 16:21:04 cocbhpuhlat1 sshd[7674]: debug1: Entering record_failed_login uid 0
Mar 12 16:21:04 cocbhpuhlat1 sshd[7674]: debug1: audit event euid 0 user testuser event 5 (AUTH_FAIL_KBDINT)
Mar 12 16:21:17 cocbhpuhlat1 sshd[7674]: debug1: do_pam_account: called


Any ideas? I know this can work as I have Linux hosts authenticating.
2 REPLIES
Chris Clonch
Occasional Visitor

Re: HP-UX authentication to Active Directory

Sorry, seems I didn't have pam debugging enabled properly.


Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: rexec start in 6 out 6 newsock 6 pipe 8 sock 9
Mar 12 17:01:35 cocbhpuhlat1 sshd[7664]: debug1: Forked child 9882.
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: inetd sockets after dupping: 5, 5
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: audit connection from 192.168.1.99 port 3797 euid 0
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: Connection from 192.168.1.99 port 3797
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: HPN Disabled: 0, HPN Buffer Size: 65536
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: Client protocol version 2.0; client software version PuTTY_Release_0.60
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: SSH: Server;Ltype: Version;Remote: 192.168.1.99-3797;Protocol: 2.0;Client: PuTTY_Release_0.60
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: no match: PuTTY_Release_0.60
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: Enabling compatibility mode for protocol 2.0
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: Local version string SSH-1.99-OpenSSH_5.3p1+sftpfilecontrol-v1.3-hpn13v5
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: Config token is protocol
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: Config token is syslogfacility
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: Config token is loglevel
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: Config token is kerberosauthentication
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: Config token is usepam
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: Config token is x11forwarding
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: Config token is subsystem
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: PAM: initializing for "testuser"
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_start(sshd testuser)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_set_item(1)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_set_item(2)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_set_item(5)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: PAM: setting PAM_RHOST to "testhost.domain.com"
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_set_item(4)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: Failed none for testuser from 192.168.1.99 port 3797 ssh2
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: audit event euid 0 user testuser event 3 (AUTH_FAIL_NONE)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_set_item(5)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_authenticate()
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: load_modules: /usr/lib/security/pa20_64/libpam_unix.so.1
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: load_function: successful load of pam_sm_authenticate
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_get_username(ux)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_mapping_in_use()
Mar 12 17:02:02 cocbhpuhlat1 sshd[9882]: pam_set_item(6)
Mar 12 17:02:02 cocbhpuhlat1 sshd[9882]: pam_authenticate: error Authentication failed
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: error: PAM: Authentication failed for testuser from testhost.domain.com
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: Failed keyboard-interactive/pam for testuser from 192.168.1.99 port 3797 ssh2
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: debug1: Entering record_failed_login uid 0
Mar 12 17:02:02 cocbhpuhlat1 sshd[9882]: pam_set_item(6)
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: debug1: audit event euid 0 user testuser event 5 (AUTH_FAIL_KBDINT)
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: pam_set_item(5)
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: pam_authenticate()
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: load_modules: /usr/lib/security/pa20_64/libpam_unix.so.1
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: pam_get_username(ux)
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: pam_mapping_in_use()
Chris Clonch
Occasional Visitor

Re: HP-UX authentication to Active Directory

Bump.
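
In the PAM debug output posted above, the only module named by a load_modules line before each "Authentication failed" is libpam_unix.so.1. The script below is an added example, not part of the original thread: it summarizes such a syslog per sshd PID, listing the PAM modules loaded, the number of pam_authenticate failures, and whether any loaded module name contains "krb5". The function names, the sample host name and PIDs, and the libpam_krb5.so.1 file name in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-PID summary of PAM debug lines written by sshd to syslog.

pam_modules_by_pid() {
    awk '
    # Only lines tagged "sshd[PID]:" are considered.
    match($0, /sshd\[[0-9]+\]:/) {
        pid = substr($0, RSTART + 5, RLENGTH - 7)
        msg = substr($0, RSTART + RLENGTH + 1)
        if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }

        if (msg ~ /^load_modules: /) {
            # Keep the file name of the module, once per PID.
            cnt = split(substr(msg, 15), parts, "/")
            mod = parts[cnt]
            if (index("," mods[pid] ",", "," mod ",") == 0)
                mods[pid] = (mods[pid] == "" ? mod : mods[pid] "," mod)
            # Assumption: the Kerberos PAM module has krb5 in its file name.
            if (mod ~ /krb5/) krb[pid] = 1
        } else if (msg ~ /^pam_authenticate: error/) {
            fails[pid]++
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            printf "pid=%s failures=%d modules=%s krb5=%s\n", p, fails[p] + 0,
                (mods[p] == "" ? "-" : mods[p]), (krb[p] ? "yes" : "no")
        }
    }'
}

# Constructed sample lines in the same format as the debug output above.
sample_log() {
    cat <<'EOF'
Mar 12 17:01:41 hpuxhost sshd[1001]: pam_authenticate()
Mar 12 17:01:41 hpuxhost sshd[1001]: load_modules: /usr/lib/security/pa20_64/libpam_unix.so.1
Mar 12 17:02:02 hpuxhost sshd[1001]: pam_authenticate: error Authentication failed
Mar 12 17:02:04 hpuxhost sshd[1001]: load_modules: /usr/lib/security/pa20_64/libpam_unix.so.1
Mar 12 17:02:20 hpuxhost sshd[1001]: pam_authenticate: error Authentication failed
Mar 12 17:05:10 hpuxhost sshd[1002]: load_modules: /usr/lib/security/pa20_64/libpam_krb5.so.1
Mar 12 17:05:10 hpuxhost sshd[1002]: load_modules: /usr/lib/security/pa20_64/libpam_unix.so.1
EOF
}

sample_log | pam_modules_by_pid
```

To run it against a real log, pipe the syslog file into pam_modules_by_pid instead of sample_log.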