HPE Community
Operating System - HP-UX
1751883 Members
5415 Online
108783 Solutions
New Discussion юеВ

HP-UX authentication to Active Directory

 
Chris Clonch
New Member

тАО03-12-2010 01:50 PM

тАО03-12-2010 01:50 PM

HP-UX authentication to Active Directory

I can't seem to get it working... I'm only trying to do authentication against AD, not user management, so no LDAP. This is on a newly installed 11.23 with the latest patches installed.

swlist -l product | grep -i -e krb -e kerb
KRB5-Client B.11.23 Kerberos V5 Client Version 1.0
PAM-Kerberos C.01.26 PAM-Kerberos Version 1.26
PHSS_39765 1.0 KRB5-Client Version 1.0 Cumulative patch

I copied over the /etc/pam.krb5 to /etc/pam.conf. I've verified everything is setup:

pamkrbval -a pa64

Validating the pam configuration files
---------- --- --- ------------- -----

Validating the /etc/pam.conf file
[PASS] : The validation of config file: /etc/pam.conf passed

[NOTICE] : The validation of config file: /etc/pam_user.conf is not done
as libpam_updbe library is not configured

Validating the kerberos config file
---------- --- -------- ------ -----
[PASS] : Initialization of kerberos passed

Connecting to default Realm
---------- -- ------- -----
[PASS] : Default Realm is issuing tickets

Validating the keytab entry for the host service principal
---------- --- ------ ----- --- --- ---- ------- ---------
[WARNING] : Keytab file /etc/krb5.keytab is not present
[IGNORE] : The keytab validation is ignored,assuming success

Validating the rc_host file for ownership
-------- ------ ---- -------- ------ -----
[PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful


Using kinit and klist, I can verify ticket granting.

With debug enable in sshd and pam.conf I get:

Mar 12 16:20:37 cocbhpuhlat1 sshd[7674]: debug1: PAM: initializing for "testuser"
Mar 12 16:20:37 cocbhpuhlat1 sshd[7674]: debug1: PAM: setting PAM_RHOST to "testhost.domain.com"
Mar 12 16:20:37 cocbhpuhlat1 sshd[7674]: Failed none for testuser from 192.168.1.99 port 3452 ssh2
Mar 12 16:20:37 cocbhpuhlat1 sshd[7674]: debug1: audit event euid 0 user testuser event 3 (AUTH_FAIL_NONE)
Mar 12 16:20:47 cocbhpuhlat1 sshd[7674]: pam_authenticate: error Authentication failed
Mar 12 16:20:49 cocbhpuhlat1 sshd[7674]: error: PAM: Authentication failed for testuser from testhost.domain.com
Mar 12 16:20:49 cocbhpuhlat1 sshd[7674]: Failed keyboard-interactive/pam for testuser from 192.168.1.99 port 3452 ssh2
Mar 12 16:20:49 cocbhpuhlat1 sshd[7674]: debug1: Entering record_failed_login uid 0
Mar 12 16:20:49 cocbhpuhlat1 sshd[7674]: debug1: audit event euid 0 user testuser event 5 (AUTH_FAIL_KBDINT)
Mar 12 16:21:02 cocbhpuhlat1 sshd[7674]: pam_authenticate: error Authentication failed
Mar 12 16:21:04 cocbhpuhlat1 sshd[7674]: error: PAM: Authentication failed for testuser from testhost.domain.com
Mar 12 16:21:04 cocbhpuhlat1 sshd[7674]: Failed keyboard-interactive/pam for testuser from 192.168.1.99 port 3452 ssh2
Mar 12 16:21:04 cocbhpuhlat1 sshd[7674]: debug1: Entering record_failed_login uid 0
Mar 12 16:21:04 cocbhpuhlat1 sshd[7674]: debug1: audit event euid 0 user testuser event 5 (AUTH_FAIL_KBDINT)
Mar 12 16:21:17 cocbhpuhlat1 sshd[7674]: debug1: do_pam_account: called


Any ideas? I know this can work as I have Linux hosts authenticating.
0 Kudos
Reply
2 REPLIES 2
Chris Clonch
New Member

тАО03-12-2010 02:06 PM

тАО03-12-2010 02:06 PM

Re: HP-UX authentication to Active Directory

Sorry, seems I didn't have pam debugging enabled properly.


Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: rexec start in 6 out 6 newsock 6 pipe 8 sock 9
Mar 12 17:01:35 cocbhpuhlat1 sshd[7664]: debug1: Forked child 9882.
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: inetd sockets after dupping: 5, 5
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: audit connection from 192.168.1.99 port 3797 euid 0
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: Connection from 192.168.1.99 port 3797
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: HPN Disabled: 0, HPN Buffer Size: 65536
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: Client protocol version 2.0; client software version PuTTY_Release_0.60
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: SSH: Server;Ltype: Version;Remote: 192.168.1.99-3797;Protocol: 2.0;Client: PuTTY_Release_0.60
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: no match: PuTTY_Release_0.60
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: Enabling compatibility mode for protocol 2.0
Mar 12 17:01:35 cocbhpuhlat1 sshd[9882]: debug1: Local version string SSH-1.99-OpenSSH_5.3p1+sftpfilecontrol-v1.3-hpn13v5
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: Config token is protocol
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: Config token is syslogfacility
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: Config token is loglevel
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: Config token is kerberosauthentication
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: Config token is usepam
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: Config token is x11forwarding
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: Config token is subsystem
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: PAM: initializing for "testuser"
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_start(sshd testuser)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_set_item(1)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_set_item(2)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_set_item(5)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: PAM: setting PAM_RHOST to "testhost.domain.com"
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_set_item(4)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: Failed none for testuser from 192.168.1.99 port 3797 ssh2
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: debug1: audit event euid 0 user testuser event 3 (AUTH_FAIL_NONE)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_set_item(5)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_authenticate()
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: load_modules: /usr/lib/security/pa20_64/libpam_unix.so.1
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: load_function: successful load of pam_sm_authenticate
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_get_username(ux)
Mar 12 17:01:41 cocbhpuhlat1 sshd[9882]: pam_mapping_in_use()
Mar 12 17:02:02 cocbhpuhlat1 sshd[9882]: pam_set_item(6)
Mar 12 17:02:02 cocbhpuhlat1 sshd[9882]: pam_authenticate: error Authentication failed
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: error: PAM: Authentication failed for testuser from testhost.domain.com
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: Failed keyboard-interactive/pam for testuser from 192.168.1.99 port 3797 ssh2
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: debug1: Entering record_failed_login uid 0
Mar 12 17:02:02 cocbhpuhlat1 sshd[9882]: pam_set_item(6)
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: debug1: audit event euid 0 user testuser event 5 (AUTH_FAIL_KBDINT)
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: pam_set_item(5)
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: pam_authenticate()
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: load_modules: /usr/lib/security/pa20_64/libpam_unix.so.1
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: pam_get_username(ux)
Mar 12 17:02:04 cocbhpuhlat1 sshd[9882]: pam_mapping_in_use()
0 Kudos
Reply
Chris Clonch
New Member

тАО03-30-2010 10:22 AM

тАО03-30-2010 10:22 AM

Re: HP-UX authentication to Active Directory

Bump.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.