LDAP-UX (Win ADS Kerberos) + sshd

Sander Reiche (HVS)

Hi guys,


I'm at a loss here.

I've followed the LDAP-UX Administrator's Guide (HP Part Number: 5900-1479) and I have Kerberos working fine with the Windows ADS Domain. `kinit(1)' even nicely gets a ticket after authentication, but for the life of me, I can't seem to get `sshd' to play nice with the whole thing. I still can't connect to my HP-UX 11iv3 machine (HP-UX hvs11 B.11.31 U ia64) via `ssh' using an ADS account.


What am I missing here? Any takers?


Some configuration files and feedback from my system:


# /opt/ldapux/config/netjoin

Scanning DNS domain "" for any registered Active Directory servers...

Please enter the DN of a user that has sufficient privilege to add this host
to the "" domain.  Note also that if this is the first
time adding an HP-UX host to this directory server, LDAP-UX may also need to
extend the server's schema.  Please enter the DN of an Administrator with
these privileges or press Return for the default value
[CN=Administrator,CN=Users,DC=intern,DC=hilversum,DC=nl]: cn=root,ou=Beheerders,ou=Gebruikers-zonder-Zarafa,ou=Hilversum,dc=intern,dc=hilversum,dc=nl

Please enter the administrator's password:

Found profile entry CN=ldapuxprofile,CN=system,DC=intern,DC=hilversum,DC=nl.

Successfully downloaded profile entry from AD server.

Created "" computer account.

Modified UserAccountControl of "" computer account.

Backing up all the default krb5 log files.

The Kerberos configuration file /etc/krb5.conf has been created.

Configured "" as LDAP-UX proxy.

Your LDAP-UX client has been successfully configured and
is now a member of the "" domain.

 The Kerberos configuration:

# cat /etc/krb5.conf
    default_realm = INTERN.HILVERSUM.NL
    default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    ccache_type = 2

        kdc =
        kpasswd =

[domain_realm] = INTERN.HILVERSUM.NL

    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

 `kinit(1)' working:

# kinit sre
Password for sre@INTERN.HILVERSUM.NL:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sre@INTERN.HILVERSUM.NL

Valid starting     Expires            Service principal
12/12/11 14:16:42  12/13/11 00:16:42  krbtgt/INTERN.HILVERSUM.NL@INTERN.HILVERSUM.NL

 The sshd rules in `/etc/pam.conf':

# grep sshd pam.conf
sshd         auth       required
sshd         auth       sufficient
sshd         auth       required try_first_pass
sshd         account    required
sshd         account    sufficient
sshd         account    required
sshd         session    required
sshd         session    sufficient
sshd         session    required
sshd         password   required
sshd         password   sufficient
sshd         password   required try_first_pass

 And the `nsswitch.conf' entries concerning ldap:

# grep ldap nsswitch.conf
passwd:       files ldap
group:        files ldap


~~ UNIX is very simple, it just needs a genius to understand its simplicity.
dmr ~~
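A small configuration sanity check, added here as an example and not part of the original post or of LDAP-UX itself: it scans a krb5.conf for realm entries whose kdc/kpasswd values are empty (as they appear in the listing above), scans pam.conf for sshd stanzas that carry no module path (HP-UX pam.conf lines are "service type control module-path [options]"), and confirms that nsswitch.conf lists ldap for passwd and group. The sample files it writes are constructed for the self-test and only mirror the shape of the post's listings; the module names in them are the usual HP-UX PAM library names and are an assumption, not values taken from the post.

```shell
#!/bin/sh
# Added example (not from the post): quick checks over the three files an
# LDAP-UX + Kerberos + sshd setup depends on. Each check prints one line per
# finding and returns the number of findings as its exit status.

# check_krb5 FILE: empty kdc/kpasswd values, missing default_realm or [realms]
check_krb5() {
    awk '
        /^[ \t]*kdc[ \t]*=[ \t]*$/                 { print FILENAME ": line " NR ": empty kdc value"; bad++ }
        /^[ \t]*kpasswd[ \t]*=[ \t]*$/             { print FILENAME ": line " NR ": empty kpasswd value"; bad++ }
        /^[ \t]*default_realm[ \t]*=[ \t]*[^ \t]/  { realm = 1 }
        /^[ \t]*\[realms\][ \t]*$/                 { realms = 1 }
        END {
            if (!realm)  { print FILENAME ": no default_realm set"; bad++ }
            if (!realms) { print FILENAME ": no [realms] section"; bad++ }
            exit bad
        }' "$1"
}

# check_pam_sshd FILE: sshd stanzas whose 4th field is not a module path
check_pam_sshd() {
    awk '$1 == "sshd" {
            # fields: service module-type control-flag module-path [options]
            if (NF < 4 || $4 !~ /^\//) {
                print FILENAME ": line " NR ": sshd stanza has no module path: " $0
                bad++
            }
         }
         END { exit bad }' "$1"
}

# check_nsswitch FILE: passwd: and group: must both list the ldap source
check_nsswitch() {
    awk '$1 == "passwd:" || $1 == "group:" {
            seen[$1] = 1; ok = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1
            if (!ok) { print FILENAME ": " $1 " does not list ldap"; bad++ }
         }
         END {
            if (!seen["passwd:"]) { print FILENAME ": no passwd: line"; bad++ }
            if (!seen["group:"])  { print FILENAME ": no group: line";  bad++ }
            exit bad
         }' "$1"
}

# run_checks KRB5 PAM NSSWITCH: run all three, return 1 if anything was found
run_checks() {
    rc=0
    check_krb5 "$1"      || rc=1
    check_pam_sshd "$2"  || rc=1
    check_nsswitch "$3"  || rc=1
    return $rc
}

# write_samples [DIR]: constructed sample files (shapes from the post, values
# made up for the demo; module names are an assumption). Prints the directory.
write_samples() {
    dir=${1:-/tmp/ldapux-check.$$}
    mkdir -p "$dir"
    cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.TEST
[realms]
    EXAMPLE.TEST = {
        kdc =
        kpasswd =
    }
EOF
    cat > "$dir/pam.conf" <<'EOF'
sshd         auth       required
sshd         auth       sufficient      /usr/lib/security/$ISA/libpam_krb5.so.1
sshd         auth       required        /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
EOF
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd:       files ldap
group:        files ldap
EOF
    echo "$dir"
}

# Usage: sh check.sh /etc/krb5.conf /etc/pam.conf /etc/nsswitch.conf
#    or: sh check.sh --demo      (runs against the constructed samples)
if [ $# -eq 3 ]; then
    run_checks "$1" "$2" "$3"
elif [ "$1" = "--demo" ]; then
    d=$(write_samples)
    run_checks "$d/krb5.conf" "$d/pam.conf" "$d/nsswitch.conf"
    rm -rf "$d"
fi
```

Against the constructed samples the script reports the two empty realm values and the one sshd stanza without a module path, and passes nsswitch.conf; on a real host, point it at the three files in /etc and read each finding as a place to look, not as proof of the fault.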