LDAP-UX (Win ADS Kerberos) + sshd

 
Sander Reiche (HVS)

Hi guys,


I'm at a loss here.

I've followed the LDAP-UX Administrator's Guide (HP Part Number: 5900-1479) and I have Kerberos working fine with the Windows ADS Domain. `kinit(1)' even nicely gets a ticket after authentication, but for the life of me, I can't seem to get `sshd' to play nice with the whole thing. I still can't connect to my HP-UX 11iv3 machine (HP-UX hvs11 B.11.31 U ia64) via `ssh' using an ADS account.


What am I missing here? Any takers?


Some configuration files and feedback from my system:


# /opt/ldapux/config/netjoin
Scanning DNS domain "intern.hilversum.nl" for any registered Active Directory servers...

Please enter the DN of a user that has sufficient privilege to add this host
to the "intern.hilversum.nl" domain.  Note also that if this is the first
time adding an HP-UX host to this directory server, LDAP-UX may also need to
extend the server's schema.  Please enter the DN of an Administrator with
these privileges or press Return for the default value
[CN=Administrator,CN=Users,DC=intern,DC=hilversum,DC=nl]: cn=root,ou=Beheerders,ou=Gebruikers-zonder-Zarafa,ou=Hilversum,dc=intern,dc=hilversum,dc=nl
Please enter the administrator's password:

Found profile entry CN=ldapuxprofile,CN=system,DC=intern,DC=hilversum,DC=nl.
Successfully downloaded profile entry from AD server.
Created "hvs11.intern.hilversum.nl" computer account.
Modified UserAccountControl of "hvs11.intern.hilversum.nl" computer account.
Backing up all the default krb5 log files.
The Kerberos configuration file /etc/krb5.conf has been created.
Configured "hvs11.intern.hilversum.nl" as LDAP-UX proxy.
Your LDAP-UX client has been successfully configured and
is now a member of the "intern.hilversum.nl" domain.

The Kerberos configuration:

# cat /etc/krb5.conf
[libdefaults]
    default_realm = INTERN.HILVERSUM.NL
    default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    ccache_type = 2

[realms]
    INTERN.HILVERSUM.NL = {
        kdc = sdc01.intern.hilversum.nl:88
        kpasswd = sdc02.intern.hilversum.nl:464
    }

[domain_realm]
    .intern.hilversum.nl = INTERN.HILVERSUM.NL

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

`kinit(1)' working:

# kinit sre
Password for sre@INTERN.HILVERSUM.NL:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sre@INTERN.HILVERSUM.NL

Valid starting     Expires            Service principal
12/12/11 14:16:42  12/13/11 00:16:42  krbtgt/INTERN.HILVERSUM.NL@INTERN.HILVERSUM.NL
#

The sshd rules in `/etc/pam.conf':

# grep sshd pam.conf
sshd         auth       required        libpam_hpsec.so.1
sshd         auth       sufficient      libpam_krb5.so.1
sshd         auth       required        libpam_unix.so.1 try_first_pass
sshd         account    required        libpam_hpsec.so.1
sshd         account    sufficient      libpam_krb5.so.1
sshd         account    required        libpam_unix.so.1
sshd         session    required        libpam_hpsec.so.1
sshd         session    sufficient      libpam_krb5.so.1
sshd         session    required        libpam_unix.so.1
sshd         password   required        libpam_hpsec.so.1
sshd         password   sufficient      libpam_krb5.so.1
sshd         password   required        libpam_unix.so.1 try_first_pass

And the `nsswitch.conf' entries concerning ldap:

# grep ldap nsswitch.conf
passwd:       files ldap
group:        files ldap


~~ UNIX is very simple, it just needs a genius to understand its simplicity.
dmr ~~
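Editor's added example, not part of the original post or of LDAP-UX. The sshd stack posted above mixes `required` and `sufficient` control flags, and which module actually decides an ssh login is easy to misread. The script below parses the posted `/etc/pam.conf` lines (single-file HP-UX/Solaris format: service, type, control, module, options) and walks one management group the way the PAM framework does, reporting the result and which modules were consulted. It generalizes beyond the page by also handling `requisite` and `optional`, and the per-module outcomes it feeds in are constructed, not observed on the poster's system. Two things it makes visible: a krb5 success ends the `auth` stack before `libpam_unix` is ever asked (so a correct AD password needs no local password), while a krb5 failure falls through to `libpam_unix try_first_pass`, so a correct local password for the same username still logs in; and a failure in the `required` `libpam_hpsec` can never be rescued by a later `sufficient` krb5 success, although the stack keeps running so the user gets no hint about which module refused.

```python
"""Simulate HP-UX / Solaris-style pam.conf stacking for one service.

Editor's added example. The pam.conf lines are copied from the post; the
per-module outcomes used below are constructed to show which module decides.
"""

# Constructed sample input: the sshd auth/account stack exactly as posted.
PAM_CONF = """
sshd         auth       required        libpam_hpsec.so.1
sshd         auth       sufficient      libpam_krb5.so.1
sshd         auth       required        libpam_unix.so.1 try_first_pass
sshd         account    required        libpam_hpsec.so.1
sshd         account    sufficient      libpam_krb5.so.1
sshd         account    required        libpam_unix.so.1
"""


def parse_pam_conf(text, service):
    """Return (type, control, module, options) tuples for one service, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] != service:
            continue
        _svc, mtype, control, module, *options = fields
        entries.append((mtype, control.lower(), module, options))
    return entries


def evaluate_stack(entries, mtype, outcomes):
    """Walk one management group (auth, account, ...) and return (granted, consulted).

    outcomes maps module file name -> True/False for what that module would return.
    Control-flag semantics as implemented by the PAM framework:
      required   a failure is remembered, but the stack keeps running
      requisite  a failure ends the stack immediately with failure
      sufficient a success ends the stack with success unless a required
                 module already failed; a failure is simply ignored
      optional   counts only when no required/requisite/sufficient module decided
    """
    required_failed = False
    saw_required = False
    optional_result = None
    consulted = []
    for etype, control, module, _opts in entries:
        if etype != mtype:
            continue
        consulted.append(module)
        ok = outcomes.get(module, False)          # unknown module counts as failure
        if control == "required":
            saw_required = True
            if not ok:
                required_failed = True
        elif control == "requisite":
            saw_required = True
            if not ok:
                return False, consulted
        elif control == "sufficient":
            if ok and not required_failed:
                return True, consulted
        elif control == "optional":
            if optional_result is None:
                optional_result = ok
        else:
            raise ValueError(f"unknown control flag {control!r} for {module}")
    if required_failed:
        return False, consulted
    if saw_required:
        return True, consulted                    # every required module succeeded
    if optional_result is not None:
        return optional_result, consulted
    return False, consulted                       # nothing positively vouched for the user


def sshd_auth(outcomes, mtype="auth"):
    """Evaluate the posted sshd stack for one management group."""
    return evaluate_stack(parse_pam_conf(PAM_CONF, "sshd"), mtype, outcomes)


if __name__ == "__main__":
    # Constructed scenarios: what each module would answer for a given login attempt.
    scenarios = {
        "AD password ok": {"libpam_hpsec.so.1": True, "libpam_krb5.so.1": True, "libpam_unix.so.1": False},
        "local password ok": {"libpam_hpsec.so.1": True, "libpam_krb5.so.1": False, "libpam_unix.so.1": True},
        "hpsec refuses": {"libpam_hpsec.so.1": False, "libpam_krb5.so.1": True, "libpam_unix.so.1": True},
    }
    for name, outcomes in scenarios.items():
        granted, consulted = sshd_auth(outcomes)
        print(f"{name:18s} granted={granted!s:5s} consulted={consulted}")
```

The stack is only reached once sshd has resolved the login name through the passwd database in `nsswitch.conf`; if `pwget -n sre` on the HP-UX box returns nothing, LDAP-UX is not answering for the AD account and no PAM configuration will let that user in. The other prerequisite worth confirming is that sshd is built and configured to call PAM at all (`UsePAM yes` in `sshd_config`, `/opt/ssh/etc/sshd_config` on HP-UX Secure Shell); running `sshd -d` on a spare port shows which of the two stages rejects the login.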