Re: Problem setting up LDAP-UX with AD - continued...
08-10-2010 08:07 PM
Re: Problem setting up LDAP-UX with AD - continued...
On the same note, libpam_ldap.so doesn't know about that stuff either (nor do any PAM auth modules). They only check to see if the user exists or not (by querying the NSS libraries).
A good way to think about all of this is to break it into three pieces. There's user information, provided by the "passwd", "group", and "shadow" entries in /etc/nsswitch.conf. In our example here we're using LDAP-UX to get that information. NSS-LDAP is used everywhere else.
The next piece is authentication, handled by PAM (/etc/pam.conf). Folks can use Kerberos, LDAP, local Unix, etc, individually or in combination.
The last piece is authorization, also handled by PAM. A method I've used for LDAP group-based authorization on HP-UX is the pam_authz module that comes with LDAP-UX; it's very similar to the pam_access module on other systems, and is very flexible.
I would point out that you should use some kind of access restriction for your LDAP users, as otherwise EVERY LDAP user with unix attributes will be visible to your Unix systems and thus able to log in.
Finally, in regards to your problem with libpam_krb5.so, have you applied the latest PAM_KRB5 patch? I had problems with the older versions as well.
08-11-2010 09:57 AM
Re: Problem setting up LDAP-UX with AD - continued...
08-11-2010 10:16 PM
Re: Problem setting up LDAP-UX with AD - continued...
Can you do a 'kinit
Kerberos is very simple to configure and works very reliably. If you're having trouble with it I'd imagine it's because of one of three reasons:
1) You have your /etc/krb5.conf misconfigured. Please post it here (sans private info) so we can look at it.
2) There's a firewall in between, or you're using DNS to find KDCs and DNS is serving up SRV records to unreachable KDCs. (I've run into this one before).
3) You don't have the requisite patches installed. Please give a list of the patches on those servers matching the strings "PAM" and "Kerb".
As far as Winbind goes, in general it's an inferior solution. It's "easier", but has other, more subtle issues that generally make it unsuitable for enterprise use. That's a discussion for another time, though.
08-12-2010 11:35 PM
Re: Problem setting up LDAP-UX with AD - continued...
# kinit doug
doug@EXAMPLE.COM's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: doug@EXAMPLE.COM
Issued Expires Principal
Aug 13 03:10:35 Aug 13 03:20:35 krbtgt/EXAMPLE.COM@EXAMPLE.COM
I am confused as to why LDAP authenticates to AD but Kerberos does not. Seems like if it can find the correct user/password for one method, it would for the other? I have attached relevant file contents. Many thanks!
08-13-2010 06:53 AM
Re: Problem setting up LDAP-UX with AD - continued...
Since Kerberos clearly works, your problem is most likely somewhere in your /etc/pam.conf. Can you provide that, along with any relevant output in the logs?
By the way, you have your krb5.conf configured for DES only. That may cause you problems with newer versions of Windows and Kerberos, as it seems that everyone is moving away from it as a technology. I recommend you use the following line in your /etc/krb5.conf instead for your encoding types:
rc4-hmac des-cbc-md5 DES-CBC-CRC
Finally, telnet sucks. I'd recommend using SSH instead. Make sure usePAM is on in /etc/ssh/sshd_config. :)
08-13-2010 08:11 AM
Re: Problem setting up LDAP-UX with AD - continued...
08-13-2010 08:16 AM
Re: Problem setting up LDAP-UX with AD - continued...
08-13-2010 08:21 AM
Re: Problem setting up LDAP-UX with AD - continued...
08-13-2010 02:50 PM
Re: Problem setting up LDAP-UX with AD - continued...
OTHER doesn't have anything else defined except libpam_unix.so.1, so Kerberos won't ever be checked. (don't change this by the way)
My #1 recommendation would be to stop using telnet and to add the libpam_krb5.so.1 line to the sshd blocks (that should be in there anyway). If you must use telnet, add a "telnet" stack (just cut and paste the "ftp" lines) in the appropriate places.
Good luck.
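As an added example (not code from this thread, nor part of HP's LDAP-UX or PAM_KRB5 products), here is a small Python audit that checks the two configuration points raised above: whether a service's PAM auth stack (or the OTHER stack it falls back to) actually contains a libpam_krb5 line, and whether the krb5.conf [libdefaults] enctype settings are single-DES only. It assumes HP-UX's pam.conf line layout (service, module type, control flag, module path, options) and an MIT-style krb5.conf; the two sample configurations are constructed to resemble the situation described in the thread, not the poster's real files.

```python
"""Audit a pam.conf and krb5.conf for the two problems discussed in the thread.

Assumptions (not taken from the thread): HP-UX pam.conf format
"service type flag module [options]" and MIT-style krb5.conf sections.
Both sample files below are constructed for illustration.
"""

# Constructed /etc/pam.conf excerpt: login has a Kerberos line, sshd does not,
# and OTHER (the fallback for any unlisted service such as telnet) is unix-only.
SAMPLE_PAM_CONF = """\
# service  type  flag        module                options
login      auth  required    libpam_hpsec.so.1
login      auth  sufficient  libpam_krb5.so.1
login      auth  required    libpam_unix.so.1      try_first_pass
sshd       auth  required    libpam_hpsec.so.1
sshd       auth  required    libpam_unix.so.1
OTHER      auth  required    libpam_unix.so.1
"""

# Constructed /etc/krb5.conf excerpt configured for single-DES only.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Single-DES enctype names as spelled in MIT Kerberos configuration files.
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
                "des-hmac-sha1", "des"}


def parse_pam_conf(text):
    """Return {service: {module_type: [(flag, module, options), ...]}}."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:                     # malformed line: ignore it
            continue
        service, mtype, flag, module = parts[:4]
        stacks.setdefault(service, {}).setdefault(mtype, []).append(
            (flag, module, parts[4:]))
    return stacks


def auth_stack_for(stacks, service):
    """Auth stack PAM consults for a service: its own entries, else OTHER's."""
    if "auth" in stacks.get(service, {}):
        return stacks[service]["auth"]
    return stacks.get("OTHER", {}).get("auth", [])


def uses_kerberos(stacks, service):
    """True if any module in the effective auth stack is a libpam_krb5 build."""
    return any("libpam_krb5" in module
               for _flag, module, _opts in auth_stack_for(stacks, service))


def libdefaults(text):
    """Return the key/value pairs of the krb5.conf [libdefaults] section."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def des_only_enctypes(text):
    """Names of *_enctypes keys whose every listed type is single-DES."""
    flagged = []
    for key, value in libdefaults(text).items():
        types = [t.lower() for t in value.split()]
        if key.endswith("_enctypes") and types and all(t in DES_ENCTYPES for t in types):
            flagged.append(key)
    return flagged


def audit(pam_text, krb5_text, services=("sshd", "login", "telnet")):
    """Collect human-readable findings for the given services and krb5.conf."""
    stacks = parse_pam_conf(pam_text)
    findings = []
    for svc in services:
        if not uses_kerberos(stacks, svc):
            where = "its own stack" if "auth" in stacks.get(svc, {}) else "the OTHER stack"
            findings.append(f"{svc}: auth uses {where}, which has no libpam_krb5 line")
    for key in des_only_enctypes(krb5_text):
        findings.append(f"krb5.conf: {key} lists only single-DES enctypes")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAM_CONF, SAMPLE_KRB5_CONF):
        print(finding)
```

On the samples, sshd and telnet are reported (telnet because it silently inherits the unix-only OTHER stack, exactly the symptom diagnosed in the thread) while login passes, and both enctype keys are flagged. The DES check deliberately follows the thread's advice and only complains about DES-only lists; the suggested replacement line, which still leads with rc4-hmac, passes it, although on current Windows and Kerberos releases the AES enctypes are what a defender would actually want in that list.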
08-16-2010 10:22 AM