Re: Problem setting up LDAP-UX with AD - continued...
Jeffrey W Watts
Advisor

Re: Problem setting up LDAP-UX with AD - continued...

Doug, you're a bit on the wrong track. Kerberos is an authentication service. That is, it verifies that you are who you say you are. Basically, it simply verifies by a password that UserA is actually UserA. It doesn't know about anything else (uidNumber, gidNumber, gecos, etc). As such, RFC2307 and other types of user info don't have anything to do with it. So don't worry, your LDAP configuration won't break Kerberos. :)

On the same note, libpam_ldap.so doesn't know about that stuff either (nor do any PAM auth modules). They only check to see if the user exists or not (by querying the NSS libraries).

A good way to think about all of this is to break it into three pieces. There's user information, provided by the "passwd", "group", and "shadow" entries in /etc/nsswitch.conf. In our example here we're using LDAP-UX to get that information. NSS-LDAP is used everywhere else.

The next piece is authentication, handled by PAM (/etc/pam.conf). Folks can use Kerberos, LDAP, local Unix, etc, individually or in combination.

The last piece is authorization, handled also by PAM. A method I've used for using LDAP group-based authorization on HP-UX is to use the pam_authz module that comes with LDAP-UX; it's very similar to the pam_access module on other systems, and is very flexible.

I would point out that you should use some kind of access restriction for your LDAP users, as otherwise EVERY LDAP user with unix attributes will be visible to your Unix systems and thus able to log in.

Finally, in regards to your problem with libpam_krb5.so, have you applied the latest PAM_KRB5 patch? I had problems with the older versions as well.
Doug G Williams
Advisor

Re: Problem setting up LDAP-UX with AD - continued...

Thanks Jeffrey for the info. After I had noodled a bit about those attributes mapping I pretty much reached the conclusion that they are not the reason for not being able to use krb5 library authentication. I keep coming back to needing the keytab file on the client and having the client joined to AD. I tried generating the keytab using samba net as well as mksutil, but unfortunately I do not have rights to access the AD server, and so fail. I found that our Linux admin uses winbind, but of course, he also is an AD admin, so he has the muscle to get his stuff working. :) I have made a request/ticket for them to add a hp-ux client into AD and generate a keytab for me so I can test. I will let you know how it goes. I installed the latest pam kerberos, krb5client, ldapux packages on all our servers, so that's probably not the issue. Thanks again.
Jeffrey W Watts
Advisor

Re: Problem setting up LDAP-UX with AD - continued...

Doug, the keytab is not required for users to authenticate. You're having some other issue. The keytab is essentially a stored key that can be used to authenticate a given credential non-interactively. The keytab generated by 'net' would have keys in it for the computer account that 'net' would have created in AD.

Can you do a 'kinit ' successfully? Does a subsequent 'klist' show your keys?

Kerberos is very simple to configure and works very reliably. If you're having trouble with it I'd imagine it's because of one of three reasons:

1) You have your /etc/krb5.conf misconfigured. Please post it here (sans private info) so we can look at it.
2) There's a firewall in between, or you're using DNS to find KDCs and DNS is serving up SRV records to unreachable KDCs. (I've run into this one before).
3) You don't have the requisite patches installed. Please give a list of the patches on those servers matching the strings "PAM" and "Kerb".

As far as Winbind goes, in general it's an inferior solution. It's "easier", but has other, more subtle issues that generally make it unsuitable for enterprise use. That's a discussion for another time, though.
Doug G Williams
Advisor

Re: Problem setting up LDAP-UX with AD - continued...

Jeffrey, yes, I can do kinit:
# kinit doug
doug@EXAMPLE.COM's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: doug@EXAMPLE.COM

Issued Expires Principal
Aug 13 03:10:35 Aug 13 03:20:35 krbtgt/EXAMPLE.COM@EXAMPLE.COM

I am confused as to why LDAP authenticates to AD but not Kerberos. It seems like if it can find the correct user/password for one method, it would for the other? I have attached relevant file contents. Many thanks!
Jeffrey W Watts
Advisor

Re: Problem setting up LDAP-UX with AD - continued...

Hey Doug, thanks for the info.

Since Kerberos clearly works, your problem is most likely somewhere in your /etc/pam.conf. Can you provide that, along with any relevant output in the logs?

By the way, you have your krb5.conf configured for DES only. That may cause you problems with newer versions of Windows and Kerberos, as it seems that everyone is moving away from it as a technology. I recommend you use the following line in your /etc/krb5.conf instead for your encoding types:
rc4-hmac des-cbc-md5 DES-CBC-CRC

Finally, telnet sucks. I'd recommend using SSH instead. Make sure usePAM is on in /etc/ssh/sshd_config. :)
Doug G Williams
Advisor

Re: Problem setting up LDAP-UX with AD - continued...

Hi Jeffrey. Attached pam.krb5. When testing, I just copy pam.krb5 to pam.conf, then touch pam.conf (just in case). Thanks for recommendations.
Doug G Williams
Advisor

Re: Problem setting up LDAP-UX with AD - continued...

Ah, I think I may see the problem (forcing me to actually look :) ): the sufficient/required needs to be switched between krb5 and unix.
Doug G Williams
Advisor

Re: Problem setting up LDAP-UX with AD - continued...

Nope, that was not it :(
Jeffrey W Watts
Advisor

Re: Problem setting up LDAP-UX with AD - continued...

I think I may have figured it out. You're using telnet to test this, but you don't have a PAM stack for telnet specifically; it's just using OTHER.

OTHER doesn't have anything else defined except libpam_unix.so.1, so Kerberos won't ever be checked. (don't change this by the way)

My #1 recommendation would be to stop using telnet and to add the libpam_krb5.so.1 line to the sshd blocks (that should be in there anyway). If you must use telnet, add a "telnet" stack (just cut and paste the "ftp" lines) in the appropriate places.

Good luck.
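The fall-through to OTHER described above is easy to miss by eye, so here is an added check (my own script, not from the thread or from HP) that reports which /etc/pam.conf stack a given service actually gets and whether libpam_krb5 is ever consulted. It runs against a constructed pam.conf modelled on the thread (sshd and ftp have Kerberos, telnet has no stack of its own); the file path and the /usr/lib/security module paths are assumptions.

```shell
#!/bin/sh
# Added example: find the effective PAM auth stack for a service.
# PAMCONF is an assumed path holding a constructed sample, not a real /etc/pam.conf.
PAMCONF="${PAMCONF:-/tmp/pam.conf.example}"

cat > "$PAMCONF" <<'EOF'
# constructed sample in HP-UX pam.conf layout: service type control module options
login  auth  sufficient /usr/lib/security/libpam_krb5.so.1
login  auth  required   /usr/lib/security/libpam_unix.so.1 use_first_pass
sshd   auth  sufficient /usr/lib/security/libpam_krb5.so.1
sshd   auth  required   /usr/lib/security/libpam_unix.so.1 use_first_pass
ftp    auth  sufficient /usr/lib/security/libpam_krb5.so.1
ftp    auth  required   /usr/lib/security/libpam_unix.so.1 use_first_pass
OTHER  auth  required   /usr/lib/security/libpam_unix.so.1
EOF

# pam_stack_source SERVICE TYPE
# Prints the service whose lines PAM will use: SERVICE itself when it has
# entries of that module type, otherwise OTHER (the fall-through case).
pam_stack_source() {
    awk -v svc="$1" -v type="$2" '
        $1 !~ /^#/ && $1 == svc && $2 == type { found = 1 }
        END { print (found ? svc : "OTHER") }' "$PAMCONF"
}

# pam_has_module SERVICE TYPE MODULE
# Exit 0 when the effective stack for SERVICE/TYPE loads MODULE, else 1.
pam_has_module() {
    src=$(pam_stack_source "$1" "$2")
    awk -v svc="$src" -v type="$2" -v mod="$3" '
        $1 !~ /^#/ && $1 == svc && $2 == type && $4 ~ mod { hit = 1 }
        END { exit (hit ? 0 : 1) }' "$PAMCONF"
}

# Report the three services from the thread; telnet lands on OTHER.
for s in sshd telnet ftp; do
    printf '%-6s auth stack comes from: %s\n' "$s" "$(pam_stack_source "$s" auth)"
    pam_has_module "$s" auth libpam_krb5 \
        && echo "   -> Kerberos is consulted" \
        || echo "   -> Kerberos is NEVER consulted (libpam_unix only)"
done
```

Point PAMCONF at a copy of a real pam.conf (and drop the heredoc) to audit a live system the same way; the same check works for the account, session and password module types.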
Doug G Williams
Advisor

Re: Problem setting up LDAP-UX with AD - continued...

:( Still no joy. Tried with ssh, telnet, ftp, dtlogin... What version of PAM Kerberos are you using?