
Kerberos authentication from XP PC (AD account) to HP-UX via telnet/ssh

 
Dan Copeland
Regular Advisor

Kerberos authentication from XP PC (AD account) to HP-UX via telnet/ssh

is this possible?

I already have SSO working for an Oracle Applications app server running on hp-ux authenticating back to AD w/ Kerberos...was hoping to be able to do the same for ssh logins, etc from desktops

Is there a kinit for Windows XP? Do certain terminal emulators take care of ticketing exchange?

tia,
Dan
Steven E. Protter
Exalted Contributor

Re: Kerberos authentication from XP PC (AD account) to HP-UX via telnet/ssh

Shalom,

Quite possible.

Few strategies:

1) Samba:
Install these two depots:
Client(requires a boot)
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8724AA
Server(does not require a boot)
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

Choose Security=ADS in the smb.conf file

Run a command called net join primary_domain_controller password

net join is in /opt/samba/bin

This step integrates file permissions with shared filesystems into the ADS domain.

Step 1 is optional but will lead to full integration of file permissions and is worth the trouble.

The next step is to Integrate User authentication. You can use LDAP or ADS direct.
More detail:
http://www2.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fdocs.hp.com%2Fen%2FB8725-90074%2Findex.html%26qt%3D%2Bhp%2Bux%2BADS%2BLDAP%2Bintegration%26hit%3D3&aid=SEARCH_MANUAL&pil=3&serStr=hp+ux+ADS+LDAP+integration
I'm providing how to documents below for both.

ADS:http://www2.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fforums1.itrc.hp.com%2Fservice%2Fforums%2Fquestionanswer.do%253FthreadId%253D70242%26qt%3D%252Bhp%2B%252Bux%2B%2B%252BADS%2B%252Bintegration%2B%26hit%3D1&aid=SEARCH_FORUMS&pil=1&serStr=hp+ux+ADS+integration&pir=1
There are links in the thread. They are good links.

LDAP:http://www2.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fforums1.itrc.hp.com%2Fservice%2Fforums%2Fquestionanswer.do%253FthreadId%253D765217%26qt%3D%252Bhp%2B%252Bux%2B%2B%252BADS%2B%252Bintegration%2B%26hit%3D3&aid=SEARCH_FORUMS&pil=3&serStr=hp+ux+ADS+integration&pir=3

ADS
http://www2.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fdocs.hp.com%2Fen%2F1408%2FADSLDUX.pdf%26qt%3D%2Bhp%2Bux%2BADS%2BLDAP%2Bintegration%26hit%3D1&aid=SEARCH_MANUAL&pil=1&serStr=hp+ux+ADS+LDAP+integration

Kerberos required:
http://www2.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fdocs.hp.com%2Fen%2F7213%2FHPCIFSKerberosV103.pdf%26qt%3D%2Bhp%2Bux%2BADS%2BWindows%2B2003%2BServer%2Bintegration%26hit%3D1&aid=SEARCH_MANUAL&pil=1&serStr=hp+ux+ADS+Windows+2003+Server+integration

General guide to HP-UX 11i v1
http://www2.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fdocs.hp.com%2Fen%2Fhpux11i.html%26qt%3D%2Bhp%2Bux%2BADS%2BWindows%2B2003%2BServer%2Bintegration%26hit%3D3&aid=SEARCH_MANUAL&pil=3&serStr=hp+ux+ADS+Windows+2003+Server+integration

11i V2
http://www2.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fdocs.hp.com%2Fen%2Fhpux11iv2.html%26qt%3D%2Bhp%2Bux%2BADS%2BWindows%2B2003%2BServer%2Bintegration%26hit%3D4&aid=SEARCH_MANUAL&pil=4&serStr=hp+ux+ADS+Windows+2003+Server+integration

LDAP
http://www2.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fdocs.hp.com%2Fen%2FJ4269-90049%2Findex.html%26qt%3D%2Bhp%2Bux%2BADS%2BLDAP%2Bintegration%26hit%3D11&aid=SEARCH_MANUAL&pil=11&serStr=hp+ux+ADS+LDAP+integration

I think the above will suffice.

I recommend full integration with Kerberos.
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Doug Lamoureux_2
Valued Contributor

Re: Kerberos authentication from XP PC (AD account) to HP-UX via telnet/ssh

Take a look at Reflections from WRQ, it supports kerberized telnet/ftp/ssh clients:
http://www.wrq.com/products/reflection/

PuTTY's SSH client also supports Kerberos authentication, not sure about the telnet client.

You can download Kerberos binaries for windows from MIT: http://web.mit.edu/kerberos/dist/index.html

Of course you'll need to enable Secure Internet Services (SIS) for telnet on the HP-UX side.

Cheers,
Doug
Dan Copeland
Regular Advisor

Re: Kerberos authentication from XP PC (AD account) to HP-UX via telnet/ssh

What if I maintain the user account info on the HP-UX host...could I get the authentication to work w/ kerberos w/o the LDAP-UX?
Doug Lamoureux_2
Valued Contributor

Re: Kerberos authentication from XP PC (AD account) to HP-UX via telnet/ssh

Yes, if your uidname in the passwd file is the same as the user name in AD (you should not have a password for the user in the passwd file, otherwise they could authenticate using it instead of PAM_Kerberos). With this configuration you will only configure PAM_Kerberos and SIS if you want to enable Kerberized Internet Services (telnet, ftp, r-commands).
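
Added example, not part of the original thread: a small check for the point in the last reply, that a locally maintained account meant to log in through PAM_Kerberos should carry no usable password in the passwd file. The function name `audit_passwd`, the state labels and the sample entries are constructed for illustration, and the script assumes any hash is stored in the passwd file itself rather than in a shadow or trusted-mode database.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the password field of
# passwd-format entries for accounts that should authenticate via Kerberos only.
# Assumption: the hash, if any, is stored in the passwd file itself.

# Constructed sample entries; user names and the hash-like string are made up.
sample_passwd() {
    cat <<'EOF'
root:x:0:3::/:/sbin/sh
dcopeland:*:201:20:AD user:/home/dcopeland:/usr/bin/sh
jsmith:Qz8kLm2pXw9aB:202:20:AD user:/home/jsmith:/usr/bin/sh
akhan::203:20:AD user:/home/akhan:/usr/bin/sh
EOF
}

# audit_passwd FILE USER...
# Prints USER:STATE per account:
#   LOCKED   field starts with * or !  (no local password can match)
#   HASH     a local password hash is present (local password still works)
#   EMPTY    empty field (account accepts login with no password at all)
#   SHADOWED field is x (hash is kept elsewhere; check there instead)
#   MISSING  no such entry in FILE
audit_passwd() {
    pwfile=$1
    shift
    for user in "$@"; do
        awk -F: -v u="$user" '
            $1 == u {
                found = 1
                if ($2 == "")          state = "EMPTY"
                else if ($2 == "x")    state = "SHADOWED"
                else if ($2 ~ /^[*!]/) state = "LOCKED"
                else                   state = "HASH"
                print u ":" state
            }
            END { if (!found) print u ":MISSING" }
        ' "$pwfile"
    done
}

# Demo run against the constructed sample.
demo_file=$(mktemp)
sample_passwd > "$demo_file"
audit_passwd "$demo_file" dcopeland jsmith akhan
rm -f "$demo_file"
```

Accounts reported as HASH or EMPTY can still be reached without a Kerberos ticket; an empty field is the worse of the two, since it means no password is required at all.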