02-14-2007 12:39 AM
Need AD authentication for HP-UX user
We have an HP-UX server 11.11
We have an Active Directory Windows 2000 controller.
Each time an HP-UX user needs to log on to the server, HP-UX must check with the AD if this user is authorized to log on. Nothing else to do.
Do you know the best way to do it?
We want to have only the AD to administrate the users.
Do we need SFU (3.0) on the AD? Is it mandatory?
Do we need to configure LDAP? Is there another way?
Thanks for your help.
02-14-2007 12:50 AM
Re: Need AD authentication for HP-UX user
You can use SAMBA/CIFS with winbind
>> We want to have only the AD to administrate the users.
You won't need anything else.
>> Do we need SFU (3.0) on the AD? Is it mandatory?
I think you don't need it.
>> Do we need to configure LDAP? Is there another way?
No, you could, but it is not needed. Active Directory (LDAP) is enough.
02-14-2007 01:12 AM
Re: Need AD authentication for HP-UX user
Depends on what you want to do.
SFU 3.5 has limited shell support.
LDAP is challenging to configure but it works well.
CIFS/Samba seems worth a try.
ADS seems, based on the limited information provided, to be the best option.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
02-14-2007 08:41 PM
Re: Need AD authentication for HP-UX user
Quite straightforward and standard:
for 11.11:
- install PAMKerberos
- on AD generate a keytab and install it with ktutil
- adapt your /etc/krb5.conf
- adapt your pam.conf (and perhaps pam_user.conf to exclude root)
- change the password hash field in /etc/passwd or /etc/shadow to "x": meaning those users have no valid local passwd, and off you go
Remark: If you don't use kerberized clients to connect to your HPUX host, then I advise you to only enable kerberos authentication for ssh in pam: otherwise windows passwd in clear text over network!
If you want to centralise authorisation: if your AD could be upgraded to Windows 2003 R2: it contains all the necessary POSIX attributes: you don't need to install the MSSFU stuff and are compliant to RFC... (don't know by heart). I don't know if the latest LDAPUX client is aware of this?
For centralised authorisation you can work with nisnetgroups or the pam_authz.policy (as from ldapux version B.4...). But the client can't handle nested groups!
Do you need SFU? No: check if you can adapt your AD schema according to the RFCs (AD 2003 R2 does)
Do you need to configure LDAP: proxy-user, configure the attributes, ...
Hope this helps a bit. Anyway, check the docs.hp.com site for the latest ldapux client docs: there are docs for integration towards AD
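The remark about limiting Kerberos password authentication to ssh, and the step that sets the password field to "x", can both be checked on a host after the change. The shell script below is an added example, not part of the original post; it assumes the usual pam.conf column layout, recognises the Kerberos module by `pam_krb5` in its path, takes `sshd` as the SSH service name, and runs against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: pam.conf lines are
# "service type control module [options]", the Kerberos module has
# "pam_krb5" in its path, and the SSH service entry is named "sshd".

# Services other than sshd whose auth stack calls the Kerberos module.
krb5_auth_outside_ssh() {
    awk '$1 ~ /^#/ || NF < 4 { next }
         tolower($2) == "auth" && $4 ~ /pam_krb5/ {
             svc = tolower($1)
             if (svc != "sshd" && !(svc in seen)) { seen[svc] = 1; print svc }
         }' "$1"
}

# Accounts whose passwd hash field is neither "x" nor "*", i.e. accounts
# that can still authenticate with a local password.
local_password_accounts() {
    awk -F: '$1 !~ /^#/ && NF >= 7 && $2 != "x" && $2 != "*" { print $1 }' "$1"
}

# Constructed sample files, for illustration only.
PAM_SAMPLE=$(mktemp)
PASSWD_SAMPLE=$(mktemp)
trap 'rm -f "$PAM_SAMPLE" "$PASSWD_SAMPLE"' EXIT
cat > "$PAM_SAMPLE" <<'EOF'
# constructed pam.conf excerpt
login   auth    sufficient  /usr/lib/security/libpam_krb5.1
login   auth    required    /usr/lib/security/libpam_unix.1 try_first_pass
sshd    auth    sufficient  /usr/lib/security/libpam_krb5.1
sshd    auth    required    /usr/lib/security/libpam_unix.1 try_first_pass
ftp     auth    required    /usr/lib/security/libpam_unix.1
OTHER   auth    sufficient  /usr/lib/security/libpam_krb5.1
sshd    account required    /usr/lib/security/libpam_krb5.1
EOF
cat > "$PASSWD_SAMPLE" <<'EOF'
root:CONSTRUCTEDHASH1:0:3::/:/sbin/sh
jdoe:x:1001:20::/home/jdoe:/usr/bin/sh
asmith:CONSTRUCTEDHASH2:1002:20::/home/asmith:/usr/bin/sh
EOF

echo "Kerberos password auth enabled outside ssh:"
krb5_auth_outside_ssh "$PAM_SAMPLE"
echo "Accounts that still have a local password hash:"
local_password_accounts "$PASSWD_SAMPLE"
```

In the sample, `login` and the `OTHER` fallback are reported because both would accept the AD password over whatever transport the service uses; `root` is listed by the second check and is the account the post suggests excluding via pam_user.conf.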
02-14-2007 08:50 PM
Re: Need AD authentication for HP-UX user
Of course: once you have your ldapclient configured, you no longer need the local user accounts (except the system accounts).
Further centralisation could be:
LDAP aware sudo: needs recompilation (check the sudo site) + again AD schema change. Problem: the sudo ldap schema is not a standard (? RFC ?) + development for sudo seems stopped (latest version from 2005)
RBAC is emerging, but are there already (cross-platform) standards defined (roles, ldap schema, ...)?
02-15-2007 12:27 AM
Re: Need AD authentication for HP-UX user
Thanks for your answers.
We decided to use CIFS/SAMBA.
First step, I try to configure Kerberos.
We provide information in the krb5.conf file and smb.conf.
I followed this example, changing the domain name to the customer name.
[libdefaults]
    default_realm = HPATC2003.HP.COM
    default_tkt_enctypes = DES-CBC-MD5
    default_tgs_enctypes = DES-CBC-MD5
    default_keytab_name = "WRFILE:/etc/krb5.keytab"
[realms]
    HPATC2003.HP.COM = {
        kdc = HPATCWIN2K4.HPATC2003.HP.COM:88
        admin_server = HPATCWIN2K4.HPATC2003.HP.COM
    }
[domain_realm]
    .hp.com = HPATC2003.HP.COM
[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
Second step, I try to create the keytab file with this command:
/opt/samba/bin/net ads keytab create -U administrator
I got an "authentication failed" error message.
If I read "Integrating HP-UX 11.x Account Management and Authentication with Microsoft Windows 2000", they talk about Kerberos configuration, and they use the ktpass tool to generate the keytab file.
What do you think about this?
Which one is the right way?
In the CIFS/SAMBA configuration document, I don't see anything about the pam_authz file or the pam.conf file. Do we need to configure them?
Thanks for your answer.
02-15-2007 12:35 AM
Re: Need AD authentication for HP-UX user
If your krb5.conf is OK, try this one first on your HPUX host: kinit
You should be prompted for your windows passwd. After authentication, check with klist if you received a ticket.
On the AD node: creating a keytab is done with ktpass. The Unix host must be created as a user. Be sure to use the fqdn of your host when creating the keytab.
04-03-2007 04:27 AM
Re: Need AD authentication for HP-UX user
We changed the CIFS server version: we downloaded the latest version. It's working fine now.
04-05-2007 03:18 AM