03-03-2020 10:58 AM
Prevent creation of TCB DB entry when ldap/win active directory user first logs on trusted system
Hi
I am configuring ldapux, kerberos, and pam on a trusted 11.31 hp-ux server to allow users to log on with their Windows Active Directory ids. The configuration is working, because users can log in using their Win AD id and password. I noticed that a TCB entry is created the first time a Win AD user logs on the system. I would like to disable that behavior as the entry will become something that should be removed when a user's access to the system is revoked.
I am using the PAMmkdir product, but the entry gets created even when the PAMmkdir product isn't configured in the pam.conf. I've included my pam.conf and ldapclientd.conf files. Any information on this would be appreciated.
Thanks
Bob
Here are the versions of the various pieces to this puzzle I've installed:
KRB5-Client B.11.31 Kerberos V5 Client Version 1.3.5.03
LdapUxClient B.05.03 LDAP-UX Client Services
NisLdapServer B.05.03 The NIS/LDAP Gateway (ypldapd)
PAM-Kerberos D.01.26 PAM-Kerberos Version 1.26
PAM-NTLM A.02.02.02 HP NTLM Pluggable Authentication Module
PAMmkdir A.20.00-1.0.001 Home Directory creator
PAMpasswd A.20.00-1.0.5.001 PAM Password Strength Checking Module
PHCO_39619 1.0 libpam_hpsec Japanese manpage cumulative patch
PHCO_40072 1.0 libpam_hpsec cumulative patch
PHCO_40521 1.0 libpam cumulative patch
PHCO_42662 1.0 libpam_unix cumulative patch
PHCO_43875 1.0 libpam_updbe patch
PHSS_41775 1.0 KRB5-Client Version 1.3.5.03 Cumulative patch
krb5client E.1.6.2.10 Kerberos V5 Client Version 1.6.2.10
here is my pam.conf:
# Authentication management
#
login auth required libpam_hpsec.so.1
login auth sufficient libpam_krb5.so.1
login auth required libpam_unix.so.1 try_first_pass
su auth required libpam_hpsec.so.1
su auth sufficient libpam_krb5.so.1
su auth required libpam_unix.so.1 try_first_pass
dtlogin auth required libpam_hpsec.so.1
dtlogin auth sufficient libpam_krb5.so.1
dtlogin auth required libpam_unix.so.1 try_first_pass
dtaction auth required libpam_hpsec.so.1
dtaction auth sufficient libpam_krb5.so.1
dtaction auth required libpam_unix.so.1 try_first_pass
ftp auth required libpam_hpsec.so.1
ftp auth sufficient libpam_krb5.so.1
ftp auth required libpam_unix.so.1 try_first_pass
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_krb5.so.1
sshd auth required libpam_unix.so.1 try_first_pass
OTHER auth required libpam_unix.so.1
#
# Account management
#
login account required libpam_hpsec.so.1
login account sufficient libpam_krb5.so.1
login account required libpam_unix.so.1
su account required libpam_hpsec.so.1
su account sufficient libpam_krb5.so.1
su account required libpam_unix.so.1
dtlogin account required libpam_hpsec.so.1
dtlogin account sufficient libpam_krb5.so.1
dtlogin account required libpam_unix.so.1
dtaction account required libpam_hpsec.so.1
dtaction account sufficient libpam_krb5.so.1
dtaction account required libpam_unix.so.1
ftp account required libpam_hpsec.so.1
ftp account sufficient libpam_krb5.so.1
ftp account required libpam_unix.so.1
sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_krb5.so.1
sshd account required libpam_unix.so.1
OTHER account required libpam_unix.so.1
#
# Session management
#
login session required libpam_hpsec.so.1
login session required libpam_mkdir.so.1 skel=/etc/skel/ umask=0022
login session required libpam_krb5.so.1
login session required libpam_unix.so.1
dtlogin session required libpam_hpsec.so.1
dtlogin session required libpam_krb5.so.1
dtlogin session required libpam_unix.so.1
dtaction session required libpam_hpsec.so.1
dtaction session required libpam_krb5.so.1
dtaction session required libpam_unix.so.1
sshd session required libpam_hpsec.so.1
sshd session required libpam_mkdir.so.1 skel=/etc/skel/ umask=0022
sshd session sufficient libpam_krb5.so.1
sshd session required libpam_unix.so.1
OTHER session required libpam_unix.so.1
#
# Password management
#
login password required libpam_hpsec.so.1
login password sufficient libpam_krb5.so.1
login password required libpam_unix.so.1 try_first_pass
passwd password required libpam_hpsec.so.1
passwd password sufficient libpam_krb5.so.1
passwd password required libpam_unix.so.1 try_first_pass
dtlogin password required libpam_hpsec.so.1
dtlogin password sufficient libpam_krb5.so.1
dtlogin password required libpam_unix.so.1 try_first_pass
dtaction password required libpam_hpsec.so.1
dtaction password sufficient libpam_krb5.so.1
dtaction password required libpam_unix.so.1 try_first_pass
OTHER password required libpam_unix.so.1 try_first_pass
here is my ldapclientd.conf:
[StartOnBoot]
enable=yes
[general]
proxy_is_restricted=1
max_conn=100
connection_ttl=300
num_threads=10
socket_cleanup_time=300
cache_cleanup_time=10
update_ldapux_conf_time=600
cache_size=10000000
state_dump_time=300
max_enumeration_states=80%
flush_compat_info_time=86400
[passwd]
enable=yes
[group]
enable=yes
[netgroup]
enable=no
[uiddn]
enable=no
[domain_pwd]
enable=no
[domain_grp]
enable=no
[automount]
enable=no
[automountmap]
enable=no
[dynamic_group]
[longterm_cache]
[printers]
start=no
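As an added example (not code from this thread, HPE, or the PAMmkdir product), the following POSIX sh script reconciles the entries in a trusted system's protected password database with a list of accounts that are still valid, so TCB entries auto-created at an AD/LDAP user's first login can be found once that user's access has been revoked. It assumes the HP-UX layout /tcb/files/auth/<initial>/<user> for the TCB database; the known-users file and the sample entries below are constructed.

```sh
#!/bin/sh
# Added example, not part of the thread: reconcile HP-UX trusted-system (TCB)
# auth entries against the accounts that are still valid, so entries created
# at an AD/LDAP user's first login can be spotted after that user is removed.
# Assumption: the protected password database lives under
# /tcb/files/auth/<initial>/<user>; both paths are parameters so the logic
# can be exercised on sample data.

# orphaned_tcb_entries TCB_AUTH_DIR KNOWN_USERS_FILE
# Prints, one per line, every TCB entry whose login name is absent from
# KNOWN_USERS_FILE (one valid login name per line, e.g. assembled from
# nsquery/pwget output or a directory export).
orphaned_tcb_entries() {
    tcbdir=$1
    known=$2
    for entry in "$tcbdir"/*/*; do
        [ -f "$entry" ] || continue
        user=${entry##*/}                       # file name is the login name
        # grep -x matches whole lines, so "bob" does not match "bobby"
        grep -qx -- "$user" "$known" || printf '%s\n' "$user"
    done
}

# Constructed sample data (placeholder content, not a real prpwd record):
# three entries, of which "bob" has since been deprovisioned.
demo_dir=$(mktemp -d)
for u in alice bob root; do
    initial=$(printf '%s' "$u" | cut -c1)
    mkdir -p "$demo_dir/tcb/$initial"
    printf '%s:u_name=%s:u_id#1001:chkent:\n' "$u" "$u" \
        > "$demo_dir/tcb/$initial/$u"
done
printf 'root\nalice\n' > "$demo_dir/known"

orphaned_tcb_entries "$demo_dir/tcb" "$demo_dir/known"   # prints: bob
rm -rf "$demo_dir"
```

On a real system, point TCB_AUTH_DIR at /tcb/files/auth and build the known-users file from the same name service the PAM stack authenticates against, otherwise every current LDAP/AD user will be reported as stale.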
03-06-2020 03:06 AM
Re: Prevent creation of TCB DB entry when ldap/win active directory user first logs on trusted syste
The HP-UX Internet Express product includes a product called PAM_mkhomedir. This product will create a user's home directory on the HP-UX system if it does not exist when the user session begins. This product allows users to be present in a central database such as LDAP, NIS, or Kerberos without using a distributed file system or pre-creating a large number of directories.
The HP PAM_mkhomedir product, once installed, will display as:
The PAM_mkhomedir product is installed in the /opt/iexpress/pammkdir directory. The /opt/iexpress/pammkdir/README.hp file provides the libpam_mkdir library reference required to be added to /etc/pam.conf depending on the HP-UX system specifications (PA or IA, 32-bit or 64-bit, and OS version). The libpam_mkdir library is added under Session Management for the appropriate service for which the user's home directory check and creation will be used.
Details
Examples of modifying /etc/pam.conf to add the pam_mkdir library using the 'sshd' service for libpam_ldap and libpam_krb5 environments:
Example pam.conf using libpam_ldap library
# Session Management
...
sshd session required libpam_hpsec.so.1
sshd session required libpam_mkdir.so.1 skel=/etc/skel/ umask=0022
sshd session sufficient libpam_unix.so.1
sshd session required libpam_ldap.so.1
Example pam.conf using the libpam_krb5 library, adding the pam_mkdir library using the 'sshd' service:
# Session Management
...
sshd session required libpam_hpsec.so.1
sshd session required /usr/lib/security/hpux64/libpam_mkdir.so.1 skel=/etc/skel/ umask=0022
sshd session sufficient libpam_krb5.so.1
sshd session required libpam_unix.so.1
No restarts are required; changes to pam.conf are dynamic.
SSH connection test using the LDAP account pamtest: /home/pamtest did not initially exist, then after the user logs in using SSH the home directory for pamtest is created.
The HP-UX nsquery command shows the LDAP user (pamtest) with the Home Directory attribute; this verifies what the user's home directory will be created as upon login:
# nsquery passwd pamtest ldap
Using "ldap" for the passwd policy.
Searching ldap for pamtest
User name: pamtest
User Id: 5505
Group Id: 20
Gecos:
Home Directory: /home/pamtest
Shell: /sbin/sh
# pwd
/home
# ll /home/pamtest
/home/pamtest not found
Test invoking an SSH login; the libpam_mkdir library is specified on the sshd service in the example pam.conf above. After a successful SSH login the home directory is created using the homedirectory attribute from the LDAP account:
# ssh pamtest@ibiza
Password:
Last successful login: Tue Oct 11 23:09:00 EDT 2011 localhost
Creating directory /home/pamtest.
Last login: Tue Oct 11 23:11:07 2011
...
# pwd
/home/pamtest
# id
uid=5505(pamtest) gid=20(users)
# ll /home/pamtest
-rw-r--r-- 1 pamdir users 832 Oct 11 23:19 .cshrc
-rw-r--r-- 1 pamdir users 347 Oct 11 23:19 .exrc
-rw-r--r-- 1 pamdir users 334 Oct 11 23:19 .login
-rw-r--r-- 1 pamdir users 700 Oct 11 23:19 .profile
-rw------- 1 pamdir users 76 Oct 11 23:24 .sh_history
I am a HPE Employee