Operating System - HP-UX
1748093 Members
5925 Online
108758 Solutions
New Discussion

Prevent creation of TCB DB entry when ldap/win active directory user first logs on trusted system

 
BobV12
Regular Visitor

Prevent creation of TCB DB entry when ldap/win active directory user first logs on trusted system

Hi

I am configuring ldapux, kerberos, and pam on a trusted 11.31 hp-ux server to allow users to log on with their Windows Active Directory ids. The configuration is working, because users can log in using their Win AD id and password. I noticed that a TCB entry is created the first time a Win AD user logs on the system. I would like to disable that behavior as the entry will become something that should be removed when a user's access to the system is revoked.

I am using the PAMmkdir product, but the entry gets create even when the PAMmkdir product isn't configured in the pam.conf. I've included my pam.conf and ldapclientd.conf files. Any information on this would be appreciated

Thanks

Bob

Here are the versions of the various pieces to this puzzle I've installed:

KRB5-Client B.11.31 Kerberos V5 Client Version 1.3.5.03
LdapUxClient B.05.03 LDAP-UX Client Services
NisLdapServer B.05.03 The NIS/LDAP Gateway (ypldapd)
PAM-Kerberos D.01.26 PAM-Kerberos Version 1.26
PAM-NTLM A.02.02.02 HP NTLM Pluggable Authentication Module
PAMmkdir A.20.00-1.0.001 Home Directory creator
PAMpasswd A.20.00-1.0.5.001 PAM Password Strength Checking Module
PHCO_39619 1.0 libpam_hpsec Japanese manpage cumulative patch
PHCO_40072 1.0 libpam_hpsec cumulative patch
PHCO_40521 1.0 libpam cumulative patch
PHCO_42662 1.0 libpam_unix cumulative patch
PHCO_43875 1.0 libpam_updbe patch
PHSS_41775 1.0 KRB5-Client Version 1.3.5.03 Cumulative patch
krb5client E.1.6.2.10 Kerberos V5 Client Version 1.6.2.10

 

here is my pam.conf:

# Authentication management
#
login auth required libpam_hpsec.so.1
login auth sufficient libpam_krb5.so.1
login auth required libpam_unix.so.1 try_first_pass
su auth required libpam_hpsec.so.1
su auth sufficient libpam_krb5.so.1
su auth required libpam_unix.so.1 try_first_pass
dtlogin auth required libpam_hpsec.so.1
dtlogin auth sufficient libpam_krb5.so.1
dtlogin auth required libpam_unix.so.1 try_first_pass
dtaction auth required libpam_hpsec.so.1
dtaction auth sufficient libpam_krb5.so.1
dtaction auth required libpam_unix.so.1 try_first_pass
ftp auth required libpam_hpsec.so.1
ftp auth sufficient libpam_krb5.so.1
ftp auth required libpam_unix.so.1 try_first_pass
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_krb5.so.1
sshd auth required libpam_unix.so.1 try_first_pass
OTHER auth required libpam_unix.so.1
#
# Account management
#
login account required libpam_hpsec.so.1
login account sufficient libpam_krb5.so.1
login account required libpam_unix.so.1
su account required libpam_hpsec.so.1
su account sufficient libpam_krb5.so.1
su account required libpam_unix.so.1
dtlogin account required libpam_hpsec.so.1
dtlogin account sufficient libpam_krb5.so.1
dtlogin account required libpam_unix.so.1
dtaction account required libpam_hpsec.so.1
dtaction account sufficient libpam_krb5.so.1
dtaction account required libpam_unix.so.1
ftp account required libpam_hpsec.so.1
ftp account sufficient libpam_krb5.so.1
ftp account required libpam_unix.so.1
sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_krb5.so.1
sshd account required libpam_unix.so.1
OTHER account required libpam_unix.so.1
#
# Session management
#
login session required libpam_hpsec.so.1
login session required libpam_mkdir.so.1 skel=/etc/skel/ umask=0022
login session required libpam_krb5.so.1
login session required libpam_unix.so.1
dtlogin session required libpam_hpsec.so.1
dtlogin session required libpam_krb5.so.1
dtlogin session required libpam_unix.so.1
dtaction session required libpam_hpsec.so.1
dtaction session required libpam_krb5.so.1
dtaction session required libpam_unix.so.1
sshd session required libpam_hpsec.so.1
sshd session required libpam_mkdir.so.1 skel=/etc/skel/ umask=0022
sshd session sufficient libpam_krb5.so.1
sshd session required libpam_unix.so.1
OTHER session required libpam_unix.so.1
#
# Password management
#
login password required libpam_hpsec.so.1
login password sufficient libpam_krb5.so.1
login password required libpam_unix.so.1 try_first_pass
passwd password required libpam_hpsec.so.1
passwd password sufficient libpam_krb5.so.1
passwd password required libpam_unix.so.1 try_first_pass
dtlogin password required libpam_hpsec.so.1
dtlogin password sufficient libpam_krb5.so.1
dtlogin password required libpam_unix.so.1 try_first_pass
dtaction password required libpam_hpsec.so.1
dtaction password sufficient libpam_krb5.so.1
dtaction password required libpam_unix.so.1 try_first_pass
OTHER password required libpam_unix.so.1 try_first_pass

 

here is my ldapclientd.conf:

[StartOnBoot]
enable=yes

[general]
proxy_is_restricted=1

max_conn=100

connection_ttl=300

num_threads=10

socket_cleanup_time=300

cache_cleanup_time=10

update_ldapux_conf_time=600

cache_size=10000000

state_dump_time=300

max_enumeration_states=80%

flush_compat_info_time=86400

[passwd]
enable=yes

[group]
enable=yes

[netgroup]
enable=no

[uiddn]
enable=no

[domain_pwd]
enable=no

[domain_grp]
enable=no

[automount]
enable=no

[automountmap]
enable=no

[dynamic_group]

[longterm_cache]

[printers]
start=no

1 REPLY 1
Saajan_d
HPE Pro

Re: Prevent creation of TCB DB entry when ldap/win active directory user first logs on trusted syste

HP-UX Internet Express Product includes a product called PAM_mkhomedir. This product will create a users home directory on HP-UX system if it does no exist when the user session begins. This product allows users to be present in central database such as LDAP, NIS, or Kerberos without using a distributed file system or pre-creating a large number of directories.

The HP PAM_mkhomedir product once installed will display as:

The PAM_mkhomedir product is installed in the /opt/iexpress/pammkdir directory. The /opt/iexpress/pammkdir/README.hp file provides the libpam_mkdir library reference required to be added to /etc/pam.conf depending on HP-UX System specifications (PA or IA, 32 bit or 64 bit and OS version). The libpam_mkdir library is added under Session Management; to the appropriate Service that Users home directory check and creation will be used.

Details
Examples of modification to /etc/pam.conf adding pam_mkdir library using 'sshd' service for libpam_ldap and libpam_krb5 environments;

Example pam.conf using libpam_ldap library


# Session Management
...
sshd session required libpam_hpsec.so.1
sshd session required libpam_mkdir.so.1 skel=/etc/skel/ umask=0022
sshd session sufficient libpam_unix.so.1
sshd session required libpam_ldap.so.1

Example pam.conf using libpam_krb5 library adding pam_mkdir library using 'sshd' service;


# Session Management
...
sshd session required libpam_hpsec.so.1
sshd session required /usr/lib/security/hpux64/libpam_mkdir.so.1 skel=/etc/skel/ umask=0022
sshd session sufficient libpam_krb5.so.1
sshd session required libpam_unix.so.1

No restarts are required changes to pam.conf are dynamic.

SSH connection test using LDAP account pamtest, the /home/pamtest did not initially exist, then with login using SSH Users the home directory for pamtest is created;

HP-UX nsquery command shows LDAP user (pamtest) with Home Directory attribute, this verifies what the Users home directory will be created as upon login;

# nsquery passwd pamtest ldap
Using "ldap" for the passwd policy.
Searching ldap for pamtest
User name: pamtest
User Id: 5505
Group Id: 20
Gecos:
Home Directory: /home/pamtest
Shell: /sbin/sh

# pwd
/home

# ll /home/pamtest
/home/pamtest not found

Test invoking SSH login, libpam_mkdir library is specified on sshd service in example
pam.conf above. After successful SSH login home directory is created successfully
using the homedirectory attribute from LDAP account;

# ssh pamtest@ibiza
Password:
Last successful login: Tue Oct 11 23:09:00 EDT 2011 localhost
Creating directory /home/pamtest.
Last login: Tue Oct 11 23:11:07 2011
...

# pwd
/home/pamtest

# id
uid=5505(pamtest) gid=20(users)

# ll /home/pamtest
-rw-r--r-- 1 pamdir users 832 Oct 11 23:19 .cshrc
-rw-r--r-- 1 pamdir users 347 Oct 11 23:19 .exrc
-rw-r--r-- 1 pamdir users 334 Oct 11 23:19 .login
-rw-r--r-- 1 pamdir users 700 Oct 11 23:19 .profile
-rw------- 1 pamdir users 76 Oct 11 23:24 .sh_history


I am a HPE Employee

Accept or Kudo