Configuring an AIX client with multiple Kerberos realms

Shruthi Sharma (shrutsha@in.ibm.com), Software Engineer, IBM

Shruthi Sharma works as a Development support specialist for AIX security. She has three years experience and has gained knowledge in components of AIX security and AIX system administration. She also has experience of working with customers and handling critical situations. You can reach her at shrutsha@in.ibm.com.

Uma Chandolu (uchandol@in.ibm.com), Software Engineer, IBM

Uma M. Chandolu works as a Development Support Specialist on AIX. He is currently the team lead of the AIX Security Development Support team at IBM Bangalore.He has three years of extensive hands-on experience in AIX environments, and demonstrated expertise in AIX system administration and other subsystems. He has experience interfacing with customers and handling customer-critical situations. You can reach him at uchandol@in.ibm.com.

Summary: A typical customer environment is heterogeneous and includes AIX®, Windows®, and Linux®, which can be servers or clients. In many situations, an AIX Kerberos client needs to interact with multiple Kerberos realms hosted on a Windows or AIX Kerberos server to handle the requested services. This article explains the configuration details required to set the AIX Kerberos client to interact with multiple realms hosted on Windows Kerberos servers.

Tag this!

Date: 20 Oct 2009
Level: Intermediate
PDF: A4 and Letter (224KB | 11 pages)Get Adobe® Reader®
Activity: 1606 views

Overview

Kerberos is a network authentication protocol based on symmetric key cryptography. It is a client-server based model that provides mutual authentication. It requires a trusted third party called the Key Distribution Center (KDC), which in turn consists of an Authentication Server (AS) and Ticket Granting Server (TGS). A Kerberos "realm" consists of Kerberos principals and services that are registered within a Kerberos server.

Windows Active Directory (AD), along with LDAP, also provides Kerberos services. Windows AD forest supports multiple domains and each of them can constitute of a Kerberos realm. The multiple domains may be divided based on business unit, geography, and other variables.

Advantages of multiple realms

There are several advantages to having multiple realms. They are:

Data is distributed across different realms instead of a single database, so there will not be a single point of failure.
It is easier to manage several small independent Kerberos realms than a single huge one.
Having interoperability between different KDCs, like MIT and Windows, leads to easier integration of new Kerberos realms into an existing environment.
It provides flexibility in terms of future add-ons or developments.
It provides flexibility in that a user from a different realm can access services from another realm based on the trust relationship that resides between the realms.
Users from different Kerberos realms in a particular AD forest can log in to a single AIX Kerberos client.

Scope, assumptions, and the environment

The scope of this article is to configure AIX as a Kerberos client to multiple Kerberos realms hosted on a Windows AD server. It is assumed that the reader of this article has a medium to high level of knowledge of the Kerberos protocol and Windows Active Directory.

The steps described in this article have been tested with Microsoft Windows 2003 AD server as Kerberos servers and IBM NAS 1.4.0.7 the as Kerberos client. The same steps should work with other versions of IBM NAS.

Configuration steps

Setting up Microsoft Windows Active Directory

For information on setting up Microsoft Active Directory on Microsoft Windows Server 2003, refer to the relevant Microsoft Windows documentation. Here we configured an Active Directory forest containing a parent and child domain (refer above diagram). The Active Directory Domain is also referred as the Microsoft Kerberos Realm running on Microsoft Active Directory.

Parent Domain - IBM.COM, windows AD server: ibmad1.ibm.com
Child Domain - SEC.IBM.COM, Windows AD server: ibmad2.sec.ibm.com
AIX Kerberos client - indus28.in.ibm.com

Configuring the AIX Kerberos client

Make sure that the AIX client is configured with a FQDN (fully qualified domain name).
For example, the hostname should be "indus28.in.ibm.com".

Initially configure the AIX Kerberos client with child domain on the Windows AD server.

Use the config.krb5 command to set up the Kerberos client on AIX.

Syntax


config.krb5 -C -d (domain name ) -r (realm name) -c (windows server) 
           -s (windows server)
Ex:config.krb5 -C -d in.ibm.com -r SEC.IBM.COM -c ibmad2.sec.ibm.com -s 
ibmad2.sec.ibm.com

Change the /etc/krb5/krb5.conf file to include the details of parent domain "IBM.COM" and the Windows-supported encryption types.

[libdefaults]
       default_realm = SEC.IBM.COM
       default_keytab_name = FILE:/etc/krb5/krb5.keytab
       default_tkt_enctypes = des-cbc-md5 des-cbc-crc
       default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
       SEC.IBM.COM = {
               kdc = ibmad2.sec.ibm.com:88
               admin_server = ibmad2.sec.ibm.com:749
               default_domain = in.ibm.com
       }
       IBM.COM = {
               kdc = ibmad1.ibm.com:88
               admin_server = ibmad1.ibm.com:749
               default_domain = in.ibm.com
       }  

[domain_realm]
       .in.ibm.com = SEC.IBM.COM
       ibmad2.sec.ibm.com = SEC.IBM.COM
       ibmad1.ibm.com = SEC.IBM.COM

[logging]
       kdc = FILE:/var/krb5/log/krb5kdc.log
       admin_server = FILE:/var/krb5/log/kadmin.log
       default = FILE:/var/krb5/log/krb5lib.log

Add the following KRB5A stanza in the /usr/lib/security/methods.cfg file:

KRB5A:
        program = /usr/lib/security/KRB5A 
        options = authonly 

KRB5Afiles:  
         options = db=BUILTIN,auth=KRB5A 

Note: For AIX 6.1 TL02 onwards add the Kerberos stanza as below:

KRB5: 
        program = /usr/lib/security/KRB5 
        options = authonly,is_kadmind_compat=no  

KRB5files: 
        options = db=BUILTIN,auth=KRB5

On the child domain "SEC.IBM.COM", create a user using the Active Directory users and computer snap in for the AIX machine.
For example, in this case a username, indus28, is created on the AD as the Kerberos client is being configured on indus28.in.ibm.com. While creating a user, you will be asked for information such as password. Provide a valid password for the username.

On the Active Directory server, do the following:

Use the Active Directory Management tool to create a new user corresponding to the AIX Kerberos client machine indus28.in.ibm.com.
- Select the Users folder.
- Right-click and select New.
- Select user.
- Give the name indus28.

Use the ktpass tool to generate the keytab file on the Windows machine.

ktpass -princ host/indus28.in.ibm.com@SEC.IBM.COM -mapuser indus28 -pass 123 
-out indus28.keytab -ptype KRB5_NT_PRINCIPAL

Ktpass:

-princ user@realm , The user will be the aix client box, so in our case it will be 
indus28. in.ibm.com, this has to be full domain name
-mapuser : The user name will be indus28
-pass provide the password or * if you want it to prompt for password
-out , the name of output keytab file.

Securely transfer the indus28.keytab file to the AIX Kerberos client indus28.in.ibm.com.

Similarly, create user "indus28_ibm" on the parent domain, IBM.COM (machine: ibmad1.ibm.com).

Run the ktpass command in the domain IBM.COM:

ktpass.exe -princ host/indus28.in.ibm.com@IBM.COM -mapuser indus28_ibm -pass 123 
-out indus28_ibm.keytab -ptype KRB5_NT_PRINCIPAL

Note: The map user is indus28_ibm and the keytab is indus28_ibm.keytab and the princ 
name is again host/indus28.in.ibm,com

Securely transfer the indus28_ibm.keytab file to the AIX Kerberos client.

On the AIX Kerberos client, use the ktutil function to read the keytab file, which has been copied from the Windows server, and write it to default keytab file /etc/krb5/krb5.keytab.

#/usr/krb/sbin/ktutil
ktutil:  rkt /usr/krb/sbin/indus28.keytab
ktutil:  wkt /etc/krb5/krb5.keytab
ktutil:  q

# /usr/krb5/bin/klist -ke
Keytab name:  FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
 18 host/indus28.in.ibm.com@SEC.IBM.COM (ArcFour with HMAC/md5)

#/usr/krb5/sbin/ktutil
ktutil:  rkt /usr/krb/sbin/indus28_ibm.keytab
ktutil:  wkt /etc/krb5/krb5.keytab
ktutil:  q

 #/usr/krb5/bin/klist -ke
Keytab name:  FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
 18 host/indus28.in.ibm.com@SEC.IBM.COM (ArcFour with HMAC/md5)
  4 host/indus28.in.ibm.com@IBM.COM (ArcFour with HMAC/md5)

Create a user foo on domain IBM.COM and foo1 on domain SEC.IBM.COM. Also create them locally on the AIX Kerberos client.
#mkuser -R KRB5Afiles registry= KRB5Afiles SYSTEM= KRB5Afiles foo #mkuser -R KRB5Afiles registry= KRB5Afiles SYSTEM= KRB5Afiles foo1
Make sure the lsuser command lists all the relevant user attributes.

Run kinit for both the users to make sure you are able to authenticate them using Kerberos and can get tickets from the Kerberos realm they belong to.

# /usr/krb5/bin/kinit foo1
Password for foo1@SEC.IBM.COM:
# /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  foo1@SEC.IBM.COM

Valid starting     Expires            Service principal
02/27/08 15:29:37  02/28/08 01:29:40  krbtgt/SEC.IBM.COM@SEC.IBM.COM
       Renew until 02/28/08 15:29:37
# /usr/krb5/bin/kinit foo@IBM.COM
Password for foo@IBM.COM:
# /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  foo@IBM.COM

Valid starting     Expires            Service principal
02/27/08 15:29:49  02/28/08 01:29:49  krbtgt/IBM.COM@IBM.COM
       Renew until 02/28/08 15:29:49

Resources

Learn

"Configuring AIX 5L for Kerberos Based Authentication Using Windows Kerberos Service.This white paper describes how to use Kerberos as an alternative authentication mechanism to AIX using Windows 2000/2003 server Kerberos Service.
In the Resources on the IBM Network Authentication Service and related technologies for AIX
Browse the technology bookstore for books on these and other technical topics.

Get products and technologies

Download IBM product evaluation versions and get your hands on application development tools and middleware products from DB2®, Lotus®, Rational®, Tivoli®, and WebSphere®.

Discuss

Check out developerWorks blogs and get involved in the developerWorks community.
Follow developerWorks on Twitter.
Get involved in the My developerWorks community.
Participate in the AIX and UNIX forums:

About the authors

Comments (Undergoing maintenance)

Trademarks | My developerWorks terms and conditions

Close [x]

Help: Update or add to My dW interests

What's this?

This little timesaver lets you update your My developerWorks profile with just one click! The general subject of this content (AIX and UNIX, Information Management, Lotus, Rational, Tivoli, WebSphere, Java, Linux, Open source, SOA and Web services, Web development, or XML) will be added to the interests section of your profile, if it's not there already. You only need to be logged in to My developerWorks.

And what's the point of adding your interests to your profile? That's how you find other users with the same interests as yours, and see what they're reading and contributing to the community. Your interests also help us recommend relevant developerWorks content to you.

View your My developerWorks profile

Return from help

Close [x]

Help: Remove from My dW interests

What's this?

Removing this interest does not alter your profile, but rather removes this piece of content from a list of all content for which you've indicated interest. In a future enhancement to My developerWorks, you'll be able to see a record of that content.

View your My developerWorks profile

Return from help

static.content.url=http://www.ibm.com/developerworks/js/artrating/

SITE_ID=1

Zone=AIX and UNIX

ArticleID=438583

ArticleTitle=Configuring an AIX client with multiple Kerberos realms

publish-date=10202009

author1-email=shrutsha@in.ibm.com

author1-email-cc=mmccrary@us.ibm.com

author2-email=uchandol@in.ibm.com

author2-email-cc=mmccrary@us.ibm.com