Level: Intermediate
Vipin Rathor (vrathor1@in.ibm.com), System Software Engineer, IBM
Sandeep Patil (rsandeep@in.ibm.com), Advisory Software Engineer, IBM
31 Dec 2007
Implement effective ways to configure IBM® Network Authentication Service (IBM NAS) with Lightweight Directory Access Protocol (LDAP) on AIX® to get the maximum reliability and scalability in your Kerberos environment. This article shows you different ways of setting up a dynamic, yet consistent, Kerberos environment.
Introduction
LDAP (Lightweight Directory Access Protocol) has become an industry standard for storing all kinds of look-up data. Most products already integrate with LDAP to store static data, metadata, or information that changes rarely but is referenced often. IBM® AIX Version 5.3 also uses LDAP to store information relating to user management, authentication, and so forth (see Resources). The IBM AIX Version 5.3 login modules featuring Kerberos integrated login, other kerberized utilities like FTP, OpenSSH, and rlogin, and the AIX NFS Version 4 filesystem, which uses the IBM Network Authentication Service (IBM NAS) for kerberized authentication with LDAP, can be configured to integrate with LDAP as well.
IBM NAS is featured with two LDAP-based facilities:
- Use of LDAP for IBM NAS server discovery by the IBM NAS clients
- Use of LDAP directory plug-in for storing IBM NAS authentication data
This article focuses on the use of LDAP for IBM NAS server discovery by IBM NAS clients. It takes you through the LDAP-based features of IBM NAS that allow the IBM NAS clients to discover the IBM NAS servers (namely the KDC and the administration server) through an LDAP lookup. It elaborates on the different methods of NAS client configuration. Finally, it illustrates IBM NAS configuration using LDAP lookup and lists its advantages over the default native method, which should encourage and help you to take advantage of it.
Different methods for configuration of the IBM NAS client
IBM NAS 1.4 provides three different kinds of client configuration:
- Default configuration of the IBM NAS client
- IBM NAS server discovery using IBM Tivoli® Directory Server Version 5.2 (TDS)
- IBM NAS server discovery using TDS, with the default configuration as a fallback mechanism
In the following sections, you will visit each configuration type in detail, but
let's first go through the configuration command provided by IBM NAS.
To configure the IBM NAS client for any of these configuration types, use the /usr/krb5/sbin/config.krb5 command that comes with the IBM NAS client setup. AIX also ships with a similar command called /usr/sbin/mkkrb5clnt (a wrapper around the basic config.krb5 command), which you can also use for configuration purposes. For more information on the mkkrb5clnt command, please refer to the AIX 5.3 Commands Reference that shipped with AIX 5.3. This article uses the config.krb5 command for all its configuration illustrations.
The following example provides the usage syntax for the
config.krb5 command:
bash-2.05b# /usr/krb5/sbin/config.krb5
To configure a Server:
Usage: /usr/krb5/sbin/config.krb5 -h | -S [-a admin] -d domain -r realm [[-l
{ ldapserver | ldapserver:port }] [-u ldap_DN -p ldap_DN_pw] [-f {keyring |
keyring:entry_dn} -k keyring_pw] [-m masterkey_location] [-b bind_type]
[-R ldap_replica_list]]
To configure a slave KDC:
On a slave KDC machine:
Usage: /usr/krb5/sbin/config.krb5 -h | -E -d domain -r realm -s server { [-a admin] | -l
{ ldapserver | ldapserver:port } -u ldap_DN -p ldap_DN_PW [-f {keyring |
keyring:entry_dn} -k keyring_pw] [-b bind_type]
[-R ldap_replica_list] }
On a master server machine:
Usage: /usr/krb5/sbin/config.krb5 -h | -P -r realm -d domain -e slave_KDC -g
To configure a Client:
Usage: /usr/krb5/sbin/config.krb5 -h | [-C] -r realm -d domain { -c KDC -s server | -l
{ ldapserver | ldapserver:port_number } [-c KDC -s server] }
You can configure both the IBM NAS client and the IBM NAS server using the same command; this article concentrates on the client configuration part. For details on the config.krb5 command, please refer to the IBM NAS 1.4 Administrator's and User's Guide on the AIX Version 5.3 Expansion Pack CD. The following sections illustrate each type of IBM NAS client configuration in detail and list their advantages over each other.
The following definitions and configurations are used in this article:
- TDS Version 5.2: hostname fsaix11.in.ibm.com, port 389, OS AIX Version 5.3
- Kerberos realm name: ISL.IN.IBM.COM
- Kerberos administrator name: admin/admin
- IBM NAS 1.4 KDC: hostname huntcup.in.ibm.com, port 88, OS AIX V5.3, LDAP client TDS Version 5.2
- IBM NAS 1.4.0.6 administration server: hostname huntcup.in.ibm.com, port 749, OS AIX Version 5.3, LDAP client TDS Version 5.2
- IBM NAS 1.4.0.6 client: hostname land.in.ibm.com, OS AIX Version 5.3, LDAP client TDS Version 5.2
Note:
- The IBM NAS 1.4 server is only supported on AIX, while the client is available on Solaris, Linux®, and Windows®. (The IBM NAS client install software for Linux and Solaris is shipped with IBM DB2® Universal Database. To find out more about IBM DB2 UDB Security, see the Resources section.)
- IBM NAS 1.4 currently supports IBM Tivoli Directory Server Version 5.1 and 5.2 and SunONE Directory Server Version 5.1 and 5.2 only. In this article, we use IBM Tivoli Directory Server 5.2 as the LDAP server for our examples.
- For detailed information on TDS installation and configuration, please refer to the IBM Tivoli Directory Server Version 5.2 documentation.
Default configuration of IBM NAS client for server lookup
The most common and default configuration of the IBM NAS client is to point NAS directly at the Kerberos KDC and administration server by explicitly stating the hostname and IP address of the machine on which the servers are running. This is done by specifying the server machine's host name in the /etc/krb5/krb5.conf file, either manually or using the config.krb5 command. The /etc/krb5/krb5.conf file is the configuration file where the entire IBM NAS client-side configuration resides. This file is consulted each time the IBM NAS client (or an application running on it, such as AIX integrated login or kerberized ftp) makes any kind of request to the Kerberos servers.
In the following scenario, you configure an IBM NAS client (land.in.ibm.com) to
IBM NAS server (huntcup.in.ibm.com) by the default configuration method using the
config.krb5 command:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/sbin/config.krb5 -C -d in.ibm.com -r ISL.IN.IBM.COM
-c huntcup.in.ibm.com -s huntcup.in.ibm.com
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
The command completed successfully.
On successful execution, config.krb5 generates the /etc/krb5/krb5.conf configuration file. Let's view the /etc/krb5/krb5.conf file on land.in.ibm.com:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# cat /etc/krb5/krb5.conf
[libdefaults]
default_realm = ISL.IN.IBM.COM
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes =\
des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes =\
des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
[realms]
ISL.IN.IBM.COM = {
kdc = huntcup.in.ibm.com:88
admin_server = huntcup.in.ibm.com:749
default_domain = in.ibm.com
}
[domain_realm]
.in.ibm.com = ISL.IN.IBM.COM
huntcup.in.ibm.com = ISL.IN.IBM.COM
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log
Notice the entries under the [realms] stanza. The [realms] stanza of the /etc/krb5/krb5.conf file contains the information that the NAS client uses when looking for the IBM NAS servers. In this case, you can see that the KDC server ("kdc" entry) and the administration server ("admin_server" entry) explicitly point to the hostname and port number on which the servers are running, which is the default native configuration.
Now let's see whether the configured client is able to contact the KDC server by running IBM NAS commands to acquire the Kerberos credentials:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit admin/admin
Password for admin/admin@ISL.IN.IBM.COM:
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: admin/admin@ISL.IN.IBM.COM
Valid starting Expires Service principal
08/01/07 22:28:27 08/02/07 22:28:27 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
Renew until 08/03/07 03:52:47
Since you were able to acquire the Kerberos ticket, the client evidently contacted the KDC server successfully.
Also, let's check whether the configured client is able to contact the NAS administration server by running the IBM NAS kadmin utility and listing all the principals:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/sbin/kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@ISL.IN.IBM.COM:
kadmin: getprincs
K/M@ISL.IN.IBM.COM
admin/admin@ISL.IN.IBM.COM
admin/sales@ISL.IN.IBM.COM
john@ISL.IN.IBM.COM
kadmin/admin@ISL.IN.IBM.COM
kadmin/changepw@ISL.IN.IBM.COM
kadmin/history@ISL.IN.IBM.COM
kadmin/huntcup.in.ibm.com@ISL.IN.IBM.COM
krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
mack_correct@ISL.IN.IBM.COM
one-minute-sandy@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
tester@ISL.IN.IBM.COM
vipin@ISL.IN.IBM.COM
kadmin:q
Hence, you have successfully set up the IBM NAS client with the default configuration, where the IBM NAS server entries are hard-coded in the client configuration file (/etc/krb5/krb5.conf).
So if things work well with the default configuration of the IBM NAS client, why is there a need for IBM NAS client configuration with LDAP lookup for server discovery?
Need for KDC and administration servers discovery using TDS
Consider a production environment scenario where there are thousands of IBM NAS
client machines configured to the IBM NAS server machine using the default
configuration previously described. In such a case, if you plan to move or migrate
the NAS server to another high-end machine or plan to rename the hostname of the
NAS server machine, then you would have to manually change the configuration
settings (in the /etc/krb5/krb5.conf file) on all the configured IBM NAS client
machines.
In such scenarios, with the IBM NAS server discovery via TDS feature, you only need to make minimal changes, such as updating the new IBM NAS server's hostname in the LDAP database. Unlike the default method of IBM NAS client configuration, this technique requires no client-side configuration changes. All the IBM NAS clients continue to work seamlessly, as if nothing had changed.
In the following sections, you will go through the configuration steps required
for such a setup and the details on how the clients can achieve this seamless
configuration.
Configuration of the IBM NAS feature of server discovery using TDS
In this method of configuration, the location information of the IBM NAS servers is stored centrally in the LDAP database. All the IBM NAS clients are configured to look up the centralized LDAP database to locate the IBM NAS servers. Hence, in scenarios where the hostname of the IBM NAS server changes, you only need to update the LDAP entries while the IBM NAS clients continue to work seamlessly. This method of configuration consists of two steps:
- Server-side configuration steps for enrolling IBM NAS KDC and Administration server information in TDS
- Client-side configuration for enabling IBM NAS server discovery using TDS
Server-side configuration steps for enrolling IBM NAS KDC and Administration server information in TDS
- The first configuration step is to add the IBM NAS schema definitions to the LDAP directory. TDS uses these schema definitions for the IBM NAS KDC and administration server lookup. The schema definition files are shipped in LDAP Data Interchange Format (LDIF) with IBM NAS 1.4 and installed under the /usr/krb5/ldif directory. The /usr/krb5/ldif/IBM.service.schema.ldif file contains the schema required by IBM NAS 1.4 to work with IBM Tivoli Directory Server Version 5.2.
To add the schema definitions, use the ldapmodify TDS command, as shown below:
#hostname
huntcup.in.ibm.com
#ldapmodify -h fsaix11.in.ibm.com -D cn=root -w secret
-f /usr/krb5/ldif/IBM.service.schema.ldif -v -c
ldap_init(fsaix11.in.ibm.com, 389)
add attributetypes:
BINARY (93 bytes) ( 1.3.18.0.2.4.818 NAME 'ibmCom1986-Krb-kerberosRealm' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
add ibmattributetypes:
BINARY (63 bytes) ( 1.3.18.0.2.4.818 DBNAME( 'kerberosRealm' 'kerberosRealm' ) )
modifying entry cn=schema
ldap_modify: Type or value exists
ldap_modify: additional info: attribute type '1.3.18.0.2.4.818' already exists,
add operation failed.
replace attributetypes:
BINARY (202 bytes) ( 1.3.18.0.2.4.818 NAME ('ibmCom1986-Krb-kerberosRealm'
'KerberosRealm' )
DESC 'Kerberos realm name' EQUALITY caseExactMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE USAGE userApplications )
replace ibmattributetypes:
BINARY (94 bytes) ( 1.3.18.0.2.4.818 DBNAME( 'kerberosRealm' 'kerberosRealm'
) ACCESS-CLASS
normal LENGTH 256 )
modifying entry cn=schema
add objectclasses:
BINARY (69 bytes) ( 1.3.18.0.2.6.173 NAME 'ibmCom1986-Krb-kerberosService'
STRUCTURAL )
modifying entry cn=schema
ldap_modify: Type or value exists
ldap_modify: additional info: object class '1.3.18.0.2.6.173' already exists, add
operation failed.
replace objectclasses:
BINARY (258 bytes) ( 1.3.18.0.2.6.173 NAME (
'ibmCom1986-Krb-kerberosService' 'KerberosService'
) DESC 'A kerberosService object is created for each host system within the
realm.' SUP eService
STRUCTURAL MUST ( ibmCom1986-Krb-kerberosRealm ) MAY ( ipServicePort
$ seeAlso ) )
modifying entry cn=schema
While adding the schema definitions from the LDIF file, you might receive errors saying that the attributes and OIDs already exist. These errors can be safely ignored (the -c option used above tells ldapmodify to continue past them). You are not required to make any changes to the /usr/krb5/ldif/IBM.service.schema.ldif LDIF file.
For detailed information on the ldapmodify command and its usage, please refer to the IBM Tivoli Directory Server V5.2 documentation.
- Once the required schema is loaded, you need to add a suffix for your root
domain name in the LDAP directory. In the example, you have ISL.IN.IBM.COM as
your Kerberos realm; therefore, you need to add a suffix "COM" as a domain
component. For this, log in to the TDS machine (in the example, it's
fsaix11.in.ibm.com), stop the TDS server, add the suffix, and restart the TDS
server, as shown below:
[root@fsaix11 ldif ]# hostname
fsaix11.in.ibm.com
[root@fsaix11 ldif ]# ibmdirctl -D cn=root -w secret stop
Stop operation succeeded
[root@fsaix11 ldif ]# ldapcfg -s dc=COM -n
You have chosen the following actions:
Suffix 'dc=COM' will be added to the configuration file.
Adding suffix: 'dc=COM'.
Added suffix: 'dc=COM'.
IBM Tivoli Directory Server Configuration complete.
[root@fsaix11 ldif ]# ibmdirctl -D cn=root -w secret start
Start operation succeeded
- Next, add the Kerberos realm information to the LDAP directory. Each component of the Kerberos realm corresponds to a domain component entry in the LDAP directory. So let's define the domain components for your "ISL.IN.IBM.COM" Kerberos realm. For this, modify the /usr/krb5/ldif/service_add.ldif file, which is shipped with the IBM NAS fileset on the IBM NAS server machine (huntcup.in.ibm.com in our case), and make the following changes:
dn: dc=COM
dc: COM
objectClass: top
objectClass: domain
description: Domain realm COM

dn: dc=IBM, dc=COM
dc: IBM
objectClass: domain
description: Domain realm IBM.COM

dn: dc=IN, dc=IBM, dc=COM
dc: IN
objectClass: domain
description: Domain realm IN.IBM.COM

dn: dc=ISL, dc=IN, dc=IBM, dc=COM
dc: ISL
objectClass: domain
description: Domain realm ISL.IN.IBM.COM
To add the above LDIF file information to the LDAP directory, use the
ldapmodify command from the IBM NAS server machine,
as shown below:
#hostname
huntcup.in.ibm.com
#ldapmodify -h fsaix11.in.ibm.com -D cn=root -w secret -f
/usr/krb5/ldif/service_add.ldif -v -c -a
ldap_init(fsaix11.in.ibm.com, 389)
add dc:
BINARY (3 bytes) COM
add objectClass:
BINARY (3 bytes) top
BINARY (6 bytes) domain
add description:
BINARY (16 bytes) Domain realm COM
adding new entry dc=COM
add dc:
BINARY (3 bytes) IBM
add objectClass:
BINARY (6 bytes) domain
add description:
BINARY (20 bytes) Domain realm IBM.COM
adding new entry dc=IBM, dc=COM
add dc:
BINARY (2 bytes) IN
add objectClass:
BINARY (6 bytes) domain
add description:
BINARY (23 bytes) Domain realm IN.IBM.COM
adding new entry dc=IN, dc=IBM, dc=COM
add dc:
BINARY (3 bytes) ISL
add objectClass:
BINARY (6 bytes) domain
add description:
BINARY (27 bytes) Domain realm ISL.IN.IBM.COM
adding new entry dc=ISL, dc=IN, dc=IBM, dc=COM
- Add the IBM NAS KDC and administration server entries in the LDAP directory
for your Kerberos realm. To accomplish this, use the IBM NAS
/usr/krb5/sbin/ksetup command. The
ksetup command deals with NAS entries in the LDAP
directory for a NAS realm. It has various subcommands to add, remove, and list
the entries. For complete information on ksetup,
please refer to the IBM NAS 1.4 Administrator's and User's Guide shipped with
the AIX Version 5.3 Expansion Pack CD. By using the
ksetup command, you add huntcup.in.ibm.com as the
KDC and administration server for your ISL.IN.IBM.COM realm. Then, you verify
the addition by listing the servers, as follows:
#hostname
huntcup.in.ibm.com
# /usr/krb5/sbin/ksetup -h fsaix11.in.ibm.com -n cn=root -p secret
ksetup>
addadmin huntcup.in.ibm.com ISL.IN.IBM.COM
ksetup>
addkdc huntcup.in.ibm.com ISL.IN.IBM.COM
ksetup>
listkdc
huntcup.in.ibm.com:88
ksetup>
listadmin
huntcup.in.ibm.com:749
ksetup>
exit
Note that ksetup has assigned the default port numbers for the KDC (88) and the administration server (749). To override a default port, specify the port number in the addadmin and addkdc subcommands; for example, addadmin huntcup.in.ibm.com:99 ISL.IN.IBM.COM.
This completes the server-side configuration steps for IBM NAS server lookup. Now you are all set to configure an IBM NAS client that discovers the location of the NAS servers using IBM Directory Server.
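The following Python example is added here and is not code from the article or from the IBM NAS product. It models the two registration steps above in a form you can run offline: realm_ldif() derives the chain of domain-component entries that any dotted realm name maps to, in the layout of the shipped service_add.ldif file, and server_entry() applies the ksetup default ports (88 for addkdc, 749 for addadmin) to a host or host:port argument the way listkdc and listadmin display them. The function names, the input validation, and the handling of a malformed realm are assumptions of this example; the entries it produces for ISL.IN.IBM.COM match the LDIF shown earlier.

```python
# Added example, not from the article: model the server-side registration steps.
# realm_ldif() generalises the shipped service_add.ldif to any dotted realm name;
# server_entry() applies the ksetup default ports. Function names are assumptions.

KDC_PORT = 88          # ksetup default for addkdc  (listkdc showed host:88)
ADMIN_PORT = 749       # ksetup default for addadmin (listadmin showed host:749)


def realm_components(realm):
    """Split 'ISL.IN.IBM.COM' into ['COM', 'IBM', 'IN', 'ISL'], root suffix first."""
    parts = [p for p in realm.strip().split(".") if p]
    if not parts:
        raise ValueError("realm must contain at least one component")
    return list(reversed(parts))


def suffix_for_realm(realm):
    """The suffix to register with 'ldapcfg -s' before the entries are loaded."""
    return "dc=%s" % realm_components(realm)[0]


def realm_dns(realm):
    """DN of every entry, root first: 'dc=COM', 'dc=IBM, dc=COM', ..."""
    comps = realm_components(realm)
    return [", ".join("dc=%s" % c for c in reversed(comps[:i]))
            for i in range(1, len(comps) + 1)]


def realm_ldif(realm):
    """LDIF for 'ldapmodify -a': one 'domain' entry per realm component.
    Only the root suffix carries objectClass: top, as in the shipped file.
    Records are separated by a blank line, which the LDIF format requires."""
    comps = realm_components(realm)
    records = []
    for i, dn in enumerate(realm_dns(realm)):
        lines = ["dn: %s" % dn, "dc: %s" % comps[i]]
        if i == 0:
            lines.append("objectClass: top")
        lines.append("objectClass: domain")
        lines.append("description: Domain realm %s"
                     % ".".join(reversed(comps[:i + 1])))
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def server_entry(kind, spec):
    """Turn the host[:port] argument of addkdc/addadmin into the 'host:port'
    string that listkdc/listadmin print, filling in the default port."""
    default = {"kdc": KDC_PORT, "admin": ADMIN_PORT}[kind]
    host, _, port = spec.partition(":")
    if not host:
        raise ValueError("empty hostname in %r" % spec)
    port = int(port) if port else default
    if not 0 < port < 65536:
        raise ValueError("port out of range in %r" % spec)
    return "%s:%d" % (host, port)


if __name__ == "__main__":
    print(suffix_for_realm("ISL.IN.IBM.COM"))
    print(realm_ldif("ISL.IN.IBM.COM"))
    print(server_entry("kdc", "huntcup.in.ibm.com"))
    print(server_entry("admin", "huntcup.in.ibm.com:99"))
```

Running it prints dc=COM, the four entries exactly as they appear in the modified service_add.ldif, and huntcup.in.ibm.com:88 and huntcup.in.ibm.com:99 for the two ksetup arguments. The blank line between records is the part most easily lost when an LDIF file is edited by hand, and ldapmodify treats a file without it as a single malformed entry.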
Client-side configuration for enabling IBM NAS server discovery using TDS
First and foremost, you need to make sure that you have installed the TDS client
on each IBM NAS client machine. To configure the IBM NAS client with the IBM NAS
server discovery using the LDAP method, use the
/usr/krb5/sbin/config.krb5 command, but this time with
different arguments, as shown below:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# config.krb5 -C -r ISL.IN.IBM.COM -d in.ibm.com -l fsaix11.in.ibm.com
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
The command completed successfully.
To reconfigure the IBM NAS client with a different configuration method, you first need to unconfigure the existing client configuration by running the /usr/krb5/sbin/unconfig.krb5 command on the client machine.
Notice that this time you have used the -l <ldap_server> option to tell the IBM NAS client to use the specified TDS server for the KDC and administration server lookup. Let's see what the IBM NAS client configuration file looks like:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# cat /etc/krb5/krb5.conf
[libdefaults]
default_realm = ISL.IN.IBM.COM
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = \
des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = \
des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
use_ldap_lookup = 1
ldap_server = fsaix11.in.ibm.com
[realms]
ISL.IN.IBM.COM = {
default_domain = in.ibm.com
}
[domain_realm]
.in.ibm.com = ISL.IN.IBM.COM
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log
Notice the use_ldap_lookup = 1 configuration file entry. It indicates that the IBM NAS client uses the TDS server to look up the NAS servers, and the ldap_server = fsaix11.in.ibm.com entry tells it which TDS server to contact.
Note: There is no "kdc" or "admin_server" entry under the [realms] stanza for this type of configuration, unlike in the default case.
Verify your setup by running the kinit command
followed by the klist command:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit admin/admin
Password for admin/admin@ISL.IN.IBM.COM:
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: admin/admin@ISL.IN.IBM.COM
Valid starting Expires Service principal
08/17/07 07:04:53 08/18/07 07:04:53 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
Renew until 08/18/07 07:05:02
As you can see, you successfully contacted your KDC using TDS and obtained the initial ticket. Now verify that the client setup can also contact the administration server using TDS:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/sbin/kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@ISL.IN.IBM.COM:
kadmin: getprincs
K/M@ISL.IN.IBM.COM
admin/admin@ISL.IN.IBM.COM
admin/sales@ISL.IN.IBM.COM
john@ISL.IN.IBM.COM
kadmin/admin@ISL.IN.IBM.COM
kadmin/changepw@ISL.IN.IBM.COM
kadmin/history@ISL.IN.IBM.COM
kadmin/huntcup.in.ibm.com@ISL.IN.IBM.COM
krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
mack_correct@ISL.IN.IBM.COM
one-minute-sandy@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
tester@ISL.IN.IBM.COM
vipin@ISL.IN.IBM.COM
kadmin:q
You successfully contacted both NAS servers using TDS.
The utilities that use the LDAP-based administration server and KDC discovery feature include:
- kadmin: obtains the name and port of the kadmin server from the LDAP server.
- kinit: obtains the name and port of the KDC from the LDAP server.
- kpasswd: obtains the name and port of the password change service from the LDAP server.
- ksetup: stores the administration server and KDC information in the LDAP directory.
One limitation of the above configuration is that when the TDS server goes down, the IBM NAS clients are unable to discover and contact any of the IBM NAS servers. To overcome this problem, IBM NAS provides another kind of client configuration in which the IBM NAS client primarily uses TDS for NAS server discovery; if the client cannot connect to the TDS server, it falls back to the local configuration file for the NAS lookup. Let's have a look at how this configuration type works.
Configuration of IBM NAS client for server discovery using TDS with the fallback mechanism
As explained for the previous IBM NAS client configuration, please make sure you have the TDS client and the IBM NAS filesets installed on the client machine.
Now let's configure the IBM NAS client for server discovery using TDS with the fallback mechanism:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/sbin/config.krb5 -C -r ISL.IN.IBM.COM -d in.ibm.com -l
fsaix11.in.ibm.com -c huntcup.in.ibm.com
-s huntcup.in.ibm.com
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
The command completed successfully.
Notice that this time you have specified the -l, -c, and -s options together in the config.krb5 command while configuring the IBM NAS client.
Let's see what the local IBM NAS client configuration file looks like this time:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# cat /etc/krb5/krb5.conf
[libdefaults]
default_realm = ISL.IN.IBM.COM
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = \
des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = \
des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
use_ldap_lookup = 1
ldap_server = fsaix11.in.ibm.com
[realms]
ISL.IN.IBM.COM = {
kdc = huntcup.in.ibm.com:88
admin_server = huntcup.in.ibm.com:749
default_domain = in.ibm.com
}
[domain_realm]
.in.ibm.com = ISL.IN.IBM.COM
huntcup.in.ibm.com = ISL.IN.IBM.COM
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log
In this configuration method, the configuration file carries your LDAP server information plus the "kdc" and "admin_server" entries. Use the kinit and klist commands to resolve the KDC location using TDS:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit admin/admin
Password for admin/admin@ISL.IN.IBM.COM:
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: admin/admin@ISL.IN.IBM.COM
Valid starting Expires Service principal
08/17/07 07:08:32 08/18/07 07:08:32 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
You successfully acquired the initial ticket using the TDS server. Also verify that you can contact the IBM NAS administration server:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/sbin/kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@ISL.IN.IBM.COM:
kadmin: getprincs
K/M@ISL.IN.IBM.COM
admin/admin@ISL.IN.IBM.COM
admin/sales@ISL.IN.IBM.COM
john@ISL.IN.IBM.COM
kadmin/admin@ISL.IN.IBM.COM
kadmin/changepw@ISL.IN.IBM.COM
kadmin/history@ISL.IN.IBM.COM
kadmin/huntcup.in.ibm.com@ISL.IN.IBM.COM
krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
mack_correct@ISL.IN.IBM.COM
one-minute-sandy@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
tester@ISL.IN.IBM.COM
vipin@ISL.IN.IBM.COM
kadmin: q
So far, you have configured the IBM NAS client for NAS server discovery using TDS with a fallback mechanism. To check whether the fallback mechanism works, shut down the TDS server on the TDS server machine, as shown below:
[root@fsaix11 ldif ]# hostname
fsaix11.in.ibm.com
[root@fsaix11 ldif ]# ibmdirctl -D cn=root -w secret stop
Stop operation succeeded
Now, go to the IBM NAS client machine that you just configured with the fallback mechanism and try to get an initial ticket, as shown below:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit admin/admin
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
Password for admin/admin@ISL.IN.IBM.COM:
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: admin/admin@ISL.IN.IBM.COM
Valid starting Expires Service principal
08/17/07 07:12:01 08/18/07 07:11:54 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
Notice that kinit succeeds even when the TDS server is down; the LDAP_CONNECT_ERROR messages show the failed TDS lookups before the client falls back to the local kdc entry. You see the same behavior when connecting to the IBM NAS administration server:
bash-2.05b# /usr/krb5/sbin/kadmin -p admin/admin
Authenticating as principal admin/admin with password.
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
Password for admin/admin@ISL.IN.IBM.COM:
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
kadmin: getprincs
K/M@ISL.IN.IBM.COM
admin/admin@ISL.IN.IBM.COM
admin/sales@ISL.IN.IBM.COM
john@ISL.IN.IBM.COM
kadmin/admin@ISL.IN.IBM.COM
kadmin/changepw@ISL.IN.IBM.COM
kadmin/history@ISL.IN.IBM.COM
kadmin/huntcup.in.ibm.com@ISL.IN.IBM.COM
krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
mack_correct@ISL.IN.IBM.COM
one-minute-sandy@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
tester@ISL.IN.IBM.COM
vipin@ISL.IN.IBM.COM
kadmin: q
You have successfully configured the IBM NAS client to look up the NAS servers using TDS, with a fallback mechanism.
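The following Python example is added here and is not code from the article or from IBM NAS. It models how the client chooses its KDC and administration server under the three krb5.conf layouts shown in this article: the default layout, TDS lookup only, and TDS lookup with the local entries as fallback. It parses the krb5.conf layout (including the backslash-continued enctypes lines), classifies the configuration, and runs the lookup with an injectable stand-in for the TDS query, so that the TDS-down case from the previous section can be reproduced offline. The function names, the trimmed sample configurations, and the newhost.in.ibm.com hostname used to show a relocated server are constructed for this example; the real lookup lives inside the IBM NAS libraries.

```python
# Added example, not from the article: model of the three IBM NAS client
# configurations and of the LDAP-first / local-fallback server lookup.
# The real lookup is inside the NAS libraries; ldap_query is a stand-in.
import re


def parse_krb5_conf(text):
    """Parse the [section] / key = value / 'REALM = { ... }' layout of krb5.conf.
    A trailing backslash continues a line (the enctypes entries use this)."""
    text = re.sub(r"\\\n\s*", " ", text)
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
        elif section is None:
            raise ValueError("entry outside any [section]: %r" % line)
        elif line.endswith("{"):                     # 'ISL.IN.IBM.COM = {'
            block = section.setdefault(line[:-1].strip().rstrip("=").strip(), {})
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            (section if block is None else block)[key.strip()] = value.strip()
    return conf


def config_mode(conf):
    """Classify a parsed config as 'default', 'ldap' or 'ldap+fallback'."""
    lib = conf["libdefaults"]
    realm = conf["realms"][lib["default_realm"]]
    uses_ldap = lib.get("use_ldap_lookup") == "1"
    has_local = "kdc" in realm and "admin_server" in realm
    if uses_ldap and has_local:
        return "ldap+fallback"
    if uses_ldap:
        return "ldap"
    if has_local:
        return "default"
    raise ValueError("no server location: set use_ldap_lookup or kdc/admin_server")


def locate_servers(conf, ldap_query):
    """Return (kdc, admin_server) as 'host:port'. ldap_query(server, realm)
    stands in for the TDS lookup and raises ConnectionError when TDS is down.
    LDAP is consulted first; the local [realms] entries are used only as a
    fallback, and an LDAP-only client has nothing to fall back to."""
    lib = conf["libdefaults"]
    realm_name = lib["default_realm"]
    realm = conf["realms"][realm_name]
    if lib.get("use_ldap_lookup") == "1":
        try:
            return ldap_query(lib["ldap_server"], realm_name)
        except ConnectionError:
            if "kdc" not in realm or "admin_server" not in realm:
                raise
    return realm["kdc"], realm["admin_server"]


# Constructed sample configurations: trimmed copies of the three files shown above.
DEFAULT_CONF = r"""
[libdefaults]
default_realm = ISL.IN.IBM.COM
default_tkt_enctypes = \
    des3-cbc-sha1 arcfour-hmac aes256-cts
[realms]
ISL.IN.IBM.COM = {
kdc = huntcup.in.ibm.com:88
admin_server = huntcup.in.ibm.com:749
default_domain = in.ibm.com
}
"""
LDAP_LINES = "use_ldap_lookup = 1\nldap_server = fsaix11.in.ibm.com\n[realms]"
FALLBACK_CONF = DEFAULT_CONF.replace("[realms]", LDAP_LINES)
LDAP_CONF = FALLBACK_CONF.replace(
    "kdc = huntcup.in.ibm.com:88\nadmin_server = huntcup.in.ibm.com:749\n", "")


def tds_up(server, realm):
    """Stand-in for a reachable TDS holding the ksetup-registered entries."""
    return ("huntcup.in.ibm.com:88", "huntcup.in.ibm.com:749")


def tds_moved(server, realm):
    """Stand-in for TDS after the entries were re-pointed to a new (constructed) host."""
    return ("newhost.in.ibm.com:88", "newhost.in.ibm.com:749")


def tds_down(server, realm):
    """Stand-in for a stopped TDS: the bind fails with LDAP_CONNECT_ERROR."""
    raise ConnectionError("ldap_simple_bind_s: LDAP_CONNECT_ERROR")


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONF), ("ldap", LDAP_CONF),
                       ("fallback", FALLBACK_CONF)):
        conf = parse_krb5_conf(text)
        print(name, config_mode(conf), locate_servers(conf, tds_up))
```

Under the LDAP-only layout a stopped TDS leaves the client with no server at all, which is the limitation the article describes; with the fallback layout the local kdc and admin_server entries are reached only after the LDAP attempt fails, so the LDAP_CONNECT_ERROR lines in the kinit output above are expected noise rather than a failed logon. The tds_moved stand-in shows the migration case: with TDS up, the client follows the LDAP entry even though its local file still names huntcup, which is why only the LDAP record needs updating when the server moves.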
Conclusion
In this article, you have examined all the necessary steps required to set up the
IBM NAS KDC and administration discovery using TDS. You also reviewed all the
possible IBM NAS client configuration types to enable you to configure your
Kerberos environment more effectively in order to manage the changes in IBM NAS
server configuration.
Resources
- Participate in the developerWorks blogs and get involved in the developerWorks community.
- Participate in the AIX and UNIX forums.
About the authors
Vipin Rathor has been working with IBM for more than a year. He is currently engaged in IBM NAS L3 support and development activities. Network security, UNIX internals, and game development are his main areas of interest. He has a master's degree in computer applications from University of Pune, India. You can contact him at vrathor1@in.ibm.com.
Sandeep Ramesh Patil works as an Advisory Software Engineer for the IBM India Software Labs. He has worked for IBM for the past six years, focusing on distributed technology including DCE, SARPC, and security products, such as the IBM Network Authentication Service (IBM Kerberos). He is currently developing new features and implementing security-related RFCs for the IBM Network Authentication Service, along with its product support. Sandeep holds a Bachelor of Engineering degree in computer science from the University of Pune, India. You can contact him at rsandeep@in.ibm.com.