LDAP (Lightweight Directory Access Protocol) has become an industry standard for storing look-up data of all kinds. Most products have integrated with LDAP to store static data, metadata, or information that changes rarely but is referred to often. IBM® AIX Version 5.3 also uses LDAP to store information relating to user management, authentication, and so forth (see Resources). The AIX Version 5.3 login modules featuring Kerberos integrated login, other kerberized utilities such as FTP, OpenSSH, and rlogin, and the AIX NFS Version 4 filesystem, which use the IBM Network Authentication Service (IBM NAS) for kerberized authentication, can be configured to integrate with LDAP as well.
IBM NAS is featured with two LDAP-based facilities:
- Use of LDAP for IBM NAS server discovery by the IBM NAS clients
- Use of LDAP directory plug-in for storing IBM NAS authentication data
This article focuses on the use of LDAP for IBM NAS server discovery by IBM NAS clients. It takes you through the LDAP-based features of IBM NAS that allow the IBM NAS clients to discover the IBM NAS servers (namely the KDC and the administration server) through an LDAP lookup. It elaborates on the different methods of NAS client configuration. Finally, it illustrates IBM NAS configuration using LDAP lookup and lists its advantages over the default native method, which should encourage and help you to take advantage of it.
Different methods for configuration of the IBM NAS client
IBM NAS 1.4 provides three different kinds of configurations for clients, including:
- Default configuration of the IBM NAS client
- IBM NAS server discovery using IBM Tivoli® Directory Server Version 5.2 (TDS)
- IBM NAS server discovery using TDS, including the default configuration as a fallback mechanism
In the following sections, you will visit each configuration type in detail, but let's first go through the configuration command provided by IBM NAS.
In order to configure the IBM NAS client of any desired configuration type, use
the /usr/krb5/sbin/config.krb5 command that comes with
the IBM NAS client setup. AIX also ships with a similar command called
/usr/sbin/mkkrb5clnt (a wrapper around the basic
config.krb5 command), which you can also use for
configuration purposes. For more information on the
mkkrb5clnt command, please refer to the AIX 5.3
Commands Reference that shipped with AIX 5.3. You will use the
config.krb5 command for all your configuration
illustrations here.
The following example provides the usage syntax for the
config.krb5 command:
bash-2.05b# /usr/krb5/sbin/config.krb5
To configure a Server:
Usage: /usr/krb5/sbin/config.krb5 -h | -S [-a admin] -d domain -r realm [[-l
{ ldapserver | ldapserver:port }] [-u ldap_DN -p ldap_DN_pw] [-f {keyring |
keyring:entry_dn} -k keyring_pw] [-m masterkey_location] [-b bind_type]
[-R ldap_replica_list]]
To configure a slave KDC:
On a slave KDC machine:
Usage: /usr/krb5/sbin/config.krb5 -h | -E -d domain -r realm -s server { [-a admin] | -l
{ ldapserver | ldapserver:port } -u ldap_DN -p ldap_DN_PW [-f {keyring |
keyring:entry_dn} -k keyring_pw] [-b bind_type]
[-R ldap_replica_list] }
On a master server machine:
Usage: /usr/krb5/sbin/config.krb5 -h | -P -r realm -d domain -e slave_KDC -g
To configure a Client:
Usage: /usr/krb5/sbin/config.krb5 -h | [-C] -r realm -d domain { -c KDC -s server | -l
{ ldapserver | ldapserver:port_number } [-c KDC -s server] }
You can configure both the IBM NAS client as well as the IBM NAS server using the
same command. You will be concentrating on the client configuration part in this
article. For details on the config.krb5 command, please
refer to the IBM NAS 1.4 Administrator's and User's Guide on the AIX Version 5.3
Expansion Pack CD. The following sections illustrate each type of IBM NAS client
configuration in detail and list their advantages over each other.
The following definitions and configurations are used in this article:
- TDS Version 5.2: hostname fsaix11.in.ibm.com, port 389, OS AIX Version 5.3
- Kerberos realm name: ISL.IN.IBM.COM
- Kerberos administrator name: admin/admin
- IBM NAS 1.4 KDC: hostname huntcup.in.ibm.com, port 88, OS AIX Version 5.3, LDAP client TDS Version 5.2
- IBM NAS 1.4.0.6 administration server: hostname huntcup.in.ibm.com, port 749, OS AIX Version 5.3, LDAP client TDS Version 5.2
- IBM NAS 1.4.0.6 client: hostname land.in.ibm.com, OS AIX Version 5.3, LDAP client TDS Version 5.2
Note:
- The IBM NAS 1.4 server is only supported on AIX; the client is available on Solaris, Linux®, and Windows®. (The IBM NAS client install software for Linux and Solaris is shipped with IBM DB2® Universal Database. To find out more about IBM DB2 UDB Security, see the Resources section.)
- IBM NAS 1.4 currently supports IBM Tivoli Directory Server Version 5.1 and 5.2 and SunONE Directory Server Version 5.1 and 5.2 only. In this article, we use IBM Tivoli Directory Server 5.2 as the LDAP for our examples.
- For detailed information on TDS installation and configuration, please refer to the IBM Tivoli Directory Server Version 5.2 documentation.
Default configuration of IBM NAS client for server lookup
The most common and default configuration of IBM NAS client is to directly
configure NAS to the Kerberos KDC and administration server by explicitly stating
the hostname and IP address of the machine on which the servers are running. This
is done by specifying the server machine's host name in the
/etc/krb5/krb5.conf file either manually or using the
config.krb5 command. The /etc/krb5/krb5.conf file is
the configuration file where the entire IBM NAS client-side configuration resides.
This configuration file is consulted each time the IBM NAS client (or an
application running on it, such as AIX integrated login, kerberized ftp, and
so forth) makes any kind of request to the Kerberos servers.
In the following scenario, you configure an IBM NAS client (land.in.ibm.com) to
IBM NAS server (huntcup.in.ibm.com) by the default configuration method using the
config.krb5 command:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/sbin/config.krb5 -C -d in.ibm.com -r ISL.IN.IBM.COM -c huntcup.in.ibm.com -s huntcup.in.ibm.com
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
The command completed successfully.
On the successful execution, config.krb5 generates the
/etc/krb5/krb5.conf configuration file. Let's view the /etc/krb5/krb5.conf file on
land.in.ibm.com:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# cat /etc/krb5/krb5.conf
[libdefaults]
default_realm = ISL.IN.IBM.COM
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes =\
des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes =\
des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
[realms]
ISL.IN.IBM.COM = {
kdc = huntcup.in.ibm.com:88
admin_server = huntcup.in.ibm.com:749
default_domain = in.ibm.com
}
[domain_realm]
.in.ibm.com = ISL.IN.IBM.COM
huntcup.in.ibm.com = ISL.IN.IBM.COM
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log
Notice the entries under the [realms] stanza. The [realms] stanza of the /etc/krb5/krb5.conf file contains the information that the NAS client uses when looking for the IBM NAS servers. In this case, you can see that the KDC server (the "kdc" entry in the [realms] stanza) and the administration server (the "admin_server" entry in the [realms] stanza) explicitly point to the hostname and port number on which the servers are running. This is the default native configuration.
Now let's see whether the configured client is able to contact the KDC server by running the IBM NAS commands that acquire Kerberos credentials:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit admin/admin
Password for admin/admin@ISL.IN.IBM.COM:
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: admin/admin@ISL.IN.IBM.COM
Valid starting Expires Service principal
08/01/07 22:28:27 08/02/07 22:28:27 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
Renew until 08/03/07 03:52:47
Since you were able to acquire the Kerberos ticket, it confirms that the client was able to successfully contact the KDC server.
Also, let's check whether the configured client is able to contact the NAS
administration server by running the IBM NAS kadmin
utility and listing all the principals:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/sbin/kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@ISL.IN.IBM.COM:
kadmin: getprincs
K/M@ISL.IN.IBM.COM
admin/admin@ISL.IN.IBM.COM
admin/sales@ISL.IN.IBM.COM
john@ISL.IN.IBM.COM
kadmin/admin@ISL.IN.IBM.COM
kadmin/changepw@ISL.IN.IBM.COM
kadmin/history@ISL.IN.IBM.COM
kadmin/huntcup.in.ibm.com@ISL.IN.IBM.COM
krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
mack_correct@ISL.IN.IBM.COM
one-minute-sandy@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
tester@ISL.IN.IBM.COM
vipin@ISL.IN.IBM.COM
kadmin: q
Hence, you have successfully set up the IBM NAS client with the default configuration where the IBM NAS server entries are hard-coded in the client configuration file (/etc/krb5/krb5.conf).
So if things work well with the default configuration of the IBM NAS client, why is there a need for having IBM NAS client configuration with LDAP lookup for server discovery?
Need for KDC and administration servers discovery using TDS
Consider a production environment scenario where there are thousands of IBM NAS client machines configured to the IBM NAS server machine using the default configuration previously described. In such a case, if you plan to move or migrate the NAS server to another high-end machine or plan to rename the hostname of the NAS server machine, then you would have to manually change the configuration settings (in the /etc/krb5/krb5.conf file) on all the configured IBM NAS client machines.
In such scenarios, using the IBM NAS server discovery by TDS feature, you only need to make minimal changes, such as updating the new IBM NAS server's hostname in the LDAP database. Unlike the default method of IBM NAS client configuration, this technique requires no client-side configuration changes. All the IBM NAS clients continue to work seamlessly, as if nothing has changed.
In the following sections, you will go through the configuration steps required for such a setup and the details on how the clients can achieve this seamless configuration.
Configuration of IBM NAS feature of server discovery using TDS
In this method of configuration, the location information of the IBM NAS servers is centrally stored in the LDAP database. All the IBM NAS clients are configured to look up the centralized LDAP database to locate the IBM NAS servers. Hence, when the hostname of the IBM NAS server changes, you only need to update the LDAP entries, and the IBM NAS clients continue to work seamlessly. This method of configuration consists of two steps:
- Server-side configuration steps for enrolling IBM NAS KDC and Administration server information in TDS
- Client-side configuration for enabling IBM NAS server discovery using TDS
- The first configuration step is to add the IBM NAS schema definitions to the
LDAP directory. These schema definitions are used by TDS for IBM NAS KDC and
administration server lookup. The schema definition files are shipped in LDAP
Data Interchange format (LDIF) format with IBM NAS 1.4 and installed under the
/usr/krb5/ldif directory. The /usr/krb5/ldif/IBM.service.schema.ldif file
contains the schema required by IBM NAS 1.4 to work with IBM Tivoli Directory
Server Version 5.2.
To add the schema definitions, use the ldapmodify TDS command, as shown below:
# hostname
huntcup.in.ibm.com
# ldapmodify -h fsaix11.in.ibm.com -D cn=root -w secret -f /usr/krb5/ldif/IBM.service.schema.ldif -v -c
ldap_init(fsaix11.in.ibm.com, 389)
add attributetypes:
BINARY (93 bytes) ( 1.3.18.0.2.4.818 NAME 'ibmCom1986-Krb-kerberosRealm' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
add ibmattributetypes:
BINARY (63 bytes) ( 1.3.18.0.2.4.818 DBNAME( 'kerberosRealm' 'kerberosRealm' ) )
modifying entry cn=schema
ldap_modify: Type or value exists
ldap_modify: additional info: attribute type '1.3.18.0.2.4.818' already exists, add operation failed.
replace attributetypes:
BINARY (202 bytes) ( 1.3.18.0.2.4.818 NAME ('ibmCom1986-Krb-kerberosRealm' 'KerberosRealm' ) DESC 'Kerberos realm name' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE USAGE userApplications )
replace ibmattributetypes:
BINARY (94 bytes) ( 1.3.18.0.2.4.818 DBNAME( 'kerberosRealm' 'kerberosRealm' ) ACCESS-CLASS normal LENGTH 256 )
modifying entry cn=schema
add objectclasses:
BINARY (69 bytes) ( 1.3.18.0.2.6.173 NAME 'ibmCom1986-Krb-kerberosService' STRUCTURAL )
modifying entry cn=schema
ldap_modify: Type or value exists
ldap_modify: additional info: object class '1.3.18.0.2.6.173' already exists, add operation failed.
replace objectclasses:
BINARY (258 bytes) ( 1.3.18.0.2.6.173 NAME ( 'ibmCom1986-Krb-kerberosService' 'KerberosService' ) DESC 'A kerberosService object is created for each host system within the realm.' SUP eService STRUCTURAL MUST ( ibmCom1986-Krb-kerberosRealm ) MAY ( ipServicePort $ seeAlso ) )
modifying entry cn=schema
While adding the schema definitions from the LDIF file, you might receive errors saying that the attributes and OIDs already exist. These errors can be safely ignored. You are not required to make any changes to the /usr/krb5/ldif/IBM.service.schema.ldif LDIF file.
For detailed information on the ldapmodify command and its usage, please refer to the IBM Tivoli Directory Server V5.2 documentation.
- Once the required schema is loaded, you need to add a suffix for your root
domain name in the LDAP directory. In the example, you have ISL.IN.IBM.COM as
your Kerberos realm; therefore, you need to add the suffix "COM" as a domain
component. For this, log in to the TDS machine (in the example, it's
fsaix11.in.ibm.com), stop the TDS server, add the suffix, and restart the TDS
server, as shown below:
[root@fsaix11 ldif ]# hostname
fsaix11.in.ibm.com
[root@fsaix11 ldif ]# ibmdirctl -D cn=root -w secret stop
Stop operation succeeded
[root@fsaix11 ldif ]# ldapcfg -s dc=COM -n
You have chosen the following actions:
Suffix 'dc=COM' will be added to the configuration file.
Adding suffix: 'dc=COM'.
Added suffix: 'dc=COM'.
IBM Tivoli Directory Server Configuration complete.
[root@fsaix11 ldif ]# ibmdirctl -D cn=root -w secret start
Start operation succeeded
- Next, add the Kerberos realm information to the LDAP directory. Each
component of the Kerberos realm corresponds to a domain component entry in the
LDAP directory. So let's define the domain components for your
"ISL.IN.IBM.COM" Kerberos realm. For this, modify the
/usr/krb5/ldif/service_add.ldif file, which is shipped with the IBM NAS fileset
on the IBM NAS server machine (huntcup.in.ibm.com in our case) and make the
following changes:
dn: dc=COM
dc: COM
objectClass: top
objectClass: domain
description: Domain realm COM

dn: dc=IBM, dc=COM
dc: IBM
objectClass: domain
description: Domain realm IBM.COM

dn: dc=IN, dc=IBM, dc=COM
dc: IN
objectClass: domain
description: Domain realm IN.IBM.COM

dn: dc=ISL, dc=IN, dc=IBM, dc=COM
dc: ISL
objectClass: domain
description: Domain realm ISL.IN.IBM.COM
To add the above LDIF file information to the LDAP directory, use the ldapmodify command from the IBM NAS server machine, as shown below:
# hostname
huntcup.in.ibm.com
# ldapmodify -h fsaix11.in.ibm.com -D cn=root -w secret -f /usr/krb5/ldif/service_add.ldif -v -c -a
ldap_init(fsaix11.in.ibm.com, 389)
add dc:
BINARY (3 bytes) COM
add objectClass:
BINARY (3 bytes) top
BINARY (6 bytes) domain
add description:
BINARY (16 bytes) Domain realm COM
adding new entry dc=COM
add dc:
BINARY (3 bytes) IBM
add objectClass:
BINARY (6 bytes) domain
add description:
BINARY (20 bytes) Domain realm IBM.COM
adding new entry dc=IBM, dc=COM
add dc:
BINARY (2 bytes) IN
add objectClass:
BINARY (6 bytes) domain
add description:
BINARY (23 bytes) Domain realm IN.IBM.COM
adding new entry dc=IN, dc=IBM, dc=COM
add dc:
BINARY (3 bytes) ISL
add objectClass:
BINARY (6 bytes) domain
add description:
BINARY (27 bytes) Domain realm ISL.IN.IBM.COM
adding new entry dc=ISL, dc=IN, dc=IBM, dc=COM
- Add the IBM NAS KDC and administration server entries in the LDAP directory for your Kerberos realm. To accomplish this, use the IBM NAS /usr/krb5/sbin/ksetup command. The ksetup command manages the NAS entries in the LDAP directory for a NAS realm. It has various subcommands to add, remove, and list the entries. For complete information on ksetup, please refer to the IBM NAS 1.4 Administrator's and User's Guide shipped with the AIX Version 5.3 Expansion Pack CD.
Using the ksetup command, you add huntcup.in.ibm.com as the KDC and administration server for your ISL.IN.IBM.COM realm. Then, you verify the addition by listing the servers, as follows:
# hostname
huntcup.in.ibm.com
# /usr/krb5/sbin/ksetup -h fsaix11.in.ibm.com -n cn=root -p secret
ksetup> addadmin huntcup.in.ibm.com ISL.IN.IBM.COM
ksetup> addkdc huntcup.in.ibm.com ISL.IN.IBM.COM
ksetup> listkdc
huntcup.in.ibm.com:88
ksetup> listadmin
huntcup.in.ibm.com:749
ksetup> exit
Please note that ksetup has assigned the default port numbers for the KDC and administration server. If you want to override the default port number, specify the port numbers with the addadmin and addkdc subcommands. For example, try addadmin huntcup.in.ibm.com:99 ISL.IN.IBM.COM. This completes the server-side configuration steps for IBM NAS server lookup. Now you are all set to configure an IBM NAS client that discovers the location of the NAS servers using IBM Directory Server.
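The domain component step above hand-edits service_add.ldif for one realm. The following script, an added example that is not part of IBM NAS or of this article, generalizes that step: it derives the suffix that ldapcfg must hold and renders the same domain component entries for any realm name you give it (the function names are the author's own).

```python
"""Generate the domain-component LDIF entries for a Kerberos realm, in the
same shape as the service_add.ldif entries shown in the article.
Added example; not code from IBM NAS or from the article."""


def realm_to_dcs(realm):
    """Split a realm into its components, root first:
    'ISL.IN.IBM.COM' -> ['COM', 'IBM', 'IN', 'ISL']."""
    parts = [p for p in realm.strip().split(".") if p]
    if not parts:
        raise ValueError("realm must contain at least one component")
    return list(reversed(parts))


def suffix_for_realm(realm):
    """The suffix that must exist (ldapcfg -s <suffix> -n) before the
    entries can be added: dc=COM for ISL.IN.IBM.COM."""
    return "dc=%s" % realm_to_dcs(realm)[0]


def domain_component_entries(realm):
    """One entry per realm component, each as a list of LDIF attribute
    lines. Only the root entry carries objectClass: top, matching the
    layout of service_add.ldif in the article."""
    dcs = realm_to_dcs(realm)
    entries = []
    for depth in range(len(dcs)):
        chain = dcs[: depth + 1]                  # e.g. ['COM', 'IBM']
        dn = ", ".join("dc=%s" % dc for dc in reversed(chain))
        name = ".".join(reversed(chain))           # e.g. 'IBM.COM'
        lines = ["dn: %s" % dn, "dc: %s" % chain[-1]]
        if depth == 0:
            lines.append("objectClass: top")
        lines.append("objectClass: domain")
        lines.append("description: Domain realm %s" % name)
        entries.append(lines)
    return entries


def domain_component_ldif(realm):
    """Render the entries as an LDIF body, entries separated by a blank
    line, ready for ldapmodify -a -f."""
    blocks = ["\n".join(lines) for lines in domain_component_entries(realm)]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Constructed usage with the realm from the article.
    print("suffix to add first:", suffix_for_realm("ISL.IN.IBM.COM"))
    print(domain_component_ldif("ISL.IN.IBM.COM"))
```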
Client-side configuration for enabling IBM NAS server discovery using TDS
First and foremost, you need to make sure that you have installed the TDS client
on each IBM NAS client machine. To configure the IBM NAS client with the IBM NAS
server discovery using the LDAP method, use the
/usr/krb5/sbin/config.krb5 command, but this time with
different arguments, as shown below:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# config.krb5 -C -r ISL.IN.IBM.COM -d in.ibm.com -l fsaix11.in.ibm.com
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
The command completed successfully.
For reconfiguring the IBM NAS client with a different configuration method, you
need to first unconfigure the existing client configuration by running the
/usr/krb5/sbin/unconfig.krb5 command on the client
machine.
Please notice that this time you have used the -l <ldap_server> option to tell
the IBM NAS client to use the specified TDS server for KDC and administration
server lookup. Let's see what the IBM NAS client configuration file looks
like:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# cat /etc/krb5/krb5.conf
[libdefaults]
default_realm = ISL.IN.IBM.COM
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = \
des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = \
des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
use_ldap_lookup = 1
ldap_server = fsaix11.in.ibm.com
[realms]
ISL.IN.IBM.COM = {
default_domain = in.ibm.com
}
[domain_realm]
.in.ibm.com = ISL.IN.IBM.COM
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log
Notice the use_ldap_lookup = 1 configuration file entry. It indicates that the IBM NAS client uses the TDS server to look up the NAS servers, and the ldap_server = fsaix11.in.ibm.com entry tells it which TDS server to contact. Note: There is no "kdc" or "admin_server" entry under the [realms] stanza for this type of configuration, unlike in the default case.
Verify your setup by running the kinit command
followed by the klist command:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit admin/admin
Password for admin/admin@ISL.IN.IBM.COM:
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: admin/admin@ISL.IN.IBM.COM
Valid starting Expires Service principal
08/17/07 07:04:53 08/18/07 07:04:53 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
Renew until 08/18/07 07:05:02
As you can see, you successfully contacted your KDC using TDS and obtained the initial ticket. Now verify that the client setup can also contact the administration server using TDS:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/sbin/kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@ISL.IN.IBM.COM:
kadmin: getprincs
K/M@ISL.IN.IBM.COM
admin/admin@ISL.IN.IBM.COM
admin/sales@ISL.IN.IBM.COM
john@ISL.IN.IBM.COM
kadmin/admin@ISL.IN.IBM.COM
kadmin/changepw@ISL.IN.IBM.COM
kadmin/history@ISL.IN.IBM.COM
kadmin/huntcup.in.ibm.com@ISL.IN.IBM.COM
krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
mack_correct@ISL.IN.IBM.COM
one-minute-sandy@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
tester@ISL.IN.IBM.COM
vipin@ISL.IN.IBM.COM
kadmin: q
You successfully contacted both the NAS servers using TDS seamlessly.
The utilities that use the LDAP-based discovery of the administration server and KDC include:
- kadmin: obtains the name and port of the kadmin server from the LDAP server.
- kinit: obtains the name and port of the KDC from the LDAP server.
- kpasswd: obtains the name and port of the password change service from the LDAP server.
- ksetup: puts the administration server and KDC server information into the LDAP directory.
One of the limitations with the above configuration is that when the TDS server goes down, the IBM NAS clients are unable to discover and contact any of the IBM NAS servers. To overcome this problem, IBM NAS provides another kind of client configuration where the IBM NAS client primarily uses TDS for NAS server discovery. If IBM NAS cannot resolve the TDS server connection, then it falls back to use the local configuration file for the NAS lookup. Let's have a look at how this configuration type works.
Configuration of IBM NAS client for server discovery using TDS with the fallback mechanism
As explained in the previous IBM NAS client configuration, please make sure you have TDS client and IBM NAS filesets installed on the client machine.
Now let's configure the IBM NAS client for server discovery using TDS with the fallback mechanism:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/sbin/config.krb5 -C -r ISL.IN.IBM.COM -d in.ibm.com -l fsaix11.in.ibm.com -c huntcup.in.ibm.com -s huntcup.in.ibm.com
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
The command completed successfully.
Please notice that this time you have specified the -l, -c, and -s options
together in the config.krb5 command while configuring the IBM NAS client.
Let's see what the local IBM NAS client configuration file looks like this time:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# cat /etc/krb5/krb5.conf
[libdefaults]
default_realm = ISL.IN.IBM.COM
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = \
des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = \
des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
use_ldap_lookup = 1
ldap_server = fsaix11.in.ibm.com
[realms]
ISL.IN.IBM.COM = {
kdc = huntcup.in.ibm.com:88
admin_server = huntcup.in.ibm.com:749
default_domain = in.ibm.com
}
[domain_realm]
.in.ibm.com = ISL.IN.IBM.COM
huntcup.in.ibm.com = ISL.IN.IBM.COM
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log
In this configuration method, you have your LDAP server information plus the
"kdc" and "admin_server" entries in the configuration file. Use the
kinit and klist commands to
resolve the KDC location using TDS:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit admin/admin
Password for admin/admin@ISL.IN.IBM.COM:
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: admin/admin@ISL.IN.IBM.COM
Valid starting Expires Service principal
08/17/07 07:08:32 08/18/07 07:08:32 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
You can successfully acquire the initial ticket using the TDS server. Also, verify if you can contact the IBM NAS administration server:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/sbin/kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@ISL.IN.IBM.COM:
kadmin: getprincs
K/M@ISL.IN.IBM.COM
admin/admin@ISL.IN.IBM.COM
admin/sales@ISL.IN.IBM.COM
john@ISL.IN.IBM.COM
kadmin/admin@ISL.IN.IBM.COM
kadmin/changepw@ISL.IN.IBM.COM
kadmin/history@ISL.IN.IBM.COM
kadmin/huntcup.in.ibm.com@ISL.IN.IBM.COM
krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
mack_correct@ISL.IN.IBM.COM
one-minute-sandy@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
tester@ISL.IN.IBM.COM
vipin@ISL.IN.IBM.COM
kadmin: q
So far, you have configured the IBM NAS client for NAS server discovery using TDS with a fallback mechanism. To check whether the fallback mechanism works, shut down the TDS server on the TDS server machine, as shown below:
[root@fsaix11 ldif ]# hostname
fsaix11.in.ibm.com
[root@fsaix11 ldif ]# ibmdirctl -D cn=root -w secret stop
Stop operation succeeded
Now, go to your IBM NAS client machine that you just configured using the fallback mechanism and try to get an initial ticket, as shown below:
bash-2.05b# hostname
land.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit admin/admin
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
Password for admin/admin@ISL.IN.IBM.COM:
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: admin/admin@ISL.IN.IBM.COM
Valid starting Expires Service principal
08/17/07 07:12:01 08/18/07 07:11:54 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
Notice that you are able to do kinit, even when the
TDS server is down. You can also see the same behavior at the time of connecting
to the IBM NAS administration server:
bash-2.05b# /usr/krb5/sbin/kadmin -p admin/admin
Authenticating as principal admin/admin with password.
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
Password for admin/admin@ISL.IN.IBM.COM:
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
connect: A remote host refused an attempted connect operation.
The ldap_simple_bind_s system function detects an error. LDAP_CONNECT_ERROR.
kadmin: getprincs
K/M@ISL.IN.IBM.COM
admin/admin@ISL.IN.IBM.COM
admin/sales@ISL.IN.IBM.COM
john@ISL.IN.IBM.COM
kadmin/admin@ISL.IN.IBM.COM
kadmin/changepw@ISL.IN.IBM.COM
kadmin/history@ISL.IN.IBM.COM
kadmin/huntcup.in.ibm.com@ISL.IN.IBM.COM
krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
mack_correct@ISL.IN.IBM.COM
one-minute-sandy@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
tester@ISL.IN.IBM.COM
vipin@ISL.IN.IBM.COM
kadmin: q
You have successfully configured the IBM NAS client to look up the NAS servers using TDS, along with a fallback mechanism.
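The three krb5.conf files shown in this article differ only in a few entries, and the difference decides whether a client survives a TDS outage. The following script, an added example that is not part of IBM NAS or of this article, parses a krb5.conf and reports which of the three discovery modes it is in, flagging the LDAP-only case that has no fallback; the two embedded sample files are constructed to mirror the article's configurations, and the function names are the author's own.

```python
"""Classify an IBM NAS client's /etc/krb5/krb5.conf by how it locates the
KDC and administration server: hard-coded entries (default), TDS lookup
only, or TDS lookup with the local entries as fallback.
Added example; not code from IBM NAS or from the article."""

import re

# Constructed samples mirroring the article's LDAP-only and fallback files.
LDAP_ONLY_CONF = """\
[libdefaults]
default_realm = ISL.IN.IBM.COM
default_tkt_enctypes = \\
    des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
use_ldap_lookup = 1
ldap_server = fsaix11.in.ibm.com
[realms]
ISL.IN.IBM.COM = {
default_domain = in.ibm.com
}
"""

FALLBACK_CONF = """\
[libdefaults]
default_realm = ISL.IN.IBM.COM
use_ldap_lookup = 1
ldap_server = fsaix11.in.ibm.com
[realms]
ISL.IN.IBM.COM = {
kdc = huntcup.in.ibm.com:88
admin_server = huntcup.in.ibm.com:749
default_domain = in.ibm.com
}
[domain_realm]
.in.ibm.com = ISL.IN.IBM.COM
"""


def parse_krb5_conf(text):
    """Minimal parser for the stanzas config.krb5 writes: backslash
    continuations are joined, and [realms] holds one dict per realm."""
    text = re.sub(r"\\\n\s*", " ", text)
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                   # new stanza
            section, realm = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section == "realms":
            m = re.match(r"(\S+)\s*=\s*\{$", line)
            if m:                               # REALM = {
                realm = m.group(1)
                conf["realms"][realm] = {}
                continue
            if line == "}":
                realm = None
                continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        target = conf["realms"][realm] if (section == "realms" and realm) else conf[section]
        target[key.strip()] = value.strip()
    return conf


def classify_lookup(conf):
    """Return the discovery mode for default_realm plus any findings."""
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    stanza = conf.get("realms", {}).get(realm, {})
    uses_ldap = lib.get("use_ldap_lookup") == "1" and bool(lib.get("ldap_server"))
    has_local = "kdc" in stanza and "admin_server" in stanza
    if uses_ldap and has_local:
        mode = "ldap-with-fallback"
    elif uses_ldap:
        mode = "ldap-only"
    elif has_local:
        mode = "default"
    else:
        mode = "incomplete"
    findings = []
    if mode == "ldap-only":
        findings.append("no kdc/admin_server fallback: if %s is unreachable this "
                        "client cannot locate any NAS server" % lib["ldap_server"])
    if mode == "incomplete":
        findings.append("realm %r has neither LDAP lookup nor kdc/admin_server set" % realm)
    return {"realm": realm, "mode": mode, "ldap_server": lib.get("ldap_server"),
            "kdc": stanza.get("kdc"), "admin_server": stanza.get("admin_server"),
            "findings": findings}


if __name__ == "__main__":
    for name, text in (("ldap-only", LDAP_ONLY_CONF), ("fallback", FALLBACK_CONF)):
        print(name, classify_lookup(parse_krb5_conf(text)))
```

Point it at a real file with open("/etc/krb5/krb5.conf").read() in place of the samples to audit a fleet of clients before a TDS maintenance window.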
In this article, you have examined all the necessary steps required to set up the IBM NAS KDC and administration discovery using TDS. You also reviewed all the possible IBM NAS client configuration types to enable you to configure your Kerberos environment more effectively in order to manage the changes in IBM NAS server configuration.
Learn
- "AIX 5L LDAP user management" (developerWorks, April 2006): Read this developerWorks article to learn about LDAP user management on AIX.
- Configuring AIX 5L for Kerberos-based authentication using IBM Network Authentication Service: Read this white paper to learn about using Kerberos as an alternative authentication mechanism for AIX.
- "DB2 UDB Security, Part 3: Security Plug-ins using the GSS-API security mechanisms (SPKM / LIPKEY)" (developerWorks, December 2005): Check out this developerWorks article by Sandeep Patil on how you can customize the IBM DB2 Universal Database (UDB) security plug-ins to achieve authentication based on public key technology.
- "A Kerberos Primer" (developerWorks, Nov 2001): This article introduces Kerberos technology and Distributed Computing Environment-based applications.
Get products and technologies
- IBM GUI-based administration tool for Network Authentication Service: a GUI for performing the IBM NAS-related administration tasks, available from IBM alphaWorks.
- AIX 5L Expansion Pack and Web Download Pack.

Vipin Rathor has been with IBM India System and Technology Lab for three years. He works for IBM Network Authentication Service Development and Support activities. His areas of interest include network security, particularly Kerberos and other authentication protocols.

Sandeep Ramesh Patil works as an Advisory Software Engineer for the IBM India Software Labs. He has worked for IBM for the past six years, focusing on distributed technology including DCE, SARPC, and security products, such as the IBM Network Authentication Service (IBM Kerberos). He is currently developing new features and implementing security-related RFC for the IBM Network Authentication Service, along with its product support. Sandeep holds a Bachelor of Engineering degree in computer science from the University of Pune, India. You can contact him at rsandeep@in.ibm.com.