Kerberos against Network Authentication Service: troubleshooting information

Edit online

This provides troubleshooting information about Kerberos clients which are using a Kerberos server on the AIX operating system.

The LDAP module writes error and debug information to the syslog subsystem.

The IBM® Network Authentication Service uses its own log files to log requests made to the KDC and kadmind daemons. The log files are specified in the [logging] stanza of the krb5.conf file. The default locations of these files are the /var/krb5/log/krb5kdc.log file and the /var/krb5/log/kadmin.log file.

If a problem is related to the IBM Tivoli® Directory Server, check the log files generated by IBM Tivoli Directory Server. By default, the log files are located in the /var/ldap/ibmslapd.log file and the /var/ldap/db2cli.log file.

  • How do I create AIX Kerberos authenticated users?

    The root user must obtain Kerberos credentials that grant the required privilege to perform administrative tasks. Administrative tasks are performed on the following KDC server: kdcsrv.austin.ibm.com.

    Create an AIX user account (foo) and Kerberos principal (foo@MYREALM) on the Kerberos database by entering the following commands:
    kinit root/kdcsrv.austin.ibm.com
mkuser –R KRB5files SYSTEM=KRB5files registry=KRB5files foo

    These commands also authenticate the user to the KRB5files files.

    If you configured LDAP by using the mksecldap command, you can create AIX Kerberos authenticated users by entering the following command:
    mkuser –R KRB5LDAP SYSTEM=KRB5LDAP registry=KRB5LDAP foo
  • How do I remove a Kerberos authenticated user?
    To remove a Kerberos authenticated user, enter the following command :
    rmuser –R KRB5files foo
    If you configured LDAP by using the mksecldap command, you can remove a Kerberos authenticated user by entering the following command:
    rmuser –R KRB5LDAP foo
  • How do I change the password of a Kerberos authenticated user?
    To change the password of a Kerberos authenticated user, enter the following command: 
    passwd –R KRB5files foo
  • What are AIX Kerberos extended attributes?

    Kerberos principal information is manipulated by using AIX extended attributes through the AIX lsuser and chuser commands. Only attributes that have the GET access mode can be displayed. Attributes that have the SET access mode can be assigned values by a privileged user (root on the AIX operating system). An AIX Kerberos authenticated user can display his own Kerberos extended attributes and other allowed AIX attributes such as id, pgrp, groups, gecos, home, and shell.

    Table 1 lists the AIX Kerberos extended attributes and their access modes.
    Table 1. AIX Kerberos extended attributes and access modes
    Extended attribute name Description Access mode
    krb5_principal_name The principal name associated with the AIX user name. GET
    krb5_principal The same as the krb5_principal_name attribute. GET
    krb5_realm The Kerberos realm name that the principal belongs to. GET
    krb5_last_pwd_change The time when the password for the principal was last changed. GET
    krb5_attributes The set of attributes used by the KDC. GET/SET
    krb5_mod_name The name of the principal who most recently modified the principal. GET
    krb5_mod_date The time that the principal was last modified. GET
    krb5_kvno The version of the principal’s current key (password). GET/SET
    krb5_mkvno The database master key version number. This is provided for compatibility with other implementations. This field is 0. GET
    krb5_max_renewable_life The maximum renewable lifetime of any ticket issued for the principal. GET/SET
    krb5_names A list of name:hostname pairs. This field is for future use. Do not modify this attribute. GET/SET
    The krb5_attributes extended attribute, represents the set of Kerberos principal attributes available for use by the KDC. A privileged user can use the chuser command to modify these Kerberos attributes.
    chuser –R KRB5files krb5_attributes=+requires_preauth krb5user

    To set a flag, add a plus (+) in front of the flag. To reset a flag, add a minus (-) in front of the flag. For example:

    +attribute_name sets the flag

    -attribute_name resets the flag

    Note: When a user is created, all of the attributes except for the following are set: requires_hwauth, needchange, password_changing_service, and support_desmd5
    The following list contains the attributes for the krb5_attributes extended attribute:
    allow_postdated
    If set, postdated tickets can be issued for the principal.
    allow_forwardable
    If set, forwardable tickets can be issued for the principal.
    allow_tgs_req
    If set, service tickets for the principal are issued using a ticket-granting ticket.
    allow_renewable
    If set, renewable tickets can be issued for the principal.
    allow_proxiable
    If set, proxiable tickets can be issued for the principal.
    allow_dup_skey
    If set, user-to-user authentication is enabled for the principal.
    allow_tix
    If set, tickets are issued for the principal.
    requires_preauth
    If set, software preauthentication is required before a ticket is issued.
    requires_hwauth
    If set, hardware preauthentication by the software is required before a ticket is issued for the principal.
    needchange
    If set, the key (password) for the principal must be changed before tickets are issued.
    Note: If the needchange flag is set, the user is prompted to change the password during the next login attempt. In this case, the user is authenticated (using Kerberos) but does not have a ticket-granting ticket. To get a ticket-granting ticket, the user must invoke the kinit command. The needchange flag applies only to Kerberos that is using the Network Authentication Services module.
    allow_svr
    If set, service tickets can be issued for the principal.
    password_changing_service
    If set, the principal is the special principal for the password changing service
    support_desmd5
    If set, the KDC might issue tickets that use the RSA MD5 checksum algorithm.
    Note: Setting this attribute might cause interoperability problems.
  • How do I list the AIX Kerberos extended attributes?
    To list the AIX® Kerberos extended attributes, runr the following command: 
    lsuser –R KRB5files foo
    You can also list specific extended attributes by using the –a option. For example:
    lsuser -R KRB5files -f -a krb5_principal krb5_principal_name krb5_realm
  • How do I modify the AIX Kerberos extended attributes?

    Only a privileged user can modify the following extended attributes with a SET access mode: krb5_kvno, krb5_max_renewable_life, krb5_attributes and krb5_names.

    • To change the maximum renewable lifetime to five days for any ticket issued to foo, enter the following command:
      chuser -R KRB5files krb5_max_renewable_life=432000 foo
    • To change the key (password) version number of the principal associated with foo, enter the following command:
      chuser -R KRB5files krb5_kvno=4 foo
    • To set all of the Kerberos principal attributes listed in Table 1, enter the following commands:
      chuser -R KRB5files krb5_attributes=+allow_postdated,+allow_forwardable,\
+allow_tgs_req,+allow_renewble,+allow_proxiable,+allow_dup_skey,+allow_tix,\
+requires_preauth,+requires_hwath,+needchange,+allow_svr,\
+password_changing_service,+support_desmd5 foo
      lsuser -R KRB5files -a krb5_attributes foo
    • To reset all of the Kerberos principal attributes listed in Table 1, enter the following commands:
      chuser -R KRB5files krb5_attributes=-allow_postdated,-allow_forwardable,\
-allow_tgs_req,-allow_renewable,-allow_proxiable,-allow_dup_skey,\
-allow_tix,-requires_preauth,-requires_hwauth,-needchange,-allow_svr,\
-password_changing_service,-support_desmd5 foo
      lsuser -R KRB5files -a krb5_attributes foo
    • To change the krb5_names and add an AIX user name/host name pair, enter the following commands:
      lsuser -R KRB5files -a krb5_names foo
      chuser -R KRB5files krb5_names=bar:greenjeans.austin.ibm.com foo
      lsuser -R KRB5files -a krb5_names foo
  • How do I list all of the users that are defined in KRB5files?
    To list all of the Kerberos authenticated users, enter the following command:
    lsuser -R KRB5files -a registry ALL
  • How do I convert an AIX user to a Kerberos authenticated user?

    Use the mkseckrb5 command to convert an AIX user to a Kerberos authenticated user. The mkseckrb5 command converts non-administrative users (users with user IDs that are greater than 201) to Kerberos authenticated users. When you invoke the mkseckrb5 command, you are prompted for the Network Authentication Service administrative-principal name and password. If you do not use the randomize option, you are also prompted for the password of each user that you are converting.

    Note: The mkseckrb5 command converts only local users. The users in remote domains, such as LDAP, cannot be converted using this command.
    The following example does not use the randomize option during the conversion of an AIX user to a Kerberos authenticated user.
    1. Enter the following command:
      mkseckrb5 foo
    2. Before you log in a user with Kerberos, set the user’s SYSTEM and registry attributes as follows:
      chuser -R KRB5files SYSTEM=KRB5files registry=KRB5files foo
    The following example uses the randomize option during the conversion of an AIX user to a Kerberos authenticated user.
    1. Enter the following command:
      mkseckrb5 -r user1
    2. After the conversion completes, set the user’s SYSTEM, registry attributes, and password as follows:
      chuser -R KRB5files SYSTEM=KRB5files registry=KRB5files user1
      passwd -R KRB5files user1
  • How do I change the password for a Kerberos principal?
    A root user can set the password of a Kerberos principal by entering the following passwd command:
    passwd -R KRB5files foo
    The following messages display after you enter the passwd command:
    Changing password for "foo"
foo's Old password:
foo's New password:
Enter the new password again:
    When you enter the passwd command as a root user, the old password is ignored. You can disable the prompt for the old password, by using the rootpwdrequired option in the methods.cfg file. To disable the prompt for the old password, edit the /usr/lib/security/methods.cfg file as follows:
    KRB5files:
   options = db=BUILTIN,auth=KRB5,rootrequiresopw=false
  • How do I get a ticket-granting ticket after a successful login when the needchange attribute is set?

    To get a ticket-granting ticket after a successful login when the needchange flag is set, invoke the kinit command. For more information about this subject, see the needhange attribute.

  • Why is my password not accepted by the AIX operating system?
    If your password is not accepted, do the following:
    • Verify that the KDC and kadmind servers are running.
    • Verify that the password meets the requirements of both the AIX operating system and the Network Authentication Service.
  • How do I change the password rules?

    You can change the password rules on the AIX operating system by modifying the password-policy attributes. You can use the Network Authentication Server kadmin tool to change the password policy on the Kerberos database.

  • Can a Kerberos-authenticated user become authenticated by using only Standard AIX authentication?
    A Kerberos-authenticated user (foo) can become authenticated by using AIX crypt() authentication as follows:
    1. Set the AIX password of user foo (/etc/security/passwd) using the passwd command.
    2. Choose a different password for testing purposes. For example:
      passwd -R files foo
    3. Change the SYSTEM attribute of the user, as follows:
      chuser -R KRB5files SYSTEM=compat foo

      Changing the SYSTEM attribute changes the method of authentication from Kerberos to crypt().

      Note: Because the user in this example logged in using local authentication, the AUTHSTATE value is compat and no ticket-granting ticket is issued. If you want to use crypt() authentication as a backup mechanism, go to step 4.
    4. To use crypt() authentication as a backup mechanism, change the SYSTEM attribute as follows:
      chuser -R KRB5files SYSTEM="KRB5files or compat" foo
  • How do I change the client kadmind port?
    The kadmind daemon is used to perform Kerberos principal management on Kerberos authenticated systems that are using NAS. The following example illustrates how to change the client kadmind port. In this example, the kadmind daemon runs on the kdcsrv.austin.ibm.com server and uses port 812.
    1. Use the config.krb5 command to configure the client:
      config.krb5 –C –r MYREALM –c kdcsrv.austin.ibm.com –s \
kdcsrv.austin.ibm.com –d austin.ibm.com
    2. Edit the krb5.conf file and change the port number:
      admin_server = kdcsrv.austin.ibm.com:812
  • How do I remove Kerberos credentials?
    Each time a user logs in, the previous Kerberos credentials are overwritten. However, when a user logs out, these credentials are not removed. To remove these credentials, enter the following NAS kdestroy command:
    /usr/krb5/bin/kdestroy
  • How do I change the ticket-life time on KDC?
    To change the ticket-life time on KDC, do the following:
    1. Change the max_life attribute in the kdc.conf file. For example:
      max_life = 8h 0m 0s
    2. Stop and then start the krb5kdc and kadmind daemons.
    3. Change the max_life value of the krbtgt/MYREALM and kadmin/admin principals to the value that you entered in step 1. For example:
      kadmin.local
kadmin.local: modify_principal -maxlife "8 hours" krbtgt/MYREALM
  • What happens if the kadmind daemon is not available?

    If the kadmind daemon is not available, authentication might take longer or fail. The authentication might fail if the part of the nextwork where the kadmind daemon is located is not accessible or the system that is hosting the kadmind server is down. When the system is not accessible, setting the kadmind option in the methods.cfg file to no eliminates delays during authentication.

    When the kadmind daemon is down, users cannot log in if their passwords are expired. If the kadmind daemon is not available (the daemon is down or not reachable) and a user enters the mkuser command, the following error is displayed: 
    3004-694 Error adding "krb5user": You do not have permission

    In addition, the chuser and lsuser commands manage only AIX-related attributes, not Kerberos-related attributes. The rmuser command does not delete the Kerberos principal and the passwd command fails for Kerberos authenticated users.

    When the kadmind daemon is not available, the root user cannot change user passwords. In a situation such as a forgotten password, you must make the kadmind daemon available. Also, if a user chooses to enter a Kerberos principal name at the login prompt, the primary name of the principal name is truncated (according to the AIX user name length limitation). This truncated name is used for AIX user-identification information retrieval (for example, to retrieve your home directory value).

  • How do I configure the AIX operating system for Kerberos integrated login with LDAP AIX user/group management?
    If you plan to use LDAP to store AIX user/group information, use the mksecldap command to configure the LDAP server and client before you run the mkkrb5srv and mkkrb5clnt commands. To configure the Kerberos servers, use the mkkrb5srv command. To configure the Kerberos client, use the mkkrb5clnt command with the –i LDAP option. For example:
    mkkrb5clnt -r MYREALM -c kdcsrv.ustin.ibm.com\
 –s kdcsrv.austin.ibm.com -a admin/admin -d austin.ibm.com -A -i LDAP -K –T
  • How do I use Kerberos-enabled remote commands after a successful login?

    When an AIX user authenticates to a system by using Kerberos, the ticket-granting ticket can be used for Kerberos-enabled remote commands.

    In the following example, the NAS server is configured on kdcsrv.austin.ibm.com by using the mkkrb5srv command. This system is also configured for Kerberos-based logins by using the mkkrb5clnt command. A second system, tx3d.austin.ibm.com, is configured as a client by using the mkkrb5clnt command.
    1. Save the keys for the host principal, host/tx3d.austin.ibm.com, to the /etc/krb5/krb5.keytab file on the tx3d system.
    2. Because you used the mkkrb5clnt to configure the client machine, these keys were extracted to the /var/krb5/security/keytab/tx3d.austin.ibm.com.keytab file. Link this file to the /etc/krb5/krb5.keytab file as follows:
      ln -s /var/krb5/security/keytab/tx3d.austin.ibm.com.keytab /etc/krb5/krb5.keytab
    3. If the tx3d.austin.ibm.com system is configured with a non-AIX Kerberos server, then explicitly create a host principal and extract the keys. For example:
      kadmin -p admin/admin

kadmin: addprinc -randkey host/tx3d.austin.ibm.com
kadmin: ktadd -k /etc/krb5/krb5.keytab host/tx3d.austin.ibm.com
kadmin:

      Because the kadmin tool is invoked from the tx3d.austin.ibm.com system, the keys are extracted to the /etc/krb5/krb5.keytab file on the tx3d.austin.ibm.com system. You can also do this step on the machine that hosts the Kerberos admin server (for example, kdcsrv). After you extract the keys into a keytab file, the file is transferred and merged with the /etc/krb5/krb5.keytab file on tx3d.

    4. Enable remote commands to use Kerberos Version 5 authentication on the tx3d.austin.ibm.com system:
      lsauthent
Standard Aix
chauthent -k5 -std
lsauthent
Kerberos 5
Standard Aix
    5. Enable remote commands to use Kerberos Version 5 authentication on the kdcsrv.austin.ibm.com system:
      chauthent -k5 -std
lsauthent
Kerberos 5
Standard Aix
    6. Create a Kerberos authenticated user (foo) on kdcsrv, and set the password.
      mkuser -R KRB5files SYSTEM=KRB5files registry=KRB5files foo
passwd -R KRB5files foo
    7. Create user foo on tx3d:
      mkuser -R files foo
    8. Telnet to the kdcsrv.austin.ibm.com system using Kerberos authentication.
    9. To ensure that a ticket-granting ticket was issued, enter the klist command.
      /usr/krb5/bin/klist
    The following are examples of Kerberos-enabled remote commands.
    Note: Before you run the commands in the following examples, remove the .klogin, .rhost or hosts.equiv files.
    • Enter the date command on the remote tx3d.austin.ibm.com host system with the rsh command:
      rsh tx3d date
    • Log in to the remote tx3d.austin.ibm.com system with the rlogin command:
      hostname
kdcsrv.austin.ibm.com
rlogin tx3d -l foo
********************************
* Welcome to AIX Version 6.1! *
********************************
hostname
tx3d.austin.ibm.com
id
uid=234(foo) gid=1(staff)
    • Transfer a file to the remote tx3d.austin.ibm.com system with the rcp command:
      rsh tx3d "ls -l /home/foo"
total 0
echo "Testing Kerberize-d rcp" >> xfile
rcp xfile tx3d:/home/foo
rsh tx3d "ls -l /home/foo"
total 0
-rw-r--r-- 1 foo staff 0 Apr 28 14:30 xfile
rsh tx3d "more /home/foo/xfile"
Testing Kerberize-d rcp
    • Telnet to the remote tx3d.austin.ibm.com system with Kerberos credentials:
      telnet tx3d
Trying...
Connected to tx3d.austin.ibm.com.
Escape character is '^]'.
[ Kerberos V5 accepts you as "foo@MYREALM" ]

    • Telnet to the tx3d.austin.ibm.com system, and then enter the host name and ID when prompted:
      hostname
tx3d.austin.ibm.com
id
uid=234(foo) gid=1(staff)
    • Before you can use the Kerberos-enabled ftp command, you must use the kadmin command (from tx3d.austin.ibm.com) to create the FTP service principal ftp/tx3d.austin.ibm.com, and extract it into the /etc/krb5/krb5.keytab file:
      kadmin: addprinc -randkey ftp/tx3d.austin.ibm.com@MYREALM
kadmin: ktadd -k /etc/krb5/krb5.keytab ftp/tx3d.austin.ibm.com@MYREALM
kadmin:
      The following is an example of how FTP to the tx3d.austin.ibm.com remote system with Kerberos credentials.
      ftp tx3d
Name (tx3d:foo): foo
232 GSSAPI user foo@MYREALM is authorized as foo
230-Last login: Thu May 19 17:58:57 CDT 2005 on ftp from kdcsrv.austin.ibm.com
230 User foo logged in.
ftp> ftp> ls -la