Configuring HP-UX

A Kerberos client can be configured against HP-UX.

The steps to authenticate against HP-UX 11i are similar to the steps in Configuring Sun Solaris. The HP-UX KDC and AIX® NAS client are interoperable at the Kerberos protocol level (RFC1510). The password change protocol is also compatible. Because the HP-UX kadmind daemon interface is not compatible with the AIX NAS client kadmin interface, you must include the -D flag with the mkkrb5clnt command when you configure AIX clients.

Use the following procedure to configure an AIX client for Kerberos-based authentication against HP-UX 11i Kerberos Version 2.1.
  1. Configure HP-UX 11i Kerberos Version 2.1 using the HP documentation.
  2. If the NAS client is not installed on the AIX client, install the krb5.client.rte file set from the AIX Expansion Pack.
  3. Use the mkkrb5clnt command with the following configuration information to configure an AIX Kerberos client:
    realm
    HP Kerberos realm name: HPSYS.AUSTIN.IBM.COM
    domain
    Domain name of the machine that hosts the HP-UX Kerberos servers: austin.ibm.com
    KDC
    Host name of the HP-UX system that hosts the KDC: hpsys.austin.ibm.com
    server
    Host name of the HP-UX server: hpsys.austin.ibm.com
    Note: Because the HP-UX and AIX NAS client kadmin interfaces are different, the server name is not used by the NAS clients, and the -D flag must be used in the mkkrb5clnt command.

    The following is an example of the mkkrb5clnt command:

    mkkrb5clnt -r AUSTIN.IBM.COM -d austin.ibm.com\
     -c hpsys.austin.ibm.com -s hpsys.austin.ibm.com -D

    The -D option in the mkkrb5clnt command creates the is_kadmind_compat=no option in the /etc/security/methods.cfg file and configures the Kerberos client environment for authentication against non-AIX systems. Do not use the -D option in the mkkrb5clnt command to configure the Kerberos client environment for authentication against the IBM® Network Authentication Service (NAS).

    Note: When you run the mkkrb5clnt command, the following stanza is added to the methods.cfg file.
    KRB5:
            program = /usr/lib/security/KRB5
            program_64 = /usr/lib/security/KRB5_64
            options = authonly,is_kadmind_compat=no
    
    KRB5files:
            options = db=BUILTIN,auth=KRB5
    For more information about:
    • the mkkrb5clnt command and allowable flags, see the mkkrb5clnt command.
    • the methods.cfg file, see the methods.cfg file.
  4. Modify the krb5.conf file so that the encryption type matches the value used during the HP-UX Kerberos setup (krbsetup). If a DES-CRC value is used, edit the [libdefaults] stanza in the krb5.conf file on the AIX client as follows:
    default_tkt_enctypes = des-cbc-crc
    
    default_tgs_enctypes = des-cbc-crc
  5. Use the HP-UX kadmin_ui tool to create a host/tx3d.austin.ibm.com host principal.
  6. Extract the key and save it to a file. From the Edit menu in the Principal Information window, select Extract Service Key to extract the keys.
  7. Copy the tx3d.keytab file to the AIX host system.
  8. Merge the tx3d.keytab file into the /etc/krb5/krb5.keytab file on the AIX system as follows:
    ktutil
    rkt tx3d.keytab
    l
    slot KVNO Principal
    wkt /etc/krb5/krb5.keytab
    q
  9. Use the HP-UX kadmin_ui tool to create an hpuser Kerberos principal, then click the Edit/Attribute tab to clear the pw_require flag.
  10. Create an AIX account that corresponds to the Kerberos principal on HP-UX, as follows:
    mkuser registry=KRB5files SYSTEM=KRB5files hpuser
  11. Use the telnet command to log into the AIX system with the hpuser user name and password, and verify the configuration.
    The following is an example of a Kerberos integrated login session that uses KRB5 against HP-UX:
    telnet tx3d
    
    echo $AUTHSTATE
    KRB5files
    
    View credentials:
    /usr/krb5/bin/klist
  12. Use the passwd command to change the password.
    Note: The HP-UX password policy is enforced while changing the password. Refer to the HP-UX documentation to determine how to set the password policy.
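The following script, an added example that is not part of the IBM documentation, checks that the settings written in steps 3 and 4 are present on an AIX client: the is_kadmind_compat=no option in the KRB5 stanza of methods.cfg, the KRB5files chain, and [libdefaults] encryption types that match the value chosen during krbsetup. The file contents below are constructed inline; on a real host read them from /etc/security/methods.cfg and /etc/krb5/krb5.conf, and the check_hpux_client and parse_stanzas names are this example's own.

```python
# Added example (not from the IBM documentation): audit the client settings
# this procedure produces. Sample file contents are constructed inline.
import re

METHODS_CFG = """\
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no

KRB5files:
        options = db=BUILTIN,auth=KRB5
"""

KRB5_CONF = """\
[libdefaults]
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc
"""

def parse_stanzas(text, header_re):
    """Parse 'name:' (methods.cfg) or '[name]' (krb5.conf) stanzas into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = header_re.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return stanzas

def check_hpux_client(methods_cfg, krb5_conf, kdc_enctype):
    """Return a list of findings; an empty list means the client matches the procedure."""
    findings = []
    methods = parse_stanzas(methods_cfg, re.compile(r"^(\w+):$"))
    krb5 = parse_stanzas(krb5_conf, re.compile(r"^\[(\w+)\]$"))
    opts = methods.get("KRB5", {}).get("options", "").split(",")
    if "is_kadmind_compat=no" not in opts:
        findings.append("KRB5 stanza lacks is_kadmind_compat=no (mkkrb5clnt -D was not used)")
    if methods.get("KRB5files", {}).get("options") != "db=BUILTIN,auth=KRB5":
        findings.append("KRB5files stanza does not set db=BUILTIN,auth=KRB5")
    libdefaults = krb5.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if libdefaults.get(key) != kdc_enctype:
            findings.append(f"{key} is {libdefaults.get(key)!r}, KDC uses {kdc_enctype!r}")
    return findings
```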