From Free IPA

Back to Client Configuration Guide

Introduction

This document describes the procedures required to configure AIX 5.3 as an IPA client.

Prerequisites

Before you begin the configuration phase, you need to ensure that the following software is installed and up to date on your system. This can be installed from your AIX media:

• v5.3 OS
• v5.3 Updates
• krb5 client packages
• openssh
• wget
• bash
• ldap.client
• openssl
• modcrypt.base (for gssd)

Configuring the IPA Client on AIX 5.3

The following instructions describe how to configure AIX 5.3 as an IPA client. The following hostnames are used as examples only; you need to replace these with the hostnames that apply to your deployment.

        REALM = EXAMPLE.COM
        IPA server = ipaserver.example.com
        IPA client = ipaclient.example.com

Configuring Kerberos and LDAP

1. Configure the krb5 client settings as follows:

       # mkkrb5clnt -r EXAMPLE.COM -d example.com -c ipaclient.example.com -s ipaserver.example.com

2. Get a Kerberos ticket.

       # kinit  admin

3. Configure the LDAP client settings as follows:

       # mksecldap -c -h ipaserver.example.com -d cn=accounts,dc=example,dc=com -a uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com -p secret

4. Add custom settings for the LDAP client.

Under /etc/security/ldap create 2 new map files:

#IPAuser.map file
keyobjectclass  SEC_CHAR        posixaccount            s

# The following attributes are required by AIX to be functional
username        SEC_CHAR        uid                     s
id              SEC_INT         uidnumber               s
pgrp            SEC_CHAR        gidnumber               s
home            SEC_CHAR        homedirectory           s
shell           SEC_CHAR        loginshell              s
gecos           SEC_CHAR        gecos                   s
spassword       SEC_CHAR        userpassword            s
lastupdate      SEC_INT         shadowlastchange        s

#IPAgroup.map file
groupname       SEC_CHAR    cn                    s
id              SEC_INT     gidNumber             s
users           SEC_LIST    member                m

Change the /etc/security/ldap/ldap.cfg file and set the relevant options as follow.
In this example the RELAM name is EXAMPLE.COM and the basedn is dc=example,dc=com
Change all basedns values to conform to your installation realm name.

userbasedn:cn=users,cn=accounts,dc=example,dc=com
groupbasedn:cn=groups,cn=accounts,dc=example,dc=com

userattrmappath:/etc/security/ldap/IPAuser.map
groupattrmappath:/etc/security/ldap/IPAgroup.map

userclasses:posixaccount

5. Start the ldap client daemon.

       # start-secldapclntd

6. Test the LDAP client connection to the IPA server.

       # lsldap -a passwd

7. Configure the system login to use Krberos and LDAP

Add the following sections to the file /usr/lib/security/methods.cfg

KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly

LDAP:
        program = /usr/lib/security/LDAP
        program_64 =/usr/lib/security/LDAP64

KRB5ALDAP:
        options = auth=KRB5A,db=LDAP

Edit the file /etc/security/user
In the default section change the options 'SYSTEM' and 'registry' to look like this:

        SYSTEM = "KRB5ALDAP"
        regisrty = LDAP

Configuring Client SSH Access

You can configure the IPA client to accept incoming SSH requests and authenticate with the user's Kerberos credentials. After configuring the IPA client, use the following procedure to configure the IPA client for SSH connections. Remember to replace the example host and domain names with your own host and domain names:

1. SSH syslog Configuration

        auth.info       /var/log/sshd.log
        auth.info       /var/log/sshd.log
        auth.crit       /var/log/sshd.log
        auth.warn       /var/log/sshd.log
        auth.notice     /var/log/sshd.log
        auth.err        /var/log/sshd.log

2. SSH Logging Configuration

        SyslogFacility AUTH
        LogLevel INFO

3. Configure sshd for GSSAPI (/etc/ssh/sshd_config)

        # GSSAPI options
        GSSAPIAuthentication yes
        #GSSAPICleanupCredentials yes

4. Restart sshd

        # stopsrc -s sshd
        # startsrc -s sshd

5. Restart syslogd

        # stopsrc -s syslogd
        # startsrc -s syslogd

Note:

The ipa-admintools package is not available for AIX. Consequently, you need to perform the following commands on the IPA server.

6. Add a host service principal.

        # ipa-addservice host/ipaclient.example.com

7. Retrieve the host keytab.

        # ipa-getkeytab -s ipaserver -p host/ipaclient.example.com -k /tmp/krb5.keytab -e des-cbc-crc

8. Copy the keytab from the server to the client.

        # scp /tmp/krb5.keytab root@ipaclient.example.com:/tmp/krb5.keytab

9. On the IPA client, use the ktutil command to import the keytab.

        # ktutil
        ktutil: read_kt /tmp/krb5.keytab
        ktutil: write_kt /etc/krb5/krb5.keytab
        ktutil: q

10. Add a user that is only used for authentication. (This can be substituted with krb5 authentication if that works from the ldap client). Otherwise go to the IPA server and use ldapmodify, bind as Directory Manager and create this user.

        dn: uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com
        objectClass: account
        objectClass: simplesecurityobject
        objectClass: top
        uid: nss
        userPassword: Your own shared password here

11. On the IPA server, get a ticket for the admin user.

        # kinit admin

You should be able to log in as admin using ssh without providing a password.

        # ssh admin@ipaclient.example.com

System Login

On the AIX machine console, enter the admin username and password. You should be able to log in.

Use the id command to verify user and group information.

Note:

By default, admin is given /bin/bash as the shell to use and /home/admin as the home directory. You may need to install bash (or link sh to /bin/bash or modify admin to use /bin/sh or a shell available in all of your systems) to be able to log in.