AIX and Linux Interoperability - IBM Redbooks

More documents

Recommendations

Info

Note: Before using this information and the product it supports, read the information in “Notices” on page xi. First Edition (April 2003) This edition applies to IBM ^ pSeries and RS/6000 Systems for use with the AIX 5L for POWER Version 5.2 Operating System, Program Number 5765-E62, and is based on information available in November 2002. © Copyright International Business Machines Corporation 2003. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .ix Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xi Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii The team that wrote this redbook. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii Become a published author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv Chapter 1. Identification and authentication . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1 User security mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1.1 AIX security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1.2 Linux security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2 Pluggable Authentication Modules (PAM). . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.2.1 PAM configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.2.2 PAM keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 1.3 Linux PAM implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.4 AIX PAM implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.4.1 PAM modules and AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.4.2 PAM applications and AIX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Chapter 2. Centralized user management. . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.1 Lightweight Directory Access Protocol (LDAP) . . . . . . . . . . . . . . . . . . . . . 16 2.1.1 Introduction to LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.1.2 Using LDAP for authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 2.2 Planning for LDAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.3 LDAP servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 2.3.1 IBM Directory Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 2.3.2 The OpenLDAP directory server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 2.4 Migrating user information to LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 2.4.1 Migrating users on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 2.4.2 Migrating users on AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 2.5 LDAP authentication clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 2.5.1 AIX LDAP authentication client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 2.5.2 Linux LDAP authentication client . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 2.5.3 PAM and NSS LDAP modules on AIX . . . . . . . . . . . . . . . . . . . . . . . 36 2.6 Deploying LDAP for authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 2.6.1 OpenLDAP server setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 © Copyright IBM Corp. 2003. All rights reserved. iii
Page 1: AIX and Linux Interoperability Effe
Page 6 and 7: 2.6.2 AIX LDAP client setup. . . .
Page 8 and 9: vi AIX and Linux Interoperability 7
Page 10 and 11: viii AIX and Linux Interoperability
Page 12 and 13: 10-12 Webmin welcome Page for Linux
Page 14 and 15: Trademarks The following terms are
Page 16 and 17: Abhijit Chavan is a Systems Enginee
Page 18 and 19: xvi AIX and Linux Interoperability
Page 20 and 21: 1.1 User security mechanisms 1.1.1
Page 22 and 23: 1.1.2 Linux security Linux keeps sh
Page 24 and 25: 1.2.2 PAM keywords 6 AIX and Linux
Page 26 and 27: 8 AIX and Linux Interoperabilty Her
Page 28 and 29: It is also possible to install new
Page 30 and 31: Configuring a PAM module The PAM LD
Page 32 and 33: 14 AIX and Linux Interoperabilty
Page 34 and 35: 2.1 Lightweight Directory Access Pr
Page 36 and 37: platforms and supported by many LDA
Page 38 and 39: 2.3 LDAP servers the AIX LDAP authe
Page 40 and 41: 2.3.1 IBM Directory Server IBM Dire
Page 42 and 43: Example 2-4 IBM Directory Server in
Page 44 and 45: Choosing the suffix All DNs adminis
Page 46 and 47: krb5-devel-1.2.5-6.i386.rpm openlda
Page 48 and 49: 30 AIX and Linux Interoperabilty ad
Page 50 and 51: Figure 2-4 Creating the key databas
Page 52 and 53: 2.5 LDAP authentication clients 34
Page 54 and 55:
Figure 2-6 Linux security subsystem
Page 56 and 57:
Example 2-8 Alternative LDAP identi
Page 58 and 59:
If you enter '.', the field will be
Page 60 and 61:
Example 2-10 OpenLDAP /etc/openldap
Page 62 and 63:
objectClass: posixAccount objectCla
Page 64 and 65:
Though authconfig does a good job,
Page 66 and 67:
ut values may be only host names or
Page 68 and 69:
50 AIX and Linux Interoperabilty si
Page 70 and 71:
standard authentication methods to
Page 72 and 73:
The kinit program obtains the TGT.
Page 74 and 75:
weeorg.com = WEEORG.COM The krb5.co
Page 76 and 77:
the kadmind administration server i
Page 78 and 79:
For example, ordinary users have ju
Page 80 and 81:
minclasses Minimum number of charac
Page 82 and 83:
server and loaded into the target d
Page 84 and 85:
There exists, however, an LDAP back
Page 86 and 87:
68 AIX and Linux Interoperabilty Ve
Page 88 and 89:
ACL restrictions. Enter password fo
Page 90 and 91:
Note that version numbers may chang
Page 92 and 93:
Example 3-7 The DNS zone with suppo
Page 94 and 95:
principals that are running on a pa
Page 96 and 97:
You should find other Kerberos serv
Page 98 and 99:
The -A option will instruct the scr
Page 100 and 101:
3.9 Security considerations Kerbero
Page 102 and 103:
On AIX 5L Version 5.2, the EIM APIs
Page 104 and 105:
4.1 Protocols Protocols define how
Page 106 and 107:
Configuring the master name server
Page 108 and 109:
90 AIX and Linux Interoperabilty c.
Page 110 and 111:
92 AIX and Linux Interoperabilty d.
Page 112 and 113:
Address: 192.168.5.10 94 AIX and Li
Page 114 and 115:
96 AIX and Linux Interoperabilty }
Page 116 and 117:
Route Tree for Protocol Family 2 (I
Page 118 and 119:
100 AIX and Linux Interoperabilty I
Page 120 and 121:
4.2 Data transfers 4.2.1 rsync On t
Page 122 and 123:
For more information on the rsync.c
Page 124 and 125:
Running the rdist command In AIX, g
Page 126 and 127:
The IBM Tivoli Netview supports AIX
Page 128 and 129:
If you want to install and compile
Page 130 and 131:
4.3.4 UNIX network performance mana
Page 132 and 133:
- Mail aliases file - Mail queue -
Page 134 and 135:
5.1.2 Configuration file: sendmail.
Page 136 and 137:
This creates a dbm version of the a
Page 138 and 139:
The MASQUERADE_AS macro removes all
Page 140 and 141:
macro files, which are generally in
Page 142 and 143:
6.1 Installing Samba on AIX You can
Page 144 and 145:
126 AIX and Linux Interoperabilty C
Page 146 and 147:
Figure 6-3 Creating homes share thr
Page 148 and 149:
Figure 6-5 Configuring print shares
Page 150 and 151:
Example 6-2 Verifying the shares av
Page 152 and 153:
# server and service. # For example
Page 154 and 155:
136 AIX and Linux Interoperabilty W
Page 156 and 157:
[homes] 138 AIX and Linux Interoper
Page 158 and 159:
140 AIX and Linux Interoperabilty T
Page 160 and 161:
142 AIX and Linux Interoperabilty
Page 162 and 163:
7.1 What NFS is NFS was designed by
Page 164 and 165:
Example 7-3 Installing NFS server f
Page 166 and 167:
Example 7-5 NFS options from SMIT 1
Page 168 and 169:
Use SECURE option? no + Public file
Page 170 and 171:
This means that /usr/home from aix_
Page 172 and 173:
► lockd ► statd The first servi
Page 174 and 175:
3. To verify the mounted directory,
Page 176 and 177:
On Linux, automount is started by r
Page 178 and 179:
7.6.4 NFS locking An RPC program ha
Page 180 and 181:
Page 182 and 183:
8.1 Journaled File System (JFS) The
Page 184 and 185:
Reboot the system. Now we have JFS
Page 186 and 187:
dev/fd0 /mnt/floppy auto noauto,own
Page 188 and 189:
which will be available in future r
Page 190 and 191:
udfcheck. The command names are sel
Page 192 and 193:
Where /dev/cd0 is the DVD-RAM drive
Page 194 and 195:
Since the export rules allow the wr
Page 196 and 197:
Another popular archiver is cpio. I
Page 198 and 199:
9.1 IPSec In this topic, we are goi
Page 200 and 201:
9.1.2 Tunnels and key management To
Page 202 and 203:
9.1.3 Installing IPSec on Linux The
Page 204 and 205:
In Figure 9-2, we suggest a test sc
Page 206 and 207:
9.1.4 Installing IPSec on AIX The I
Page 208 and 209:
6. Click OK. The Password Prompt wi
Page 210 and 211:
Expand the Network icon, on the lef
Page 212 and 213:
configuration to the corresponding
Page 214 and 215:
We can also check the logs files. I
Page 216 and 217:
9.2 Security tools 9.2.1 OpenSSL In
Page 218 and 219:
openssl ###########################
Page 220 and 221:
# so this is commented out by defau
Page 222 and 223:
# This goes against PKIX guidelines
Page 224 and 225:
Using OpenSSL Now we will cover som
Page 226 and 227:
To encrypt a file using a symmetric
Page 228 and 229:
In Example 9-17, we generate a set
Page 230 and 231:
In Example 9-21 we compute the publ
Page 232 and 233:
Example 9-24 Generating a RSA publi
Page 234 and 235:
organizationalUnitName = Internatio
Page 236 and 237:
Verifying password - Enter PEM pass
Page 238 and 239:
ea:c2:f7:e0:67:50:34:5d:ab:a9:89:83
Page 240 and 241:
9.2.2 OpenSSH 9.2.3 tcp_wrapper To
Page 242 and 243:
Page 244 and 245:
10.1 Web-based System Manager Web-b
Page 246 and 247:
If Web-based System Manager is not
Page 248 and 249:
Figure 10-2 Web-based System Manage
Page 250 and 251:
To install Web-based System Manager
Page 252 and 253:
Figure 10-5 Installation of Web-bas
Page 254 and 255:
We have a network that consists of
Page 256 and 257:
238 AIX and Linux Interoperability
Page 258 and 259:
10.On the Linux command line, run t
Page 260 and 261:
10.3 Webmin To view the CA certific
Page 262 and 263:
Config file directory [/etc/webmin]
Page 264 and 265:
Figure 10-11 Webmin welcome page fo
Page 266 and 267:
administer. An example Web page of
Page 268 and 269:
Figure 10-15 Servers category Other
Page 270 and 271:
252 AIX and Linux Interoperability
Page 272 and 273:
11.1 Printing from Linux to a print
Page 274 and 275:
Example 11-2 Adding a queue for pri
Page 276 and 277:
Example 11-5 Adding print access fo
Page 278 and 279:
11.2 Printing from AIX to a printer
Page 280 and 281:
4. Figure 11-4 shows that Red Hat a
Page 282 and 283:
Figure 11-7 A properly configured p
Page 284 and 285:
To configure a remote printer using
Page 286 and 287:
Example 11-10 Selecting the remote
Page 288 and 289:
2. Configure the IBM Directory to s
Page 290 and 291:
12.1 Linux on a logical partition (
Page 292 and 293:
Figure 12-2 Workload Management thr
Page 294 and 295:
Other related information and links
Page 296 and 297:
System applications Samba client, G
Page 298 and 299:
► Linux Applications on pSeries,
Page 300 and 301:
NS Name Server NSS Name Service Swi
Page 302 and 303:
284 AIX and Linux Interoperabilty A
Page 304 and 305:
Page 306 and 307:
Page 308 and 309:
► rsync Web site 290 AIX and Linu
Page 310 and 311:
Page 312 and 313:
allow-query 88 allow-transfer 88 Ap
Page 314 and 315:
LDAP directory schema 66 logging 56
Page 316 and 317:
AIX PAM module 9 applications on AI
Page 318 and 319:
udfcreate 171, 174 udflabel 171, 17
Page 322:
AIX and Linux Interoperability Effe
show all

AIX and Linux Interoperability - IBM Redbooks

Create successful ePaper yourself

Delete template?

Save as template?