AIX and Linux Interoperability - IBM Redbooks

More documents

Recommendations

Info

ACL restrictions. Enter password for principal "admin/admin@WEEORG.COM": Re-enter password for principal "admin/admin@WEEORG.COM": Principal "admin/admin@WEEORG.COM" created. Creating keytable... Attempting to bind to one or more LDAP servers. This may take a while... Creating /var/krb5/krb5kdc/kadm5.acl... Starting krb5kdc... Attempting to bind to one or more LDAP servers. This may take a while... krb5kdc was started successfully. Starting kadmind... Attempting to bind to one or more LDAP servers. This may take a while... kadmind was started successfully. The command completed successfully. Even though the Kerberos data is accessible through standard LDAP browsers, you should modify it with Kerberos tools, such as kadmin and ksetup. An important exception to the rule is the LDAP access controls. Regardless of how the LDAP server sets the ACLs initially, you should apply appropriate control, given the sensitivity of the Kerberos data. In particular, both read and write access to the KrbMstrKey and KrbKey object classes should be restricted to the KDCs and the administration server. Note that this is different from the Kerberos ACLs, which are manipulated using the kadmin program. The configuration script may not set all desired options for LDAP access. For example, if you access LDAP servers in different ways, then you must edit the /var/krb5/krb5kdc/.kdc_ldap_data configuration file using a text editor. We show one possible configuration in Example 3-5. Even though LDAP has a referral mechanism to deal with updates sent to replica servers, it is better to use the replica_type tag and specify whether the server’s data may be updated. The Kerberos servers keep connections open to all specified LDAP servers, but the preference tag governs which server is queried. The default preferences are 4 for the master LDAP server and 5 for the slave servers. Example 3-5 LDAP access configuration in /var/krb5/krb5kdc/.kdc_ldap_data 70 AIX and Linux Interoperabilty [ldapdefaults] realm = WEEORG.COM bind_dn = cn=root bind_dn_pw = secret ldapserver = r-aix.weeorg.com ldapserver = ldap-1.weeorg.com bind_type = simple [servers] r-aix.weeorg.com = { port = 389
eplica_type = readwrite preference = 4 } ldap-1.weeorg.com = { bind_dn = cn=krbadm bind_dn_pw = secret ssl_port = 636 keyring = /etc/ldap/key.kdb replica_type = readonly preference = 5 } At this point, you may use the kadmin program to add principals or define and apply policies. Note: In case any data changes in the realm, the KDC and administration servers have to be restarted in order for changes to have effect. The config.krb5 script should not be used to configure the slave KDC servers. However, given that there is no need to propagate the database using Kerberos tools, setting up the slave servers is easy. You should copy /etc/krb5/krb5.conf and /var/krb5/krb5kdc/.kdc_ldap_data from the master server and, optionally, edit them to suit the slave KDC server’s needs. 3.5 Linux Kerberos support As opposed to AIX, Linux sports a “vanilla” MIT Kerberos edition. Heimdal is another Kerberos package available as open source and is free, but we discuss the MIT version. Heimdal is not available from Red Hat, but is included with other distributions, such as Debian Linux. Of course, it may be compiled on any computer running Linux. 3.5.1 Red Hat Linux Kerberos packages On a Red Hat Linux Version 8.0 host, you should install the following RPM packages: krb5-libs-1.2.5-6 krb5-workstation-1.2.5-6 krb5-server-1.2.5-6 pam_krb5-1.56-1 cyrus-sasl-gssapi-2.1.7-2 Chapter 3. Single sign-on 71
Page 1:
AIX and Linux Interoperability Effe
Page 4 and 5:
Note: Before using this information
Page 6 and 7:
2.6.2 AIX LDAP client setup. . . .
Page 8 and 9:
vi AIX and Linux Interoperability 7
Page 10 and 11:
viii AIX and Linux Interoperability
Page 12 and 13:
10-12 Webmin welcome Page for Linux
Page 14 and 15:
Trademarks The following terms are
Page 16 and 17:
Abhijit Chavan is a Systems Enginee
Page 18 and 19:
xvi AIX and Linux Interoperability
Page 20 and 21:
1.1 User security mechanisms 1.1.1
Page 22 and 23:
1.1.2 Linux security Linux keeps sh
Page 24 and 25:
1.2.2 PAM keywords 6 AIX and Linux
Page 26 and 27:
8 AIX and Linux Interoperabilty Her
Page 28 and 29:
It is also possible to install new
Page 30 and 31:
Configuring a PAM module The PAM LD
Page 32 and 33:
14 AIX and Linux Interoperabilty
Page 34 and 35:
2.1 Lightweight Directory Access Pr
Page 36 and 37:
platforms and supported by many LDA
Page 38 and 39: 2.3 LDAP servers the AIX LDAP authe
Page 40 and 41: 2.3.1 IBM Directory Server IBM Dire
Page 42 and 43: Example 2-4 IBM Directory Server in
Page 44 and 45: Choosing the suffix All DNs adminis
Page 46 and 47: krb5-devel-1.2.5-6.i386.rpm openlda
Page 48 and 49: 30 AIX and Linux Interoperabilty ad
Page 50 and 51: Figure 2-4 Creating the key databas
Page 52 and 53: 2.5 LDAP authentication clients 34
Page 54 and 55: Figure 2-6 Linux security subsystem
Page 56 and 57: Example 2-8 Alternative LDAP identi
Page 58 and 59: If you enter '.', the field will be
Page 60 and 61: Example 2-10 OpenLDAP /etc/openldap
Page 62 and 63: objectClass: posixAccount objectCla
Page 64 and 65: Though authconfig does a good job,
Page 66 and 67: ut values may be only host names or
Page 68 and 69: 50 AIX and Linux Interoperabilty si
Page 70 and 71: standard authentication methods to
Page 72 and 73: The kinit program obtains the TGT.
Page 74 and 75: weeorg.com = WEEORG.COM The krb5.co
Page 76 and 77: the kadmind administration server i
Page 78 and 79: For example, ordinary users have ju
Page 80 and 81: minclasses Minimum number of charac
Page 82 and 83: server and loaded into the target d
Page 84 and 85: There exists, however, an LDAP back
Page 86 and 87: 68 AIX and Linux Interoperabilty Ve
Page 90 and 91: Note that version numbers may chang
Page 92 and 93: Example 3-7 The DNS zone with suppo
Page 94 and 95: principals that are running on a pa
Page 96 and 97: You should find other Kerberos serv
Page 98 and 99: The -A option will instruct the scr
Page 100 and 101: 3.9 Security considerations Kerbero
Page 102 and 103: On AIX 5L Version 5.2, the EIM APIs
Page 104 and 105: 4.1 Protocols Protocols define how
Page 106 and 107: Configuring the master name server
Page 108 and 109: 90 AIX and Linux Interoperabilty c.
Page 110 and 111: 92 AIX and Linux Interoperabilty d.
Page 112 and 113: Address: 192.168.5.10 94 AIX and Li
Page 114 and 115: 96 AIX and Linux Interoperabilty }
Page 116 and 117: Route Tree for Protocol Family 2 (I
Page 118 and 119: 100 AIX and Linux Interoperabilty I
Page 120 and 121: 4.2 Data transfers 4.2.1 rsync On t
Page 122 and 123: For more information on the rsync.c
Page 124 and 125: Running the rdist command In AIX, g
Page 126 and 127: The IBM Tivoli Netview supports AIX
Page 128 and 129: If you want to install and compile
Page 130 and 131: 4.3.4 UNIX network performance mana
Page 132 and 133: - Mail aliases file - Mail queue -
Page 134 and 135: 5.1.2 Configuration file: sendmail.
Page 136 and 137: This creates a dbm version of the a
Page 138 and 139:
The MASQUERADE_AS macro removes all
Page 140 and 141:
macro files, which are generally in
Page 142 and 143:
6.1 Installing Samba on AIX You can
Page 144 and 145:
126 AIX and Linux Interoperabilty C
Page 146 and 147:
Figure 6-3 Creating homes share thr
Page 148 and 149:
Figure 6-5 Configuring print shares
Page 150 and 151:
Example 6-2 Verifying the shares av
Page 152 and 153:
# server and service. # For example
Page 154 and 155:
136 AIX and Linux Interoperabilty W
Page 156 and 157:
[homes] 138 AIX and Linux Interoper
Page 158 and 159:
140 AIX and Linux Interoperabilty T
Page 160 and 161:
Page 162 and 163:
7.1 What NFS is NFS was designed by
Page 164 and 165:
Example 7-3 Installing NFS server f
Page 166 and 167:
Example 7-5 NFS options from SMIT 1
Page 168 and 169:
Use SECURE option? no + Public file
Page 170 and 171:
This means that /usr/home from aix_
Page 172 and 173:
► lockd ► statd The first servi
Page 174 and 175:
3. To verify the mounted directory,
Page 176 and 177:
On Linux, automount is started by r
Page 178 and 179:
7.6.4 NFS locking An RPC program ha
Page 180 and 181:
Page 182 and 183:
8.1 Journaled File System (JFS) The
Page 184 and 185:
Reboot the system. Now we have JFS
Page 186 and 187:
dev/fd0 /mnt/floppy auto noauto,own
Page 188 and 189:
which will be available in future r
Page 190 and 191:
udfcheck. The command names are sel
Page 192 and 193:
Where /dev/cd0 is the DVD-RAM drive
Page 194 and 195:
Since the export rules allow the wr
Page 196 and 197:
Another popular archiver is cpio. I
Page 198 and 199:
9.1 IPSec In this topic, we are goi
Page 200 and 201:
9.1.2 Tunnels and key management To
Page 202 and 203:
9.1.3 Installing IPSec on Linux The
Page 204 and 205:
In Figure 9-2, we suggest a test sc
Page 206 and 207:
9.1.4 Installing IPSec on AIX The I
Page 208 and 209:
6. Click OK. The Password Prompt wi
Page 210 and 211:
Expand the Network icon, on the lef
Page 212 and 213:
configuration to the corresponding
Page 214 and 215:
We can also check the logs files. I
Page 216 and 217:
9.2 Security tools 9.2.1 OpenSSL In
Page 218 and 219:
openssl ###########################
Page 220 and 221:
# so this is commented out by defau
Page 222 and 223:
# This goes against PKIX guidelines
Page 224 and 225:
Using OpenSSL Now we will cover som
Page 226 and 227:
To encrypt a file using a symmetric
Page 228 and 229:
In Example 9-17, we generate a set
Page 230 and 231:
In Example 9-21 we compute the publ
Page 232 and 233:
Example 9-24 Generating a RSA publi
Page 234 and 235:
organizationalUnitName = Internatio
Page 236 and 237:
Verifying password - Enter PEM pass
Page 238 and 239:
ea:c2:f7:e0:67:50:34:5d:ab:a9:89:83
Page 240 and 241:
9.2.2 OpenSSH 9.2.3 tcp_wrapper To
Page 242 and 243:
Page 244 and 245:
10.1 Web-based System Manager Web-b
Page 246 and 247:
If Web-based System Manager is not
Page 248 and 249:
Figure 10-2 Web-based System Manage
Page 250 and 251:
To install Web-based System Manager
Page 252 and 253:
Figure 10-5 Installation of Web-bas
Page 254 and 255:
We have a network that consists of
Page 256 and 257:
238 AIX and Linux Interoperability
Page 258 and 259:
10.On the Linux command line, run t
Page 260 and 261:
10.3 Webmin To view the CA certific
Page 262 and 263:
Config file directory [/etc/webmin]
Page 264 and 265:
Figure 10-11 Webmin welcome page fo
Page 266 and 267:
administer. An example Web page of
Page 268 and 269:
Figure 10-15 Servers category Other
Page 270 and 271:
252 AIX and Linux Interoperability
Page 272 and 273:
11.1 Printing from Linux to a print
Page 274 and 275:
Example 11-2 Adding a queue for pri
Page 276 and 277:
Example 11-5 Adding print access fo
Page 278 and 279:
11.2 Printing from AIX to a printer
Page 280 and 281:
4. Figure 11-4 shows that Red Hat a
Page 282 and 283:
Figure 11-7 A properly configured p
Page 284 and 285:
To configure a remote printer using
Page 286 and 287:
Example 11-10 Selecting the remote
Page 288 and 289:
2. Configure the IBM Directory to s
Page 290 and 291:
12.1 Linux on a logical partition (
Page 292 and 293:
Figure 12-2 Workload Management thr
Page 294 and 295:
Other related information and links
Page 296 and 297:
System applications Samba client, G
Page 298 and 299:
► Linux Applications on pSeries,
Page 300 and 301:
NS Name Server NSS Name Service Swi
Page 302 and 303:
284 AIX and Linux Interoperabilty A
Page 304 and 305:
Page 306 and 307:
Page 308 and 309:
► rsync Web site 290 AIX and Linu
Page 310 and 311:
Page 312 and 313:
allow-query 88 allow-transfer 88 Ap
Page 314 and 315:
LDAP directory schema 66 logging 56
Page 316 and 317:
AIX PAM module 9 applications on AI
Page 318 and 319:
udfcreate 171, 174 udflabel 171, 17
Page 322:
AIX and Linux Interoperability Effe
show all

AIX and Linux Interoperability - IBM Redbooks

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?