AIX and Linux Interoperability - IBM Redbooks

More documents

Recommendations

Info

The -A option will instruct the script to create a new administration principal root/hostname, such as root/marguerite.weeorg.com. This principal should have administrative rights, so you should have the following line in kadm5.acl: root/*@WEEORG.COM * 80 AIX and Linux Interoperabilty The mkkrb5clnt script configures a new method in /usr/lib/security/methods.cfg: KRB5LDAP: options = db=LDAP,auth=KRB5 All users authenticating through Kerberos should have KRB5LDAP specified for the SYSTEM and registry attributes in /etc/security/user. The mkseckrb5 script takes care of that task for the existing users: # mkseckrb5 joe Please enter the admin principal name: admin/admin Enter password: Importing joe Enter password for principal "joe@WEEORG.COM": Re-enter password for principal "joe@WEEORG.COM": For more details about the AIX and Kerberos integration, see the AIX 5L Differences Guide Version 5.2 Edition, SG24-5765. PAM Kerberos module Like many other Linux distributions, Red Hat Linux Version 8.0 delivers the PAM Kerberos module as part of the Kerberos support. This module is capable of authenticating users, obtaining TGT, and changing passwords. The Red Hat authconfig program may be used to configure Kerberos authentication, which includes setup for both Kerberos clients and the PAM Kerberos module: # authconfig --kickstart --enableshadow --enablemd5 \ --enableldap --ldapserver r-aix.weeorg.com --ldapbasedn dc=weeorg,dc=com \ --enablekrb5 --krb5realm WEEORG.COM \ --krb5kdc kerberos.weeorg.com,kerberos-1.weeorg.com \ --krb5adminserver kerberos.weeorg.com One can also stack the LDAP authentication method along with the Kerberos authentication, but we do not recommend mixing authentication methods for security reasons. Of course, the standard authentication method must be enabled for the sake of system users such as root.
3.8 Migrating users to Kerberos In Chapter 2, “Centralized user management” on page 15, we describe how to move users from local map files to the LDAP directory. The effort needed to migrate a few tens of users is close to that for a few thousands of users. That is not the case with Kerberos. Kerberos passwords are stored in a decryptable format. One simply cannot convert crypt or md5 hashes into the Kerberos format. In order to generate a user principal, the administrator has to have the corresponding password in clear text. On the other hand, the password hashes on UNIX cannot be decrypted. If the number of your users is small, you may invite all of them to stop by and negotiate new passwords. If there are many users, then this is probably not an option. One possibility may be to harvest user passwords during the migration phase. To do this, you probably have to modify an existing authentication module or write another for this purpose. We are not aware of any such module at the moment, though rumor has it that there is a PAM module available for this purpose. It may also be possible to use strategically located network sniffers, but your security policy may prohibit that. The security policy may prohibit collecting user passwords as well, so you should discuss the matter with management. For example, if the new authentication module is named XPF, which simply appends the user name and the password to a file, and the authentication currently in use is LDAP, we can set up the following SYSTEM grammar: SYSTEM = LDAP AND XPF It is possible to run the kadmin program in batch mode. If there is a file with one user name and a password per line separated by white space, the following shell script may be used to create principals: R=WEEORG.COM CACHE=my.cache ADM=admin/admin kinit -c $CACHE -S kadmin/admin $ADM while read user pass; do if kadmin -c $CACHE -p $ADM -q "getprinc $user@$R" 2>/dev/null | grep -qws $user@$R then echo "WARNING: principal $user@$R already exists" else kadmin -c $CACHE -p $ADM -q "addprinc -pw $pass $user@$R” fi done < userpwd.txt This is a very sensitive business and the file containing user data must be scrutinized before running the script. Chapter 3. Single sign-on 81
Page 1:
AIX and Linux Interoperability Effe
Page 4 and 5:
Note: Before using this information
Page 6 and 7:
2.6.2 AIX LDAP client setup. . . .
Page 8 and 9:
vi AIX and Linux Interoperability 7
Page 10 and 11:
viii AIX and Linux Interoperability
Page 12 and 13:
10-12 Webmin welcome Page for Linux
Page 14 and 15:
Trademarks The following terms are
Page 16 and 17:
Abhijit Chavan is a Systems Enginee
Page 18 and 19:
xvi AIX and Linux Interoperability
Page 20 and 21:
1.1 User security mechanisms 1.1.1
Page 22 and 23:
1.1.2 Linux security Linux keeps sh
Page 24 and 25:
1.2.2 PAM keywords 6 AIX and Linux
Page 26 and 27:
8 AIX and Linux Interoperabilty Her
Page 28 and 29:
It is also possible to install new
Page 30 and 31:
Configuring a PAM module The PAM LD
Page 32 and 33:
14 AIX and Linux Interoperabilty
Page 34 and 35:
2.1 Lightweight Directory Access Pr
Page 36 and 37:
platforms and supported by many LDA
Page 38 and 39:
2.3 LDAP servers the AIX LDAP authe
Page 40 and 41:
2.3.1 IBM Directory Server IBM Dire
Page 42 and 43:
Example 2-4 IBM Directory Server in
Page 44 and 45:
Choosing the suffix All DNs adminis
Page 46 and 47:
krb5-devel-1.2.5-6.i386.rpm openlda
Page 48 and 49: 30 AIX and Linux Interoperabilty ad
Page 50 and 51: Figure 2-4 Creating the key databas
Page 52 and 53: 2.5 LDAP authentication clients 34
Page 54 and 55: Figure 2-6 Linux security subsystem
Page 56 and 57: Example 2-8 Alternative LDAP identi
Page 58 and 59: If you enter '.', the field will be
Page 60 and 61: Example 2-10 OpenLDAP /etc/openldap
Page 62 and 63: objectClass: posixAccount objectCla
Page 64 and 65: Though authconfig does a good job,
Page 66 and 67: ut values may be only host names or
Page 68 and 69: 50 AIX and Linux Interoperabilty si
Page 70 and 71: standard authentication methods to
Page 72 and 73: The kinit program obtains the TGT.
Page 74 and 75: weeorg.com = WEEORG.COM The krb5.co
Page 76 and 77: the kadmind administration server i
Page 78 and 79: For example, ordinary users have ju
Page 80 and 81: minclasses Minimum number of charac
Page 82 and 83: server and loaded into the target d
Page 84 and 85: There exists, however, an LDAP back
Page 86 and 87: 68 AIX and Linux Interoperabilty Ve
Page 88 and 89: ACL restrictions. Enter password fo
Page 90 and 91: Note that version numbers may chang
Page 92 and 93: Example 3-7 The DNS zone with suppo
Page 94 and 95: principals that are running on a pa
Page 96 and 97: You should find other Kerberos serv
Page 100 and 101: 3.9 Security considerations Kerbero
Page 102 and 103: On AIX 5L Version 5.2, the EIM APIs
Page 104 and 105: 4.1 Protocols Protocols define how
Page 106 and 107: Configuring the master name server
Page 108 and 109: 90 AIX and Linux Interoperabilty c.
Page 110 and 111: 92 AIX and Linux Interoperabilty d.
Page 112 and 113: Address: 192.168.5.10 94 AIX and Li
Page 114 and 115: 96 AIX and Linux Interoperabilty }
Page 116 and 117: Route Tree for Protocol Family 2 (I
Page 118 and 119: 100 AIX and Linux Interoperabilty I
Page 120 and 121: 4.2 Data transfers 4.2.1 rsync On t
Page 122 and 123: For more information on the rsync.c
Page 124 and 125: Running the rdist command In AIX, g
Page 126 and 127: The IBM Tivoli Netview supports AIX
Page 128 and 129: If you want to install and compile
Page 130 and 131: 4.3.4 UNIX network performance mana
Page 132 and 133: - Mail aliases file - Mail queue -
Page 134 and 135: 5.1.2 Configuration file: sendmail.
Page 136 and 137: This creates a dbm version of the a
Page 138 and 139: The MASQUERADE_AS macro removes all
Page 140 and 141: macro files, which are generally in
Page 142 and 143: 6.1 Installing Samba on AIX You can
Page 144 and 145: 126 AIX and Linux Interoperabilty C
Page 146 and 147: Figure 6-3 Creating homes share thr
Page 148 and 149:
Figure 6-5 Configuring print shares
Page 150 and 151:
Example 6-2 Verifying the shares av
Page 152 and 153:
# server and service. # For example
Page 154 and 155:
136 AIX and Linux Interoperabilty W
Page 156 and 157:
[homes] 138 AIX and Linux Interoper
Page 158 and 159:
140 AIX and Linux Interoperabilty T
Page 160 and 161:
Page 162 and 163:
7.1 What NFS is NFS was designed by
Page 164 and 165:
Example 7-3 Installing NFS server f
Page 166 and 167:
Example 7-5 NFS options from SMIT 1
Page 168 and 169:
Use SECURE option? no + Public file
Page 170 and 171:
This means that /usr/home from aix_
Page 172 and 173:
► lockd ► statd The first servi
Page 174 and 175:
3. To verify the mounted directory,
Page 176 and 177:
On Linux, automount is started by r
Page 178 and 179:
7.6.4 NFS locking An RPC program ha
Page 180 and 181:
Page 182 and 183:
8.1 Journaled File System (JFS) The
Page 184 and 185:
Reboot the system. Now we have JFS
Page 186 and 187:
dev/fd0 /mnt/floppy auto noauto,own
Page 188 and 189:
which will be available in future r
Page 190 and 191:
udfcheck. The command names are sel
Page 192 and 193:
Where /dev/cd0 is the DVD-RAM drive
Page 194 and 195:
Since the export rules allow the wr
Page 196 and 197:
Another popular archiver is cpio. I
Page 198 and 199:
9.1 IPSec In this topic, we are goi
Page 200 and 201:
9.1.2 Tunnels and key management To
Page 202 and 203:
9.1.3 Installing IPSec on Linux The
Page 204 and 205:
In Figure 9-2, we suggest a test sc
Page 206 and 207:
9.1.4 Installing IPSec on AIX The I
Page 208 and 209:
6. Click OK. The Password Prompt wi
Page 210 and 211:
Expand the Network icon, on the lef
Page 212 and 213:
configuration to the corresponding
Page 214 and 215:
We can also check the logs files. I
Page 216 and 217:
9.2 Security tools 9.2.1 OpenSSL In
Page 218 and 219:
openssl ###########################
Page 220 and 221:
# so this is commented out by defau
Page 222 and 223:
# This goes against PKIX guidelines
Page 224 and 225:
Using OpenSSL Now we will cover som
Page 226 and 227:
To encrypt a file using a symmetric
Page 228 and 229:
In Example 9-17, we generate a set
Page 230 and 231:
In Example 9-21 we compute the publ
Page 232 and 233:
Example 9-24 Generating a RSA publi
Page 234 and 235:
organizationalUnitName = Internatio
Page 236 and 237:
Verifying password - Enter PEM pass
Page 238 and 239:
ea:c2:f7:e0:67:50:34:5d:ab:a9:89:83
Page 240 and 241:
9.2.2 OpenSSH 9.2.3 tcp_wrapper To
Page 242 and 243:
Page 244 and 245:
10.1 Web-based System Manager Web-b
Page 246 and 247:
If Web-based System Manager is not
Page 248 and 249:
Figure 10-2 Web-based System Manage
Page 250 and 251:
To install Web-based System Manager
Page 252 and 253:
Figure 10-5 Installation of Web-bas
Page 254 and 255:
We have a network that consists of
Page 256 and 257:
238 AIX and Linux Interoperability
Page 258 and 259:
10.On the Linux command line, run t
Page 260 and 261:
10.3 Webmin To view the CA certific
Page 262 and 263:
Config file directory [/etc/webmin]
Page 264 and 265:
Figure 10-11 Webmin welcome page fo
Page 266 and 267:
administer. An example Web page of
Page 268 and 269:
Figure 10-15 Servers category Other
Page 270 and 271:
252 AIX and Linux Interoperability
Page 272 and 273:
11.1 Printing from Linux to a print
Page 274 and 275:
Example 11-2 Adding a queue for pri
Page 276 and 277:
Example 11-5 Adding print access fo
Page 278 and 279:
11.2 Printing from AIX to a printer
Page 280 and 281:
4. Figure 11-4 shows that Red Hat a
Page 282 and 283:
Figure 11-7 A properly configured p
Page 284 and 285:
To configure a remote printer using
Page 286 and 287:
Example 11-10 Selecting the remote
Page 288 and 289:
2. Configure the IBM Directory to s
Page 290 and 291:
12.1 Linux on a logical partition (
Page 292 and 293:
Figure 12-2 Workload Management thr
Page 294 and 295:
Other related information and links
Page 296 and 297:
System applications Samba client, G
Page 298 and 299:
► Linux Applications on pSeries,
Page 300 and 301:
NS Name Server NSS Name Service Swi
Page 302 and 303:
284 AIX and Linux Interoperabilty A
Page 304 and 305:
Page 306 and 307:
Page 308 and 309:
► rsync Web site 290 AIX and Linu
Page 310 and 311:
Page 312 and 313:
allow-query 88 allow-transfer 88 Ap
Page 314 and 315:
LDAP directory schema 66 logging 56
Page 316 and 317:
AIX PAM module 9 applications on AI
Page 318 and 319:
udfcreate 171, 174 udflabel 171, 17
Page 322:
AIX and Linux Interoperability Effe
show all

AIX and Linux Interoperability - IBM Redbooks

Create successful ePaper yourself

Delete template?

Save as template?