Matthew, I have just now started testing on AIX 5.2 with NAS 1.4 (only clients and server, not the KDC; I use a w2k3 KDC). Most things work, but a few don't, and I put in a PMR to IBM. IBM also confirmed that for AIX 5.1 you need DCE to get the clients/servers to work, as they need the chauthent -k5 setting (I suggest you set it initially to chauthent -k5 -std so that in the case of a Kerberos failure you can still use the local password).
Regards
Markus

"Matthew B. Brookover" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> The mkkrb5clnt tool configures the system very similarly to what you
> described below. The difference was /etc/security/user set
> SYSTEM=KRB5files OR compat and /usr/lib/security/methods.cfg did not
> have the options=authonly. I made both changes and kerberos still fails
> to work on login.
>
> Markus Moeller also suggested chauthent -k5. The response was:
>
> [EMAIL PROTECTED] security]# chauthent -k5
> Kerberos 4 permitted on SP system only.
> Kerberos 5 requires DCE version 2.2 or greater.
> [EMAIL PROTECTED] security]#
>
> I looked around for DCE but could not find it on the AIX 5.1 CDROMs. I
> also looked on the IBM Scholars Program software offerings and did not
> see DCE there either. Is DCE still offered by TransArc?
>
> Out of curiosity, I put a packet sniffer on the KDC. There was no
> connection from AIX. There were several exchanges between the AIX host
> and the KDC when I ran kinit, kadmin, and mkkrb5clnt with the KDC, which
> leads me to believe that the system is configured correctly.
>
> While grasping at straws, I downloaded and installed the patches
> suggested by compare_report. It did not help.
>
> krb.conf:
>
> [libdefaults]
>         default_realm = MINES.EDU
>         default_keytab_name = FILE:/etc/krb5/krb5.keytab
>         default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
>         default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
>
> [realms]
>         MINES.EDU = {
>                 kdc = eightoften.mines.edu:88
>                 admin_server = eightoften.mines.edu:749
>                 default_domain = mines.edu
>         }
>
> [domain_realm]
>         .mines.edu = MINES.EDU
>         eightoften.mines.edu = MINES.EDU
>
> [logging]
>         kdc = FILE:/var/krb5/log/krb5kdc.log
>         admin_server = FILE:/var/krb5/log/kadmin.log
>         default = FILE:/var/krb5/log/krb5lib.log
>
>
> I am using the Kerberos client file sets provided by IBM on the
> expansion pack CD:
>
> [EMAIL PROTECTED] security]# lslpp -p | grep krb
> krb5.client.rte 1.3.0.0
> krb5.client.samples 1.3.0.0
> *prereq krb5.client.rte 1.3.0.0
> krb5.msg.en_US.client.rte 1.3.0.0
> *instreq krb5.client.rte 1.3.0.0
> krb5.toolkit.adt 1.3.0.0
> *prereq krb5.client.rte 1.3.0.0
> krb5.client.rte 1.3.0.0
> [EMAIL PROTECTED] security]#
>
> I had originally installed all of the krb* file sets from the expansion
> pack disk. After reading the list below, I removed them and installed
> only the ones listed.
>
> /etc/security/methods.cfg:
>
> NIS:
>         program = /usr/lib/security/NIS
>         program_64 = /usr/lib/security/NIS_64
>
> DCE:
>         program = /usr/lib/security/DCE
>
> KRB5:
>         program = /usr/lib/security/KRB5
>         options = authonly
>
> KRB5files:
>         options = db=BUILTIN,auth=KRB5
>
>
> The NIS and DCE stanzas were there already. mkkrb5clnt added the KRB5
> and KRB5files stanzas. I added the options=authonly line to the KRB5
> stanza.
>
> The only errors that show up in any of the logs are like this one in
> /var/adm/messages.
>
> Apr 2 10:52:49 bologna syslog: pts/1: failed login attempt for test06
> from merlin.Mines.EDU
>
>
> After running mkkrb5clnt, I cannot log in as any user except root. The
> system is running openssh that was not compiled with kerberos.
> OpenSSH will still let me log in using keys that were set up before kerberos.
> Even with openssh, you cannot log in using a password. If I run
> /usr/krb5/sbin/unconfig.krb5, everything goes back to normal.
>
> I have not tried to use LDAP yet. It looks like the AIX LDAP client
> will not work with the schema provided with OpenLDAP, leaving a number
> of issues to sort out. For now, I need authorization from local files
> and authentication from Kerberos.
>
> I thought about upgrading to AIX 5.3; unfortunately, my development
> system is not supported by AIX 5.2 and above.
>
> Thank you
>
>
> Matt Brookover
> [EMAIL PROTECTED]
>
>
> On Fri, 2005-04-01 at 16:44, Christopher D. Clausen wrote:
>
>> Matthew B. Brookover <[EMAIL PROTECTED]> wrote:
>> > I have MIT Kerberos 1.4 KDC on a Linux (Fedora Core 3) server. The
>> > server works with Linux, Windows, and open LDAP. I am trying to get
>> > an RS/6000 running AIX 5.1 with IBM's kerberos client (Network
>> > Authentication Service 1.3) to work with the KDC on Linux.
>> >
>> > I ran mkkrb5clnt -c eightoften.mines.edu -r MINES.EDU -s
>> > eightoften.mines.edu -d mines.edu -i files -K -T on the RS/6000. The
>> > /etc/krb5/krb5.conf and /usr/lib/sec /usr/lib/security/methods.cfg
>> > files look fine. I can use kinit and kadmin. The problem is I
>> > cannot log in.
>>
>> Using MIT binaries? Or the ones from the krb5.client.rte fileset?
>> (probably installed in /usr/krb5/bin)
>>
>> Also, I'd suggest symlinking /etc/krb5.conf to /etc/krb5/krb5.conf.
>>
>> > The only user that can log in is root; all other users get '3004-007
>> > You entered an invalid login name or password.' There are no log
>> > entries in /var/log/krb5/krb5kdc.log for the test user, suggesting
>> > that login is not even trying to connect to the KDC.
>>
>> Get Kerberos to first work with a local account (set the passwords
>> different) on the AIX box, then try to get LDAP working (assuming this
>> is what you want to do.)
>>
>> > The default stanza in /etc/security/user has SYSTEM set to "KRB5files
>> > OR compat". I have also tried to set the user's SYSTEM parameter to
>> > KRBfiles.
>>
>> I posted some info to a similar question to comp.unix.aix a month ago.
>> You might want to read through that thread:
>> http://groups-beta.google.com/group/comp.unix.aix/browse_frm/thread/7441e04b0acc2e5/90a21cf05720edf3
>>
>> Here are some parts of that message with additional info added:
>>
>> I currently have an AIX 5.1 machine (enzo.acm.uiuc.edu) up that uses NIS
>> for account info and Kerberos for auth (no passwords in NIS.) KDCs are
>> one Debian Linux sparc machine and one Solaris 9 sparc, running Kerberos
>> 1.3.6, I think.
>>
>> I found this useful:
>> http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/kerberos_auth_only_load_module.htm
>>
>> This may also be useful for you: http://www.feep.net/PAM/AIX/
>>
>> my current /lib/security/methods.cfg:
>> NIS:
>>         program = /usr/lib/security/NIS
>>         program_64 = /usr/lib/security/NIS_64
>>
>> * not sure if you need this or not, I'm guessing no
>> DCE:
>>         program = /usr/vice/etc/afs_dynamic_kerbauth
>>         options = authonly
>>
>> * you probably don't need the AFS or AFSfiles stanzas
>> AFS:
>>         program = /usr/vice/etc/afs_dynamic_kerbauth
>>         options = authonly
>>
>> AFSfiles:
>>         options = db=BUILTIN,auth=AFS
>>
>> KRB5:
>>         program = /usr/lib/security/KRB5
>>         options = authonly
>>
>> KRB5files:
>>         options = db=BUILTIN,auth=KRB5
>>
>> KRB5NIS:
>>         options = db=NIS,auth=KRB5
>>
>> I don't think you need dce installed, but you do need krb5.client.rte:
>> # lslpp -p | grep krb
>> krb5.client.rte 1.3.0.0
>> krb5.client.samples 1.3.0.0
>> *prereq krb5.client.rte 1.3.0.0
>> krb5.toolkit.adt 1.3.0.0
>> *prereq krb5.client.rte 1.3.0.0
>> krb5.client.rte 1.3.0.0
>> # lslpp -p | grep dce
>> #
>>
>> from my /etc/security/user file:
>> default:
>>         SYSTEM = "KRB5 OR (KRB5[UNAVAIL] AND compat[SUCCESS])"
>>         registry = NIS
>>
>> Let me know if this helps!
>>
>> I have not yet attempted LDAP auth. I'm sure there are others who would
>> like to know how to get LDAP+KRB5 working, so post anything you find out
>> back to the list.
>>
>> <<CDC
>> Christopher D. Clausen
>> [EMAIL PROTECTED] SysAdmin
>>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
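A check script added here as an illustration (not from any of the posters) that reads the two AIX stanza files the thread keeps returning to, methods.cfg and /etc/security/user, and verifies the settings the replies converge on: a KRB5 stanza with options = authonly, a KRB5files stanza with db=BUILTIN,auth=KRB5, and a default SYSTEM value that tries Kerberos but keeps compat as a fallback so a KDC outage does not lock local logins out. The function names and the sample file contents are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the AIX stanza files
# discussed above. Function names and sample contents are constructed.

# stanza_value FILE STANZA ATTR -> prints ATTR's value from STANZA.
# AIX stanza files: "Name:" header, indented "attr = value" lines,
# "*" introduces a comment (as in Christopher's methods.cfg).
stanza_value() {
    awk -v s="$2" -v a="$3" '
        /^[ \t]*\*/ { next }
        /^[A-Za-z0-9_]+:[ \t]*$/ { cur = $1; sub(/:.*/, "", cur); next }
        cur == s {
            line = $0; sub(/^[ \t]+/, "", line)
            eq = index(line, "="); if (eq == 0) next
            key = substr(line, 1, eq - 1); sub(/[ \t]+$/, "", key)
            if (key != a) next
            val = substr(line, eq + 1); sub(/^[ \t]+/, "", val)
            print val; exit
        }' "$1"
}

# check_krb5_config METHODS_CFG USER_FILE -> 0 when the three settings the
# replies converge on are present, 1 (with a reason) otherwise.
check_krb5_config() {
    rc=0
    [ "$(stanza_value "$1" KRB5 options)" = "authonly" ] ||
        { echo "KRB5 stanza: missing 'options = authonly'"; rc=1; }
    [ "$(stanza_value "$1" KRB5files options)" = "db=BUILTIN,auth=KRB5" ] ||
        { echo "KRB5files stanza: expected 'options = db=BUILTIN,auth=KRB5'"; rc=1; }
    case "$(stanza_value "$2" default SYSTEM)" in
        *KRB5*compat*) ;;   # Kerberos first, local password still usable
        *) echo "default SYSTEM: no KRB5 with compat fallback (lockout risk when the KDC is unreachable)"
           rc=1 ;;
    esac
    return $rc
}

# Constructed sample files mirroring the stanzas posted in the thread.
TMP=${TMPDIR:-/tmp}/krb5check.$$; mkdir -p "$TMP"
printf '%s\n' 'KRB5:' '        program = /usr/lib/security/KRB5' \
    '        options = authonly' '' 'KRB5files:' \
    '        options = db=BUILTIN,auth=KRB5' > "$TMP/methods.cfg"
printf '%s\n' 'default:' '        SYSTEM = "KRB5files OR compat"' \
    '        registry = files' > "$TMP/user"
check_krb5_config "$TMP/methods.cfg" "$TMP/user" && echo "stanzas look consistent"
```

Point the two arguments at the real /usr/lib/security/methods.cfg and /etc/security/user to check a live box; a non-zero exit names the stanza that is off.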