HOWTO: Authenticate against Active Directory (discussion in the AIX Operating System forum, Unix Operating Systems category)
Hi,

Some time ago I was looking for information about how to authenticate AIX users against Active Directory. In the AIX documentation (specifically the Security Guide) there is some information about this, but for somebody who's not familiar with Kerberos, this doesn't work too well. Also, searching the archives for this newsgroup (and others) mostly turned up questions instead of answers.

This post is primarily meant as help for people searching the archives. The assumption is that you're not familiar with Kerberos and/or the Windows implementation of it. (If you are, you probably don't need this post. :-) )

How to authenticate AIX users against Active Directory
======================================================

Time setup
----------

First, make sure that all systems involved have the correct time. Since Kerberos uses UTC, make sure that the timezone is set correctly. Having the clock and/or the "date" command display the correct local time is *not* necessarily enough.

Also, arrange for some sort of synchronisation between every machine involved. Authentication won't work if the clocks of different systems are too far apart. ("Too far" is measured in minutes.) This is important on each and every machine involved, both Windows and Unix.

Creating machine accounts for the AIX machine in Active Directory
-----------------------------------------------------------------

Kerberos (and thus Active Directory) not only authenticates users, but it also wants to make sure it communicates with the correct server. To do this, a Kerberos client and Kerberos server have a shared secret. On the Kerberos server, a keyfile is created for every Kerberos client. This keyfile must be securely transported to the client.

You must create an account for the AIX machine in Active Directory. This can be a "User" account. Set a safe password for this account. Once the account is created, you'll need to set up this account for Kerberos authentication, and create a keyfile. This is both done with the Ktpass.exe utility, found on the Windows product CD.

    Ktpass -princ host/<hostname>@<realm> -mapuser <Windows-user> -pass <password> -out <filename>

    <hostname>     : the full hostname for the client
    <realm>        : the Active Directory domain in uppercase
    <Windows-user> : the Windows account you just created
    <password>     : a random password, that does NOT have to be the same as the password you used
                     when creating the Windows user. Use a strong password here! (Note that I
                     experienced problems with passwords longer than 8 characters, your mileage may vary.)
    <filename>     : where to put the created keyfile

So, for an AIX machine named "client", which you want to use in the example.com domain with the Windows account "client":

    Ktpass -princ host/client.example.com@EXAMPLE.COM -mapuser client -pass SecreT -out c:\client.keytab

After this command, the file c:\client.keytab contains the generated keyfile, and the Windows account "client" is set up correctly. Transfer the file "client.keytab" to the AIX machine.

Configuring Kerberos on AIX
---------------------------

On the AIX machine, install the krb5.client fileset. This is found on the AIX product media, specifically the Expansion Pack. To configure Kerberos, the config.krb5 command can be used:

    # config.krb5 -C -r <realm> -d <domain> -c <KDC> -s <server>

    <realm>  : the Active Directory domain in uppercase
    <domain> : the DNS domain of the Active Directory
    <KDC>    : the Kerberos Key Distribution Center. In the Windows implementation of Kerberos,
               each Domain Controller is automatically a Key Distribution Center.
    <server> : a server that can administer the Kerberos realm. Use a Windows domain controller
               here. Since only Windows tools will be used to administer the Kerberos realm,
               this is of little use but we'll supply it anyway.

So, for the "example.com" Active Directory with a domain controller named "dc.example.com", the following command can be used:

    # config.krb5 -C -r EXAMPLE.COM -d example.com -c dc.example.com -s dc.example.com

This command creates a krb5.conf file. You'll need to edit this file to remove some encryption methods not supported by Windows. Open /etc/krb5/krb5.conf in an editor and reduce default_tkt_enctypes and default_tgs_enctypes to only des-cbc-md5 and des-cbc-crc. If you want, you can add more Domain Controllers to this file: just add more "kdc =" lines.

Now you can install the keyfile you generated earlier. This is done with the /usr/krb5/sbin/ktutil utility. If you start it, you'll get a "ktutil: " prompt where you can enter commands. First, read in the keyfile you generated with the command "rkt /path/to/client.keytab". Then, write it to the correct location: "wkt /etc/krb5/krb5.keytab". Note that this assumes you don't already have /etc/krb5/krb5.keytab. If you do, these commands will cause it to be overwritten, so beware.

Testing the Kerberos installation
---------------------------------

Now the Kerberos client should be installed and configured correctly. This assumes you have an AIX user with the same account name in AIX and in the Active Directory. (See "KRB5A Authentication Load Module Questions and Troubleshooting Information" in the Security Guide for more information, and specifically the section "What is the Purpose of the auth_name and auth_domain Attributes".)

The AIX user in this example is "foobar". The account in Active Directory is also "foobar". Log into AIX as "foobar". Issue "/usr/krb5/bin/kinit". It should ask for your Active Directory password, and immediately return when you enter the correct password.

    $ /usr/krb5/bin/kinit
    Password for foobar@EXAMPLE.COM:
    $

If you enter an incorrect password, or the "foobar" account is locked out in Active Directory, something like this will happen:

    $ /usr/krb5/bin/kinit
    Password for foobar@EXAMPLE.COM:
    Unable to obtain initial credentials.
    Status 0x96c73a18 - Preauthentication failed.
    $

Configuring AIX to use Kerberos authentication for specific users
-----------------------------------------------------------------

Add the following stanzas in the methods.cfg file:

    KRB5A:
            program = /usr/lib/security/KRB5A
            options = authonly

    KRB5Afiles:
            options = db=BUILTIN,auth=KRB5A

Issue the following command, for each user to be changed to Kerberos authentication:

    chuser registry=KRB5Afiles SYSTEM=KRB5Afiles <username>

    <username> : AIX username to be changed to Kerberos authentication

You should be able to log on using the Windows password now. If you use SSH and it doesn't work, restart the SSH daemon first. Also check that the AIX account hasn't had too many incorrect logins.

--
Jurjen Oskam
"E-mail has just erupted like a weed, and instead of considering what to say when they write, people now just let thoughts drool out onto the screen." - R. Craig Hogan
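The procedure above edits two files by hand and depends on two preconditions (clock agreement and the trimmed enctype lists) that are easy to get wrong on the first try. The script below is an added example, not part of Jurjen's post or of any IBM tooling: it generates the krb5.conf and methods.cfg fragments the HOWTO describes, checks an existing krb5.conf for enctypes outside the allowed list, and checks a clock difference against the 300-second skew tolerance that is the MIT libkrb5 default (assumed here to apply to IBM's NAS client as well). Realm, domain and KDC names are the post's placeholders. The enctype list defaults to the two DES types the post used with its 2005-era domain controllers; on a current domain you would set ALLOWED_ENCTYPES to the AES types instead, since DES is disabled by default on modern Windows KDCs.

```shell
#!/bin/sh
# Added example (not from the original post): generate and check the
# configuration fragments from the HOWTO. Names below are placeholders
# taken from the post's example, overridable from the environment.

REALM=${REALM:-EXAMPLE.COM}
DOMAIN=${DOMAIN:-example.com}
KDC=${KDC:-dc.example.com}
# The post trims the ticket enctypes to these two; set this to the AES
# types for a current domain.
ALLOWED_ENCTYPES=${ALLOWED_ENCTYPES:-"des-cbc-md5 des-cbc-crc"}
# MIT libkrb5 default tolerance between client and KDC clocks (seconds).
CLOCKSKEW=300

# krb5.conf with the enctype lines already reduced, so nothing needs to
# be edited after config.krb5. Extra domain controllers are extra "kdc =" lines.
gen_krb5_conf() {
  cat <<EOF
[libdefaults]
        default_realm = $REALM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = $ALLOWED_ENCTYPES
        default_tgs_enctypes = $ALLOWED_ENCTYPES

[realms]
        $REALM = {
                kdc = $KDC:88
                admin_server = $KDC:749
                default_domain = $DOMAIN
        }

[domain_realm]
        .$DOMAIN = $REALM
        $DOMAIN = $REALM
EOF
}

# Return 0 only if both enctype lines exist in file $1 and list nothing
# outside ALLOWED_ENCTYPES; catches a krb5.conf that was written by
# config.krb5 but never edited.
check_enctypes() {
  f=$1
  for key in default_tkt_enctypes default_tgs_enctypes; do
    line=$(grep "^[[:space:]]*$key[[:space:]]*=" "$f" | head -n 1)
    [ -n "$line" ] || return 1
    for v in ${line#*=}; do
      ok=1
      for a in $ALLOWED_ENCTYPES; do [ "$v" = "$a" ] && ok=0; done
      [ $ok -eq 0 ] || return 1
    done
  done
  return 0
}

# The KDC rejects a request whose timestamp is more than CLOCKSKEW seconds
# away from its own clock. $1 = client epoch seconds, $2 = reference epoch
# seconds (e.g. read from the domain controller); returns 0 when in tolerance.
skew_ok() {
  d=$(( $1 - $2 ))
  [ "$d" -lt 0 ] && d=$(( 0 - d ))
  [ "$d" -le "$CLOCKSKEW" ]
}

# The two stanzas the post adds to /usr/lib/security/methods.cfg: KRB5A
# authenticates only, KRB5Afiles keeps the user's attributes in local files.
gen_methods_cfg() {
  cat <<'EOF'
KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A
EOF
}

# Print (do not run) the chuser command per user so the change can be reviewed.
chuser_cmds() {
  for u in "$@"; do
    echo "chuser registry=KRB5Afiles SYSTEM=KRB5Afiles $u"
  done
}

# Stand-alone run: show both fragments and the command for the post's user.
if [ -z "$NO_DEMO" ]; then
  gen_krb5_conf
  echo
  gen_methods_cfg
  chuser_cmds foobar
fi
```

To check a live system, feed the existing file to check_enctypes (`check_enctypes /etc/krb5/krb5.conf`) and compare `date +%s` on the AIX host with the epoch time read from a domain controller using skew_ok; a failing skew check explains a "Preauthentication failed" style kinit error before any password is suspected.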
Hi Jurjen,

Thanks for the clarifying text about Kerberos. Have you tested Samba 3 with ADS? I have also read too many documents during the last weeks but no luck for AIX users. Ready-made Samba 3 builds are compiled without ADS support. So far I have managed to build Kerberos V5 1.3.6 from MIT and OpenSSL. Also OpenLDAP is easy to build. But now the main obstacle is the Cyrus SASL Library from http://asg.web.cmu.edu/sasl/sasl-library.html This is required by OpenLDAP to use Kerberos-based SASL/GSSAPI authentication.

OpenSSL
    config --openssldir=/opt/freeware

Kerberos V5 1.3.6
    configure --prefix=/opt/freeware --disable-ipv6 --without-krb4

Cyrus SASL
    ../configure --prefix=/opt/freeware --with-openssl=/opt/freeware \
        --with-gss_impl=mit --enable-gssapi=/opt/freeware/include/gssapi \
        --disable-sample --disable-libtool-lock --disable-dependency-tracking

The SASL utils directory Makefile fails...

Best Regards.
Jorma
Jorma wrote:
> Hi Jurjem,
>
> Thanks for the clarifying text about Kerberos.
> Have you tested Samba 3 with ADS?
> I have also read too many documents during the last weeks but no luck
> for AIX user. Ready made Samba 3 builds are compiled without ADS
> support. So far I have managed to build Kerberos V5 1.3.6 from MIT and
> OpenSSL. Also OpenLDAP is easy to build. But now the main the obstacle
> is the Cyrus SASL Library from
> http://asg.web.cmu.edu/sasl/sasl-library.html
> This is required by OpenLDAP to use Kerberos based SASL/GSSAPI
> authentication.
>
> OpenSSL
> config --openssldir=/opt/freeware
>
> Kerberos V5 1.3.6
> configure --prefix=/opt/freeware --disable-ipv6 --without-krb4
>
> Cyrus SASL
> ./configure --prefix=/opt/freeware --with-openssl=/opt/freeware
> --with-gss_impl=mit --enable-gssapi=/opt/freeware/include/gssapi
> --disable-sample --disable-libtool-lock --disable-dependency-tracking
>
> The SASL utils direcory Makefile fails...
>
> Best Regards.
> Jorma

Jorma,

Here's how I built cyrus-sasl on AIX 4.3.3 and AIX 5.1 using the "C for AIX" compiler (i.e. not GCC), hope this helps:

    CC=cc_r \
    ../configure --prefix=/usr/local/dms/cyrus-sasl-2.1.18 \
        --with-openssl=/usr/local/ssl \
        --enable-gssapi=/usr/local \
        --disable-libtool-lock \
        --disable-dependency-tracking \
        --enable-static \
        --disable-shared \
        --disable-krb4 \
        --disable-ipv6

-tony
On 2005-02-01, Jorma <guest@guest.fi> wrote:
> Have you tested Samba 3 with ADS?

Nope.

[building of several packages fails]

Why do you want to build these? Are these a requirement for Samba 3?

IBM's Network Authentication Service is an implementation of MIT Kerberos, wouldn't that work?

--
Jurjen Oskam
"E-mail has just erupted like a weed, and instead of considering what to say when they write, people now just let thoughts drool out onto the screen." - R. Craig Hogan
Hi,

Thanks Tony, I managed to build the Cyrus SASL on AIX 5.2 ML 4 with IBM C 6.0.

Cyrus SASL 2.1.20
    ../configure --prefix=/opt/freeware \
        --with-openssl=/opt/freeware \
        --with-gss_impl=mit \
        --enable-gssapi=/opt/freeware/include/gssapi \
        --disable-krb4 \
        --enable-static \
        --disable-shared \
        --disable-sample \
        --disable-libtool-lock \
        --disable-dependency-tracking \
        --with-plugindir=/opt/freeware/lib/sasl2

OpenLDAP 2.2.23 is still under work. It does not find SASL. What are the right configuration parameters for Samba 3 usage? Slap and Slurp are just funny names for me. Do I need TLS support, for example?

    env CPPFLAGS="-I/opt/freeware/include \
        -I/opt/freeware/include/openssl \
        -I/opt/freeware/include/sasl" \
      LDFLAGS="-L/opt/freeware/lib -L/opt/freeware/lib/sasl2" \
      ../configure --prefix=/opt/freeware --with-tls --with-cyrus-sasl \
        --with-threads \
        --disable-bdb \
        --enable-ldap \
        --enable-rewrite \
        --enable-proxycache \
        --enable-dyngroup \
        --disable-shared

A few lines from the end of the configuration:

    checking for sasl/sasl.h... yes
    checking for sasl.h... yes
    checking for sasl_client_init in -lsasl2... no
    checking for sasl_client_init in -lsasl... no
    configure: error: Could not locate Cyrus SASL

Is it really trying to find file sasl_client_init from the sasl library? At least I do not have such a call. Maybe the SASL build is still broken. Arg! What to do?

The IBM Kerberos V5 package is a subset of the real MIT V5. These OpenXXX packages need the real thing.

Jorma

Jurjen Oskam wrote:
> On 2005-02-01, Jorma <guest@guest.fi> wrote:
>> Have you tested Samba 3 with ADS?
>
> Nope.
>
> [building of several packages fails]
>
> Why do you want to build these? Are these a requirement for Samba 3?
>
> IBM's Network Authentication Service is an implementation of MIT
> Kerberos, wouldn't that work?
Jorma wrote:
> Hi,
>
> Thanks Tony I managed to build the Cyrus SASL on AIX 5.2 ML 4
> with IBM C 6.0
>
> Cyrus SASL 2.1.20
> ./configure --prefix=/opt/freeware \
> --with-openssl=/opt/freeware \
> --with-gss_impl=mit \
> --enable-gssapi=/opt/freeware/include/gssapi \
> --disable-krb4 \
> --enable-static \
> --disable-shared \
> --disable-sample \
> --disable-libtool-lock \
> --disable-dependency-tracking \
> --with-plugindir=/opt/freeware/lib/sasl2
>
> OpenLDAP 2.2.23 is still under work. It does not found SASL.
> What are the right configuration parameters for Samba 3 usage.
> Slap and Slurp are just funny names for me.
> Do I need tls support for example?
>
> env CPPFLAGS="-I/opt/freeware/include \
> -I/opt/freeware/include/openssl \
> -I/opt/freeware/include/sasl" \
> LDFLAGS="-L/opt/freeware/lib -L/opt/freeware/lib/sasl2" \
> ./configure --prefix=/opt/freeware --with-tls --with-cyrus-sasl\
> --with-threads \
> --disable-bdb \
> --enable-ldap \
> --enable-rewrite \
> --enable-proxycache \
> --enable-dyngroup \
> --disable-shared
>
> Few lines from the end of configuration:
> checking for sasl/sasl.h... yes
> checking for sasl.h... yes
> checking for sasl_client_init in -lsasl2... no
> checking for sasl_client_init in -lsasl... no
> configure: error: Could not locate Cyrus SASL
>
> Is it really trying to find file sasl_client_init
> from sasl library. At least I do not have such a call.
> Maybe the SASL build is still broken.
> Arg! What to do?
>
> IBM Kerberos V5 package is subset of real MIT V5
> These OpenXXX packages need the real thing.
>
> Jorma
>
> Jurjen Oskam wrote:
> > On 2005-02-01, Jorma <guest@guest.fi> wrote:
> >>Have you tested Samba 3 with ADS?
> >
> > Nope.
> >
> > [building of several packages fails]
> >
> > Why do you want to build these? Are these a requirement for Samba 3?
> >
> > IBM's Network Authentication Service is an implementation of MIT
> > Kerberos, wouldn't that work?

Jorma,

Here is a script that I use to build OpenLdap (Note: I have downloaded and installed MIT's Kerberos):

    ---------------------------------------------------------------
    #!/bin/ksh
    #
    #
    # NOTE:
    #   Performing this:
    #       ac_cv_func_getaddrinfo=no
    #   Was recommended by Howard Chu
    #   to solve the problem with getaddrinfo returning a 3
    #   which means hints.ai_flags is invalid...
    #   ...it is set to AI_ADDRCONFIG.
    #
    # NOTE: Setting CPPFLAGS below:
    #   - configure can't locate openssl's includes even
    #     when specified with "--x-includes"
    #   - configure can't locate cyrus-sasl's includes even
    #     when specified with "--x-includes"
    #
    # NOTE: Setting LDFLAGS below:
    #   - configure can't locate openssl's libraries even
    #     when specified with "--x-libraries"
    #   - configure can't locate cyrus-sasl's libraries even
    #     when specified with "--x-libraries"
    #
    #   /usr/local/lib:                kerberos libraries
    #                                  (gssapi_krb5, krb5, k5crypto & com_err)
    #   /usr/local/ssl/lib:            ssl libraries
    #                                  (crypto)
    #   /usr/local/dms/cyrus-sasl/lib: sasl libraries
    #                                  (sasl2, & sasl2/libgssapiv2.a)
    #
    CC=xlc_r \
    CPPFLAGS="-I/usr/local/ssl/include \
              -I/usr/local/dms/cyrus-sasl/include" \
    LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/dms/cyrus-sasl/lib \
             -L/usr/local/lib \
             -lcrypto -ldl -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err " \
    MKDEP=/dnload/ldap_dir/openldap-2.2.13/build/mkdep.aix \
    ac_cv_func_getaddrinfo=no \
    ../configure --prefix=/usr/local/dms/openldap-2.2.13 \
        --with-cyrus-sasl \
        --with-tls=openssl \
        --disable-slapd \
        --with-kerberos \
        --disable-shared \
        --enable-static \
        --disable-ipv6
    ---------------------------------------------------------------

Hope this helps.
-tony
bennett.tony@cnf.com wrote:
> Jorma,
>
> Here is a script that I use to build OpenLdap
> (Note: I have downloaded and installed MIT's Kerberos):
> ---------------------------------------------------------------
> #!/bin/ksh
> #
> #
> # NOTE:
> #   Performing this:
> #       ac_cv_func_getaddrinfo=no
> #   Was recommended by Howard Chu
> #   to solve the problem with getaddrinfo returning a 3
> #   which means hints.ai_flags is invalid...
> #   ...it is set to AI_ADDRCONFIG.
> #
> # NOTE: Setting CPPFLAGS below:
> #   - configure can't locate openssl's includes even
> #     when specified with "--x-includes"
> #   - configure can't locate cyrus-sasl's includes even
> #     when specified with "--x-includes"
> #
> # NOTE: Setting LDFLAGS below:
> #   - configure can't locate openssl's libraries even
> #     when specified with "--x-libraries"
> #   - configure can't locate cyrus-sasl's libraries even
> #     when specified with "--x-libraries"
> #
> #   /usr/local/lib:                kerberos libraries
> #                                  (gssapi_krb5, krb5, k5crypto & com_err)
> #   /usr/local/ssl/lib:            ssl libraries
> #                                  (crypto)
> #   /usr/local/dms/cyrus-sasl/lib: sasl libraries
> #                                  (sasl2, & sasl2/libgssapiv2.a)
> #
> CC=xlc_r \
> CPPFLAGS="-I/usr/local/ssl/include \
>           -I/usr/local/dms/cyrus-sasl/include" \
> LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/dms/cyrus-sasl/lib \
>          -L/usr/local/lib \
>          -lcrypto -ldl -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err " \
> MKDEP=/dnload/ldap_dir/openldap-2.2.13/build/mkdep.aix \
> ac_cv_func_getaddrinfo=no \
> ./configure --prefix=/usr/local/dms/openldap-2.2.13 \
>     --with-cyrus-sasl \
>     --with-tls=openssl \
>     --disable-slapd \
>     --with-kerberos \
>     --disable-shared \
>     --enable-static \
>     --disable-ipv6
> ---------------------------------------------------------------
> Hope this helps.
> -tony

Thanks again Tony, I managed to build OpenLDAP with Cyrus-SASL!

    ----------------------------------------------------
    CC=xlc_r \
    CPPFLAGS="-I/opt/freeware/include \
              -I/opt/freeware/openssl/include \
              -I/opt/freeware/include/sasl \
              -I/opt/freeware/include/gssapi" \
    LDFLAGS="-L/opt/freeware/lib -L/opt/freeware/lib/sasl2 \
             -lcrypto -ldl -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err " \
    MKDEP=/opt/freeware/lib/openldap-2.2.23/build/mkdep.aix \
    ac_cv_func_getaddrinfo=no \
    ../configure --prefix=/opt/freeware \
        --with-cyrus-sasl \
        --with-tls=openssl \
        --disable-slapd \
        --disable-monitor \
        --disable-bdb \
        --with-kerberos \
        --disable-shared \
        --enable-static \
        --disable-ipv6
    -----------------------------------------------------------

I managed to build the Samba 3 without ADS support.

    ../configure --prefix=/opt/freeware/samba --without-ads --without-ldap \
        --without-winbind --without-pam --disable-cups --without-krb5 \
        --with-libiconv=/opt/freeware

It works OK. But the ADS support... If I try to add ADS support, Samba can't find/use OpenLDAP. I tried Samba versions 3.0.10 and 3.0.11. The message is the same. Here is my Samba 3 configure script. I get the same Samba message if I remove these extra ..FLAGS lines. I just need to have an ADS member server for sharing the files. AIX and ADS have identical user names, so no mapping is required.

    -----------------------------------------------------------
    env CC=cc \
      FLAGS="-I/opt/freeware/include" \
      CPPFLAGS="-I/opt/freeware/include \
                -I/opt/freeware/openssl/include \
                -I/opt/freeware/include/sasl \
                -I/opt/freeware/include/gssapi" \
      LDFLAGS="-L/opt/freeware/lib -L/opt/freeware/lib/sasl2" \
      CFLAGS="-I/opt/freeware/include" \
      ./configure --prefix=/opt/freeware/samba \
        --with-ads \
        --with-ldap \
        --without-winbind \
        --without-pam \
        --disable-cups \
        --with-krb5=/opt/freeware \
        --with-libiconv=/opt/freeware
    ------------------------------------------------------------

Lines removed....

    checking whether to use DFS clear-text auth... no
    checking for LDAP support... yes
    checking ldap.h usability... yes
    checking ldap.h presence... yes
    checking for ldap.h... yes
    checking lber.h usability... yes
    checking lber.h presence... yes
    checking for lber.h... yes
    checking for ber_scanf in -llber... yes
    checking for ldap_init in -lldap... no
    checking for ldap_domain2hostlist... no
    checking for ldap_set_rebind_proc... no
    checking whether ldap_set_rebind_proc takes 3 arguments... 3
    checking for ldap_initialize... no
    configure: error: libldap is needed for LDAP support

At least the library exists.

    # cd /opt/freeware/lib
    # ls -ls libld*
    436 -rw-r--r--   1 root     system       443330 Feb 06 23:21 libldap.a
      1 -rw-r--r--   1 root     system          782 Feb 06 23:21 libldap.la
    488 -rw-r--r--   1 root     system       496729 Feb 06 23:21 libldap_r.a
      1 -rw-r--r--   1 root     system          788 Feb 06 23:21 libldap_r.la

But do I have to configure OpenLDAP before running the Samba configure?

Jorma
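The failure pattern in Jorma's last two posts ("checking for sasl_client_init in -lsasl2... no", "checking for ldap_init in -lldap... no" with the archive plainly present) is the classic static-library symptom: configure's link test links only `-lldap`, and a static libldap.a carries no record of the liblber, Cyrus SASL, OpenSSL and Kerberos archives it was itself built against, so the test fails on their symbols and the real reason is only visible in config.log. The script below is an added example, not code from the thread or from any of the projects discussed: it pulls the undefined symbols for one configure test out of config.log and maps them to the `-l` flags to put in LIBS. The config.log excerpt is constructed; the AIX linker message format (`ld: 0711-317 ERROR: Undefined symbol: .name`) is real, and the symbol-prefix-to-library map is an assumption based on the naming conventions of those libraries.

```shell
#!/bin/sh
# Added example (not from the thread): find out why a configure link test
# such as "checking for ldap_init in -lldap" failed although the archive
# exists, by reading the linker errors configure recorded in config.log.
# SAMPLE_CONFIG_LOG is a constructed excerpt in the AIX linker's format.

SAMPLE_CONFIG_LOG='configure:12345: checking for ldap_init in -lldap
configure:12360: cc -o conftest -I/opt/freeware/include conftest.c -lldap -L/opt/freeware/lib >&5
ld: 0711-317 ERROR: Undefined symbol: .ber_scanf
ld: 0711-317 ERROR: Undefined symbol: .ber_free
ld: 0711-317 ERROR: Undefined symbol: .sasl_client_init
ld: 0711-317 ERROR: Undefined symbol: .SSL_CTX_new
ld: 0711-317 ERROR: Undefined symbol: .gss_init_sec_context
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
configure:12366: $? = 8
configure:12380: result: no'

# Print the undefined symbols recorded between the "checking <$2>" line
# and the next "checking" line of config.log $1, one per line, with the
# leading "." that the AIX linker prefixes to code symbols stripped off.
undefined_syms() {
  log=$1; test_name=$2
  awk -v t="$test_name" '
    /^configure:[0-9]+: checking / { inblock = index($0, t) > 0 }
    inblock && /Undefined symbol:/ { s = $NF; sub(/^\./, "", s); print s }
  ' "$log"
}

# Map a symbol prefix to the archive that provides it (OpenLDAP, Cyrus
# SASL, OpenSSL and MIT Kerberos naming conventions; an assumption, extend
# as needed). Unknown prefixes yield an empty line.
lib_for_sym() {
  case $1 in
    ber_*)                         echo "-llber" ;;
    ldap_*)                        echo "-lldap" ;;
    sasl_*)                        echo "-lsasl2" ;;
    SSL_*)                         echo "-lssl" ;;
    CRYPTO_*|EVP_*|RAND_*|X509_*)  echo "-lcrypto" ;;
    gss_*)                         echo "-lgssapi_krb5" ;;
    krb5_*)                        echo "-lkrb5" ;;
    *)                             echo "" ;;
  esac
}

# De-duplicated, first-seen-order list of -l flags to add to LIBS so the
# configure test can link against the static archive.
suggest_libs() {
  undefined_syms "$1" "$2" | while read -r sym; do lib_for_sym "$sym"; done |
    awk 'NF && !seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: "script.sh config.log 'ldap_init in -lldap'" reads a real
# log; with no arguments the constructed sample is analysed.
if [ $# -eq 2 ]; then
  suggest_libs "$1" "$2"
else
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_CONFIG_LOG" > "$tmp"
  echo "add to LIBS: $(suggest_libs "$tmp" 'ldap_init in -lldap')"
  rm -f "$tmp"
fi
```

With the output in hand, rerun configure with the extra archives in LIBS rather than LDFLAGS (for example `LIBS="-llber -lsasl2 -lssl -lcrypto -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" ./configure ...`), because LDFLAGS is placed before the object file on many configure link lines and static archives are only searched for symbols that are still undefined at the point they appear.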