Product SiteDocumentation Site

3.7. Configuring an AIX System as an IPA Client

3.7.1. Prerequisites

Make sure that all of these packages are installed on the AIX machine before beginning the client configuration:
  • v5.3 OS
  • v5.3 Updates
  • krb5 client packages
  • openssh
  • wget
  • bash
  • krb5 server
  • ldap.client
  • openssl
  • modcrypt.base (for gssd)
Configure and enable NTP and make sure that time is synchronized between the client and the IPA server.

3.7.2. Configuring the AIX Client

Setting up an AIX client requires setting up the client to work in the IPA Kerberos domain and, optionally, to enable SSH authentication to the AIX client using IPA credentials.
Kerberos configuration includes specifying the realm and domain details, and default ticket attributes. Forwardable tickets are configured by default, which facilitates connection to the administration interface from any operating system, and also provides for auditing of administration operations. For example:
  1. Configure the krb5 client settings to use the IPA Kerberos domain: 
    # mkkrb5clnt -r EXAMPLE.COM -d example.com -c ipaclient.example.com -s ipaserver.example.com
  2. Get a Kerberos ticket: 
    # kinit admin
  3. Configure the LDAP client settings to use the IPA directory services: 
    # mksecldap -c -h ipaserver.example.com -d cn=accounts,dc=example,dc=com -a uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com -p secret
  4. In the /etc/security/ldap directory, create user and group map files:
    • For example, for the IPAuser.map file: 
      #IPAuser.map file
keyobjectclass  SEC_CHAR        posixaccount    s

# The following attributes are required by AIX to be functional
username        SEC_CHAR        uid     s
id      SEC_INT uidnumber       s
pgrp    SEC_CHAR        gidnumber       s
home    SEC_CHAR        homedirectory   s
shell   SEC_CHAR        loginshell      s
gecos   SEC_CHAR        gecos   s
spassword       SEC_CHAR        userpassword    s
lastupdate      SEC_INT shadowlastchange        s
    • For example, for the IPAgroup.map file: 
      #IPAgroup.map file
groupname       SEC_CHAR        cn      s
id      SEC_INT gidNumber       s
users   SEC_LIST        member  m
  5. Modify the /etc/security/ldap/ldap.cfg file to set the REALM and base DN values for the IPA domain. 
    userbasedn:cn=users,cn=accounts,dc=example,dc=com
groupbasedn:cn=groups,cn=accounts,dc=example,dc=com

userattrmappath:/etc/security/ldap/IPAuser.map
groupattrmappath:/etc/security/ldap/IPAgroup.map

userclasses:posixaccount
  6. Start the LDAP client daemon: 
    # start-secldapclntd
  7. Test the LDAP client connection to the IPA server: 
    # lsldap -a passwd
  8. Add the following sections to the /usr/lib/security/methods.cfg file to configure the system login to use Kerberos and LDAP: 
    KRB5A:
program = /usr/lib/security/KRB5A
program_64 = /usr/lib/security/KRB5A_64
options = authonly

LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64

KRB5ALDAP:
options = auth=KRB5A,db=LDAP
  9. Edit the /etc/security/user file, and modify the default section to use the Kerberos/LDAP system and the LDAP user registry. 
    SYSTEM = "KRB5ALDAP"
registry = LDAP
  10. To test the Kerberos configuration, log in as an IPA user and verify that the user and group information is correct: 
    $ id
  11. Optionally, configure the IPA client to accept incoming SSH requests and authenticate with the user's Kerberos credentials.
    1. Set the SSH syslog configuration: 
      auth.info       /var/log/sshd.log
auth.info       /var/log/sshd.log
auth.crit       /var/log/sshd.log
auth.warn       /var/log/sshd.log
auth.notice     /var/log/sshd.log
auth.err        /var/log/sshd.log
    2. Set the SSH logging configuration: 
      SyslogFacility AUTH
LogLevel INFO
    3. Configure sshd to use GSS-API, including disabling DNS for GSS-API: 
      vim /etc/ssh/sshd_config

# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPITrustDNS no
    4. Restart the sshd daemon: 
      # stopsrc -s sshd
# startsrc -s sshd
    5. Restart the syslogd daemon: 
      # stopsrc -s syslogd
# startsrc -s syslogd
    6. Add the client to the IPA server's Kerberos configuration.
      1. Add a host service principal for the client. 
         # ipa service-add host/ipaclient.example.com
      2. Retrieve the host keytab. 
         # ipa-getkeytab -s ipaserver -p host/ipaclient.example.com -k /tmp/krb5.keytab -e des-cbc-crc
      3. Copy the keytab from the server to the client. 
         # scp /tmp/krb5.keytab root@ipaclient.example.com:/tmp/krb5.keytab
    7. On the IPA client, use the ktutil command to import the contents into the main host keytab. 
      # ktutil
ktutil: read_kt /tmp/krb5.keytab
ktutil: write_kt /etc/krb5/krb5.keytab
ktutil: q
    8. On the IPA server, add a user that is only used for authentication. (This can be substituted with krb5 authentication if that works from the LDAP client). Otherwise go to the IPA server and use ldapmodify, bind as Directory Manager and create this user. The user should be assigned a shared password. 
      ldapmodify -D "cn=directory manager" -w secret -p 389 -h ipaserver.example.com -x -a

dn: uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: nss
userPassword: secretpassword
    9. On the IPA server, get a ticket for the admin user. 
       # kinit admin
    10. To test the SSH configuration, try to log in as the admin user using SSH without providing a password. 
       # ssh admin@ipaclient.example.com

NOTE

By default, the admin user is given /bin/bash as the shell to use and /home/admin as the home directory. It may be necessary to install bash to be able to log in.