3.6. Configuring an HP-UX System as an IPA Client

Note

The IPA client installation process requires that an IPA server already exist.

3.6.1. Configuring NTP

Configure and enable NTP and make sure that time is synchronized between the client and the IPA server.

3.6.2. Configuring LDAP Authentication

Install the ldapux client.

 # swinstall -s /path/to/J4269AA_B.04.15.01_HP-UX_B.11.23_IA_PA.depot

Change to the configuration directory, and run the setup script.

# cd /opt/ldapux/config/

# ./setup

NOTE

Running the setup script is only necessary for the first HP-UX client. Every subsequent HP-UX client only needs to know where the LDAP profile is stored. All clients will then use the same configuration.

For more information on this, see the HP-UX documentation at http://docs.hp.com/en/J4269-90075/ch02s07.html.

The setup script prompts for information about the IPA LDAP service, such as its port and host, Directory Manager credentials, and schema and directory suffixes.

Would you like to continue with the setup? [Yes]
Select which Directory Server you want to connect to ? [RedHat Directory]
Directory server host ? [ipaserver.example.com]
Directory Server port number [389]
Would you like to extend the printer schema in this directory server? [No]
Would you like to install PublicKey schema in this directory server? [No]
Would you like to install the new automount schema ? [No]
Profile Entry DN: [cn=ldapuxprofile,cn=etc,dc=example,dc=com]
User DN [cn=Directory Manager]
Password ? [Directory Manager's Password]
Authentication method ? [ SIMPLE ]
Enter the number of the hosts you want to specify [1]
Default Base DN ? [dc=example,dc=com]
Accept remaining defaults ? [n]
Client binding [Anonymous]
Bind time limit [5 seconds]
Search time limit [no limit]
Do you want client searches of the directory to follow referrals? [Yes]
Profile TTL [0 = infinite]
Do you want to remap any of the standard RFC 2307 attribute? [Yes]
Specify the service you want to map? [ 3 ]
[ group ]
Specify the attribute you want to map [3 for memberuid ]
Type the name of the attribute memberuid should be mapped to [member]
Specify the service you want to map? [ 0 = exit ]
Do you want to remap any of the standard RFC 2307 attribute? [ no this time ]
Do you want to create custom search descriptors? [ No ]

Ensure that the LDAP client daemon is running.
```
# ps -ef | grep ldapclientd
```
If necessary, start the daemon:
```
# /opt/ldapux/bin/ldapclientd
```
Check that the user and group entries in the LDAP client are correct and available:
```
# nsquery passwd admin
# nsquery group admins
```
Create a new group on the IPA server.
```
 # ipa group-add testgroup
```

Add a test user to the new group.

 # ipa group-add-member -a testuser testgroup

Validate the new user and group:

# nsquery passwd testuser
# nsquery group testgroup

To ensure that the LDAP client daemon starts when the system boots, add the following lines to the /etc/opt/ldapux/ldapclientd.conf file:
```
[StartOnBoot]
enable=yes
```

3.6.3. Configuring Kerberos

Edit the /etc/krb5.conf file to reflect the Kerberos domain used by the IPA server. Setting up the Kerberos configuration includes specifying the realm and domain details, and default ticket attributes. Forwardable tickets are configured by default, which facilitates connection to the administration interface from any operating system, and also provides for auditing of administration operations. For example:

[libdefaults]
default_realm = EXAMPLE.COM
default_keytab_name = FILE:/etc/krb5.keytab
default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
ccache_type = 2

[realms]
EXAMPLE.COM = {
      kpasswd_server = ipaserver.example.com
      kdc = ipaserver.example.com:88
      admin_server = ipaserver.example.com:749
      default_domain = example.com
      }

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[appdefaults]
kinit = {
      forwardable = true
      }

3.6.4. Configuring PAM

The PAM configuration differs slightly between different versions of HP-UX.

3.6.4.1. HP-UX 11i v2

Edit the /etc/pam.conf file so that all of the required modules are loaded for authentication. For example:

#
# PAM configuration
#
# This pam.conf file is intended as an example only.
# see pam.conf(4) for more details

# Authentication management
#
login auth required libpam_hpsec.so.1
login auth sufficient libpam_krb5.so.1
login auth required libpam_unix.so.1 try_first_pass
su auth required libpam_hpsec.so.1
su auth sufficient libpam_krb5.so.1
su auth required libpam_unix.so.1 try_first_pass
dtlogin auth required libpam_hpsec.so.1
dtlogin auth sufficient libpam_krb5.so.1
dtlogin auth required libpam_unix.so.1 try_first_pass
dtaction auth required libpam_hpsec.so.1
dtaction auth sufficient libpam_krb5.so.1
dtaction auth required libpam_unix.so.1 try_first_pass
ftp auth required libpam_hpsec.so.1
ftp auth sufficient libpam_krb5.so.1
ftp auth required libpam_unix.so.1 try_first_pass
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_krb5.so.1
sshd auth required libpam_unix.so.1 try_first_pass
OTHER auth required libpam_unix.so.1
#

# Account management
#
login account required libpam_hpsec.so.1
login account sufficient libpam_krb5.so.1
login account required libpam_unix.so.1
su account required libpam_hpsec.so.1
su account sufficient libpam_krb5.so.1
su account required libpam_unix.so.1
dtlogin account required libpam_hpsec.so.1
dtlogin account sufficient libpam_krb5.so.1
dtlogin account required libpam_unix.so.1
dtaction account required libpam_hpsec.so.1
dtaction account sufficient libpam_krb5.so.1
dtaction account required libpam_unix.so.1
ftp account required libpam_hpsec.so.1
ftp account sufficient libpam_krb5.so.1
ftp account required libpam_unix.so.1
sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_krb5.so.1
sshd account required libpam_unix.so.1
OTHER account required libpam_unix.so.1
#

# Session management
#
login session required libpam_hpsec.so.1
login session sufficient libpam_krb5.so.1
login session required libpam_unix.so.1
dtlogin session required libpam_hpsec.so.1
dtlogin session sufficient libpam_krb5.so.1
dtlogin session required libpam_unix.so.1
dtaction session required libpam_hpsec.so.1
dtaction session sufficient libpam_krb5.so.1
dtaction session required libpam_unix.so.1
sshd session required libpam_hpsec.so.1
sshd session sufficient libpam_krb5.so.1
sshd session required libpam_unix.so.1
OTHER session required libpam_unix.so.1
#

# Password management
#
login password required libpam_hpsec.so.1
login password sufficient libpam_krb5.so.1
login password required libpam_unix.so.1
passwd password required libpam_hpsec.so.1
passwd password sufficient libpam_krb5.so.1
passwd password required libpam_unix.so.1
dtlogin password required libpam_hpsec.so.1
dtlogin password sufficient libpam_krb5.so.1
dtlogin password required libpam_unix.so.1
dtaction password required libpam_hpsec.so.1
dtaction password sufficient libpam_krb5.so.1
dtaction password required libpam_unix.so.1
OTHER password required libpam_unix.so.1

3.6.4.2. HP-UX 11i v1

Edit the /etc/pam.conf file to reflect the following example:

#
# PAM configuration
#
# This pam.conf file is intended as an example only.
# see pam.conf(4) for more details
#

# Authentication management
#
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth sufficient /usr/lib/security/libpam_krb5.1
su auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth sufficient /usr/lib/security/libpam_krb5.1
dtaction auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth sufficient /usr/lib/security/libpam_krb5.1
ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth required /usr/lib/security/libpam_unix.1
#

# Account management
#
login account sufficient /usr/lib/security/libpam_krb5.1
login account required /usr/lib/security/libpam_unix.1
su account sufficient /usr/lib/security/libpam_krb5.1
su account required /usr/lib/security/libpam_unix.1
dtlogin account sufficient /usr/lib/security/libpam_krb5.1
dtlogin account required /usr/lib/security/libpam_unix.1
dtaction account sufficient /usr/lib/security/libpam_krb5.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp account sufficient /usr/lib/security/libpam_krb5.1
ftp account required /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_unix.1
#

# Session management
#
login session sufficient /usr/lib/security/libpam_krb5.1
login session required /usr/lib/security/libpam_unix.1
dtlogin session sufficient /usr/lib/security/libpam_krb5.1
dtlogin session required /usr/lib/security/libpam_unix.1
dtaction session sufficient /usr/lib/security/libpam_krb5.1
dtaction session required /usr/lib/security/libpam_unix.1
OTHER session required /usr/lib/security/libpam_unix.1
#

# Password management
#
login password sufficient /usr/lib/security/libpam_krb5.1
login password required /usr/lib/security/libpam_unix.1
passwd password sufficient /usr/lib/security/libpam_krb5.1
passwd password required /usr/lib/security/libpam_unix.1
dtlogin password sufficient /usr/lib/security/libpam_krb5.1
dtlogin password required /usr/lib/security/libpam_unix.1
dtaction password sufficient /usr/lib/security/libpam_krb5.1
dtaction password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.1

3.6.5. Configuring SSH

Ensure that you have version A.05.10.007 or later of ssh installed. A current package can be downloaded from the HP website at http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA.
Edit the /etc/opt/ssh/ssh_config file:
- Remove any PreferredAuthentications entries.
- Add the following lines:
```
Host *
	GSSAPIAuthentication yes
	GSSAPITrustDNS no
	PreferredAuthentications "gssapi-with-mic,publickey,password"
```
  IMPORTANT
  Include the tab character before the GSSAPIAuthentication, GSSAPITrustDNS, and PreferredAuthentications lines, and include the double quotes around the PreferredAuthentications value.
Remove the /etc/krb5.keytab file.

Set up the NFS/Kerberos mapping for the Solaris client on the IPA server.

Add a host service principal for the HP-UX client.

 # ipa service-add host/hpuxipaclient.example.com

Create the host keytab file.

 # ipa-getkeytab -s ipaserver.example.com -p host/hpuxipaclient.example.com -k /tmp/krb5.keytab -e des-cbc-crc

Copy this keytab to the HP-UX machine, and save it as /etc/krb5/krb5.keytab.

 # scp /tmp/krb5.keytab root@hpuxipaclient.example.com:/etc/krb5/krb5.keytab

3.6.6. Configuring Access Control

HP-UX systems provide the pam_authz PAM module, which can be used to control login access to the system based on a user's group membership. For details on how to configure access control with this module, see the HP documentation at http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02261530/c02261530.pdf.

Example 3.1. pam_authz.policy File: Allow User Access, Deny Admin Access

This configuration in /etc/opt/ldapux/pam_authz.policy prevents the admin user from logging in while still allowing regular users to log in.

# pam_authz.policy.template:
#
# An example file that could be copied over to /etc/opt/ldapux/pam_authz.policy.
# pam_authz.policy is a local policy file that PAM_AUTHZ would use to help
# determine which users would be allowed to login to the local host.
#
# In this template file, by default, the only active access rule is
#     "allow:unix_local_user"
# All the local users are authorized to login.
#
# The policy file contains one or more access rule. The format of an access
# rule is <action>:<type>:<object>
#
# where   <action> could be "deny", "allow", "status"
#                           "PAM_SUCCESS", "PAM_PERM_DENIED", "PAM_MAXTRIES"
#                           "PAM_AUTH_ERR", "PAM_NEW_AUTHTOK_REQD",
#                           "PAM_AUTHTOKEN_REQD, "PAM_CRED_INSUFFICIENT",
#                           "PAM_AUTHINFO_UNAVAIL", "PAM_USER_UNKNOWN"
#                           "PAM_ACCT_EXPIRED", "PAM_AUTHOK_EXPIRED"
#
#                           Note: "status" must use along with "rhds" or
#                           "ads" <type>.
#         <type>   could be "unix_user", "unix_local_user", "unix_group",
#                           "netgroup", ldap_filter", "ldap_group"
#                           "rhds" or "ads"
#
#                           Note: When <type> is set to "rhds" or "ads",
#                           the <action> filed must set to "status".
#         <object> contains search information. For example,
#

deny:unix_group:admins
allow:unix_local_user

3.6.7. Testing the Configuration

NOTE

By default, the admin user is given /bin/bash as the shell to use and /home/admin as the home directory. It may be necessary to install bash to be able to log in.

There are two quick ways to check the Kerberos and PAM configuration for the HP client:

Authenticate as an administrator on a Linux box that is a client in the IPA domain, and then attempt to SSH into the HP machine. The admin user should be able to log in using SSH without being asked for a password.
```
# kinit admin

# ssh admin@hpuxipaclient.example.com
```
Log into the IPA web UI using the administrator credentials on the HP machine.