Configure AIX to Authenticate to AD



How to Configure AIX to authenticate to AD Test Environment

PART A:

1. AD details:

The test server's information:
Server name: 3thad
IP address: 10.20.4.103
Domain: bank.com.my
Server OS: Windows 2003 Enterprise Edition R2

2. Test IDs: bimarcus, rmstest

3. Test Groups: bigroup, sasgroup

PART B:

1. # instfix -ik APAR IY91514

In the case of Windows 2003 R2-based Active Directory, there is no need for the additional Windows Services for UNIX (SFU) layer. The Windows 2003 R2 UNIX-supporting schema is different from the schema defined in Services for UNIX 3.0 and 3.5. The AIX 5L operating system requires APAR IY91514 to support Active Directory with the Windows 2003 R2 schema. To check whether the APAR is installed, run the command above.

2. # instfix -ik APAR IY91922

The AIX 5L operating system passwd command supports changing a Windows user's unicodePwd password. Windows Active Directory requires that password changes through LDAP be done over a secure connection. See the "Integrating AIX into Heterogeneous LDAP Environments" Redbook (in Resources) for details on configuring SSL on the AIX 5L operating system to work with Active Directory. The AIX 5L operating system also requires APAR IY91922 to change the unicodePwd password. To check whether the APAR is installed, run the command above.

3. Configure LDAP client – prerequisites

Add the AD server's IP address and hostname to /etc/hosts first.

Install the additional fileset: obtain the ldap.client fileset and run

# installp -acgXd /usr/local/temp ldap.client

4. Configure LDAP client

Example:

# mksecldap -c -h 3thad -a "cn=rmstest,ou=othersid,ou=tt,ou=hq,ou=intra-site,ou=bank,dc=bank,dc=com,dc=my" -p mypassword -A ldap_auth

VERY important: follow the sequence of the DN components exactly!! Use Ldapbrowser to view the distinguishedName pattern of the bind user.

5. Manually change the search base DNs. In /etc/security/ldap/ldap.cfg, change to:

userbasedn: ou=bank, DC=adtest,dc….
groupbasedn: ou=bank, DC=adtest, dc ….

After that, restart the LDAP client daemon:

# stop-secldapclntd

# start-secldapclntd

6. To verify that AIX is configured correctly, run the lsuser command to list a user that is defined in AD:

# lsuser -R LDAP rmstest

7. Add the home directory:

# mkdir /home/rmstest
# chown rmstest /home/rmstest
# chmod 755 /home/rmstest

8. To allow a Windows user to log in to AIX, the administrator needs to set the user's SYSTEM and registry attributes on AIX correctly by running the following command:

# chuser -R LDAP SYSTEM=LDAP registry=LDAP rmstest

Additional info: enable a test user for LDAP authentication. If possible, use a user that is already in the LDAP directory with a known password. To enable a test user such as test1, change the SYSTEM and registry attributes for that user to LDAP in /etc/security/user. If the user already exists on the client, this can be done with the chuser command, as shown here:

# chuser -R LDAP SYSTEM=LDAP registry=LDAP test1

9. Once changed, the user rmstest can log in to AIX with the Windows password.

10. BE VERY CAREFUL WHEN CHANGING THIS VALUE, AS YOU MAY LOCK OUT THE ROOT ID. It could be cumbersome to do the above for every user if all Windows users are to be allowed to log in to AIX. In such cases, the administrator can manually edit the /etc/security/user file and set the SYSTEM and registry attributes of the default stanza to LDAP. If the default stanza does not have the attributes, add them. The default stanza would look like:

default:
        ...
        SYSTEM = "LDAP"
        registry = LDAP
        ...

11. This will create the user stanza in /etc/security/user, but will not create a HOME directory for the user, so you can add that with:

# mkdir /home/rmstest
# chown rmstest /home/rmstest
# chmod 755 /home/rmstest

12. Test to make sure this user can log in using the password stored on the LDAP server. SYSTEM=LDAP and registry=LDAP ensure that LDAP is used instead of local files.

13. Configure root and other administrative users for local file authentication. Before setting the default user stanza to use LDAP, set specific users to use local files for authentication. Make sure to include the root user in this list, and if you do not allow root login, make sure to include at least one user that can su to root. Once again, you can make this change with the chuser command, as shown here:

# chuser registry=files SYSTEM=compat root

14. Make sure that users are populated in the LDAP directory. Before setting the default user stanza to use LDAP, make sure that you have users populated in LDAP. You can use ldapsearch to do this, but perhaps the easiest way is simply to use lsuser, as shown here:

# lsuser -R LDAP -a id pgrp SYSTEM registry ALL

15. Set the default user stanza in /etc/security/user to use LDAP. Once you are sure that LDAP is configured properly and that you have populated users into the LDAP directory, set the default user to use LDAP, as described in the Redbook section 4.2.6, “Update default stanza in /etc/security/user” on page 112. This will ensure that you can log in to the AIX client with any user in the LDAP directory that is not restricted.
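Steps 10 through 15 hinge on one check: root (and at least one su-capable account) must be explicitly pinned to local files before the default stanza flips to LDAP. The script below is an added example, not part of the original procedure or the Redbook; it parses a constructed copy of an /etc/security/user stanza file and refuses the switch when any named account would silently inherit the default. The function names stanza_attr, local_auth_ok and preflight and the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original document: pre-flight check before the
# default stanza of /etc/security/user is switched to LDAP. Confirms that root
# (and other named accounts) stay pinned to local files so the switch cannot
# lock root out. Function names and the sample file are assumptions.

# stanza_attr FILE STANZA ATTR: print the value (quotes stripped), or nothing
# when the stanza does not set it (it then inherits from the default stanza).
stanza_attr() {
    awk -v want="$2" -v attr="$3" '
        /^[^[:space:]#][^:]*:[[:space:]]*$/ { cur = $0; sub(/:.*/, "", cur); next }
        cur == want && $1 == attr && $2 == "=" {
            val = $0; sub(/^[[:space:]]*[^=]*=[[:space:]]*/, "", val)
            gsub(/"/, "", val); print val; exit
        }' "$1"
}

# local_auth_ok FILE USER: succeed only if USER is explicitly pinned to local files.
local_auth_ok() {
    [ "$(stanza_attr "$1" "$2" registry)" = "files" ] &&
    [ "$(stanza_attr "$1" "$2" SYSTEM)" = "compat" ]
}

# preflight FILE USER...: fail if any named user would follow the default stanza.
preflight() {
    f=$1; shift; rc=0
    for u in "$@"; do
        if local_auth_ok "$f" "$u"; then
            echo "ok:   $u stays on local files"
        else
            echo "FAIL: $u would follow default; fix with: chuser registry=files SYSTEM=compat $u"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of /etc/security/user (not a real system file).
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
default:
        SYSTEM = "LDAP"
        registry = LDAP
root:
        SYSTEM = "compat"
        registry = files
rmstest:
        admin = false
EOF
preflight "$SAMPLE" root rmstest || echo "not safe to switch the default stanza yet"
```

Run it against a copy of the real file (preflight /etc/security/user root opsadmin, for instance) before editing the default stanza; rmstest in the sample deliberately inherits the default and so is reported as FAIL.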

16. Test that you can log in using the users defined in LDAP. Once again, confirm that you can log in to the AIX client using one of the LDAP users. If that user previously existed on the AIX client, you may need to change the user's SYSTEM and registry attributes to LDAP, or remove that user from the local files. If that user is not on the local system, you will get an error that no HOME directory exists.

17. Test that the AIX client user management commands work. If you have set up the proper permissions, you should be able to add users to the LDAP directory using the mkuser command, change user information with the chuser command, and change the user's password with the AIX client passwd command.

18. Set up user access restriction. Without restrictions, any user in the LDAP server can log in to the AIX client. For this reason, it is important to set up some type of user restriction, as described in the Redbook section 3.5.6, “User login restriction” on page 91. Details for restricting access using NIS netgroups are described in 4.3.4, “Restricting user access using netgroups” on page 123.

1. Set up a method to handle the users' HOME directories. When the default user is set to LDAP, there is no automatic method to create a user's home directory the first time someone logs in. There are a number of ways to create the user's home directory; the Redbook describes using automount in Example 4.3.5 on page 127.

19. Download and install the PAM-supported sasauth: http://support.sas.com/kb/21/154.html

If the Pluggable Authentication Module (PAM) is being used for authentication, the PAM-supported sasauth module must be installed in SAS_9.1/utilities/bin, and it must be setuid root.

In the following example, !SASROOT is the absolute path to the SAS_9.1 directory:

$ su root
# cd !SASROOT/utilities/bin
# chown root sasauth
# chmod 4755 sasauth
# exit

20. Go to /etc, edit pam.conf and add:

sasauth         auth       required     /usr/lib/security/64/pam_aix
sasauth         account    required     /usr/lib/security/64/pam_aix

21. Go to /usr/lib/security, edit methods.cfg and ensure it has the following settings:

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

22. Enable the sasauth PAM debug mode:

# export SASAUTH_PAM_DEBUG=1

23. Run PROC PERMTEST to test the authentication: http://support.sas.com/kb/33/751.html

# cd /usr/local/SAS/SAS_9.1
# ./sas -path ./utilities/src/auth -nodms

1? proc permtest; run;
Authentication Test
Enter userid: rmstest
Enter password:
sasauth debug for PAM.
PAM authentication successful, fetching uid.
User groups: 10000
getgrset() returned 1 groups
Group 0: 10000
Authentication successful.

Permissions Test
Enter a scratch filename: /tmp/rmstest.txt
Test file written successfully.

24. If the scratch file was created successfully in /tmp, the user ID can authenticate to AD.

25. Next, test at the SAS application level; you must restart all SAS services before proceeding.

26. Log in to SAS Management Console with an administrative user (e.g. sasadm). Go to User Manager, select a user and add the respective AD user ID.

E.g. test\rmstest is added to user sas with a new authentication domain (e.g. LDAPAuth); leave the password field blank.

27. Try logging in to SMC with the domain test user (rmstest).