IBM Security Verify

  • 1.  kerberos & ldap AIX 7.3

    Posted Wed January 24, 2024 12:56 PM

    Good morning,

    We are running 6 Power 8 AIX 7.2 servers with a connection to a Windows AD to verify the users' passwords.

    At the moment I am configuring 6 Power 10 AIX 7.3 servers and I am running into 2 issues, with the Kerberos one being the most important one.

    Downloaded NAS 1.16.1.6 from https://www.ibm.com/resources/mrs/assets/packageList?source=aixbp&lang=en_US  and installed it.

    Executed mkkrb5clnt, which made the /etc/krb5/krb5.conf file and also updated /usr/lib/security/methods.cfg with

    KRB5:
            program = /usr/lib/security/KRB5
            program_64 = /usr/lib/security/KRB5_64
            options = authonly,is_kadmind_compat=no

    KRB5files:
            options = db=BUILTIN,auth=KRB5


    created a user and set it to use KRB5
    chuser registry=KRB5files SYSTEM=KRB5files auth_name= xxxxxxxxx auth_domain= xxxxxxxxxxx userid

            registry = KRB5files
            SYSTEM = "KRB5files"
            auth_name = "xxxxxxxxx"

    This is all 100% identical to the AIX 7.2 boxes.

    However, when I try to log in I keep getting "You entered an invalid login name or password."

    tcpdump host xxxxxxxxxxx -X -S -s 0

    shows there is communication, so the password verification is checking at the AD.
    Yet while the AIX 7.2 machine dumps around 140 lines with tcpdump, the AIX 7.3 machine does almost 10x that.

    So I started checking between the 2 systems, and the only difference I could find in the Kerberos configuration was

    AIX 7.2 
    default_tkt_enctypes = aes256-cts aes128-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes256-cts aes128-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc

    AIX 7.3
    default_tkt_enctypes = des3-cbc-sha1 aes256-cts aes128-cts arcfour-hmac des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des3-cbc-sha1 aes256-cts aes128-cts arcfour-hmac des-cbc-md5 des-cbc-crc

    but setting the order the same made no difference.

    AIX 7.2 has openssl 1.1 
    AIX 7.3 has openssl 3

    I do have a few Linux boxes with Kerberos password verification and they are on OpenSSL 1 also, but I can't really do much about that I think; I can't downgrade to 1.1 as far as I know and have tried.

    AIX 7.2 has krb5.client.rte 1.6.0.4 
    AIX 7.3 has krb5.client.rte 1.16.1.6

    I thus also tried the older version, but it made no difference.

    I feel it should all work but somehow it does not.
    Also, I have not found a proper way of debugging krb5; the log files defined in the krb5.conf are not there.

    So looking further (I did not reach that point yet in my steps), I am also unable to install LDAP on AIX 7.3, which was no problem on AIX 7.2.

    I keep getting the error: IBM Security Verify Directory License not detected. Install cannot continue.
    Google is not very helpful on that.

    I have no idea if this affects Kerberos, but I do need /opt/IBM/ldap/V6.4/bin/ldapsearch on the machine for several tasks.

    Regards, Alexander



    ------------------------------
    Alexander van Kaam
    ------------------------------
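The post compares the `default_tkt_enctypes` / `default_tgs_enctypes` lines of the two krb5.conf files by eye. The script below, added here as an example and not code from the post or from IBM NAS, parses the `[libdefaults]` section of two krb5.conf fragments (constructed from the lines quoted above), reports whether the lists differ in membership or only in order, and flags the enctypes that a current AD KDC will not issue or that are deprecated; that classification (`WEAK_ENCTYPES`) is the editor's assumption, not something the thread states.

```python
"""Compare enctype lists from two krb5.conf [libdefaults] sections.

Added example for this thread (not the post's code, not IBM NAS code).
The two fragments are constructed from the enctype lines quoted in the post;
the weak-enctype classification is the editor's assumption."""

import re

# Constructed: the AIX 7.2 lines from the post inside a minimal [libdefaults].
KRB5_CONF_AIX72 = """\
[libdefaults]
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = aes256-cts aes128-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = aes256-cts aes128-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
"""

# Constructed: the AIX 7.3 lines from the post.
KRB5_CONF_AIX73 = """\
[libdefaults]
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = des3-cbc-sha1 aes256-cts aes128-cts arcfour-hmac des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des3-cbc-sha1 aes256-cts aes128-cts arcfour-hmac des-cbc-md5 des-cbc-crc
"""

# Editor's classification: single DES is off by default on current AD domain
# controllers; RC4 and triple DES are deprecated.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
    "arcfour-hmac", "arcfour-hmac-md5", "des3-cbc-sha1",
}


def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section of a krb5.conf string."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def enctype_list(libdefaults, key):
    """Split one enctype list (space or comma separated) into an ordered list."""
    value = libdefaults.get(key, "").strip()
    return re.split(r"[\s,]+", value) if value else []


def compare_enctypes(conf_a, conf_b, key="default_tkt_enctypes"):
    """Compare one enctype list between two krb5.conf fragments.

    Order matters: the first entry is what the client asks the KDC for first."""
    a = enctype_list(parse_libdefaults(conf_a), key)
    b = enctype_list(parse_libdefaults(conf_b), key)
    return {
        "same_set": set(a) == set(b),
        "same_order": a == b,
        "only_in_a": [e for e in a if e not in b],
        "only_in_b": [e for e in b if e not in a],
        "preferred_a": a[0] if a else None,
        "preferred_b": b[0] if b else None,
        "weak_in_b": [e for e in b if e in WEAK_ENCTYPES],
    }


if __name__ == "__main__":
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        print(key, compare_enctypes(KRB5_CONF_AIX72, KRB5_CONF_AIX73, key))
```

Run against the two quoted fragments it confirms what the post found: the same six enctypes, only the order differs, with 7.3 preferring des3-cbc-sha1. It also shows that both lists still advertise single DES and RC4, which is worth trimming once the login problem is solved.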



  • 2.  RE: kerberos & ldap AIX 7.3

    Posted Thu January 25, 2024 12:15 AM

    Been plugging away on this; kinit works fine, so I think that should eliminate all concerns about the krb5 config and OpenSSL versions etc. etc.

    Enabled all the logging I could in syslog and tried again:

    Jan 24 08:55:50 bakunxtmp1 daemon:debug telnetd[7013106]: telnetd: child does exists
    Jan 24 08:55:50 bakunxtmp1 daemon:notice telnetd[7078576]: telnet from ::ffff:10.212.134.150 on /dev/pts/1
    Jan 24 08:55:59 bakunxtmp1 auth|security:debug tsm: Error in getting (cross realm) service ticket for host/<hostname> ...
    Jan 24 08:55:59 bakunxtmp1 auth|security:debug tsm: Server not found in Network Authentication Service database or server locked out

    The host/<hostname> I think should be filled in, so I figured that might be the issue.

    /etc/hosts is filled correctly:  ip  hostname

    /etc/netsvc.conf has: host=local4,bind4

    /etc/resolv.conf is filled correctly with the 2 nameservers and the domain

    nslookup works

    hostname works

    host works

    host -n does not work; the weird thing is it does work on the older servers, even if you put in the new server's hostname.

    Not even sure if I am looking in the right place, but I made a ticket at IBM for host -n not returning anything.

    -Alex



    ------------------------------
    Alexander van Kaam
    ------------------------------
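The four syslog lines above are the only debug output the login path gave, so it helps to pull the `tsm` (Kerberos login module) messages out of a larger log mechanically. The script below is an added example, not code from the post or from AIX: it parses AIX-style syslog lines (the sample is constructed to match the lines quoted above), keeps the `tsm` records, and tags the two Kerberos messages. Reading "service ticket for host/..." as the step where the module validates the fresh TGT against its own host principal, and an empty or `<hostname>` instance as the local host name lookup having failed, is the editor's interpretation, not something the thread states.

```python
"""Extract and classify Kerberos login-module (tsm) messages from AIX syslog.

Added example for this thread (not the post's code, not AIX code).
The sample lines are constructed in the shape of the syslog lines quoted above."""

import re

# Constructed sample: same layout and text as the four lines in the post.
SAMPLE_SYSLOG = """\
Jan 24 08:55:50 bakunxtmp1 daemon:debug telnetd[7013106]: telnetd: child does exists
Jan 24 08:55:50 bakunxtmp1 daemon:notice telnetd[7078576]: telnet from ::ffff:10.212.134.150 on /dev/pts/1
Jan 24 08:55:59 bakunxtmp1 auth|security:debug tsm: Error in getting (cross realm) service ticket for host/<hostname> ...
Jan 24 08:55:59 bakunxtmp1 auth|security:debug tsm: Server not found in Network Authentication Service database or server locked out
"""

# AIX syslog layout: "Mon DD HH:MM:SS host facility:priority program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<facility>[\w|]+):(?P<priority>\w+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SERVICE_TICKET_RE = re.compile(r"service ticket for (?P<principal>\S+)")


def parse_syslog(text):
    """Parse AIX syslog lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def instance_unresolved(principal):
    """True when a service principal has no usable host instance, e.g. 'host/'
    or the literal 'host/<hostname>' seen in the post: the module apparently
    could not determine its own host name (editor's reading of the log)."""
    _service, _sep, instance = principal.partition("/")
    return instance in ("", "<hostname>")


def classify_tsm(msg):
    """Map one tsm message to (code, detail), or None for anything else."""
    m = SERVICE_TICKET_RE.search(msg)
    if m:
        # The module asks the KDC for a ticket to its own host/ principal to
        # validate the TGT; this fails if the name is wrong or not in the KDC.
        return ("SERVICE_TICKET_FAILED", m.group("principal"))
    if "Server not found in Network Authentication Service database" in msg:
        return ("PRINCIPAL_NOT_FOUND",
                "the KDC has no (enabled) principal for the requested service")
    return None


def login_findings(text):
    """Return [(timestamp, code, detail)] for every classified tsm record."""
    findings = []
    for rec in parse_syslog(text):
        if rec["program"] != "tsm":
            continue
        hit = classify_tsm(rec["msg"])
        if hit:
            findings.append((rec["ts"], hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for ts, code, detail in login_findings(SAMPLE_SYSLOG):
        note = " (host instance unresolved: check hostname / host -n)" \
            if code == "SERVICE_TICKET_FAILED" and instance_unresolved(detail) else ""
        print(ts, code, detail + note)
```

On the quoted lines the first finding carries the principal `host/<hostname>`, which `instance_unresolved` flags, matching the `host -n` problem found later in the thread; the second says the KDC had no principal to hand back, which is what you would expect once the host part is missing.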



  • 3.  RE: kerberos & ldap AIX 7.3

    Posted Thu January 25, 2024 03:09 AM

    For future reference, if someone has the same Kerberos issue, change the methods.cfg line to options = authonly,is_kadmind_compat=no,tgt_verify=no

    That was the response from IBM while they were looking into the host -n issue.

    -Alex



    ------------------------------
    Alexander van Kaam
    ------------------------------
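The fix IBM gave is a change to the KRB5 stanza of methods.cfg, the same stanza quoted in the first post. The script below is an added example (not code from the post, from IBM or from AIX) that parses methods.cfg stanzas, follows the `auth=KRB5` reference in `KRB5files` to the module that really checks the password, and reports the options that matter, before and after the `tgt_verify=no` change; the two fragments are constructed from the stanzas quoted in the thread. What `tgt_verify` controls, namely checking the freshly obtained TGT against the host's own key in the keytab (which needs a resolvable host name and a `host/` principal in the KDC), and that it defaults to yes, is the editor's reading of the option and not something the thread states.

```python
"""Parse AIX methods.cfg stanzas and audit the KRB5 login path.

Added example for this thread (not the post's code, not IBM or AIX code).
Both fragments are constructed from the stanzas quoted in the thread."""

import re

METHODS_CFG_BEFORE = """\
* constructed fragment, modelled on the stanzas quoted in the thread
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no

KRB5files:
        options = db=BUILTIN,auth=KRB5
"""

# The line IBM suggested, applied to the same fragment.
METHODS_CFG_AFTER = METHODS_CFG_BEFORE.replace(
    "options = authonly,is_kadmind_compat=no",
    "options = authonly,is_kadmind_compat=no,tgt_verify=no",
)

STANZA_RE = re.compile(r"^(\S+):\s*$")   # stanza names start in column 0


def parse_methods_cfg(text):
    """Return {stanza: {attribute: value}}; lines starting with '*' are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("*") or not raw.strip():
            continue
        m = STANZA_RE.match(raw)
        if m:
            current = m.group(1)
            stanzas[current] = {}
        elif current and "=" in raw:
            key, value = (p.strip() for p in raw.split("=", 1))
            stanzas[current][key] = value
    return stanzas


def parse_options(value):
    """'authonly,is_kadmind_compat=no' -> {'authonly': True, 'is_kadmind_compat': 'no'}"""
    opts = {}
    for item in filter(None, (s.strip() for s in value.split(","))):
        key, sep, val = item.partition("=")
        opts[key] = val if sep else True
    return opts


def auth_module(stanzas, registry):
    """Follow 'auth=' in a compound stanza (KRB5files) to the authenticating module."""
    opts = parse_options(stanzas.get(registry, {}).get("options", ""))
    target = opts.get("auth")
    return target if isinstance(target, str) else registry


def tgt_verify_enabled(stanzas, registry="KRB5files"):
    """True unless the authenticating module sets tgt_verify=no (default assumed yes)."""
    module = auth_module(stanzas, registry)
    opts = parse_options(stanzas.get(module, {}).get("options", ""))
    return str(opts.get("tgt_verify", "yes")).lower() != "no"


def audit(stanzas, registry="KRB5files"):
    """Plain-language findings for the login path of `registry`."""
    module = auth_module(stanzas, registry)
    findings = [f"{registry}: authentication is done by the {module} stanza"]
    if module not in stanzas:
        findings.append(f"{module}: stanza missing, logins through {registry} will fail")
        return findings
    opts = parse_options(stanzas[module].get("options", ""))
    if "authonly" in opts:
        findings.append(f"{module}: authonly, the KDC only checks the password; "
                        "user identification comes from the db= module")
    if tgt_verify_enabled(stanzas, registry):
        findings.append(f"{module}: tgt_verify on, the TGT is validated against the host "
                        "key in the keytab (needs a resolvable host name and a host/ principal)")
    else:
        findings.append(f"{module}: tgt_verify=no, the TGT is accepted without validation "
                        "against the host key, so the password check trusts whichever "
                        "KDC answered for the realm")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", METHODS_CFG_BEFORE), ("after", METHODS_CFG_AFTER)):
        print(label)
        for line in audit(parse_methods_cfg(cfg)):
            print("  ", line)
```

The "before" output shows why the login failed on a box whose `host -n` returned nothing: with verification on, the module needs its own host principal, which is exactly the `service ticket for host/<hostname>` error from the earlier post. The "after" output makes the trade-off of the workaround visible, so once the host name lookup is fixed the option can be removed again and the check restored.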