for future reference, if someone has the same Kerberos issue, change the methods.cfg line to options = authonly,is_kadmind_compat=no,tgt_verify=no
Original Message:
Sent: Thu January 25, 2024 12:14 AM
From: Alexander van Kaam
Subject: kerberos & ldap AIX 7.3
Been plugging away on this, kinit works fine so I think that should eliminate all concerns about the krb5 config and openssl versions etc. etc.
Enabled all the logging I could in syslog and tried again:
Jan 24 08:55:50 bakunxtmp1 daemon:debug telnetd[7013106]: telnetd: child does exists
Jan 24 08:55:50 bakunxtmp1 daemon:notice telnetd[7078576]: telnet from ::ffff:10.212.134.150 on /dev/pts/1
Jan 24 08:55:59 bakunxtmp1 auth|security:debug tsm: Error in getting (cross realm) service ticket for host/<hostname> ...
Jan 24 08:55:59 bakunxtmp1 auth|security:debug tsm: Server not found in Network Authentication Service database or server locked out
the host/<hostname> I think should be filled in, so figured that might be the issue,
/etc/hosts is filled correctly: ip hostname
/etc/netsvc.conf has: host=local4,bind4
/etc/resolv.conf is filled correctly with the 2 nameservers and the domain
nslookup works
hostname works
host works
host -n does not work, weird thing is it does work on the older servers, even if you put in the new servers hostname.
not even sure if I am looking in the right place but made a ticket at IBM for host -n not returning anything.
-Alex
------------------------------
Alexander van Kaam
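The reply at the top of the thread proposes adding tgt_verify=no to the KRB5 stanza, and the message above shows the tsm: errors that prompted it. The script below is an example added to this thread (not the poster's or IBM's code): it parses a methods.cfg-style stanza file and a syslog excerpt, pulls out the tsm: errors, and reports what the stanza's tgt_verify setting means for them. It assumes the AIX KRB5 load module verifies the TGT it obtains against the host principal's key in the local keytab unless tgt_verify=no is set, so the "service ticket for host/<hostname>" error is that verification step failing. The stanza and log lines are constructed from the ones quoted in the thread, with an example.test hostname standing in for the redacted one.

```python
"""Audit the KRB5 stanza of methods.cfg against tsm syslog lines.

Example added to this thread; not the poster's or IBM's code.  Assumption:
the AIX KRB5 load module verifies the TGT against the host principal's key
in the local keytab unless options contains tgt_verify=no, so the
"service ticket for host/<hostname>" error is that verification failing.
"""
import re

# Constructed sample: the stanza quoted in the thread, indented as in the real file.
METHODS_CFG = """\
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no

KRB5files:
        options = db=BUILTIN,auth=KRB5
"""

# Constructed sample syslog: the thread's messages with an example.test hostname.
SYSLOG = """\
Jan 24 08:55:50 bakunxtmp1 daemon:notice telnetd[7078576]: telnet from ::ffff:10.212.134.150 on /dev/pts/1
Jan 24 08:55:59 bakunxtmp1 auth|security:debug tsm: Error in getting (cross realm) service ticket for host/bakunxtmp1.example.test ...
Jan 24 08:55:59 bakunxtmp1 auth|security:debug tsm: Server not found in Network Authentication Service database or server locked out
"""

TSM_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) auth\|security:\w+ tsm: (?P<msg>.*)$")
TICKET_RE = re.compile(r"Error in getting \(cross realm\) service ticket for (?P<principal>\S+)")


def parse_methods_cfg(text):
    """Return {stanza: {key: value}}; '*' starts a comment as in methods.cfg."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("*", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_options(options):
    """'authonly,is_kadmind_compat=no' -> {'authonly': True, 'is_kadmind_compat': 'no'}."""
    result = {}
    for item in options.split(","):
        key, _, value = item.strip().partition("=")
        if key:
            result[key] = value if value else True
    return result


def tsm_errors(syslog_text):
    """(timestamp, message) for each tsm line; other daemons are ignored."""
    return [(m.group("ts"), m.group("msg"))
            for m in map(TSM_RE.match, syslog_text.splitlines()) if m]


def audit(methods_text, syslog_text):
    """Correlate the stanza's options with the tsm errors; return findings in order."""
    stanzas = parse_methods_cfg(methods_text)
    opts = parse_options(stanzas.get("KRB5", {}).get("options", ""))
    findings = []
    for _, msg in tsm_errors(syslog_text):
        m = TICKET_RE.search(msg)
        if m:
            findings.append("tgt-verify-failed:" + m.group("principal"))
        elif msg.startswith("Server not found in"):
            findings.append("kdc-unknown-principal")  # KDC has no entry for the requested service
    if opts.get("tgt_verify") == "no":
        findings.append("tgt_verify=no: the TGT is accepted without checking it against the host keytab")
    elif any(f.startswith("tgt-verify-failed") for f in findings):
        findings.append("tgt_verify is on and the host/ ticket could not be obtained: "
                        "the KDC needs a key for this host's principal (register it and load "
                        "the keytab); tgt_verify=no only skips the check")
    return findings


if __name__ == "__main__":
    for finding in audit(METHODS_CFG, SYSLOG):
        print(finding)
```

Run it against the real /usr/lib/security/methods.cfg and a syslog excerpt by swapping the two constructed strings for file contents. The point it makes is the one a reviewer would raise about the fix at the top of the thread: the two tsm: lines say the KDC has no key for this host's principal, and tgt_verify=no makes the login stop asking rather than giving the KDC that key.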
Original Message:
Sent: Wed January 24, 2024 02:06 AM
From: Alexander van Kaam
Subject: kerberos & ldap AIX 7.3
Good morning,
We are running 6 Power 8 AIX 7.2 servers with a connection to a Windows AD to verify the users' passwords.
At the moment I am configuring 6 Power 10 AIX 7.3 servers and I am running into 2 issues, with the Kerberos one being the most important one.
Downloaded NAS 1.16.1.6 from https://www.ibm.com/resources/mrs/assets/packageList?source=aixbp&lang=en_US and installed it.
Executed mkkrb5clnt which made the /etc/krb5/krb5.conf file and also updated /usr/lib/security/methods.cfg with
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no
KRB5files:
        options = db=BUILTIN,auth=KRB5
created a user and set it to use KRB5
chuser registry=KRB5files SYSTEM=KRB5files auth_name=xxxxxxxxx auth_domain=xxxxxxxxxxx userid
registry = KRB5files
SYSTEM = "KRB5files"
auth_name = "xxxxxxxxx"
this is all 100% identical to the AIX 7.2 boxes
however, when I try to login I keep getting the "You entered an invalid login name or password."
tcpdump host xxxxxxxxxxx -X -S -s 0
shows there is communication, so the password verification is being checked at the AD.
Yet while the AIX 7.2 machine dumps around 140 lines with tcpdump the AIX 7.3 machine does almost 10x that
So I started checking between the 2 systems and the only difference I could find in the Kerberos configuration was
AIX 7.2
default_tkt_enctypes = aes256-cts aes128-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
AIX 7.3
default_tkt_enctypes = des3-cbc-sha1 aes256-cts aes128-cts arcfour-hmac des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1 aes256-cts aes128-cts arcfour-hmac des-cbc-md5 des-cbc-crc
but setting the order the same made no difference.
AIX 7.2 has openssl 1.1
AIX 7.3 has openssl 3
I do have a few linux boxes with Kerberos password verification and they are on openssl 1 also, but I can't really do much about that I think, can't downgrade to 1.1 as far as I know and tried.
AIX 7.2 has krb5.client.rte 1.6.0.4
AIX 7.3 has krb5.client.rte 1.16.1.6
I thus also tried the older version but made no difference.
I feel it should all work but somehow it does not.
Also I have not found a proper way of debugging krb5, the log files defined in the krb5.conf are not there.
So looking further (I did not reach that point yet in my steps) I am also unable to install ldap on AIX 7.3, which was no problem on AIX 7.2.
I keep getting the error: IBM Security Verify Directory License not detected. Install cannot continue.
Which Google is not very helpful on.
I have no idea if this affects Kerberos but I do need /opt/IBM/ldap/V6.4/bin/ldapsearch on the machine for several tasks.
Regards, Alexander
------------------------------
Alexander van Kaam
------------------------------
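The post above compares the default_tkt_enctypes / default_tgs_enctypes lines of the two boxes. The script below is an example added to this thread (not the poster's or IBM's code): it parses those settings from [libdefaults]-style text, tells whether the two lists differ in set or only in preference order, and flags the enctypes MIT krb5 disables (single DES, off unless allow_weak_crypto is set) or deprecates (RC4 and triple-DES, deprecated since MIT krb5 1.19). The two inputs are constructed from the lines quoted in the thread.

```python
"""Compare and classify the krb5.conf enctype lists quoted in the thread.

Example added to this thread; not the poster's or IBM's code.  Inputs are
constructed from the default_tkt_enctypes / default_tgs_enctypes lines
quoted for the AIX 7.2 and AIX 7.3 boxes.
"""
import re

AIX72 = """\
[libdefaults]
        default_tkt_enctypes = aes256-cts aes128-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = aes256-cts aes128-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
"""

AIX73 = """\
[libdefaults]
        default_tkt_enctypes = des3-cbc-sha1 aes256-cts aes128-cts arcfour-hmac des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des3-cbc-sha1 aes256-cts aes128-cts arcfour-hmac des-cbc-md5 des-cbc-crc
"""

ENCTYPE_LINE = re.compile(r"^\s*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)\s*=\s*(.+?)\s*$")

# Single DES: off in MIT krb5 unless allow_weak_crypto = true, and disabled by default
# in Active Directory.  RC4 and triple-DES: deprecated by MIT krb5 since 1.19.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
DEPRECATED = {"arcfour-hmac", "arcfour-hmac-md5", "des3-cbc-sha1"}


def parse_enctypes(text):
    """{setting: [enctype, ...]} in the order written; values may be space- or comma-separated."""
    found = {}
    for line in text.splitlines():
        m = ENCTYPE_LINE.match(line)
        if m:
            found[m.group(1)] = [t for t in re.split(r"[\s,]+", m.group(2)) if t]
    return found


def classify(enctypes):
    """Split a list into strong / deprecated / weak, keeping the written order."""
    out = {"strong": [], "deprecated": [], "weak": []}
    for t in enctypes:
        bucket = "weak" if t in WEAK else "deprecated" if t in DEPRECATED else "strong"
        out[bucket].append(t)
    return out


def compare(a, b):
    """{setting: (same_set, same_order)} for settings present in both parses."""
    return {k: (set(a[k]) == set(b[k]), a[k] == b[k]) for k in a if k in b}


if __name__ == "__main__":
    old, new = parse_enctypes(AIX72), parse_enctypes(AIX73)
    for setting, (same_set, same_order) in compare(old, new).items():
        print(setting, "same set:", same_set, "same order:", same_order)
    print("AIX 7.3 tkt list:", classify(new["default_tkt_enctypes"]))
```

For the two lists in the thread the output says "same set: True, same order: False" for both settings: the boxes offer identical enctypes and differ only in which one is listed first, which matches the poster's observation that reordering changed nothing. What the classifier flags on both boxes is the tail of the list, since AD will not issue single-DES tickets by default and the RC4 entry is the one a reviewer would want gone once the AES path works.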