
3.7. Configuring an AIX System as a FreeIPA Client

3.7.1. Prerequisites

Make sure that all of these packages are installed on the AIX machine before beginning the client configuration:
  • v5.3 OS
  • v5.3 Updates
  • krb5 client packages
  • openssh
  • wget
  • bash
  • krb5 server
  • ldap.client
  • openssl
  • modcrypt.base (for gssd)
Configure and enable NTP and make sure that time is synchronized between the client and the FreeIPA server.

3.7.2. Configuring the AIX Client

Setting up an AIX client means configuring it to work in the FreeIPA Kerberos domain and, optionally, enabling SSH authentication to the AIX client with FreeIPA credentials.
Kerberos configuration includes specifying the realm and domain details, and default ticket attributes. Forwardable tickets are configured by default, which facilitates connection to the administration interface from any operating system, and also provides for auditing of administration operations. For example:
  1. Configure the krb5 client settings to use the FreeIPA Kerberos domain:
    # mkkrb5clnt -r EXAMPLE.COM -d example.com -c ipaclient.example.com -s ipaserver.example.com
  2. Get a Kerberos ticket:
    # kinit admin
  3. Configure the LDAP client settings to use the FreeIPA directory services:
    # mksecldap -c -h ipaserver.example.com -d cn=accounts,dc=example,dc=com -a uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com -p secret
  4. In the /etc/security/ldap directory, create user and group map files:
    • For example, for the FreeIPAuser.map file:
      #FreeIPAuser.map file
      keyobjectclass  SEC_CHAR        posixaccount    s
      
      # The following attributes are required by AIX to be functional
      username        SEC_CHAR        uid     s
      id      SEC_INT uidnumber       s
      pgrp    SEC_CHAR        gidnumber       s
      home    SEC_CHAR        homedirectory   s
      shell   SEC_CHAR        loginshell      s
      gecos   SEC_CHAR        gecos   s
      spassword       SEC_CHAR        userpassword    s
      lastupdate      SEC_INT shadowlastchange        s
      
    • For example, for the FreeIPAgroup.map file:
      #FreeIPAgroup.map file
      groupname       SEC_CHAR        cn      s
      id      SEC_INT gidNumber       s
      users   SEC_LIST        member  m
      
  5. Modify the /etc/security/ldap/ldap.cfg file to set the REALM and base DN values for the FreeIPA domain.
    userbasedn:cn=users,cn=accounts,dc=example,dc=com
    groupbasedn:cn=groups,cn=accounts,dc=example,dc=com
    
    userattrmappath:/etc/security/ldap/FreeIPAuser.map
    groupattrmappath:/etc/security/ldap/FreeIPAgroup.map
    
    userclasses:posixaccount
    
  6. Start the LDAP client daemon:
    # start-secldapclntd
  7. Test the LDAP client connection to the FreeIPA server:
    # lsldap -a passwd
  8. Add the following sections to the /usr/lib/security/methods.cfg file to configure the system login to use Kerberos and LDAP:
    KRB5A:
    program = /usr/lib/security/KRB5A
    program_64 = /usr/lib/security/KRB5A_64
    options = authonly
    
    LDAP:
    program = /usr/lib/security/LDAP
    program_64 = /usr/lib/security/LDAP64
    
    KRB5ALDAP:
    options = auth=KRB5A,db=LDAP
    
  9. Edit the /etc/security/user file, and modify the default section to use the Kerberos/LDAP system and the LDAP user registry.
    SYSTEM = "KRB5ALDAP"
    registry = LDAP
    
  10. To test the Kerberos configuration, log in as a FreeIPA user and verify that the user and group information is correct:
    $ id
  11. Optionally, configure the FreeIPA client to accept incoming SSH requests and authenticate with the user's Kerberos credentials.
    1. Set the SSH syslog configuration:
      auth.info       /var/log/sshd.log
      auth.crit       /var/log/sshd.log
      auth.warn       /var/log/sshd.log
      auth.notice     /var/log/sshd.log
      auth.err        /var/log/sshd.log
      
    2. Set the SSH logging configuration:
      SyslogFacility AUTH
      LogLevel INFO
      
    3. Configure sshd to use GSS-API, including disabling DNS for GSS-API:
      vim /etc/ssh/sshd_config
      
      # GSSAPI options
      GSSAPIAuthentication yes
      #GSSAPICleanupCredentials yes
      GSSAPITrustDNS no
      
    4. Restart the sshd daemon:
      # stopsrc -s sshd
      # startsrc -s sshd
    5. Restart the syslogd daemon:
      # stopsrc -s syslogd
      # startsrc -s syslogd
    6. Add the client to the FreeIPA server's Kerberos configuration.
      1. Add a host service principal for the client.
         # ipa service-add host/ipaclient.example.com
      2. Retrieve the host keytab. (Note that des-cbc-crc is single DES, which current Kerberos releases reject by default; on a recent FreeIPA server the enctype requested with -e must be one the KDC still permits and the AIX krb5 client supports.)
         # ipa-getkeytab -s ipaserver -p host/ipaclient.example.com -k /tmp/krb5.keytab -e des-cbc-crc
      3. Copy the keytab from the server to the client.
         # scp /tmp/krb5.keytab root@ipaclient.example.com:/tmp/krb5.keytab
    7. On the FreeIPA client, use the ktutil command to import the contents into the main host keytab.
      # ktutil
      ktutil: read_kt /tmp/krb5.keytab
      ktutil: write_kt /etc/krb5/krb5.keytab
      ktutil: q
      
    8. On the FreeIPA server, add a system account that is used only for the LDAP client's bind (this is the uid=nss account given to mksecldap above). If Kerberos authentication works from the LDAP client, it can be used instead; otherwise, on the FreeIPA server, use ldapmodify, bind as Directory Manager and create the account. Its password is the shared secret the LDAP client binds with (the -p value given to mksecldap).
      ldapmodify -D "cn=directory manager" -w secret -p 389 -h ipaserver.example.com -x -a
      
      dn: uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com
      objectClass: account
      objectClass: simplesecurityobject
      objectClass: top
      uid: nss
      userPassword: secretpassword
      
    9. On the FreeIPA server, get a ticket for the admin user.
       # kinit admin
    10. To test the SSH configuration, try to log in as the admin user using SSH without providing a password.
       # ssh admin@ipaclient.example.com

NOTE

By default, the admin user is given /bin/bash as the shell to use and /home/admin as the home directory. It may be necessary to install bash to be able to log in.
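As an added example (not part of the FreeIPA documentation or of AIX), the following Python script parses the files written in steps 4, 5, 8 and 9 in the formats shown on this page and cross-checks them: every attribute the page marks as required is present in the maps, the keyobjectclass in the user map matches userclasses in ldap.cfg, and the SYSTEM and registry values in /etc/security/user resolve to methods.cfg stanzas that have a loadable program. The function and constant names are the example's own, and the sample texts are constructed from the listings above. A mismatch in any of these shows up on AIX only as a failed login, so running the check before restarting the LDAP client daemon saves a round of debugging.

```python
# Added example, not FreeIPA or AIX code: offline consistency check of the AIX
# client files configured above (attribute maps, ldap.cfg, methods.cfg and the
# /etc/security/user default stanza). Samples are constructed from the page.

# AIX attributes the page marks as required for a usable user entry.
REQUIRED_USER_ATTRS = {"username", "id", "pgrp", "home", "shell", "gecos", "spassword", "lastupdate"}
REQUIRED_GROUP_ATTRS = {"groupname", "id", "users"}
MAP_TYPES = {"SEC_CHAR", "SEC_INT", "SEC_LIST", "SEC_BOOL"}

def parse_map(text):
    """Parse an attribute map: 'aix_attr TYPE ldap_attr s|m' per line."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if len(f) != 4 or f[1] not in MAP_TYPES or f[3] not in ("s", "m"):
            raise ValueError("malformed map line: %r" % line)
        entries[f[0]] = (f[1], f[2], f[3])  # type, LDAP attribute, single/multi
    return entries

def parse_ldap_cfg(text):
    """Parse ldap.cfg 'key:value' lines, ignoring comments and blanks."""
    pairs = (l.split(":", 1) for l in text.splitlines()
             if ":" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_stanzas(text):
    """Parse AIX stanza files: 'name:' then 'key = value' lines, '*' comments."""
    stanzas, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in "*#":
            continue
        if s.endswith(":"):
            current = s[:-1]
            stanzas[current] = {}
        elif "=" in s and current is not None:
            key, value = s.split("=", 1)
            stanzas[current][key.strip()] = value.strip().strip('"')
    return stanzas

def check_client_config(user_map, group_map, ldap_cfg, methods_cfg, user_file):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    umap, gmap = parse_map(user_map), parse_map(group_map)
    cfg, methods = parse_ldap_cfg(ldap_cfg), parse_stanzas(methods_cfg)
    default = parse_stanzas(user_file).get("default", {})
    for attr in sorted(REQUIRED_USER_ATTRS - set(umap)):
        problems.append("user map lacks required attribute %s" % attr)
    for attr in sorted(REQUIRED_GROUP_ATTRS - set(gmap)):
        problems.append("group map lacks required attribute %s" % attr)
    # The class the user map keys on must be the class ldap.cfg searches for.
    key_class = umap.get("keyobjectclass", ("", "", ""))[1].lower()
    if key_class != cfg.get("userclasses", "").lower():
        problems.append("userclasses %r != keyobjectclass %r" % (cfg.get("userclasses"), key_class))
    # SYSTEM must name a methods.cfg stanza whose auth= and db= modules are
    # stanzas with a loadable program; the registry must be such a module too.
    system = default.get("SYSTEM")
    stack = methods.get(system)
    if stack is None:
        problems.append("SYSTEM %r is not defined in methods.cfg" % system)
    else:
        for part in stack.get("options", "").split(","):
            module = part.partition("=")[2]
            if "program" not in methods.get(module, {}):
                problems.append("%s uses undefined module %r" % (system, module))
    if "program" not in methods.get(default.get("registry", ""), {}):
        problems.append("registry %r is not a methods.cfg module" % default.get("registry"))
    return problems

USER_MAP = """keyobjectclass SEC_CHAR posixaccount s
username SEC_CHAR uid s
id SEC_INT uidnumber s
pgrp SEC_CHAR gidnumber s
home SEC_CHAR homedirectory s
shell SEC_CHAR loginshell s
gecos SEC_CHAR gecos s
spassword SEC_CHAR userpassword s
lastupdate SEC_INT shadowlastchange s
"""
GROUP_MAP = """groupname SEC_CHAR cn s
id SEC_INT gidNumber s
users SEC_LIST member m
"""
LDAP_CFG = """userbasedn:cn=users,cn=accounts,dc=example,dc=com
groupbasedn:cn=groups,cn=accounts,dc=example,dc=com
userattrmappath:/etc/security/ldap/FreeIPAuser.map
groupattrmappath:/etc/security/ldap/FreeIPAgroup.map
userclasses:posixaccount
"""
METHODS_CFG = """KRB5A:
program = /usr/lib/security/KRB5A
program_64 = /usr/lib/security/KRB5A_64
options = authonly
LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64
KRB5ALDAP:
options = auth=KRB5A,db=LDAP
"""
USER_FILE = 'default:\nSYSTEM = "KRB5ALDAP"\nregistry = LDAP\n'
```

Calling check_client_config(USER_MAP, GROUP_MAP, LDAP_CFG, METHODS_CFG, USER_FILE) returns an empty list for the configuration on this page; drop one of the required map lines, or misspell the stanza name in SYSTEM, and the returned list names the problem. To check a real client, read the files from /etc/security/ldap, /usr/lib/security/methods.cfg and /etc/security/user and pass their contents in the same order.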