Configuring Windows Server 2000 Kerberos Service
The Windows Server 2000 Kerberos Service and NAS client are interoperable at the Kerberos protocol level (RFC1510). Because Windows Server 2000 does not support the kadmin interface, include the –D flag in the mkkrb5clnt command during configuration of AIX® clients. Use Windows tools to manage principals on Windows systems.
- Set up Windows Server 2000. Refer to the Microsoft documentation for configuring a Microsoft Active Directory Server.
- If the NAS client is not installed on the AIX client, install the krb5.client.rte file set from the AIX Expansion Pack.
- Use the mkkrb5clnt command with the following
configuration information to configure an AIX Kerberos client:
- realm
- Windows Active Directory Domain name
- domain
- Domain name of the machine that hosts the Active Directory server
- KDC
- Host name of the Windows server
- server
- Host name of the Windows server
The following is an example of the mkkrb5clnt command:
mkkrb5clnt -r MYREALM -d austin.ibm.com -c w2k.austin.ibm.com -s w2k.austin.ibm.com -D
The -D option in the mkkrb5clnt command creates the is_kadmind_compat=no option in the /etc/methods.cfg file and configures the Kerberos client environment for authentication against non-AIX systems. Do not use the -D option in the mkkrb5clnt command to configure the Kerberos client environment for authentication against the IBM® Network Authentication Service (NAS).
Note: When you run the mkkrb5clnt command, the following stanza is added to the methods.cfg file.KRB5: program = /usr/lib/security/KRB5 program_64 = /usr/lib/security/KRB5_64 options = authonly,is_kadmind_compat=no KRB5files: options = db=BUILTIN,auth=KRB5
For more information about:- the mkkrb5clnt command and allowable flags, see the mkkrb5clnt command.
- the methods.cfg file, see the methods.cfg file.
- Because Windows supports
DES-CBC-MD5 and DES-CBC-CRC encryption types, change the krb5.conf file information to be similar to the following:
[libdefaults] default_realm = MYREALM default_keytab_name = FILE:/etc/krb5/krb5.keytab default_tkt_enctypes = des-cbc-md5 des-cbc-crc default_tgs_enctypes = des-cbc-md5 des-cbc-crc
- Create a host principal.
Because Windows account names do not have multiple parts like NAS principal names, you cannot directly create an account by using the fully qualified host name (
host/<fully_qualified_host_name>
). Instead, a principal instance is created through service-principal-name mapping. In this case, an account is created that corresponds to the host principal, and principal-name mapping is added.On the Active Directory server, use the Active Directory Management tool to create a new user account that corresponds to the tx3d.austin.ibm.com AIX client as follows:- Select the
User
folder. - Right-click to select
New
. - Select
User
. - Enter
tx3d
in theFirst name
field, and then clickNext
. - Create a password, and then click
Next
. - Click
Finish
to create a host principal.
- Select the
- On the Windows Server
2000 machine, enter the Ktpass command from the
command line to create a tx3d.keytab file and
set up an AIX host account
as follows:
Ktpass -princ host/tx3d.austin.ibm.com@MYREALM -mapuser tx3d -pass password -out tx3d.keytab
- Copy the tx3d.keytab file to the AIX host system.
- Merge the tx3d.keytab file into the /etc/krb5/krb5.keytab file on the AIX system as follows:
ktutil rkt tx3d.keytab wkt /etc/krb5/krb5.keytab q
- Create Windows domain accounts using the Active Directory user management tools.
- To create AIX accounts
that correspond to the Windows-domain accounts and use Kerberos authentication,
run the following command:
mkuser registry=KRB5files SYSTEM=KRB5files foo
- To log into the AIX system and verify the configuration, run the telnet command.The following is an example of a Kerberos integrated login session that uses KRB5 against the Windows Active Directory:
telnet tx3d Trying... Connected to tx3d.austin.ibm.com. Escape character is '^]'. telnet (tx3d.austin.ibm.com) login: foo foo's Password: *************************************************************************** * Welcome to AIX Version 6.1! * *************************************************************************** echo $AUTHSTATE KRB5files /usr/krb5/bin/klist Ticket cache: FILE:/var/krb5/security/creds/krb5cc_foo@AUSTIN.IBM.COM_203 Default principal: foo@AUSTIN.IBM.COM Valid starting Expires Service principal 04/29/05 14:37:28 04/30/05 00:39:22 krbtgt/AUSTIN.IBM.COM@AUSTIN.IBM.COM Renew until 04/30/05 14:37:28 04/29/05 14:39:22 04/30/05 00:39:22 host/tx3d.austin.ibm.com@AUSTIN.IBM.COM