Configuring Windows Server 2000 Kerberos Service

The Windows Server 2000 Kerberos Service and the NAS client interoperate at the Kerberos protocol level (RFC 1510). Because Windows Server 2000 does not support the kadmin interface, include the -D flag in the mkkrb5clnt command when you configure AIX® clients. Principals on the Windows side are created and managed with the Windows tools (Active Directory Users and Computers and ktpass), not with kadmin.

Use the following procedure to configure an AIX client for Kerberos-based authentication against Windows Server 2000 Kerberos Service.
  1. Set up Windows Server 2000. Refer to the Microsoft documentation for configuring a Microsoft Active Directory Server.
  2. If the NAS client is not installed on the AIX client, install the krb5.client.rte file set from the AIX Expansion Pack.
  3. Use the mkkrb5clnt command with the following configuration information to configure an AIX Kerberos client:
    realm
    Windows Active Directory domain name; Kerberos uses it in uppercase (for example, AUSTIN.IBM.COM)
    domain
    DNS domain name of the machine that hosts the Active Directory server
    KDC
    Host name of the Windows domain controller
    server
    Host name of the Windows domain controller (the -s value names the administration server; for Active Directory this is the same host as the KDC)

    The following is an example of the mkkrb5clnt command, with MYREALM standing for the realm name:

    mkkrb5clnt -r MYREALM -d austin.ibm.com -c w2k.austin.ibm.com -s w2k.austin.ibm.com -D

    The -D option in the mkkrb5clnt command creates the is_kadmind_compat=no option in the /etc/methods.cfg file and configures the Kerberos client environment for authentication against non-AIX systems: the KRB5 load module then does not attempt kadmin operations, such as password changes, that a KDC without the kadmin interface cannot serve. Do not use the -D option to configure the Kerberos client environment for authentication against the IBM® Network Authentication Service (NAS), where kadmin is available.

    Note: When you run the mkkrb5clnt command, the following stanzas are added to the methods.cfg file.
    KRB5:
            program = /usr/lib/security/KRB5
            program_64 = /usr/lib/security/KRB5_64
            options = authonly,is_kadmind_compat=no
    
    KRB5files:
            options = db=BUILTIN,auth=KRB5
    For more information about:
    • the mkkrb5clnt command and allowable flags, see the mkkrb5clnt command.
    • the methods.cfg file, see the methods.cfg file.
  4. Windows Server 2000 interoperates with non-Windows Kerberos clients using the DES-CBC-MD5 and DES-CBC-CRC encryption types, so restrict the ticket encryption types that the client requests to those two by changing the krb5.conf file to be similar to the following. Single DES is a 56-bit cipher that is deprecated for Kerberos (RFC 6649) and can be broken by brute force; keep this setting only while the KDC is Windows Server 2000, and remove the two enctype lines once the domain controllers support AES so that the client negotiates stronger types.
    [libdefaults]
        default_realm = MYREALM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc
  5. Create a host principal.

    Windows account names are single-component names, unlike NAS principal names such as host/<fully_qualified_host_name>, so you cannot create the host principal directly as an account. Instead, create a user account that represents the host and map the service principal name onto it with ktpass (step 6). ktpass also sets the account's password to the value you give it and writes the key derived from that password to a keytab file, so the keytab and the account always share the same key.

    On the Active Directory server, use the Active Directory Management tool to create a new user account that corresponds to the tx3d.austin.ibm.com AIX client as follows:
    1. Select the User folder.
    2. Right-click to select New.
    3. Select User.
    4. Enter tx3d in the First name field and make sure the user logon name is also tx3d, because that is the account name that ktpass -mapuser refers to in step 6, and then click Next.
    5. Create a password, clear User must change password at next logon (an account in that state cannot be used from a keytab), and then click Next. ktpass replaces this password in step 6, so its value does not matter here.
    6. Click Finish to create the account that will be mapped to the host principal.
  6. On the Windows Server 2000 machine, run the ktpass command from the command line to map the host principal onto the tx3d account, set the account password, and write the resulting key to a tx3d.keytab file:
    ktpass -princ host/tx3d.austin.ibm.com@MYREALM -mapuser tx3d -pass password -out tx3d.keytab
    Replace password with a long random value: the key in the keytab is derived from it, and ktpass stores the same password on the account. The -mapuser value is the account logon name, and the realm after @ must match the default_realm in krb5.conf.
  7. Copy the tx3d.keytab file to the AIX host system. The file contains the host's long-term key, so transfer it over a protected channel (not plain FTP) and delete the copy on the Windows machine afterwards.
  8. Merge the tx3d.keytab file into the /etc/krb5/krb5.keytab file on the AIX system as follows (rkt reads the entries from tx3d.keytab and wkt writes them into the existing keytab):
    ktutil
    rkt tx3d.keytab
    wkt /etc/krb5/krb5.keytab
    q
    Afterwards make sure that /etc/krb5/krb5.keytab is owned by root and readable only by root, and delete the tx3d.keytab copy.
  9. Create Windows domain accounts using the Active Directory user management tools.
  10. To create an AIX account for each Windows domain account, with the same name and with Kerberos authentication, run the following command (foo is the Windows account name; the account data is stored locally and the password is verified against the KDC):
    mkuser registry=KRB5files SYSTEM=KRB5files foo
  11. To log in to the AIX system and verify the configuration, run the telnet command. Note that telnet sends the password in clear text across the network; use it only on an isolated test network and use ssh for production logins.
    The following is an example of a Kerberos integrated login session that uses KRB5 against the Windows Active Directory. In this session the realm is AUSTIN.IBM.COM, the Active Directory domain name in uppercase, rather than the MYREALM placeholder used in the earlier examples. The second ticket in the klist output, for host/tx3d.austin.ibm.com, is obtained during login and checked against the host key in /etc/krb5/krb5.keytab, so that a forged KDC response cannot log the user in; this is why the host principal and keytab of steps 5 to 8 are required.
    telnet tx3d
    
    Trying...
    Connected to tx3d.austin.ibm.com.
    Escape character is '^]'.
    
    telnet (tx3d.austin.ibm.com)
    login: foo
    foo's Password:
    ***************************************************************************
    * Welcome to AIX Version 6.1! *
    ***************************************************************************
    echo $AUTHSTATE
    KRB5files
    
    /usr/krb5/bin/klist
    Ticket cache: FILE:/var/krb5/security/creds/krb5cc_foo@AUSTIN.IBM.COM_203
    Default principal: foo@AUSTIN.IBM.COM
    
    Valid starting     Expires            Service principal
    04/29/05 14:37:28  04/30/05 00:39:22  krbtgt/AUSTIN.IBM.COM@AUSTIN.IBM.COM
         Renew until 04/30/05 14:37:28
    
    04/29/05 14:39:22  04/30/05 00:39:22  host/tx3d.austin.ibm.com@AUSTIN.IBM.COM
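    The following is an added example and is not part of the IBM page: a POSIX shell audit that parses the two files this procedure leaves behind, confirms that the KRB5 stanza in methods.cfg carries is_kadmind_compat=no (the effect of mkkrb5clnt -D in step 3), and flags [libdefaults] enctype lists that consist only of single DES (step 4) so that they are removed once the KDC is no longer Windows Server 2000. The sample files are constructed inline from the fragments shown above plus a hardened AES variant; the function names and the check logic are the example's own, not part of mkkrb5clnt or NAS.

```sh
#!/bin/sh
# Added example (not from the IBM page): audit an AIX Kerberos client set up
# with mkkrb5clnt against Active Directory. Function names are this example's own.

# Return 0 if the KRB5 stanza of the given methods.cfg lists
# is_kadmind_compat=no among its options (what mkkrb5clnt -D writes), else 1.
krb5_stanza_is_non_aix() {
    awk '
        /^[A-Za-z0-9_]+:/ { in_krb5 = ($1 == "KRB5:") }   # stanza header at column 0
        in_krb5 && $1 == "options" && $2 == "=" {
            n = split($3, opts, ",")                     # e.g. authonly,is_kadmind_compat=no
            for (i = 1; i <= n; i++)
                if (opts[i] == "is_kadmind_compat=no") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the value of one key from the [libdefaults] section of a krb5.conf.
libdefault() {
    awk -v key="$2" '
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section) }
        section == "libdefaults" && $1 == key && $2 == "=" {
            $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# Return 0 if a non-empty, space-separated enctype list is single DES only.
only_single_des() {
    [ -n "$1" ] || return 1
    for e in $1; do
        case "$e" in
            des-cbc-crc|des-cbc-md4|des-cbc-md5|des) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Audit one methods.cfg / krb5.conf pair; print one line per check and
# return the number of findings (0 means nothing to fix).
audit_client() {
    methods_cfg=$1; krb5_conf=$2; findings=0
    if krb5_stanza_is_non_aix "$methods_cfg"; then
        echo "ok:   KRB5 stanza carries is_kadmind_compat=no (mkkrb5clnt -D)"
    else
        echo "FAIL: KRB5 stanza lacks is_kadmind_compat=no; rerun mkkrb5clnt with -D for an AD KDC"
        findings=$((findings + 1))
    fi
    for key in default_tkt_enctypes default_tgs_enctypes; do
        val=$(libdefault "$krb5_conf" "$key")
        if only_single_des "$val"; then
            echo "WARN: $key = $val (56-bit single DES; acceptable only for a Windows 2000 KDC)"
            findings=$((findings + 1))
        else
            echo "ok:   $key = ${val:-<library default>}"
        fi
    done
    return $findings
}

# Constructed sample files so the audit runs stand-alone: the stanza and
# krb5.conf fragment from this page, a hardened AES variant, and a stanza
# written without -D (NAS style) as the negative case.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_METHODS="$SAMPLE_DIR/methods.cfg"
SAMPLE_METHODS_NAS="$SAMPLE_DIR/methods.cfg.nas"
SAMPLE_WEAK_CONF="$SAMPLE_DIR/krb5.conf.des"
SAMPLE_STRONG_CONF="$SAMPLE_DIR/krb5.conf.aes"
printf 'KRB5:\n\tprogram = /usr/lib/security/KRB5\n\tprogram_64 = /usr/lib/security/KRB5_64\n\toptions = authonly,is_kadmind_compat=no\n\nKRB5files:\n\toptions = db=BUILTIN,auth=KRB5\n' >"$SAMPLE_METHODS"
printf 'KRB5:\n\tprogram = /usr/lib/security/KRB5\n\toptions = authonly\n' >"$SAMPLE_METHODS_NAS"
printf '[libdefaults]\n    default_realm = MYREALM\n    default_keytab_name = FILE:/etc/krb5/krb5.keytab\n    default_tkt_enctypes = des-cbc-md5 des-cbc-crc\n    default_tgs_enctypes = des-cbc-md5 des-cbc-crc\n' >"$SAMPLE_WEAK_CONF"
printf '[libdefaults]\n    default_realm = MYREALM\n    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n' >"$SAMPLE_STRONG_CONF"

echo "== configuration from this page (Windows 2000, single DES) =="
audit_client "$SAMPLE_METHODS" "$SAMPLE_WEAK_CONF" || echo "-> $? finding(s)"
echo "== hardened krb5.conf (AES enctypes) =="
audit_client "$SAMPLE_METHODS" "$SAMPLE_STRONG_CONF" || echo "-> $? finding(s)"
```

    On a real client, call audit_client /etc/methods.cfg /etc/krb5/krb5.conf instead of the sample paths; the stanza check guards against the -D flag having been forgotten (in which case the load module would try kadmin operations the Windows KDC cannot serve), and the enctype check is what you rerun after the domain controllers are upgraded to make sure the DES lines from step 4 were actually removed.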