Integrate Logins with HP CIFS Server, HP-UX, and Windows 2003R2/2008
33
Configure PAM Kerberos
Configuring PAM Kerberos on the local HP-UX server redirects authentication for kerberized HP-UX
functions. These include local HP-UX logons, Secure Internet Services (telnet, ftp, etc.), and Secure
Shell. HP CIFS Server does not require PAM Kerberos for Kerberos authentication.
In earlier chapters, Kerberos for HP CIFS Server was already configured:
1. The Kerberos client was installed
2. /etc/krb5.conf was edited
3. The HP CIFS Server was joined to the domain
a. /etc/opt/samba/smb.conf was edited for Kerberos
4. /etc/krb5.keytab was created during the CIFS Server join.
a. CIFS/Samba created the krb5.keytab with the correct service principals to
authenticate HP-UX local users and Internet Services users using Kerberos.
5. Kerberos authentication with HP CIFS Server client logons was verified using the “HP
CIFS Server and Kerberos” whitepaper.
Step 1 – Configure /etc/krb5.conf
CIFS/Samba creates the /etc/krb5.keytab file as part of the “net ads join” process. To successfully
write the krb5.keytab file, the krb5.conf file must be configured with a special “WRFILE” parameter.
However, this parameter is only needed for the krb5.keytab file creation. HP-UX Secure Internet
Services cannot authenticate successfully when the krb5.conf file has the WRFILE configured. So
WRFILE must be commented out after the krb5.keytab file is created.
NOTE: WRFILE must be commented out of /etc/krb5.conf ONLY if HP-UX Secure Internet Services
usage is required on the HP-UX system. The WRFILE does not affect local HP-UX logins, HP CIFS
Server client authentication, or SSH logins. WRFILE is not required at all for HP CIFS Server A.02.04
and later.
Here is the krb5.conf file configured for Secure Internet Services usage:
[libdefaults]
    default_realm = ATCWIN1.HP.COM
    default_tkt_enctypes = DES-CBC-CRC RC4-HMAC DES-CBC-MD5
    default_tgs_enctypes = DES-CBC-CRC RC4-HMAC DES-CBC-MD5
    # default_keytab_name = "WRFILE:/etc/krb5.keytab"
    # The line above is not valid for HP CIFS Server A.02.04 and later. Remove it.
    ccache_type = 2
    clockskew = 1800000
[realms]
    ATCWIN1.HP.COM = {
        kdc = ATCWINVM1.ATCWIN1.HP.COM:88
        admin_server = ATCWINVM1.ATCWIN1.HP.COM
    }
[domain_realm]
    .hp.com = ATCWIN1.HP.COM
[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
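The following Python check is an added example and not part of the HP whitepaper: it parses a krb5.conf (a minimal parser for the sections used above, not the full krb5.conf grammar), reports whether the WRFILE keytab line is still active, and produces the commented-out form that Secure Internet Services needs. The embedded sample is a constructed copy of the file above in its post-join state, with WRFILE still uncommented.

```python
import re

# Constructed sample: the whitepaper's krb5.conf as it looks right after
# "net ads join", i.e. with the WRFILE keytab line still active.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = ATCWIN1.HP.COM
    default_tkt_enctypes = DES-CBC-CRC RC4-HMAC DES-CBC-MD5
    default_keytab_name = "WRFILE:/etc/krb5.keytab"
    ccache_type = 2
    clockskew = 1800000
[realms]
    ATCWIN1.HP.COM = {
        kdc = ATCWINVM1.ATCWIN1.HP.COM:88
        admin_server = ATCWINVM1.ATCWIN1.HP.COM
    }
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: section -> key -> value. Keys inside a
    brace-delimited realm block are stored as 'REALM.key'. Blank lines and
    '#' comments are dropped, so a commented-out WRFILE line never shows up."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1), None
            conf.setdefault(section, {})
            continue
        if line.endswith("{"):          # start of a realm block
            realm = line[:-1].strip().rstrip("=").strip()
            continue
        if line == "}":                 # end of a realm block
            realm = None
            continue
        key, _, val = line.partition("=")
        key = key.strip() if realm is None else f"{realm}.{key.strip()}"
        conf[section][key] = val.strip().strip('"')
    return conf

def wrfile_active(text):
    """True while default_keytab_name still points at a WRFILE: keytab, the
    state in which HP-UX Secure Internet Services authentication fails."""
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    return libdefaults.get("default_keytab_name", "").upper().startswith("WRFILE:")

def comment_out_wrfile(text):
    """Return the file with every active WRFILE keytab line commented out,
    the edit the whitepaper prescribes once /etc/krb5.keytab exists."""
    out = []
    for line in text.splitlines():
        body = line.lstrip()
        if not body.startswith("#") and "default_keytab_name" in body \
                and "WRFILE:" in body.upper():
            line = line[:len(line) - len(body)] + "# " + body
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `wrfile_active` against the live /etc/krb5.conf is a quick post-join sanity check before enabling Secure Internet Services.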