Integrating HP-UX 11.x Account Management and Authentication with Microsoft Windows 2000

Step 2: Configure your HP-UX machine to authenticate using PAM Kerberos.
The PAM Kerberos Release Note contains detailed information on how to configure an HP-UX machine to use PAM
Kerberos with Windows 2000 as the KDC. Here is a brief description of the task.
Create /etc/krb5.conf:
/etc/krb5.conf is the Kerberos configuration file, which specifies the default realm, the location of a KDC server and
the log file names. The Kerberos client depends on this configuration to locate the realm’s KDC. The following is an
example of /etc/krb5.conf which has the realm LA.CAL.COM, and machine myhost.la.cal.com as the KDC:
    [libdefaults]
        default_realm = LA.CAL.COM
        default_tgs_enctypes = DES-CBC-CRC
        default_tkt_enctypes = DES-CBC-CRC
        ccache_type = 2
    [realms]
        LA.CAL.COM = {
            kdc = MYHOST.LA.CAL.COM:88
            kpasswd_server = MYHOST.LA.CAL.COM:464
        }
    [domain_realm]
        .la.cal.com = LA.CAL.COM
    [logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
/etc/krb5.conf should have permissions 644 and be owned by root.
Add the Kerberos services to /etc/services:
The /etc/services file needs to contain the Kerberos services. If your /etc/services is from the HP-UX 11.00 release, the
Kerberos services will already exist. If your /etc/services doesn’t have the Kerberos services, add the following:
    kerberos        88/udp    kdc    # Kerberos v5 kdc
    kerberos        88/tcp    kdc    # Kerberos V5 kdc
    klogin          543/tcp          # Kerberos rlogin -kfall
    kshell          544/tcp   cmd    # Kerberos remote shell
    kerberos-adm    464/udp          # Kerberos 5 password change protocol
    kerberos-adm    464/tcp          # Kerberos 5 password change protocol
    kerberos-adm    749/udp          # Kerberos 5 admin/changepw
    kerberos-adm    749/tcp          # Kerberos 5 admin/changepw
    krb5_prop       754/tcp          # Kerberos slave propagation
    eklogin         2105/tcp         # Kerberos encrypted rlogin
    krb524          4444/tcp         # Kerberos 5 to 4 ticket translator
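A way to check the two files configured above before moving on, as an added example that is not part of the original paper or of HP's tooling. The function names are hypothetical, and the optional uid argument of conf_perms_ok is an assumption added so the check can be tried on a copy not owned by root.

```shell
# Added example. Source this file, then call the functions with the
# paths to check, e.g.  missing_krb_services /etc/services
# Services listed above, as "name port/proto" (aliases are not checked).
KRB_SERVICES="kerberos 88/udp
kerberos 88/tcp
klogin 543/tcp
kshell 544/tcp
kerberos-adm 464/udp
kerberos-adm 464/tcp
kerberos-adm 749/udp
kerberos-adm 749/tcp
krb5_prop 754/tcp
eklogin 2105/tcp
krb524 4444/tcp"

# Print each required entry that is missing from services file $1.
missing_krb_services() {
    echo "$KRB_SERVICES" | while read name port; do
        awk -v n="$name" -v p="$port" '
            { sub(/#.*/, "") }                  # ignore comments
            $1 == n && $2 == p { found = 1 }
            END { exit !found }' "$1" || echo "$name $port"
    done
}

# Succeed if $1 is mode 644 and owned by uid $2 (default 0 = root).
conf_perms_ok() {
    ls -ln "$1" | awk -v u="${2:-0}" '
        { ok = ($1 ~ /^-rw-r--r--/ && $3 == u) }
        END { exit !ok }'
}

# Print the kdc entries of the default_realm in krb5.conf $1;
# fail if there is no default_realm or its [realms] block has no kdc.
default_realm_kdcs() {
    realm=$(awk -F= '{ k = $1; gsub(/[ \t]/, "", k) }
        k == "default_realm" { gsub(/[ \t]/, "", $2); print $2; exit }' "$1")
    [ -n "$realm" ] || return 1
    awk -F= -v r="$realm" '
        { k = $1; gsub(/[ \t]/, "", k) }
        k == r && index($0, "{") { inside = 1; next }
        index($0, "}")           { inside = 0 }
        inside && k == "kdc"     { gsub(/[ \t]/, "", $2); print $2; n++ }
        END { exit !n }' "$1"
}
```

An empty result from missing_krb_services means every entry from the list above is present; default_realm_kdcs failing means the client has no KDC to contact for its default realm.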
Add a host key to the /etc/krb5.keytab file: