Integrating HP-UX 11.x Account Management and Authentication with Microsoft Windows 2000

The keytab file is the one created with ktpass on Windows 2000, as described in the previous section. You need to transfer this file
securely to your HP-UX machine and name it krb5.keytab in the /etc directory. If an /etc/krb5.keytab file already
exists, you need to merge the new keytab file into the existing one; ktutil, a tool provided with the product, lets you
import the keys. This file should be readable only by root.
Synchronize the HP-UX clock to the Windows 2000 clock:
The clocks on Windows 2000 and your HP-UX machine must be synchronized; by default, they must agree to within 5
minutes. You can run Network Time Synchronizer to synchronize both clocks. If the tool is not available, you can
synchronize them manually by setting “Date/Time Properties” on Windows 2000 and running “/etc/set_parms
date_time” on HP-UX.
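The following script is an added example, not part of the HP whitepaper: it checks that a keytab is not readable by group or other, as required above, and audits a pam.conf for the Kerberos-sufficient-then-UNIX-required stacking that Step 3 configures. The function names and the constructed sample pam.conf are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the HP whitepaper): audit keytab permissions as
# required above and the "krb5 sufficient, then unix required try_first_pass"
# stacking that Step 3 configures. Function names and the sample pam.conf
# are this example's own assumptions; only awk, grep, ls and cut are used.

# check_keytab_perms FILE -> 0 when group and other hold no permission bits
# (the keytab must be readable only by root); 1 otherwise.
check_keytab_perms() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_pam_stack FILE SERVICE TYPE -> 0 when, among the uncommented lines
# for that service and type, libpam_krb5.1 is listed before libpam_unix.1
# and (for auth) the unix line carries try_first_pass; 1 otherwise.
check_pam_stack() {
    _lines=$(awk -v s="$2" -v t="$3" '$1 == s && $2 == t' "$1")
    _krb=$(printf '%s\n' "$_lines" | awk '/libpam_krb5\.1/ { print NR; exit }')
    _unx=$(printf '%s\n' "$_lines" | awk '/libpam_unix\.1/ { print NR; exit }')
    [ -n "$_krb" ] && [ -n "$_unx" ] && [ "$_krb" -lt "$_unx" ] || return 1
    if [ "$3" = auth ]; then
        printf '%s\n' "$_lines" | grep 'libpam_unix\.1' | grep -q try_first_pass || return 1
    fi
    return 0
}

# write_sample_pam_conf DIR -> path of a constructed pam.conf: the login
# stack mirrors the page; the ftp auth stack is deliberately reversed.
write_sample_pam_conf() {
    cat > "$1/pam.conf" <<'EOF'
# Authentication management
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth sufficient /usr/lib/security/libpam_krb5.1
login account required /usr/lib/security/libpam_krb5.1
login account required /usr/lib/security/libpam_unix.1
EOF
    printf '%s\n' "$1/pam.conf"
}

# Stand-alone use on a real host: audit the auth stacks the page lists.
[ -f /etc/pam.conf ] && for s in login su dtlogin dtaction ftp; do
    check_pam_stack /etc/pam.conf "$s" auth && echo "$s: ok" || echo "$s: CHECK"
done
```

A service whose stack lists libpam_unix.1 before libpam_krb5.1, or whose unix line lacks try_first_pass, is reported as CHECK so it can be compared against the Step 3 example.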
Step 3: Change /etc/pam.conf to use PAM Kerberos.
/etc/pam.conf is the PAM configuration file, which specifies the PAM service modules used by PAM applications. To use PAM
Kerberos as the authentication module, you need to edit /etc/pam.conf to include the PAM Kerberos library
/usr/lib/security/libpam_krb5.1 for all four service types: authentication, account management, session management, and
password management. Refer to the PAM Kerberos Release Note for detailed information on PAM configuration. The
following is an example:
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth sufficient /usr/lib/security/libpam_krb5.1
su auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth sufficient /usr/lib/security/libpam_krb5.1
dtaction auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth sufficient /usr/lib/security/libpam_krb5.1
ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth sufficient /usr/lib/security/libpam_unix.1
#
# Account management
#
login account required /usr/lib/security/libpam_krb5.1
login account required /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_krb5.1
su account required /usr/lib/security/libpam_unix.1
dtlogin account required /usr/lib/security/libpam_krb5.1
dtlogin account required /usr/lib/security/libpam_unix.1
dtaction account required /usr/lib/security/libpam_krb5.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_krb5.1
ftp account required /usr/lib/security/libpam_unix.1
OTHER account sufficient /usr/lib/security/libpam_unix.1
#
# Session management
#