LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
4. Add a host key to the /etc/krb5.keytab file
The keytab file is the one created with ktpass, as described in the previous section on Windows
2003 R2/2008. Securely transfer that keytab file to your HP-UX machine and name it krb5.keytab
in the /etc directory. If you already have an existing /etc/krb5.keytab file, merge the new
keytab file with the existing one. ktutil is a tool provided with the Kerberos product for
maintaining the keytab file.
NOTE: The keytab file should only be readable by the root user.
5. Synchronize the HP-UX clock to the Windows 2003 R2 or 2008 clock. These must be
synchronized within two minutes. You can run Network Time Synchronizer to synchronize
both clocks. If the tool is not available, you can manually synchronize them by setting
"Date/Time Properties" on Windows 2003 R2 or 2008 and running /etc/set_parms
date_time on HP-UX.
6. Configure /etc/pam.conf to use PAM Kerberos authentication. This file is the PAM
configuration file that specifies PAM service modules for PAM applications. To use PAM
Kerberos as an authentication module, edit /etc/pam.conf to include the PAM Kerberos
library /usr/lib/security/libpam_krb5.so.1 for all four services: authentication,
account management, session management, and password management. Sample PAM
configuration files and details about their structure and configuration are provided in “Sample
PAM configuration (pam.conf) files for Windows ADS” (page 149).
NOTE: The sample files reflect the recommendation to keep the root user in /etc/passwd
local on each client machine, and to allow for local account management of the root user.
This helps guarantee local access to the system in case the network is down. Other conditions
are necessary to guarantee local access, as discussed in “Sample PAM configuration (pam.conf)
files for Windows ADS” (page 149).
For more information, see the pam(3) and pam.conf(4) manpages, and the Managing Systems
and Workgroups: A Guide for HP-UX System Administrators document at the following location:
http://www.hp.com/go/hpux-core-docs (click HP-UX 11i v2)
2.4.5.4 Step 4: Configure the Name Service Switch (NSS)
The Name Service Switch (NSS) needs to be modified to retrieve your account and group information
from Active Directory.
Save a copy of the file /etc/nsswitch.conf and edit the original to specify the ldap name
service and any other name services you want to use. Refer to /etc/nsswitch.ldap for an example.
You may be able to simply copy /etc/nsswitch.ldap to /etc/nsswitch.conf. Refer to
nsswitch.conf(4) for more information.
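The following script is an added example, not part of the HP guide or the LDAP-UX product: it checks the results of step 4 (keytab readable only by its owner), step 6 (libpam_krb5.so.1 listed for all four PAM module types) and the NSS step (passwd and group resolved through ldap). The file paths are parameters, and the sample configuration files it creates are constructed for offline use.

```shell
#!/bin/sh
# Added verification helpers for steps 4 and 6 and the NSS step (not from the HP guide).

KRB5_LIB=/usr/lib/security/libpam_krb5.so.1

# 0 if pam.conf has an active (non-comment) line loading libpam_krb5.so.1 for every one of
# the four module types: auth, account, session, password. Fields in pam.conf are
# service-name, module-type, control-flag, module-path [options].
pam_krb5_complete() {
    missing=""
    for svc in auth account session password; do
        awk -v t="$svc" -v lib="$KRB5_LIB" \
            '$1 !~ /^#/ && $2 == t && $4 == lib { found = 1 } END { exit !found }' "$1" \
            || missing="$missing $svc"
    done
    [ -z "$missing" ] && return 0
    echo "pam_krb5: no entry for module type(s):$missing" >&2
    return 1
}

# 0 if nsswitch.conf resolves both passwd and group through the ldap name service.
nss_uses_ldap() {
    awk '$1 == "passwd:" && /ldap/ { p = 1 } $1 == "group:" && /ldap/ { g = 1 }
         END { exit !(p && g) }' "$1"
}

# 0 if the keytab is readable by its owner only (mode 0600 or 0400); uses ls -l because
# stat(1) is not available on every HP-UX release.
keytab_private() {
    mode=$(ls -l "$1" | cut -c2-10)
    case "$mode" in
        rw-------|r--------) return 0 ;;
        *) echo "$1: permissions too open ($mode), expected 0600" >&2; return 1 ;;
    esac
}

# Constructed sample inputs so the script runs offline; on a real client pass
# /etc/pam.conf, /etc/nsswitch.conf and /etc/krb5.keytab instead.
tmpdir=$(mktemp -d)
cat > "$tmpdir/pam.conf" <<'EOF'
# login uses PAM Kerberos for auth and account only: the check should flag session/password
login auth    required /usr/lib/security/libpam_krb5.so.1
login account required /usr/lib/security/libpam_krb5.so.1
login session required /usr/lib/security/libpam_unix.so.1
EOF
printf 'passwd: files ldap\ngroup:  files ldap\n' > "$tmpdir/nsswitch.conf"
touch "$tmpdir/krb5.keytab" && chmod 600 "$tmpdir/krb5.keytab"
pam_krb5_complete "$tmpdir/pam.conf" && echo "pam.conf OK" || echo "pam.conf incomplete"
nss_uses_ldap "$tmpdir/nsswitch.conf" && echo "nsswitch.conf OK"
keytab_private "$tmpdir/krb5.keytab" && echo "keytab permissions OK"
```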
2.4.5.5 Step 5: Configure the PAM Authorization Service Module (PAM_AUTHZ)
This step is optional. You do this step only if you want to use PAM_AUTHZ to control access rules
defined in the policy file, /etc/opt/ldapux/pam_authz.policy. LDAP-UX Client Services
provides a sample policy file, /etc/opt/ldapux/pam_authz.policy.template. This sample
file shows you how to configure the policy file to work with PAM_AUTHZ. You can copy this sample
file and edit it using the correct syntax to specify the access rules you wish to authorize or exclude
from authorization. For more detailed information on how to configure the policy file, see Section 6.4
(page 98).
2.4.5.6 Step 6: Configure the Disable Login Flag
Optionally, configure the disable login flag (disable_uid_range).
2.4 Customized installation (setup) 47