LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
10. A screen displays that confirms your configuration. Click Finish if everything is correct;
otherwise, click Back to modify your responses.
11. Repeat steps 8 and 9 to delegate the POSIX user attributes to the proxy user, choosing
User objects in step 8 and the following POSIX user attributes in step 9:
– Read gecos
– Read loginShell
– Read unixHomeDirectory
– Read gidNumber
– Read uidNumber
– Read uid
• If you will be using ADS multiple domains:
If you configure LDAP-UX with ADS multiple domains and you configure a proxy user in one of the domains, as described previously, then configure the same proxy user in every domain that you want to include for remote domain support with LDAP-UX. For example, first configure a proxy user proxyusr for the domain ldap.hp.com. Next, include the domain eng.hp.com in the support, and add proxyusr@ldap.hp.com to the domain eng.hp.com using the preceding steps. Repeat these steps for every domain that you want to include. If you have multiple LDAP-UX clients, you may also configure one proxy user for each client, as long as that proxy user has access rights to all domains that the client needs to access. The proxy user needs access rights to read passwd and group information in multiple domains.
3.4.5.3 Step 3: Add an HP-UX client machine account to Active Directory
Use the Active Directory Users and Computers tool to create a user account for your HP-UX host.
• If you are using ADS multiple domains: add a host account for an HP-UX client machine to
every domain you want to access.
3.4.5.4 Step 4: Use ktpass to create the keytab file for the HP-UX client machine
Use the ktpass tool to create the keytab file and set up an identity mapping to the host account.
The following example shows how to run ktpass to create the keytab file for the HP-UX host
myhost with the KDC realm cup.hp.com:
C:> ktpass -princ host/myhost.cup.hp.com@CUP.HP.COM -mapuser myhost -pass mypasswd -out unix.keytab
NOTE: Unless a ptype is specified, the resulting keytab will have ptype 0 (KRB5_NT_UNKNOWN),
whereas it should probably be set to KRB5_NT_PRINCIPAL.
NOTE: If your machine doesn't have ktpass for Windows 2003 R2, you can install it from your
Windows 2003 Server compact disc, in the directory support/tools/suptools.msi. For
Windows 2008, this is installed by default.
If you are using ADS multiple domains, repeat step 3 and step 4 in this procedure for the HP-UX
client machine in every domain to be accessed. Then, merge the keytab files on your HP-UX machine
to create /etc/krb5.keytab. For more information, see Section 7.11 (page 246).
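As an added example (not code from this guide or from the LDAP-UX product), the following Python utility covers two checks an administrator wants after the ktpass and merge steps: it parses keytab files, reports any entry still carrying ptype 0 (KRB5_NT_UNKNOWN), as the NOTE above warns, and merges the per-domain keytabs into one blob without duplicate entries. It assumes the keytab is in the common MIT version 2 on-disk format (0x0502 header, big-endian fields). The ENG.HP.COM realm, the kvno, the enctype and the key bytes in the sample keytabs are constructed values, not output of a real ktpass run.

```python
# Added example (not HP's code): inspect and merge MIT-format (0x0502) keytab files.
# Checks the KRB5_NT_UNKNOWN ptype problem and merges per-domain keytabs for /etc/krb5.keytab.
import struct

KRB5_NT_UNKNOWN = 0    # what ktpass emits when no ptype is given
KRB5_NT_PRINCIPAL = 1  # what a host/ principal should carry


def _counted(buf, pos):
    """Read a 16-bit-length-prefixed string starting at pos; return (string, new pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _parse_entry(body):
    pos = 0
    (ncomp,) = struct.unpack_from(">H", body, pos)   # component count (realm not included)
    pos += 2
    realm, pos = _counted(body, pos)
    comps = []
    for _ in range(ncomp):
        comp, pos = _counted(body, pos)
        comps.append(comp)
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, pos)
    pos += 9
    enctype, klen = struct.unpack_from(">HH", body, pos)
    pos += 4
    key = body[pos:pos + klen]
    pos += klen
    kvno = vno8
    if len(body) - pos >= 4:          # optional 32-bit kvno overrides the 8-bit field
        (vno32,) = struct.unpack_from(">I", body, pos)
        if vno32:
            kvno = vno32
    return {"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
            "timestamp": timestamp, "kvno": kvno, "enctype": enctype, "key": key}


def parse_keytab(data):
    """Return the list of entries in a version-2 keytab blob."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # negative size marks a deleted slot to skip
            off += -size
            continue
        if size == 0:
            break
        entries.append(_parse_entry(data[off:off + size]))
        off += size
    return entries


def _encode_entry(e):
    name, realm = e["principal"].rsplit("@", 1)
    comps = name.split("/")
    out = struct.pack(">H", len(comps))
    for s in [realm] + comps:         # realm first, then the name components
        out += struct.pack(">H", len(s.encode())) + s.encode()
    out += struct.pack(">IIB", e["name_type"], e["timestamp"], e["kvno"] & 0xFF)
    out += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
    out += struct.pack(">I", e["kvno"])
    return struct.pack(">i", len(out)) + out


def write_keytab(entries):
    return b"\x05\x02" + b"".join(_encode_entry(e) for e in entries)


def unknown_ptype(data):
    """Principals whose entries still carry KRB5_NT_UNKNOWN (the ktpass default)."""
    return [e["principal"] for e in parse_keytab(data) if e["name_type"] == KRB5_NT_UNKNOWN]


def merge_keytabs(*blobs, fix_unknown_ptype=False):
    """Concatenate keytabs, dropping duplicates of (principal, kvno, enctype)."""
    seen, merged = set(), []
    for blob in blobs:
        for e in parse_keytab(blob):
            ident = (e["principal"], e["kvno"], e["enctype"])
            if ident in seen:
                continue
            seen.add(ident)
            if fix_unknown_ptype and e["name_type"] == KRB5_NT_UNKNOWN:
                e = dict(e, name_type=KRB5_NT_PRINCIPAL)
            merged.append(e)
    return write_keytab(merged)


def _sample(principal, key, name_type=KRB5_NT_PRINCIPAL):
    # Constructed values: enctype 23 is arcfour-hmac; the key bytes are dummies, not real keys.
    return {"principal": principal, "name_type": name_type, "timestamp": 1200000000,
            "kvno": 3, "enctype": 23, "key": key}


# Constructed stand-ins for the per-domain ktpass output (realm ENG.HP.COM is assumed).
CUP_KEYTAB = write_keytab([_sample("host/myhost.cup.hp.com@CUP.HP.COM", bytes(range(16)),
                                   KRB5_NT_UNKNOWN)])   # ptype left at the ktpass default
ENG_KEYTAB = write_keytab([_sample("host/myhost.eng.hp.com@ENG.HP.COM", bytes(range(16, 32)))])

if __name__ == "__main__":
    merged = merge_keytabs(CUP_KEYTAB, ENG_KEYTAB, CUP_KEYTAB)   # the repeated file is deduplicated
    for e in parse_keytab(merged):
        print(e["principal"], "kvno", e["kvno"], "enctype", e["enctype"], "name_type", e["name_type"])
    print("entries still KRB5_NT_UNKNOWN:", unknown_ptype(merged))
```

Run it against the real files by reading each keytab with `open(path, "rb").read()` and writing `merge_keytabs(...)` to /etc/krb5.keytab; an entry reported by `unknown_ptype` is one to regenerate with ktpass and an explicit ptype rather than to patch in place, unless the key material is known to be correct.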
This is one way to configure an HP-UX Kerberos client to communicate with multiple KDCs. For
other possibilities using cross-realm authentication, refer to the [capaths] section of the krb5.conf
manpage (that is: man krb5.conf). For information about the /etc/krb5.conf file, see
“Sample /etc/krb5.conf file” (page 434).
3.4 Customized installation (setup) for a Windows ADS environment 137