LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

krb5_prop 754/tcp # Kerberos slave propagation
kerberos-adm 464/udp # Kerberos Password Change protocol
kerberos-cpw 464/tcp # Kerberos Password Change protocol
4. Add a host key to the /etc/krb5.keytab file. The keytab file is the one described in the
previous section on Windows 2003 R2 or 2008 using ktpass. You must securely transfer
the keytab file previously created to your HP-UX machine and name it krb5.keytab in the
/etc directory. If you already have an existing /etc/krb5.keytab file, merge the new
keytab file with the existing one. The ktutil tool is provided with the Kerberos product for
you to maintain the keytab file.
NOTE: The keytab file should only be readable by the root user.
5. Synchronize the HP-UX clock to the Windows 2003 R2 or 2008 clock. These must be
synchronized within two minutes. You can run Network Time Synchronizer to synchronize
both clocks. If the tool is not available, you can manually synchronize them by setting
"Date/Time Properties" on Windows 2003 R2 or 2008 and running /etc/set_parms
date_time on HP-UX.
6. Configure /etc/pam.conf to use PAM Kerberos authentication. This file is the PAM
configuration file that specifies PAM service modules for PAM applications. To use PAM
Kerberos as an authentication module, edit /etc/pam.conf to include the PAM Kerberos
library /usr/lib/security/libpam_krb5.so.1 for all four services: authentication,
account management, session management, and password management. Sample PAM
configuration files and details about their structure and configuration are provided in “Sample
PAM configuration (pam.conf) files” (page 420).
NOTE: The sample files reflect the recommendation to keep the root user in /etc/passwd
local on each client machine, and to allow for local account management of the root user.
This helps guarantee local access to the system in case the network is down. Other conditions
are necessary to guarantee local access, as discussed in “Sample PAM configuration (pam.conf)
files” (page 420).
For more information, see the pam(3) and pam.conf(4) manpages, and the Managing Systems
and Workgroups: A Guide for HP-UX System Administrators document at the following location:
http://www.hp.com/go/hpux-core-docs (click HP-UX 11i v2)
For a list of all steps that you might need to perform to set up Kerberos support, see Section 3.4.2
(page 128).
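Step 6 requires a libpam_krb5.so.1 entry under each of the four PAM service types for a service. The following check, added here as an example and not taken from the LDAP-UX documentation or its sample pam.conf files, reads a pam.conf (fields: service, module type, control flag, module path, options) and reports which of the four types lack a Kerberos entry. The pam.conf fragment it runs against is constructed for the demonstration.

```shell
#!/bin/sh
# check_pam_krb5 <pam.conf> <service>
# Verifies that <service> has a libpam_krb5.so.1 entry for all four PAM
# module types (auth, account, session, password). Prints the types that
# lack one and returns 0 only when all four are covered.
check_pam_krb5() {
    conf=$1
    svc=$2
    missing=""
    for type in auth account session password; do
        if ! awk -v s="$svc" -v t="$type" '
            /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
            $1 == s && $2 == t && $4 ~ /libpam_krb5\.so\.1$/ { found = 1 }
            END { exit found ? 0 : 1 }' "$conf"; then
            missing="$missing $type"
        fi
    done
    if [ -n "$missing" ]; then
        echo "$svc: no libpam_krb5.so.1 entry for:$missing"
        return 1
    fi
    echo "$svc: libpam_krb5.so.1 present for all four service types"
    return 0
}

# Constructed sample fragment (not the document's sample file). The login
# service is complete; su is deliberately missing the password type.
SAMPLE_PAM_CONF=${TMPDIR:-/tmp}/pam.conf.sample.$$
trap 'rm -f "$SAMPLE_PAM_CONF"' EXIT
cat >"$SAMPLE_PAM_CONF" <<'EOF'
# service  type      control     module
login      auth      sufficient  /usr/lib/security/libpam_unix.so.1
login      auth      required    /usr/lib/security/libpam_krb5.so.1 use_first_pass
login      account   sufficient  /usr/lib/security/libpam_unix.so.1
login      account   required    /usr/lib/security/libpam_krb5.so.1
login      session   sufficient  /usr/lib/security/libpam_unix.so.1
login      session   required    /usr/lib/security/libpam_krb5.so.1
login      password  sufficient  /usr/lib/security/libpam_unix.so.1
login      password  required    /usr/lib/security/libpam_krb5.so.1
su         auth      required    /usr/lib/security/libpam_krb5.so.1
su         account   required    /usr/lib/security/libpam_krb5.so.1
su         session   required    /usr/lib/security/libpam_krb5.so.1
EOF

check_pam_krb5 "$SAMPLE_PAM_CONF" login
check_pam_krb5 "$SAMPLE_PAM_CONF" su || :    # reports the missing password type
```

Point the function at the real /etc/pam.conf and each service name you enabled to confirm the edit before testing a login.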
3.4.6.4 Step 4: Configure NSS
NSS needs to be modified to retrieve your account and group information from Active Directory.
Save a copy of the file /etc/nsswitch.conf and edit the original to specify the LDAP name
service and other name services you want to use. For an example, see /etc/nsswitch.ldap.
You could just copy /etc/nsswitch.ldap to /etc/nsswitch.conf. For more information,
see the nsswitch.conf(4) manpage.
3.4.6.5 Step 5: Configure the PAM Authorization Service Module (PAM_AUTHZ)
This step is optional. Perform it only if you want PAM_AUTHZ to enforce the access rules
defined in the policy file, /etc/opt/ldapux/pam_authz.policy. LDAP-UX Client Services
provides a sample policy file, /etc/opt/ldapux/pam_authz.policy.template. This sample
file shows you how to configure the policy file to work with PAM_AUTHZ. You can copy this sample
file and edit it using the correct syntax to specify the access rules you want to authorize or exclude
from authorization. For more detailed information on how to configure the policy file, see Section 7.4
(page 199).
150 Installing and configuring LDAP-UX Client Services for a Windows ADS environment