
Integrating IBM AIX with Microsoft Active Directory using Kerberos and LDAP

Published: 2016-09-29 09:56:07 Category: Unix Source: 站长网
Summary: Why Kerberos and LDAP? LDAP works very well for storing and retrieving the user attributes of AIX users, but authenticating through LDAP still requires each user to hold both an AIX password and an AD password. Kerberos lets AIX authenticate users against their Microsoft Windows password using AD's native protocol.

Try connecting to the host over Secure Shell (SSH) as a user defined in AD:

ssh aixtest@localhost

You should be able to log in. Once logged in, check the AUTHSTATE environment variable and the klist output (similar to the example below) to confirm that Kerberos was used for authentication.

Example output

aixtest@localhost's password:
*******************************************************************************
* *
* *
* Welcome to AIX Version 6.1! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
Could not chdir to home directory /home/aixtest: The file access permissions do not allow
the specified action.
$ pwd
/
$ echo $AUTHSTATE
KRB5LDAP
$ /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_x0000000000000001
Default principal: aixtest@TEST.LOCAL
    
Valid starting Expires Service principal
01/25/13 14:02:59 01/26/13 00:02:52 krbtgt/TEST.LOCAL@TEST.LOCAL
Renew until 01/26/13 14:02:59
$ exit
Connection to localhost closed.

Note: the AUTHSTATE variable should contain KRB5LDAP, and running klist should return a valid Kerberos ticket.

Example configuration files

/etc/krb5/krb5.conf

[libdefaults]
default_realm = TEST.LOCAL
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = arcfour-hmac
default_tgs_enctypes = arcfour-hmac
dns_lookup_kdc = true
dns_lookup_realm = true
    
[realms]
TEST.LOCAL = {
kdc = PDC1.TEST.LOCAL:88
kdc = PDC2.TEST.LOCAL:88
admin_server = PDC1.TEST.LOCAL:749
master_kdc = PDC1.TEST.LOCAL
default_domain = TEST.LOCAL
}
    
[domain_realm]
.TEST.LOCAL = TEST.LOCAL
TEST.LOCAL = TEST.LOCAL
PDC1.TEST.LOCAL = TEST.LOCAL
PDC2.TEST.LOCAL = TEST.LOCAL
test.local = TEST.LOCAL
.test.local = TEST.LOCAL
    
[logging]
default = SYSLOG:debug:local1

/etc/security/ldap/ldap.cfg

ldapservers:pdc1.test.local
binddn:CN=AIX Service,OU=AIX,DC=test,DC=local
bindpwd:{DESv2}AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEEE
authtype:unix_auth
useSSL:no
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
userbasedn:OU=AIX,DC=test,DC=local
groupbasedn:OU=AIX,DC=test,DC=local
userclasses:user,person,organizationalperson
groupclasses:group
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:sfur2

/etc/methods.cfg

LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64
    
NIS:
program = /usr/lib/security/NIS
program_64 = /usr/lib/security/NIS_64
    
DCE:
program = /usr/lib/security/DCE
    
KRB5:
program = /usr/lib/security/KRB5
program_64 = /usr/lib/security/KRB5_64
options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes
    
KRB5LDAP:
options = auth=KRB5,db=LDAP
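As an added check (example code, not part of the article or of AIX), the following Python script parses the three example files above and reports the settings a security reviewer would question: RC4 encryption types, an LDAP bind without SSL, and the tgt_verify=no / allow_expired_pwd=yes options of the KRB5 module. The sample inputs are trimmed copies of the files shown; the meaning given to the two option names is an assumption based on the names themselves.

```python
import re
# Constructed sample input: the article's three example files, trimmed to the lines the checks read.
KRB5_CONF = """[libdefaults]
default_realm = TEST.LOCAL
default_tkt_enctypes = arcfour-hmac
default_tgs_enctypes = arcfour-hmac
"""
LDAP_CFG = "ldapservers:pdc1.test.local\nauthtype:unix_auth\nuseSSL:no\nldapport:389\n"
METHODS_CFG = """KRB5:
options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes
KRB5LDAP:
options = auth=KRB5,db=LDAP
"""

def parse_stanzas(text, header_re):
    """Parse 'header' blocks of 'key = value' lines; krb5.conf and methods.cfg share this shape."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = header_re.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line and not line.endswith("{"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def parse_ldap_cfg(text):
    """ldap.cfg is a flat list of 'key:value' lines."""
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def audit(krb5_conf, ldap_cfg, methods_cfg):
    """Return the weak settings found, as (file, key, finding) tuples."""
    krb5 = parse_stanzas(krb5_conf, re.compile(r"^\[(\w+)\]$")).get("libdefaults", {})
    methods = parse_stanzas(methods_cfg, re.compile(r"^(\w+):$"))
    ldap = parse_ldap_cfg(ldap_cfg)
    findings = []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if "arcfour" in krb5.get(key, ""):  # RC4-HMAC is deprecated; AD supports AES enctypes
            findings.append(("krb5.conf", key, "RC4 (arcfour-hmac) enctype; prefer AES"))
    if ldap.get("useSSL", "no").strip().lower() == "no":
        findings.append(("ldap.cfg", "useSSL", "bind DN password and directory queries travel in clear"))
    # Split 'a,b=c,...' into {name: value}; flags without '=' get an empty value.
    opts = dict(opt.partition("=")[::2] for opt in methods.get("KRB5", {}).get("options", "").split(","))
    if opts.get("tgt_verify") == "no":  # assumed meaning: TGT is not verified with the host keytab
        findings.append(("methods.cfg", "tgt_verify", "TGT not checked against the host keytab (KDC spoofing risk)"))
    if opts.get("allow_expired_pwd") == "yes":  # assumed meaning: expired passwords still log in
        findings.append(("methods.cfg", "allow_expired_pwd", "expired AD passwords are still accepted at login"))
    return findings
```

With the article's settings the audit returns five findings; with AES enctypes, useSSL:yes, tgt_verify=yes and allow_expired_pwd=no it returns none.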
