Differences

This shows you the differences between two versions of the page.

--- aix:marc [2022/03/29 10:31]
manu [Register a new AD user]
+++ aix:marc [2025/08/23 23:37] (current)
@@ Line 3: / Line 3: @@
 ===== Register a new AD user =====
-If the user **-it** still exist, check the UID on a <fc #ff0000>linux server</fc> connected to Active Directory (sssd process will convert Windows SID to an UNIX UID; Else create it first into active directory
+If the user **-it** still exist, check the UID on a linux server connected to Active Directory (sssd process will convert Windows SID to an UNIX UID; Else create it first into active directory
 <cli prompt='#'>
 [root@LINUX ~]# id user01
@@ Line 11: / Line 11: @@
 We need uid=1200123421(user01@test.lu) and 1200123456(aix-users@test.lu)
-<fc #800080>For AIX users the following field must be fulfill into Active Directory</fc>
+**For AIX users the following field must be fulfill into Active Directory**
 ^Parameter^Value^comment^
 |uid|user01|lowercase|
@@ Line 19: / Line 20: @@
 |uidNumber|1200123421|userID|
-<fc #800080>For AIX groups the following field must be fulfill into Active Directory (For group aix-users)</fc>
+**For AIX groups the following field must be fulfill into Active Directory (For group aix-users)**
 ^Parameter^Value^
 |gidNumber|1200123456|
@@ Line 49: / Line 51: @@
 users           SEC_LIST        member                  m       na      yes
 </cli>
+AD registration in secure mode, using CA certificate
+<code>
+gsk8capicmd_64 -keydb -create -db /etc/security/ldap/ldap.kdb -pw $pwd1 -type cms -stash
+gsk8capicmd_64 -keydb -list -db /etc/security/ldap/ldap.kdb -pw $pwd1 -stash
+gsk8capicmd_64 -cert -add -db /etc/security/ldap/ldap.kdb -pw $pwd1 -type pem -file /tmp/ca2.ad.cer -label 'AD_LU_ca2.cer'
+gsk8capicmd_64 -cert -list -db /etc/security/ldap/ldap.kdb -pw $pwd1
+gsk8capicmd_64 -cert -details -db /etc/security/ldap/ldap.kdb -pw $pwd1 -label 'AD_LU_ca2.cer'
+mksecldap -c -h ldap_srv.test.lu -n 636 -k /etc/security/ldap/ldap.kdb -w $pwd1 -j SSL -a 'CN=ldapuser,OU=Users Misc,OU=Users,OU=....,DC=aaa,DC=test,DC=lu' -p $pwd2 -d 'OU=Users,OU=Users & Groups,DC=aaa,DC=test,DC=lu' -A ldap_auth  -u NONE
+</code>
+If mksecldap command failed, maybe you are not looking at right tree into AD, change the OU
 <cli prompt='#'>
@@ Line 72: / Line 87: @@
 </cli>
+Check if LDAP is present, else add the 3 following lines (added by mksecldap command)
 <cli prompt='#'>
 [root@aixsrv]/etc# cat /etc/methods.cfg
@@ Line 81: / Line 97: @@
 </cli>
+Change default user authentification to default LDAP, or files (both required)
+  chsec -f /etc/security/user -s default -a registry=files
+  chsec -f /etc/security/user -s default -a "SYSTEM=files or LDAP"
+  chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
+Check into the files user and login.cfg
 <cli prompt='#'>
 [root@aixsrv]/etc# cat /etc/security/user
@@ Line 86: / Line 108: @@
 default:
 ...
-        SYSTEM = "LDAP or files"
+        SYSTEM = "files or LDAP"
         registry = "files"
 ...
 </cli>
+===== Enable PAM on AIX =====
+PAM is more flexible to control access protocols compared to AIX standard authentifications
+You can comment unused services
+To use PAM with access control for user and groups
+<cli prompt='#'>
+[root@aixsrv]/etc # cat /etc/pam.conf
+# IBM_PROLOG_BEGIN_TAG
+# This is an automatically generated prolog.
+#
+# bos720 src/bos/etc/pam/pam.conf 1.8.1.1
+#
+# Licensed Materials - Property of IBM
+#
+# COPYRIGHT International Business Machines Corp. 2003,2012
+# All Rights Reserved
+#
+# US Government Users Restricted Rights - Use, duplication or
+# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
+#
+# IBM_PROLOG_END_TAG
+#
+# PAM Configuration File
+#
+# This file controls the PAM stacks for PAM enabled services.
+# The format of each entry is as follows:
+#
+# <service_name> <module_type> <control_flag> <module_path> [module_options]
+#
+# Where:
+#       <service_name> is:
+#               The name of the PAM enabled service.
+#
+#       <module_type> is one of:
+#               auth, account, password, session
+#
+#       <control_flag> is one of:
+#               required, requisite, sufficient, optional
+#
+#       <module_path> is:
+#               The path to the module. If the field does not begin with '/'
+#               then /usr/lib/security/ is prefixed for 32-bit services,
+#               /usr/lib/security/64/ is prefixed for 64-bit services.
+#               If the module path is specified as full path,then it
+#               directly uses for 32-bit services, for 64-bit services
+#               module path derived as <module_path>/64/<module_name>.
+#
+#       [module_options] is:
+#               An optional field. Consult the specified modules documentation
+#               for valid options.
+#
+# The service name OTHER controls the behavior of services that are PAM
+# enabled but do not have an explicit entry in this file.
+#
+#
+# Authentication
+#
+authexec auth   required        pam_aix
+dtaction auth   required        pam_aix
+dtsession auth  required        pam_aix
+dtlogin auth    required        pam_aix
+ftp     auth    required        pam_aix
+imap    auth    required        pam_aix
+login   auth    required        pam_aix
+rexec   auth    required        pam_aix
+rlogin  auth    sufficient      pam_rhosts_auth
+rlogin  auth    required        pam_aix
+rsh     auth    required        pam_rhosts_auth
+snapp   auth    required        pam_aix
+sshd    auth    requisite       pam_permission file=/etc/auth.allow found=allow
+sshd    auth    required        pam_aix
+su      auth    sufficient      pam_allowroot
+su      auth    required        pam_aix
+swrole  auth    required        pam_aix
+telnet  auth    required        pam_aix
+xdm     auth    required        pam_aix
+OTHER   auth    required        pam_prohibit
+#
+# Account Management
+#
+authexec account required       pam_aix
+dtlogin account required        pam_aix
+ftp     account required        pam_aix
+login   account required        pam_aix
+rexec   account required        pam_aix
+rlogin  account required        pam_aix
+rsh     account required        pam_aix
+sshd    account required        pam_aix
+su      account sufficient      pam_allowroot
+su      account required        pam_aix
+sudo    account sufficient      pam_allowroot
+sudo    account required        pam_aix
+swrole  account required        pam_aix
+telnet  account required        pam_aix
+xdm     account required        pam_aix
+OTHER   account required        pam_prohibit
+#
+# Password Management
+#
+authexec password  required     pam_aix
+dtlogin password  required      pam_aix
+login   password  required      pam_aix
+passwd  password  required      pam_aix
+rlogin  password  required      pam_aix
+sshd    password  required      pam_aix
+su      password  required      pam_aix
+sudo    password  required      pam_aix
+telnet  password  required      pam_aix
+xdm     password  required      pam_aix
+OTHER   password  required      pam_prohibit
+#
+# Session Management
+#
+dtlogin session required        pam_aix
+ftp     session required        pam_aix
+imap    session required        pam_aix
+login   session required        pam_aix
+rexec   session required        pam_aix
+rlogin  session required        pam_aix
+rsh     session required        pam_aix
+snapp   session required        pam_aix
+sshd    session required        pam_aix
+sshd    session optional        pam_mkuserhome
+su      session required        pam_aix
+sudo    session required        pam_aix
+sudo    session optional        pam_mkuserhome
+swrole  session required        pam_aix
+telnet  session required        pam_aix
+xdm     session required        pam_aix
+OTHER   session required        pam_prohibit
+#Support for IBM MQ
+ibmmq   auth    required        pam_aix
+ibmmq   account required        pam_aix
+</cli>
+Create the access control file
+<cli prompt='#'>
+[root@aixsrv]/etc # cat /etc/auth.allow
+root
+@users
+@dba_group
+user01
+</cli>
+Enable PAM into SSH
+<cli prompt='#'>
+[root@aixsrv]/etc # cat /etc/ssh/sshd_config | grep '^UsePAM'
+UsePAM yes
+[root@aixsrv]/etc # stopsrc -s sshd
+[root@aixsrv]/etc # startsrc -s sshd
+</cli>
+Change default authentification mechanism
+<cli prompt='#'>
+[root@aixsrv]/etc # lssec -f /etc/security/login.cfg -s usw -a auth_type
+usw auth_type=STD_AUTH
+[root@aixsrv]/etc # chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH
+</cli>
+<code>
+check_nimclient.sh
+#!/usr/bin/ksh
+#set -x
+##################################################
+#@(#) Check NIM CPUID
+##################################################
+# version: 1.0 2023-02 emmiff4
+##################################################
+dir=`dirname $0`
+. $dir/.env
+###########################################################################
+# usage ()
+#
+# Display usage message and exit
+#
+# Parameters:
+#   - none
+###########################################################################
+usage()
+{
+echo "Usage:"
+echo "no parameter, will check CPUID on master and client, and change if not OK"
+echo "-c reset -l <client_name> : will delete the nim client and recreate"
+exit 0
+}
+#------------------------------------------------
+reset_cpuid () {
+MASTERCPUID=$(uname -m)
+for lpar in $(lsnim -t standalone | awk '{print $1}' | grep -v vio)
+do
+  CPUID=$(ssh -o ConnectTimeout=10 $lpar 'uname -m' 2>/dev/null)
+  lenght=${#CPUID}
+  if [ "$lenght" -ne "12" ]
+  then
+    echo "$lpar: no CPUID $CPUID $lenght"
+  else
+    NIMCPUID=$(lsnim -l $lpar | grep cpuid | rev | awk '{print $1}' | rev)
+    CLIENTCPUID=$(ssh $lpar "grep NIM_MASTERID /etc/niminfo" | sed 's/=/\ /g' | rev | awk '{print $1}' | rev)
+    cmd=$(echo sed "'s/"${CLIENTCPUID}"/"${MASTERCPUID}"/'")
+    if [ "$NIMCPUID" == "$CPUID" ]
+    then
+#echo "$CPUID $CLIENTCPUID $NIMCPUID" | tr ' ' '\n' | sort -u
+      if [ "$MASTERCPUID" == "$CLIENTCPUID" ]
+      then
+        echo "$lpar: MASTERCPUID OK"
+      else
+        echo "$lpar: client $CPUID /etc/niminfo ERROR"
+        echo "$lpar: changed"
+        ssh $lpar "cp /etc/niminfo /etc/niminfo.old ; cat /etc/niminfo | $cmd > /etc/niminfo.new ; mv /etc/niminfo.new /etc/niminfo ; stopsrc -s nimsh ; startsrc -s nimsh"
+      fi
+    else
+      echo "$lpar: nimserver $CPUID $NIMCPUID ERROR"
+      nim -o change -a cpuid=${CPUID} $lpar
+      if [ "$MASTERCPUID" != "$CLIENTCPUID" ]
+      then
+        echo "$lpar: client $CPUID /etc/niminfo ERROR"
+        echo "$lpar: changed"
+        ssh $lpar "cp /etc/niminfo /etc/niminfo.old ; cat /etc/niminfo | $cmd > /etc/niminfo.new ; mv /etc/niminfo.new /etc/niminfo ; stopsrc -s nimsh ; startsrc -s nimsh"
+      fi
+    fi
+  fi
+done
+}
+#------------------------------------------------
+recreate_client () {
+echo $lpar $COMMAND
+echo "nim -o remove $lpar"
+echo "ssh $lpar ""'"rm /etc/niminfo"'"
+echo "ssh $lpar ""'"stopsrc -s nimsh"'"
+echo "ssh $lpar ""'"niminit -a name=$lpar -a pif_name=en0 -a master=$master -a platform=chrp -a connect=nimsh -a cable_type='"'N/A'"'"'"
+}
+#############################################
+# main
+#############################################
+main()
+{
+master=$(hostname -s)
+if [ -z "$1" ]
+then
+echo "OK"
+  reset_cpuid
+else
+  while (( "$#" )); do
+    case $1 in
+      help|-h|-help) usage ;;
+      -c) shift && COMMAND="$1" ;;
+      -l) shift && lpar="$1"
+          recreate_client ;;
+    esac
+    shift
+  done
+fi
+}
+main $* | tee $logname 2>&1
+</code>

wiki

User Tools

Site Tools

Differences

Page Tools