aix:marc

Differences

aix:marc [2022/03/29 11:24]
manu
aix:marc [2025/08/23 23:37] (current)
Line 3: Line 3:
 ===== Register a new AD user ===== ===== Register a new AD user =====
  
-If the user **-it** still exist, check the UID on a <fc #ff0000>linux server</​fc> ​connected to Active Directory (sssd process will convert Windows SID to an UNIX UID; Else create it first into active directory+If the user **-it** still exist, check the UID on a linux server connected to Active Directory (sssd process will convert Windows SID to an UNIX UID; Else create it first into active directory
 <cli prompt='#'>​ <cli prompt='#'>​
 [root@LINUX ~]# id user01 [root@LINUX ~]# id user01
Line 11: Line 11:
 We need uid=1200123421(user01@test.lu) and 1200123456(aix-users@test.lu) We need uid=1200123421(user01@test.lu) and 1200123456(aix-users@test.lu)
  
-<fc #800080>For AIX users the following field must be fulfill into Active Directory</fc>+**For AIX users the following field must be fulfill into Active Directory** 
 ^Parameter^Value^comment^ ^Parameter^Value^comment^
 |uid|user01|lowercase| |uid|user01|lowercase|
Line 19: Line 20:
 |uidNumber|1200123421|userID| |uidNumber|1200123421|userID|
  
-<fc #800080>For AIX groups the following field must be fulfill into Active Directory (For group aix-users)</fc>+**For AIX groups the following field must be fulfill into Active Directory (For group aix-users)** 
 ^Parameter^Value^ ^Parameter^Value^
 |gidNumber|1200123456| |gidNumber|1200123456|
Line 58: Line 60:
 gsk8capicmd_64 -cert -list -db /​etc/​security/​ldap/​ldap.kdb -pw $pwd1 gsk8capicmd_64 -cert -list -db /​etc/​security/​ldap/​ldap.kdb -pw $pwd1
 gsk8capicmd_64 -cert -details -db /​etc/​security/​ldap/​ldap.kdb -pw $pwd1 -label '​AD_LU_ca2.cer'​ gsk8capicmd_64 -cert -details -db /​etc/​security/​ldap/​ldap.kdb -pw $pwd1 -label '​AD_LU_ca2.cer'​
-ssh $host "mksecldap -c -h ldap_srv.test.lu -n 636 -k /​etc/​security/​ldap/​ldap.kdb -w $pwd1 -j SSL -a '​CN=ldapuser,​OU=Users Misc,​OU=Users,​OU=....,​DC=aaa,​DC=test,​DC=lu'​ -p $pwd2 -d '​OU=Users,​OU=Users & Groups,​DC=aaa,​DC=test,​DC=lu'​ -A ldap_auth ​ -u NONE+mksecldap -c -h ldap_srv.test.lu -n 636 -k /​etc/​security/​ldap/​ldap.kdb -w $pwd1 -j SSL -a '​CN=ldapuser,​OU=Users Misc,​OU=Users,​OU=....,​DC=aaa,​DC=test,​DC=lu'​ -p $pwd2 -d '​OU=Users,​OU=Users & Groups,​DC=aaa,​DC=test,​DC=lu'​ -A ldap_auth ​ -u NONE
 </​code>​ </​code>​
 +
 +If mksecldap command failed, maybe you are not looking at right tree into AD, change the OU
  
 <cli prompt='#'>​ <cli prompt='#'>​
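Review bot: The new `mksecldap` line still passes both the key-database password (`-w $pwd1`) and the LDAP bind password (`-p $pwd2`) on the command line, so while it runs they are visible to every local user through `ps -ef` (the same holds for the `gsk8capicmd_64 -pw $pwd1` context lines); the old `ssh $host "..."` form additionally expanded them into the remote host's argv, so dropping it is an improvement but not a fix. As far as I can tell mksecldap has no stdin alternative for these options, so the practical mitigation is to run this from a mode-600 script that reads `$pwd1`/`$pwd2` from a protected file rather than typing it at an interactive prompt where it lands in shell history, and to say so next to the command, e.g. `# pwd1/pwd2 are exposed in argv for the lifetime of this command; run from a restricted script, never type them interactively`. The added "change the OU" hint is useful, but a rejected bind for the `CN=ldapuser` account may presumably fail the same way, so it is worth listing that cause too. The `<code>` block these lines belong to opens before this hunk.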
Line 113: Line 117:
 PAM is more flexible to control access protocols compared to AIX standard authentifications PAM is more flexible to control access protocols compared to AIX standard authentifications
  
 +You can comment unused services
 +
 +To use PAM with access control for user and groups
 +<cli prompt='#'>​
 +[root@aixsrv]/​etc # cat /​etc/​pam.conf
 +# IBM_PROLOG_BEGIN_TAG
 +# This is an automatically generated prolog.
 +#
 +# bos720 src/​bos/​etc/​pam/​pam.conf 1.8.1.1
 +#
 +# Licensed Materials - Property of IBM
 +#
 +# COPYRIGHT International Business Machines Corp. 2003,2012
 +# All Rights Reserved
 +#
 +# US Government Users Restricted Rights - Use, duplication or
 +# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
 +#
 +# IBM_PROLOG_END_TAG
 +#
 +# PAM Configuration File
 +#
 +# This file controls the PAM stacks for PAM enabled services.
 +# The format of each entry is as follows:
 +#
 +# <​service_name>​ <​module_type>​ <​control_flag>​ <​module_path>​ [module_options]
 +#
 +# Where:
 +#       <​service_name>​ is:
 +#               The name of the PAM enabled service.
 +#
 +#       <​module_type>​ is one of:
 +#               auth, account, password, session
 +#
 +#       <​control_flag>​ is one of:
 +#               ​required,​ requisite, sufficient, optional
 +#
 +#       <​module_path>​ is:
 +#               The path to the module. If the field does not begin with '/'​
 +#               then /​usr/​lib/​security/​ is prefixed for 32-bit services,
 +#               /​usr/​lib/​security/​64/​ is prefixed for 64-bit services.
 +#               If the module path is specified as full path,then it
 +#               ​directly uses for 32-bit services, for 64-bit services
 +#               ​module path derived as <​module_path>/​64/<​module_name>​.
 +#
 +#       ​[module_options] is:
 +#               An optional field. Consult the specified modules documentation
 +#               for valid options.
 +#
 +# The service name OTHER controls the behavior of services that are PAM
 +# enabled but do not have an explicit entry in this file.
 +#
 +
 +#
 +# Authentication
 +#
 +authexec auth   ​required ​       pam_aix
 +dtaction auth   ​required ​       pam_aix
 +dtsession auth  required ​       pam_aix
 +dtlogin auth    required ​       pam_aix
 +ftp     ​auth ​   required ​       pam_aix
 +imap    auth    required ​       pam_aix
 +login   ​auth ​   required ​       pam_aix
 +rexec   ​auth ​   required ​       pam_aix
 +rlogin ​ auth    sufficient ​     pam_rhosts_auth
 +rlogin ​ auth    required ​       pam_aix
 +rsh     ​auth ​   required ​       pam_rhosts_auth
 +snapp   ​auth ​   required ​       pam_aix
 +sshd    auth    requisite ​      ​pam_permission file=/​etc/​auth.allow found=allow
 +sshd    auth    required ​       pam_aix
 +su      auth    sufficient ​     pam_allowroot
 +su      auth    required ​       pam_aix
 +swrole ​ auth    required ​       pam_aix
 +telnet ​ auth    required ​       pam_aix
 +xdm     ​auth ​   required ​       pam_aix
 +OTHER   ​auth ​   required ​       pam_prohibit
 +
 +#
 +# Account Management
 +#
 +authexec account required ​      ​pam_aix
 +dtlogin account required ​       pam_aix
 +ftp     ​account required ​       pam_aix
 +login   ​account required ​       pam_aix
 +rexec   ​account required ​       pam_aix
 +rlogin ​ account required ​       pam_aix
 +rsh     ​account required ​       pam_aix
 +sshd    account required ​       pam_aix
 +su      account sufficient ​     pam_allowroot
 +su      account required ​       pam_aix
 +sudo    account sufficient ​     pam_allowroot
 +sudo    account required ​       pam_aix
 +swrole ​ account required ​       pam_aix
 +telnet ​ account required ​       pam_aix
 +xdm     ​account required ​       pam_aix
 +OTHER   ​account required ​       pam_prohibit
 +
 +#
 +# Password Management
 +#
 +authexec password ​ required ​    ​pam_aix
 +dtlogin password ​ required ​     pam_aix
 +login   ​password ​ required ​     pam_aix
 +passwd ​ password ​ required ​     pam_aix
 +rlogin ​ password ​ required ​     pam_aix
 +sshd    password ​ required ​     pam_aix
 +su      password ​ required ​     pam_aix
 +sudo    password ​ required ​     pam_aix
 +telnet ​ password ​ required ​     pam_aix
 +xdm     ​password ​ required ​     pam_aix
 +OTHER   ​password ​ required ​     pam_prohibit
 +
 +#
 +# Session Management
 +#
 +dtlogin session required ​       pam_aix
 +ftp     ​session required ​       pam_aix
 +imap    session required ​       pam_aix
 +login   ​session required ​       pam_aix
 +rexec   ​session required ​       pam_aix
 +rlogin ​ session required ​       pam_aix
 +rsh     ​session required ​       pam_aix
 +snapp   ​session required ​       pam_aix
 +sshd    session required ​       pam_aix
 +sshd    session optional ​       pam_mkuserhome
 +su      session required ​       pam_aix
 +sudo    session required ​       pam_aix
 +sudo    session optional ​       pam_mkuserhome
 +swrole ​ session required ​       pam_aix
 +telnet ​ session required ​       pam_aix
 +xdm     ​session required ​       pam_aix
 +OTHER   ​session required ​       pam_prohibit
 +
 +#Support for IBM MQ
 +ibmmq   ​auth ​   required ​       pam_aix
 +ibmmq   ​account required ​       pam_aix
 +</​cli>​
 +
 +Create the access control file
 +<cli prompt='#'>​
 +[root@aixsrv]/​etc # cat /​etc/​auth.allow
 +root
 +@users
 +@dba_group
 +user01
 +</​cli>​
 +
 +Enable PAM into SSH
 +<cli prompt='#'>​
 +[root@aixsrv]/​etc # cat /​etc/​ssh/​sshd_config | grep '​^UsePAM'​
 +UsePAM yes
 +[root@aixsrv]/​etc # stopsrc -s sshd
 +[root@aixsrv]/​etc # startsrc -s sshd
 +</​cli>​
 +
 +Change default authentification mechanism
 +<cli prompt='#'>​
 +[root@aixsrv]/​etc # lssec -f /​etc/​security/​login.cfg -s usw -a auth_type ​
 +usw auth_type=STD_AUTH
 +[root@aixsrv]/​etc # chsec -f /​etc/​security/​login.cfg -s usw -a auth_type=PAM_AUTH
 +</​cli>​
 +
 +<​code>​
 +check_nimclient.sh
 +#​!/​usr/​bin/​ksh
 +#set -x
 +##################################################​
 +#@(#) Check NIM CPUID
 +##################################################​
 +# version: 1.0 2023-02 emmiff4
 +##################################################​
 +
 +dir=`dirname $0`
 +. $dir/.env
 +
 +
 +###########################################################################​
 +# usage ()
 +#
 +# Display usage message and exit
 +#
 +# Parameters:
 +#   - none
 +###########################################################################​
 +usage()
 +{
 +echo "​Usage:"​
 +echo "no parameter, will check CPUID on master and client, and change if not OK"
 +echo "-c reset -l <​client_name>​ : will delete the nim client and recreate"​
 +exit 0
 +}
 +
 +#​------------------------------------------------
 +reset_cpuid () {
 +
 +MASTERCPUID=$(uname -m)
 +for lpar in $(lsnim -t standalone | awk '​{print $1}' | grep -v vio)
 +do
 +  CPUID=$(ssh -o ConnectTimeout=10 $lpar 'uname -m' 2>/​dev/​null)
 +  lenght=${#​CPUID}
 +  if [ "​$lenght"​ -ne "​12"​ ]
 +  then
 +    echo "​$lpar:​ no CPUID $CPUID $lenght"​
 +  else
 +    NIMCPUID=$(lsnim -l $lpar | grep cpuid | rev | awk '​{print $1}' | rev)
 +    CLIENTCPUID=$(ssh $lpar "grep NIM_MASTERID /​etc/​niminfo"​ | sed 's/=/\ /g' | rev | awk '​{print $1}' | rev)
 +    cmd=$(echo sed "'​s/"​${CLIENTCPUID}"/"​${MASTERCPUID}"/'"​)
 +    if [ "​$NIMCPUID"​ == "​$CPUID"​ ]
 +    then
 +#echo "​$CPUID $CLIENTCPUID $NIMCPUID"​ | tr ' ' '​\n'​ | sort -u
 +      if [ "​$MASTERCPUID"​ == "​$CLIENTCPUID"​ ]
 +      then
 +        echo "​$lpar:​ MASTERCPUID OK"
 +      else
 +        echo "​$lpar:​ client $CPUID /​etc/​niminfo ERROR"
 +        echo "​$lpar:​ changed"​
 +        ssh $lpar "cp /​etc/​niminfo /​etc/​niminfo.old ; cat /​etc/​niminfo | $cmd > /​etc/​niminfo.new ; mv /​etc/​niminfo.new /​etc/​niminfo ; stopsrc -s nimsh ; startsrc -s nimsh"
 +      fi
 +    else
 +      echo "​$lpar:​ nimserver $CPUID $NIMCPUID ERROR"
 +      nim -o change -a cpuid=${CPUID} $lpar
 +      if [ "​$MASTERCPUID"​ != "​$CLIENTCPUID"​ ]
 +      then
 +        echo "​$lpar:​ client $CPUID /​etc/​niminfo ERROR"
 +        echo "​$lpar:​ changed"​
 +        ssh $lpar "cp /​etc/​niminfo /​etc/​niminfo.old ; cat /​etc/​niminfo | $cmd > /​etc/​niminfo.new ; mv /​etc/​niminfo.new /​etc/​niminfo ; stopsrc -s nimsh ; startsrc -s nimsh"
 +      fi
 +    fi
 +  fi
 +done
 +
 +}
 +
 +#​------------------------------------------------
 +recreate_client () {
 +echo $lpar $COMMAND
 +echo "nim -o remove $lpar"
 +echo "ssh $lpar ""'"​rm /​etc/​niminfo"'"​
 +echo "ssh $lpar ""'"​stopsrc -s nimsh"'"​
 +echo "ssh $lpar ""'"​niminit -a name=$lpar -a pif_name=en0 -a master=$master -a platform=chrp -a connect=nimsh -a cable_type='"'​N/​A'"'"'"​
 +}
 +
 +
 +
 +#############################################​
 +# main
 +#############################################​
 +main()
 +{
 +master=$(hostname -s)
 +
 +if [ -z "​$1"​ ]
 +then
 +echo "​OK"​
 +  reset_cpuid
 +else
 +  while (( "​$#"​ )); do
 +    case $1 in
 +      help|-h|-help) usage ;;
 +      -c) shift && COMMAND="​$1"​ ;;
 +      -l) shift && lpar="​$1"​
 +          recreate_client ;;
 +    esac
 +    shift
 +  done
 +fi
 +}
 +
 +main $* | tee $logname 2>&1
 +</​code>​
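Review bot: The `/etc/auth.allow` gate is wired only into the sshd stack (`sshd auth requisite pam_permission file=/etc/auth.allow found=allow`), while `login`, `telnet`, `ftp`, `rlogin`, `rexec`, `rsh`, `imap` and `dtlogin` keep a plain `pam_aix` stack, so as far as I can tell once `auth_type=PAM_AUTH` is set an AD-mapped user who is not in the list can still authenticate through those services — and `rlogin auth sufficient pam_rhosts_auth` / `rsh auth required pam_rhosts_auth` additionally admit host-trust logins without a password. Because `OTHER auth required pam_prohibit` is present, the sentence "You can comment unused services" is really the security control of this section: every service not deliberately kept falls through to `pam_prohibit` once commented out, and each interactive service that stays needs the same `requisite pam_permission` line ahead of `pam_aix`. I would reword it to `Comment out every service you do not use (with OTHER set to pam_prohibit they are then denied) and add the pam_permission line to each remaining login service, not only sshd.` Separately, in `check_nimclient.sh` the remote command `cat /etc/niminfo | $cmd > /etc/niminfo.new ; mv /etc/niminfo.new /etc/niminfo` is chained with `;`, so a failing `sed` (for example when `CLIENTCPUID` is empty) still replaces `/etc/niminfo` with an empty file before `nimsh` is restarted — joining the steps with `&&` stops that.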
  
aix/marc.1648545858.txt.gz · Last modified: 2022/03/29 11:24 by manu