====== Kerberos ======
===== Disadvantage of using Kerberos =====
:!: The user account still has to be created locally on AIX (the KRB5files registry keeps the account in the local files database); only the authentication, i.e. the password check, is delegated to Kerberos/AD. UID, home directory and group membership are not pulled from the domain.
https://www.ibm.com/support/pages/active-directory-ad-aix-step-step-instructions-integrate-active-directory-2016-aix-ldap-protocol
http://www.wmduszyk.com/?author=0&cpage=1&langswitch_lang=pl&paged=15
https://www.ibm.com/developerworks/aix/library/au-aixldap/index.html#artdownload
https://www.ibm.com/developerworks/community/forums/html/topic?id=e8867f92-a2b7-435c-8baa-f0e164599061
https://docs.pagure.org/SSSD.sssd/users/ldap_with_ad.html
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-2/learning-center/configure-the-gateway-for-kerberos-token-based-authentication/working-with-multiple-service-principal-names.html
https://docs.datastax.com/en/tutorials/kerberos/kerberos/addingKerberosPrincipals.html
https://web.mit.edu/kerberos/krb5-devel/doc/admin/princ_dns.html
Options for a cluster (the service is reached through a cluster alias, so the hostname a client puts in the service principal does not match reverse DNS). ignore_acceptor_hostname and rdns go in the [libdefaults] section of krb5.conf:
<code>
DNSLOOKUP none
ignore_acceptor_hostname = true   # acceptor accepts any host/ key present in its keytab, not only its own hostname
rdns = false                      # do not canonicalize hostnames through reverse DNS when building service principals
</code>
Check the SPN on Windows (run on a domain-joined host):
<code>
c:\> setspn -Q user1/server1
Checking Domain ....
</code>
Configure the AIX host as a Kerberos client of the AD realm (KDC and admin server are both the domain controller):
<code>
[root@aix1]/root# mkkrb5clnt -r DOM1.LU -c ad-dc1.test.lu -s ad-dc1.test.lu -d dom1.lu -D -t 365:0:0:0 -i files -K
</code>
The resulting stanzas in methods.cfg (comment lines filtered out):
<code>
[root@aix1]/root# cat /usr/lib/security/methods.cfg | grep -v ^*
...
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,tgt_verify=no,kadmind=no,is_kadmind_compat=no

KRB5files:
        options = db=BUILTIN,auth=KRB5
</code>
authonly together with db=BUILTIN,auth=KRB5 is what makes this password-only: the account lives in the local files database and only the password check goes to AD. kadmind=no,is_kadmind_compat=no are correct for an AD KDC, which has no MIT kadmind.
:!: tgt_verify=no means the TGT returned by the KDC is not checked against a host key in the local keytab, so anything that can answer the AS exchange in the KDC's place can log a user in with a password of its own choosing (KDC spoofing). Set tgt_verify=yes once the host has its own host/ principal in the keytab.
Enable Kerberos 5 as an authentication method, keeping standard AIX as fallback:
<code>
[root@aix1]/root# chauthent -k5 -std
[root@aix1]/root# lsauthent
Kerberos 5
Standard Aix
</code>
Switch the (already existing, local) user to the KRB5files registry:
<code>
[root@aix1]/root# chuser registry=KRB5files SYSTEM=KRB5files user1
[root@aix1]/root# grep -p user1 /etc/security/user
user1:
        registry = KRB5files
        SYSTEM = "KRB5files"
</code>
Test: log in with the AD password and check that a TGT was obtained:
<code>
[user1@aix1]/root# ssh user1@aix1
..............
[user1@aix1]/home/user1# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_x0000000000000001
Default principal: user1@DOM1.LU

Valid starting       Expires              Service principal
11/15/12 15:12:00    11/16/12 01:12:00    krbtgt/DOM1.LU@DOM1.LU
        Renew until 11/22/12 15:12:00
</code>
The credential cache is owned by the user and mode 0600; a symlink named after the principal points at it:
<code>
[root@aix1]/var/krb5/security# ls -l creds
total 8
lrwxrwxrwx 1 user1 staff   49 Nov 15 12:22 krb5cc_user1@DOM1.LU_5026 -> /var/krb5/security/creds/krb5cc_x0000000000000001
-rw------- 1 user1 staff 1731 Nov 15 12:22 krb5cc_x0000000000000001
</code>
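As an added example (not from the original page, IBM's tooling or any project), the script below audits a host for the settings described above: the KRB5 and KRB5files stanzas in methods.cfg, the user's registry/SYSTEM attributes in /etc/security/user, and the two cluster options in [libdefaults] of krb5.conf. It also warns about tgt_verify=no. The stanza and krb5.conf parsers are small awk functions; make_samples writes constructed copies of the files mirroring the output on this page, plus an invented second account user2 that was never switched to KRB5files, so the checker has something to fail on. Paths, the user names and the sample contents are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: audit AIX Kerberos client settings.

# stanza_value FILE STANZA KEY: print the value of "KEY = value" inside the
# "STANZA:" block of an AIX stanza file, with surrounding quotes removed.
stanza_value() {
    awk -v stanza="$2:" -v key="$3" '
        /^[^ \t#=]+:[ \t]*$/ { cur = $1; next }   # header line, e.g. "KRB5:" or "user1:"
        cur == stanza && $1 == key && $2 == "=" {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); gsub(/"/, "", v); print v; exit
        }' "$1"
}

# csv_has LIST NAME: succeed if NAME is one item of the comma-separated LIST
csv_has() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# krb5_libdefault FILE KEY: print KEY's value from the [libdefaults] section
krb5_libdefault() {
    awk -v key="$2" '
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect); next }
        sect == "libdefaults" && $1 == key && $2 == "=" { print $3; exit }' "$1"
}

# audit_krb5_client METHODS_CFG USER_FILE KRB5_CONF USER
# Prints one line per finding; returns 0 only when every expected setting is present.
audit_krb5_client() {
    methods=$1 userfile=$2 krb5conf=$3 user=$4 rc=0
    opts=$(stanza_value "$methods" KRB5 options)
    csv_has "$opts" authonly || { echo "KRB5: missing authonly (account must stay local, only the password goes to AD)"; rc=1; }
    csv_has "$opts" tgt_verify=no && echo "WARNING KRB5: tgt_verify=no, TGT not verified against the host keytab (KDC spoofing possible)"
    kf=$(stanza_value "$methods" KRB5files options)
    csv_has "$kf" db=BUILTIN && csv_has "$kf" auth=KRB5 \
        || { echo "KRB5files: expected options = db=BUILTIN,auth=KRB5, got '$kf'"; rc=1; }
    for key in registry SYSTEM; do
        v=$(stanza_value "$userfile" "$user" "$key")
        [ "$v" = KRB5files ] || { echo "$user: $key = '$v', expected KRB5files"; rc=1; }
    done
    [ "$(krb5_libdefault "$krb5conf" rdns)" = false ] \
        || { echo "krb5.conf: set rdns = false in [libdefaults] for cluster aliases"; rc=1; }
    [ "$(krb5_libdefault "$krb5conf" ignore_acceptor_hostname)" = true ] \
        || { echo "krb5.conf: set ignore_acceptor_hostname = true in [libdefaults]"; rc=1; }
    return $rc
}

# make_samples DIR: constructed sample files mirroring the page's output.
# user1 is configured as on the page; user2 is an invented local-only account.
make_samples() {
    mkdir -p "$1"
    cat > "$1/methods.cfg" <<'EOF'
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,tgt_verify=no,kadmind=no,is_kadmind_compat=no

KRB5files:
        options = db=BUILTIN,auth=KRB5
EOF
    cat > "$1/user" <<'EOF'
default:
        registry = files

user1:
        registry = KRB5files
        SYSTEM = "KRB5files"

user2:
        registry = files
        SYSTEM = "compat"
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = DOM1.LU
        rdns = false
        ignore_acceptor_hostname = true
[realms]
        DOM1.LU = {
                kdc = ad-dc1.test.lu:88
        }
EOF
}

# Run with --demo to audit the constructed samples; on a real host call
# audit_krb5_client /usr/lib/security/methods.cfg /etc/security/user /etc/krb5/krb5.conf <user>
case "${1:-}" in
--demo)
    d=$(mktemp -d)
    make_samples "$d"
    audit_krb5_client "$d/methods.cfg" "$d/user" "$d/krb5.conf" user1 && echo "user1: OK"
    audit_krb5_client "$d/methods.cfg" "$d/user" "$d/krb5.conf" user2 || echo "user2: NOT kerberized"
    rm -rf "$d"
    ;;
esac
```

The parsers deliberately key on the stanza header ("user1:") rather than grepping for "registry", because /etc/security/user carries a default: stanza and many users, and a plain grep would happily match another account's line.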