If the user (-it account) already exists, check its UID on a Linux server joined to Active Directory (the sssd process maps the Windows SID to a UNIX UID); otherwise create the user in Active Directory first.
[root@LINUX ~]# id user01 uid=1200123421(emmiff4-it@test.lu) gid=12001222222(domain users@test.lu) ......,12004111111(storage-admin@test.lu),1200123456(aix-users@test.lu)
The values needed are uid=1200123421 (user01@test.lu) and the group 1200123456 (aix-users@test.lu).
For AIX users, the following attributes must be filled in within Active Directory:
| Parameter | Value | comment |
|---|---|---|
| uid | user01 | lowercase |
| unixHomeDirectory | /home/user01 | lowercase |
| loginShell | /bin/bash | shell: keep bash everywhere |
| gidNumber | 1200123456 | primary group ID (always aix-users) |
| uidNumber | 1200123421 | userID |
For AIX groups, the following attribute must be filled in within Active Directory (here for the group aix-users):
| Parameter | Value |
|---|---|
| gidNumber | 1200123456 |
[root@aixsrv]/etc/security/ldap# cat sfur2user.map username SEC_CHAR uid s na yes id SEC_INT uidNumber s na yes pgrp SEC_CHAR gidNumber s na yes home SEC_CHAR unixhomeDirectory s na yes shell SEC_CHAR loginShell s na yes gecos SEC_CHAR gecos s na yes spassword SEC_CHAR unicodePwd s lastupdate SEC_INT pwdLastSet s UTC no time_last_login SEC_INT lastLogon s UTC no maxage SEC_INT codePage s na yes minage SEC_INT shadowMin s na yes maxexpired SEC_INT shadowExpire s na yes pwdwarntime SEC_INT shadowWarning s na yes pgid SEC_INT gidnumber s na yes
[root@aixsrv]/etc/security/ldap# cat sfur2group.map groupname SEC_CHAR cn s na yes id SEC_INT gidNumber s na yes users SEC_LIST member m na yes
AD registration in secure mode (LDAPS on port 636), using the CA certificate. The commands below expand the key-database password ($pwd1) and the bind password ($pwd2) from shell variables onto command lines, where they can show up in shell history and process listings; set those variables without echoing them and unset them when done.
gsk8capicmd_64 -keydb -create -db /etc/security/ldap/ldap.kdb -pw $pwd1 -type cms -stash gsk8capicmd_64 -keydb -list -db /etc/security/ldap/ldap.kdb -pw $pwd1 -stash gsk8capicmd_64 -cert -add -db /etc/security/ldap/ldap.kdb -pw $pwd1 -type pem -file /tmp/ca2.ad.cer -label 'AD_LU_ca2.cer' gsk8capicmd_64 -cert -list -db /etc/security/ldap/ldap.kdb -pw $pwd1 gsk8capicmd_64 -cert -details -db /etc/security/ldap/ldap.kdb -pw $pwd1 -label 'AD_LU_ca2.cer' mksecldap -c -h ldap_srv.test.lu -n 636 -k /etc/security/ldap/ldap.kdb -w $pwd1 -j SSL -a 'CN=ldapuser,OU=Users Misc,OU=Users,OU=....,DC=aaa,DC=test,DC=lu' -p $pwd2 -d 'OU=Users,OU=Users & Groups,DC=aaa,DC=test,DC=lu' -A ldap_auth -u NONE
If the mksecldap command fails, you may be pointing at the wrong tree in AD: adjust the OU in the bind DN (-a) and/or the user base DN (-d).
[root@aixsrv]/etc/security/ldap# grep -v '^#' /etc/security/ldap/ldap.cfg | sed '/^$/d' serverschematype:sfur2 ldapservers:ldap_srv.test.lu binddn:CN=ldapuser,OU=Users Misc,OU=Users,OU=....,DC=aaa,DC=test,DC=lu bindpwd:{DESv2}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx authtype:ldap_auth searchmode:ALL defaultentrylocation:LDAP ldapport:636 useSSL:SSL pwdalgorithm:system ldapsslkeyf:/etc/security/ldap/ldap.kdb ldapsslkeypwd:{DESv2}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx userclasses:user,person,organizationalperson groupclasses:group userattrmappath:/etc/security/ldap/sfur2user.map groupattrmappath:/etc/security/ldap/sfur2group.map userbasedn:OU=Users,OU=Users & Groups,DC=aaa,DC=test,DC=lu groupbasedn:OU=xxx,OU=Groups,OU=Users & Groups,DC=aaa,DC=test,DC=lu
Check that the LDAP stanza is present in /etc/methods.cfg; otherwise add the following three lines (normally added by the mksecldap command):
[root@aixsrv]/etc# cat /etc/methods.cfg ... LDAP: program = /usr/lib/security/LDAP program_64 =/usr/lib/security/LDAP64 ...
Change the default user authentication to "files or LDAP" and the default registry to files (both are required):
chsec -f /etc/security/user -s default -a registry=files chsec -f /etc/security/user -s default -a "SYSTEM=files or LDAP" chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
Verify the result in /etc/security/user and /etc/security/login.cfg:
[root@aixsrv]/etc# cat /etc/security/user ... default: ... SYSTEM = "files or LDAP" registry = "files" ...
PAM gives finer control over which access protocols (services) are allowed than the standard AIX authentication does.
You can comment out the services you do not use; a service with no explicit entry falls through to the OTHER stanza, which in the configuration below is pam_prohibit and therefore denies access.
To use PAM with access control for users and groups:
[root@aixsrv]/etc # cat /etc/pam.conf # IBM_PROLOG_BEGIN_TAG # This is an automatically generated prolog. # # bos720 src/bos/etc/pam/pam.conf 1.8.1.1 # # Licensed Materials - Property of IBM # # COPYRIGHT International Business Machines Corp. 2003,2012 # All Rights Reserved # # US Government Users Restricted Rights - Use, duplication or # disclosure restricted by GSA ADP Schedule Contract with IBM Corp. # # IBM_PROLOG_END_TAG # # PAM Configuration File # # This file controls the PAM stacks for PAM enabled services. # The format of each entry is as follows: # # <service_name> <module_type> <control_flag> <module_path> [module_options] # # Where: # <service_name> is: # The name of the PAM enabled service. # # <module_type> is one of: # auth, account, password, session # # <control_flag> is one of: # required, requisite, sufficient, optional # # <module_path> is: # The path to the module. If the field does not begin with '/' # then /usr/lib/security/ is prefixed for 32-bit services, # /usr/lib/security/64/ is prefixed for 64-bit services. # If the module path is specified as full path,then it # directly uses for 32-bit services, for 64-bit services # module path derived as <module_path>/64/<module_name>. # # [module_options] is: # An optional field. Consult the specified modules documentation # for valid options. # # The service name OTHER controls the behavior of services that are PAM # enabled but do not have an explicit entry in this file. 
# # # Authentication # authexec auth required pam_aix dtaction auth required pam_aix dtsession auth required pam_aix dtlogin auth required pam_aix ftp auth required pam_aix imap auth required pam_aix login auth required pam_aix rexec auth required pam_aix rlogin auth sufficient pam_rhosts_auth rlogin auth required pam_aix rsh auth required pam_rhosts_auth snapp auth required pam_aix sshd auth requisite pam_permission file=/etc/auth.allow found=allow sshd auth required pam_aix su auth sufficient pam_allowroot su auth required pam_aix swrole auth required pam_aix telnet auth required pam_aix xdm auth required pam_aix OTHER auth required pam_prohibit # # Account Management # authexec account required pam_aix dtlogin account required pam_aix ftp account required pam_aix login account required pam_aix rexec account required pam_aix rlogin account required pam_aix rsh account required pam_aix sshd account required pam_aix su account sufficient pam_allowroot su account required pam_aix sudo account sufficient pam_allowroot sudo account required pam_aix swrole account required pam_aix telnet account required pam_aix xdm account required pam_aix OTHER account required pam_prohibit # # Password Management # authexec password required pam_aix dtlogin password required pam_aix login password required pam_aix passwd password required pam_aix rlogin password required pam_aix sshd password required pam_aix su password required pam_aix sudo password required pam_aix telnet password required pam_aix xdm password required pam_aix OTHER password required pam_prohibit # # Session Management # dtlogin session required pam_aix ftp session required pam_aix imap session required pam_aix login session required pam_aix rexec session required pam_aix rlogin session required pam_aix rsh session required pam_aix snapp session required pam_aix sshd session required pam_aix sshd session optional pam_mkuserhome su session required pam_aix sudo session required pam_aix sudo session optional 
pam_mkuserhome swrole session required pam_aix telnet session required pam_aix xdm session required pam_aix OTHER session required pam_prohibit #Support for IBM MQ ibmmq auth required pam_aix ibmmq account required pam_aix
Create the access control file referenced by the sshd auth line above (pam_permission file=/etc/auth.allow found=allow); the @-prefixed entries are groups. Keep the list to the users and groups that actually need SSH access.
[root@aixsrv]/etc # cat /etc/auth.allow root @users @dba_group user01
Enable PAM in SSH (UsePAM yes in /etc/ssh/sshd_config) and restart sshd:
[root@aixsrv]/etc # cat /etc/ssh/sshd_config | grep '^UsePAM' UsePAM yes [root@aixsrv]/etc # stopsrc -s sshd [root@aixsrv]/etc # startsrc -s sshd
Change the default authentication mechanism from STD_AUTH to PAM_AUTH:
[root@aixsrv]/etc # lssec -f /etc/security/login.cfg -s usw -a auth_type usw auth_type=STD_AUTH [root@aixsrv]/etc # chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH
check_nimclient.sh
#!/usr/bin/ksh
#set -x
##################################################
#@(#) Check NIM CPUID
##################################################
# version: 1.0 2023-02 emmiff4
##################################################
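# Resolve the script's own directory and load site settings from the sibling
# .env file (presumably where logname is defined — confirm against .env).
# Quoted so a path containing spaces does not break the source.
dir=$(dirname "$0")
. "$dir/.env"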
###########################################################################
# usage ()
#
# Display usage message and exit
#
# Parameters:
# - none
###########################################################################
usage()
{
  # Print the command-line help on stdout and terminate successfully.
  printf '%s\n' \
    "Usage:" \
    "no parameter, will check CPUID on master and client, and change if not OK" \
    "-c reset -l <client_name> : will delete the nim client and recreate"
  exit 0
}
#------------------------------------------------
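#------------------------------------------------
# is_plain_id <value>
#
# True when <value> is non-empty and made only of letters and digits, i.e.
# safe to embed in the sed expression built by fix_client_masterid. The
# machine ids handled here are expected to be 12 hexadecimal characters
# (see the length check in reset_cpuid), so anything else is rejected.
is_plain_id() {
  case "$1" in
    '') return 1 ;;
    *[!0-9A-Za-z]*) return 1 ;;
  esac
  return 0
}
#------------------------------------------------
# fix_client_masterid <lpar> <old_id> <new_id>
#
# On the client <lpar>, over ssh: keep a copy of /etc/niminfo as
# /etc/niminfo.old, rewrite <old_id> to <new_id> (first occurrence per line),
# then restart nimsh so the client picks up the new master id. Both ids must
# already have passed is_plain_id so the sed pattern has no metacharacters.
fix_client_masterid() {
  _lpar=$1
  _old=$2
  _new=$3
  ssh "$_lpar" "cp /etc/niminfo /etc/niminfo.old ; sed 's/$_old/$_new/' /etc/niminfo > /etc/niminfo.new ; mv /etc/niminfo.new /etc/niminfo ; stopsrc -s nimsh ; startsrc -s nimsh"
}
#------------------------------------------------
# reset_cpuid
#
# Run on the NIM master. For every standalone NIM client (names containing
# "vio" are skipped) compare three ids:
#   CPUID       - what the client itself reports (uname -m over ssh)
#   NIMCPUID    - what the master's NIM database holds for the client
#   CLIENTCPUID - the NIM_MASTERID stored in the client's /etc/niminfo
# and repair the two that can drift: the NIM database entry (nim -o change)
# and the client's /etc/niminfo (fix_client_masterid). A client that cannot
# be reached, or whose id is not 12 characters, is reported and left alone.
# Output: one status line per client on stdout, as before; the
# "MASTERCPUID OK" line is now printed whenever the master id matches, even
# if the NIM database entry had to be corrected.
# Globals written: MASTERCPUID, CPUID, NIMCPUID, CLIENTCPUID, lpar.
reset_cpuid () {
  MASTERCPUID=$(uname -m)
  # lsnim -t standalone prints one client per line, name in the first column
  for lpar in $(lsnim -t standalone | awk '$1 !~ /vio/ {print $1}')
  do
    CPUID=$(ssh -o ConnectTimeout=10 "$lpar" 'uname -m' 2>/dev/null)
    if [ "${#CPUID}" -ne 12 ]
    then
      # unreachable client or unexpected id format: report and move on
      echo "$lpar: no CPUID $CPUID ${#CPUID}"
      continue
    fi
    # last field of the "cpuid" line of lsnim -l
    NIMCPUID=$(lsnim -l "$lpar" | awk '/cpuid/ {print $NF}')
    # last field of "... NIM_MASTERID=<id>" once '=' is treated as a separator
    CLIENTCPUID=$(ssh "$lpar" "grep NIM_MASTERID /etc/niminfo" | tr '=' ' ' | awk '{print $NF}')
    if [ "$NIMCPUID" != "$CPUID" ]
    then
      echo "$lpar: nimserver $CPUID $NIMCPUID ERROR"
      nim -o change -a cpuid="$CPUID" "$lpar"
    fi
    if [ "$MASTERCPUID" = "$CLIENTCPUID" ]
    then
      echo "$lpar: MASTERCPUID OK"
    elif is_plain_id "$CLIENTCPUID" && is_plain_id "$MASTERCPUID"
    then
      echo "$lpar: client $CPUID /etc/niminfo ERROR"
      echo "$lpar: changed"
      fix_client_masterid "$lpar" "$CLIENTCPUID" "$MASTERCPUID"
    else
      # an empty or odd id would give sed an empty/garbled pattern (the old
      # code then failed or rewrote the wrong text); leave the client alone
      echo "$lpar: client /etc/niminfo NIM_MASTERID '$CLIENTCPUID' not usable, not changed"
    fi
  done
}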
#------------------------------------------------
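#------------------------------------------------
# recreate_client
#
# Dry run only: prints, but does not execute, the commands that would remove
# the NIM client named in $lpar and re-register it against $master with
# niminit. Globals read: lpar (client name, from -l), COMMAND (from -c; it is
# echoed on the first line but not otherwise checked), master (set by main).
# Returns 1 with a message on stderr when $lpar is empty, since every printed
# command needs a client name.
recreate_client () {
  if [ -z "$lpar" ]
  then
    echo "recreate_client: no client name given (use -l <client_name>)" >&2
    return 1
  fi
  printf '%s %s\n' "$lpar" "$COMMAND"
  printf '%s\n' "nim -o remove $lpar"
  printf '%s\n' "ssh $lpar 'rm /etc/niminfo'"
  printf '%s\n' "ssh $lpar 'stopsrc -s nimsh'"
  printf '%s\n' "ssh $lpar 'niminit -a name=$lpar -a pif_name=en0 -a master=$master -a platform=chrp -a connect=nimsh -a cable_type=\"N/A\"'"
}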
#############################################
# main
#############################################
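# main [help|-h|-help] | [-c <command>] [-l <client_name>]
#
# With no arguments: run reset_cpuid over every standalone NIM client.
# Otherwise walk the arguments: -c stores its value in COMMAND, -l stores the
# client name in lpar and immediately runs recreate_client (so -c must come
# before -l, as in the usage text). An unknown argument is reported on stderr
# and the usage is shown. Globals written: master, COMMAND, lpar.
main()
{
  master=$(hostname -s)
  if [ $# -eq 0 ]
  then
    echo "OK"
    reset_cpuid
    return
  fi
  while [ $# -gt 0 ]
  do
    case "$1" in
      help|-h|-help)
        usage ;;
      -c)
        shift
        COMMAND=${1:-} ;;
      -l)
        shift
        lpar=${1:-}
        recreate_client ;;
      *)
        echo "main: unknown argument '$1'" >&2
        usage ;;
    esac
    # -c/-l as the last argument leave nothing to shift; guard the final shift
    [ $# -gt 0 ] && shift
  done
}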
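# Entry point: pass the arguments through unchanged ("$@" keeps each one a
# single word, unlike $*) and keep a copy of all output in $logname, which is
# presumably set by the sourced .env — confirm. stderr is merged before tee so
# error lines land in the log too. Note: the pipeline's exit status is tee's,
# not main's. Without a log name, run main directly instead of handing tee an
# empty file name.
if [ -n "$logname" ]
then
  main "$@" 2>&1 | tee "$logname"
else
  main "$@"
fi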