
aix_ldap

Register a new AD user

If the user already exists, check its UID on a Linux server connected to Active Directory (the sssd process converts the Windows SID to a UNIX UID); otherwise create the user in Active Directory first.

[root@LINUX ~]# id user01
uid=1200123421(emmiff4-it@test.lu) gid=12001222222(domain users@test.lu) ......,12004111111(storage-admin@test.lu),1200123456(aix-users@test.lu)

We need the uidNumber 1200123421 (user01@test.lu) and the gidNumber 1200123456 (aix-users@test.lu).

For AIX users, the following fields must be filled in Active Directory:

| Parameter         | Value        | comment                               |
| uid               | user01       | lowercase                             |
| unixHomeDirectory | /home/user01 | lowercase                             |
| loginShell        | /bin/bash    | shell: keep bash everywhere           |
| gidNumber         | 1200123456   | primary group ID (always aix-users)   |
| uidNumber         | 1200123421   | userID                                |

For AIX groups, the following field must be filled in Active Directory (for the group aix-users):

| Parameter | Value      |
| gidNumber | 1200123456 |

LDAP configuration

[root@aixsrv]/etc/security/ldap# cat sfur2user.map
username        SEC_CHAR        uid                     s       na      yes
id              SEC_INT         uidNumber               s       na      yes
pgrp            SEC_CHAR        gidNumber               s       na      yes
home            SEC_CHAR        unixhomeDirectory       s       na      yes
shell           SEC_CHAR        loginShell              s       na      yes
gecos           SEC_CHAR        gecos                   s       na      yes
spassword       SEC_CHAR        unicodePwd              s
lastupdate      SEC_INT         pwdLastSet              s       UTC     no
time_last_login SEC_INT         lastLogon               s       UTC     no
maxage          SEC_INT         codePage                s       na      yes
minage          SEC_INT         shadowMin               s       na      yes
maxexpired      SEC_INT         shadowExpire            s       na      yes
pwdwarntime     SEC_INT         shadowWarning           s       na      yes
pgid            SEC_INT         gidnumber               s       na      yes
[root@aixsrv]/etc/security/ldap# cat sfur2group.map
groupname       SEC_CHAR        cn                      s       na      yes
id              SEC_INT         gidNumber               s       na      yes
users           SEC_LIST        member                  m       na      yes

AD registration in secure mode, using CA certificate

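# Create the CMS key database used for the LDAPS connection and stash its
# password (-stash) so the client can open it without prompting.
# NOTE: a password given with -pw / -w / -p is visible to other users in the
# process list while the command runs; set pwd1 and pwd2 from a protected
# file rather than typing them on a shared terminal, and never run these
# lines with set -x.
gsk8capicmd_64 -keydb -create -db /etc/security/ldap/ldap.kdb -pw "$pwd1" -type cms -stash
gsk8capicmd_64 -keydb -list -db /etc/security/ldap/ldap.kdb -pw "$pwd1" -stash
# Import the AD issuing CA (PEM) so the LDAP server certificate can be validated,
# then confirm it is in the database.
gsk8capicmd_64 -cert -add -db /etc/security/ldap/ldap.kdb -pw "$pwd1" -type pem -file /tmp/ca2.ad.cer -label 'AD_LU_ca2.cer'
gsk8capicmd_64 -cert -list -db /etc/security/ldap/ldap.kdb -pw "$pwd1"
gsk8capicmd_64 -cert -details -db /etc/security/ldap/ldap.kdb -pw "$pwd1" -label 'AD_LU_ca2.cer'
# Register this host as LDAP client: SSL on port 636 with the key database
# above (-k/-w), bind DN and password of the service account (-a/-p), user
# base DN (-d), ldap_auth; -u NONE leaves the local users as they are
# (see mksecldap(1) for the -u values).
mksecldap -c -h ldap_srv.test.lu -n 636 -k /etc/security/ldap/ldap.kdb -w "$pwd1" -j SSL -a 'CN=ldapuser,OU=Users Misc,OU=Users,OU=....,DC=aaa,DC=test,DC=lu' -p "$pwd2" -d 'OU=Users,OU=Users & Groups,DC=aaa,DC=test,DC=lu' -A ldap_auth  -u NONE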

If the mksecldap command fails, you may not be pointing at the right tree in AD: change the OU.

[root@aixsrv]/etc/security/ldap# grep -v '^#' /etc/security/ldap/ldap.cfg | sed '/^$/d'
serverschematype:sfur2
ldapservers:ldap_srv.test.lu
binddn:CN=ldapuser,OU=Users Misc,OU=Users,OU=....,DC=aaa,DC=test,DC=lu
bindpwd:{DESv2}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
authtype:ldap_auth
searchmode:ALL
defaultentrylocation:LDAP
ldapport:636
useSSL:SSL
pwdalgorithm:system
ldapsslkeyf:/etc/security/ldap/ldap.kdb
ldapsslkeypwd:{DESv2}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
userclasses:user,person,organizationalperson
groupclasses:group
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
userbasedn:OU=Users,OU=Users & Groups,DC=aaa,DC=test,DC=lu
groupbasedn:OU=xxx,OU=Groups,OU=Users & Groups,DC=aaa,DC=test,DC=lu

Check that the LDAP stanza is present; otherwise add the following 3 lines (they are normally added by the mksecldap command).

[root@aixsrv]/etc# cat /etc/methods.cfg
...
LDAP:
        program = /usr/lib/security/LDAP
        program_64 =/usr/lib/security/LDAP64
...

Change the default user authentication to LDAP, or files (both settings are required):

# Default stanza of /etc/security/user: the registry stays the local files,
# and SYSTEM="files or LDAP" tries the local files first, then LDAP.
chsec -f /etc/security/user -s default -a registry=files
chsec -f /etc/security/user -s default -a "SYSTEM=files or LDAP"
# Create the home directory at first login for users that only exist in AD.
chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true

Check the files user and login.cfg:

[root@aixsrv]/etc# cat /etc/security/user
...
default:
...
        SYSTEM = "files or LDAP"
        registry = "files"
...

Enable PAM on AIX

PAM is more flexible for controlling access per protocol than the standard AIX authentication.

You can comment out unused services.

To use PAM with access control for users and groups (pam_permission against /etc/auth.allow on the sshd auth stack):

[root@aixsrv]/etc # cat /etc/pam.conf
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# bos720 src/bos/etc/pam/pam.conf 1.8.1.1
#
# Licensed Materials - Property of IBM
#
# COPYRIGHT International Business Machines Corp. 2003,2012
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
#
# PAM Configuration File
#
# This file controls the PAM stacks for PAM enabled services.
# The format of each entry is as follows:
#
# <service_name> <module_type> <control_flag> <module_path> [module_options]
#
# Where:
#       <service_name> is:
#               The name of the PAM enabled service.
#
#       <module_type> is one of:
#               auth, account, password, session
#
#       <control_flag> is one of:
#               required, requisite, sufficient, optional
#
#       <module_path> is:
#               The path to the module. If the field does not begin with '/'
#               then /usr/lib/security/ is prefixed for 32-bit services,
#               /usr/lib/security/64/ is prefixed for 64-bit services.
#               If the module path is specified as full path,then it
#               directly uses for 32-bit services, for 64-bit services
#               module path derived as <module_path>/64/<module_name>.
#
#       [module_options] is:
#               An optional field. Consult the specified modules documentation
#               for valid options.
#
# The service name OTHER controls the behavior of services that are PAM
# enabled but do not have an explicit entry in this file.
#

#
# Authentication
#
authexec auth   required        pam_aix
dtaction auth   required        pam_aix
dtsession auth  required        pam_aix
dtlogin auth    required        pam_aix
ftp     auth    required        pam_aix
imap    auth    required        pam_aix
login   auth    required        pam_aix
rexec   auth    required        pam_aix
rlogin  auth    sufficient      pam_rhosts_auth
rlogin  auth    required        pam_aix
rsh     auth    required        pam_rhosts_auth
snapp   auth    required        pam_aix
sshd    auth    requisite       pam_permission file=/etc/auth.allow found=allow
sshd    auth    required        pam_aix
su      auth    sufficient      pam_allowroot
su      auth    required        pam_aix
swrole  auth    required        pam_aix
telnet  auth    required        pam_aix
xdm     auth    required        pam_aix
OTHER   auth    required        pam_prohibit

#
# Account Management
#
authexec account required       pam_aix
dtlogin account required        pam_aix
ftp     account required        pam_aix
login   account required        pam_aix
rexec   account required        pam_aix
rlogin  account required        pam_aix
rsh     account required        pam_aix
sshd    account required        pam_aix
su      account sufficient      pam_allowroot
su      account required        pam_aix
sudo    account sufficient      pam_allowroot
sudo    account required        pam_aix
swrole  account required        pam_aix
telnet  account required        pam_aix
xdm     account required        pam_aix
OTHER   account required        pam_prohibit

#
# Password Management
#
authexec password  required     pam_aix
dtlogin password  required      pam_aix
login   password  required      pam_aix
passwd  password  required      pam_aix
rlogin  password  required      pam_aix
sshd    password  required      pam_aix
su      password  required      pam_aix
sudo    password  required      pam_aix
telnet  password  required      pam_aix
xdm     password  required      pam_aix
OTHER   password  required      pam_prohibit

#
# Session Management
#
dtlogin session required        pam_aix
ftp     session required        pam_aix
imap    session required        pam_aix
login   session required        pam_aix
rexec   session required        pam_aix
rlogin  session required        pam_aix
rsh     session required        pam_aix
snapp   session required        pam_aix
sshd    session required        pam_aix
sshd    session optional        pam_mkuserhome
su      session required        pam_aix
sudo    session required        pam_aix
sudo    session optional        pam_mkuserhome
swrole  session required        pam_aix
telnet  session required        pam_aix
xdm     session required        pam_aix
OTHER   session required        pam_prohibit

#Support for IBM MQ
ibmmq   auth    required        pam_aix
ibmmq   account required        pam_aix

Create the access control file referenced by pam_permission:

[root@aixsrv]/etc # cat /etc/auth.allow
root
@users
@dba_group
user01

Enable PAM in SSH

[root@aixsrv]/etc # cat /etc/ssh/sshd_config | grep '^UsePAM'
UsePAM yes
[root@aixsrv]/etc # stopsrc -s sshd
[root@aixsrv]/etc # startsrc -s sshd

Change the default authentication mechanism

[root@aixsrv]/etc # lssec -f /etc/security/login.cfg -s usw -a auth_type 
usw auth_type=STD_AUTH
[root@aixsrv]/etc # chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH
	
check_nimclient.sh
#!/usr/bin/ksh
#set -x
##################################################
#@(#) Check NIM CPUID
##################################################
# version: 1.0 2023-02 emmiff4
##################################################

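# Directory of this script; .env next to it provides the settings the script
# relies on (at least logname, used by the tee at the bottom) — confirm its
# content against the deployed copy.
dir=$(dirname "$0")
if [ ! -r "$dir/.env" ]
then
  echo "$0: cannot read $dir/.env" >&2
  exit 1
fi
. "$dir/.env"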


###########################################################################
# usage ()
#
# Print the command-line help on stdout and exit with status 0.
#
# Parameters:
#   - none
###########################################################################
usage()
{
cat <<'EOF'
Usage:
no parameter, will check CPUID on master and client, and change if not OK
-c reset -l <client_name> : will delete the nim client and recreate
EOF
exit 0
}

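#------------------------------------------------
# is_cpuid (value)
#
# True when value looks like the machine id printed by `uname -m`:
# exactly 12 hexadecimal digits (assumed for every client — confirm against
# the clients' `uname -m`). Anything else (empty, multi-line, shell or sed
# metacharacters) is rejected, so only such a value is ever interpolated
# into the remote sed expression of fix_client_niminfo.
#------------------------------------------------
is_cpuid () {
  case "$1" in
    ''|*[!0-9A-Fa-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

#------------------------------------------------
# fix_client_niminfo (lpar, old_id, new_id)
#
# On the client, replace old_id by new_id in /etc/niminfo (previous copy kept
# as /etc/niminfo.old) and restart nimsh. The edit is chained with && so a
# failed sed cannot leave an empty /etc/niminfo behind, and nimsh is only
# restarted when the file was rewritten. Both ids must pass is_cpuid.
# Returns the ssh exit status (non-zero when the edit failed).
#------------------------------------------------
fix_client_niminfo () {
  ssh -o ConnectTimeout=10 "$1" "cp /etc/niminfo /etc/niminfo.old && sed 's/$2/$3/' /etc/niminfo > /etc/niminfo.new && mv /etc/niminfo.new /etc/niminfo || exit 1 ; stopsrc -s nimsh ; startsrc -s nimsh"
}

#------------------------------------------------
# reset_cpuid ()
#
# For every standalone NIM client (names containing "vio" excluded), compare
# three values: CPUID, what the client reports with `uname -m`; NIMCPUID, the
# cpuid attribute of its NIM object on this master; CLIENTCPUID, the
# NIM_MASTERID recorded in the client's /etc/niminfo. The NIM object is
# corrected with `nim -o change` when it disagrees with the client, and the
# client's /etc/niminfo is rewritten when it does not name this master
# (MASTERCPUID, our own `uname -m`). One status line per client on stdout,
# failures on stderr.
#
# Globals written: MASTERCPUID, lpar, CPUID, NIMCPUID, CLIENTCPUID, nim_ok
# (POSIX-style function definition: variables are not local in this ksh)
#------------------------------------------------
reset_cpuid () {

MASTERCPUID=$(uname -m)
if ! is_cpuid "$MASTERCPUID"
then
  echo "master: unexpected CPUID '$MASTERCPUID', nothing done" >&2
  return 1
fi
# NIM object names come from awk $1, so each is a single token and the
# unquoted substitution yields one name per iteration. A `while read` loop is
# avoided on purpose: the ssh calls inside would consume the same stdin.
for lpar in $(lsnim -t standalone | awk '{print $1}' | grep -v vio)
do
  CPUID=$(ssh -o ConnectTimeout=10 "$lpar" 'uname -m' 2>/dev/null)
  if [ "${#CPUID}" -ne 12 ]
  then
    echo "$lpar: no CPUID $CPUID ${#CPUID}"
    continue
  fi
  # last field of the "cpuid = ..." line of lsnim -l
  NIMCPUID=$(lsnim -l "$lpar" | awk '/cpuid/ {print $NF}')
  # value after "=" on the NIM_MASTERID line of the client's /etc/niminfo
  CLIENTCPUID=$(ssh -o ConnectTimeout=10 "$lpar" 'grep NIM_MASTERID /etc/niminfo' | sed 's/=/ /g' | awk '{print $NF}')

  nim_ok=1
  if [ "$NIMCPUID" != "$CPUID" ]
  then
    nim_ok=0
    echo "$lpar: nimserver $CPUID $NIMCPUID ERROR"
    nim -o change -a cpuid="$CPUID" "$lpar"
  fi

  if [ "$MASTERCPUID" = "$CLIENTCPUID" ]
  then
    # reported only when the NIM object was correct as well
    if [ "$nim_ok" -eq 1 ]
    then
      echo "$lpar: MASTERCPUID OK"
    fi
    continue
  fi

  echo "$lpar: client $CPUID /etc/niminfo ERROR"
  if ! is_cpuid "$CLIENTCPUID"
  then
    # a value that is not a plain 12-digit id is never sent into the remote sed
    echo "$lpar: NIM_MASTERID '$CLIENTCPUID' is not a CPUID, /etc/niminfo left untouched" >&2
    continue
  fi
  if fix_client_niminfo "$lpar" "$CLIENTCPUID" "$MASTERCPUID"
  then
    echo "$lpar: changed"
  else
    echo "$lpar: change FAILED, check /etc/niminfo on the client" >&2
  fi
done

}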

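#------------------------------------------------
# recreate_client ()
#
# Dry run: print on stdout the commands that would remove the NIM client
# object $lpar on the master and re-register it from the client side with
# niminit. Nothing is executed here; copy the printed lines and run them by
# hand. The first line echoes the client name and COMMAND (-c value) as given.
#
# Globals read: lpar, COMMAND (only echoed), master
#------------------------------------------------
recreate_client () {
printf '%s\n' "${lpar}${COMMAND:+ $COMMAND}"
cat <<EOF
nim -o remove $lpar
ssh $lpar 'rm /etc/niminfo'
ssh $lpar 'stopsrc -s nimsh'
ssh $lpar 'niminit -a name=$lpar -a pif_name=en0 -a master=$master -a platform=chrp -a connect=nimsh -a cable_type="N/A"'
EOF
}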



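#############################################
# main (args...)
#
# With no argument: check and repair the CPUID of every standalone NIM
# client (reset_cpuid).
# With arguments:
#   help | -h | -help   print the usage and exit
#   -c <command>        stored in COMMAND (only echoed by recreate_client)
#   -l <client_name>    print the commands to re-register <client_name>;
#                       give -c before -l, recreate_client runs at once
# Any other argument, or -c / -l without a value, is an error (exit 1).
#
# Globals written: master (short hostname of this NIM master), COMMAND, lpar
#############################################
main()
{
master=$(hostname -s)

if [ -z "$1" ]
then
  echo "OK"
  reset_cpuid
  return
fi

while [ "$#" -gt 0 ]; do
  case "$1" in
    help|-h|-help) usage ;;
    -c) if [ "$#" -lt 2 ]; then echo "-c needs an argument" >&2; exit 1; fi
        shift
        COMMAND="$1" ;;
    -l) if [ "$#" -lt 2 ]; then echo "-l needs a client name" >&2; exit 1; fi
        shift
        lpar="$1"
        recreate_client ;;
    *)  echo "unknown argument: $1" >&2
        exit 1 ;;
  esac
  shift
done
}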

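# Keep a copy of everything printed in $logname (expected from .env). The
# redirection is on main, not on tee, so error messages land in the log too.
# Refuse to run without a log file: the script edits NIM objects and client
# files, and the log is the only trace of what it changed.
: "${logname:?logname must be set (normally in .env)}"
main "$@" 2>&1 | tee "$logname"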