Configure AIX 6.x and 7.x clients on IPA

Posted on

Install AIX packages with installp:

  • GSKit8.gskcrypt32.ppc.rte
  • GSKit8.gskcrypt64.ppc.rte
  • GSKit8.gskssl32.ppc.rte
  • GSKit8.gskssl64.ppc.rte
  • krb5.lic
  • krb5.client
  • krb5.doc.en_US
  • krb5.toolkit
  • krb5.server

Accept IDS License:

{{ packages_path }}/license/idsLicense -q

Install IDS packages with installp:

  • idsldap.license64,
  • idsldap.cltbase64
  • idsldap.clt32bit64
  • idsldap.clt64bit64
  • idsldap.cltjava64
  • idsldap.clt_max_crypto32bit64
  • idsldap.clt_max_crypto64bit64

Install RPMS from IBM Toolkit:

  • openssl-1.0.2s-1.aix5.1.ppc.rpm
  • openldap-2.4.44-0.1.aix5.1.ppc.rpm
  • sudo-1.8.21p2-1.aix5.1.ppc.rpm

Configure AIX client:

 /usr/bin/gsk8capicmd -keydb -create -db /etc/security/ldap/ldap.kdb
 /usr/bin/gsk8capicmd -cert -add -db /etc/security/ldap/ldap.kdb -file /etc/ipa/ca.crt -label ipa_server_cert
 /usr/bin/gsk8capicmd -keydb -changepw -new_pw 3edc#EDC3edc#EDC -db /etc/security/ldap/ldap.kdb
 /usr/sbin/mksecldap -c -h {{ipaserver}} -a "uid=admin,cn=users,cn=accounts,dc=server,dc=cr" -p {{ipaadminpassword}} -d "dc=server,dc=cr" -k "/etc/security/ldap/ldap.kdb" -w "3edc#EDC3edc#EDC"
 /usr/sbin/mkkrb5clnt -c linux81ipa.server.cr -r SERVER.CR -s linux81ipa.server.cr -d server.cr -i LDAP -D
/usr/bin/chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
/usr/bin/chown root:sys /etc/krb5/krb5.keytab
/usr/bin/chmod 700 /etc/krb5/krb5.keytab
 /usr/bin/chsec -f /etc/security/user -s default -a SYSTEM="KRB5LDAP OR compat"
 /usr/bin/chauthent -k5 -std

Check the configuration of /etc/krb5/krb5.conf:

                [libdefaults]
                       default_realm = SERVER.CR
                       default_keytab_name = FILE:/etc/krb5/krb5.keytab
                       dns_lookup_realm = true
                       dns_lookup_kdc = true

                [realms]
                        SERVER.CR = {
                        kdc = linux81ipa.server.cr:88
                        master_kdc = linux81ipa.server.cr:88
                        admin_server = linux81ipa.server.cr:749
                        default_domain = server.cr
                        pkinit_anchors = FILE:/etc/ipa/ca.crt
                        }

                [domain_realm]
                       .server.cr = SERVER.CR
                       server.cr = SERVER.CR
                       linux81ipa.server.cr = SERVER.CR

                [logging]
                       kdc = FILE:/var/krb5/log/krb5kdc.log
                       admin_server = FILE:/var/krb5/log/kadmin.log
                       kadmin_local = FILE:/var/krb5/log/kadmin_local.log
                       default = SYSLOG:info:local1'

Check the configuration of /etc/ldap.conf:

                URI ldap://linux81ipa.server.cr
                tls_cacert /etc/ipa/ca.crt
                BIND_TIMELIMIT 5
                TIMELIMIT 15
                binddn uid=admin,cn=users,cn=accounts,dc=server,dc=cr
                bindpw {{ipaadminpassword}}
                sudoers_base ou=sudoers,dc=server,dc=cr

Restart ldap service:

/usr/sbin/restart-secldapclntd

Sudo configuration edit /etc/netsvc.conf and add:

hosts = bind4,local
sudoers = files, ldap