AD Group Policy Management and Kerberos / LDAP

Has anyone attempted to define GPO / HBAC policies in Windows Server 2012 that could be respected by Kerberos/LDAP on AIX?

I'm looking to associate servers to groups so that when a user who is part of a group tries to log in to a host not associated with that group, it would be denied. This would allow me to define the finer group scope controls that we need / are looking for.

Has anyone done this? I'll try to post the same thread on a windows forum as well.

Thanks!
Dev

I guess that's a no? I'm aware that FreeIPA does this. Not sure about other solutions out there.

As you have already noticed, what M$$ calls "AD" is in fact an LDAP domain with a Kerberos 5 authentication frontend.

This sounds like every system able to participate in an LDAP domain and with an available Kerberos client should be able to participate, but alas this is not true.

LDAP knows "entities", which are defined by the properties they possess (like a table definition in a database with the fields as properties). LDAP itself does not prescribe this structure (this in fact is part of the configuration of an LDAP domain and one of the reasons why this is best left to experts in the field - you can easily end up with a structure that is nearly impossible to handle in practice), but implementations such as M$$ AD do exactly that. So, in fact it is a prefabricated LDAP domain with every ounce of expandability and configurability carefully wrung out so that it will not work with anything other than the graphical computer virus sold in Redmond.

Especially the properties "login shell" and "home directory", which are not necessary in Windows but are in any UNIX(-like) OS, are left out, and you are not allowed to put them in - or you lose any support there might be. Microsoft claims that you are using their (cough) product out of spec in this case. The company I work for ATM is actually in exactly this position.

Our solution (which is far from being commendable) is to manage user accounts manually on the AIX systems and just do the authentication part via Kerberos.

To use Kerberos 5 on an AIX client, install the "krb5.client.*" and the "krb5.lic" packages available for AIX. Kerberos configuration is done either by hand (/etc/krb5/krb5.conf) or using the command mkkrb5clnt.

Then define users using "Krb5Files" as the "registry" and "system" properties:

chuser registry=Krb5Files system=Krb5Files <username>

Similar for "mkuser", etc.

I hope this helps.

bakunin

PS: I found this IBM link but have no experience with it. You will simply have to try it. I would love to hear from your experience, though.

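An added example (not from the thread or from IBM) for the Kerberos-client procedure described in bakunin's post: a small audit script that reads the output of `lsuser -a registry SYSTEM ALL`, reports which of the intended users are still authenticated against the local registry, and emits the corresponding `chuser` commands as a dry run. It assumes the AIX `lsuser` line format `<user> registry=<reg> SYSTEM=<sys>`, that the attribute name is the uppercase `SYSTEM`, and that `Krb5Files` is the stanza name configured in your methods.cfg; the `lsuser` output and user list are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Audits which AIX accounts still use the local registry and prints the
# chuser commands that would move them to Kerberos (registry=Krb5Files).

# Constructed sample of `lsuser -a registry SYSTEM ALL` so this runs offline;
# on a real host replace it with: SAMPLE_LSUSER=$(lsuser -a registry SYSTEM ALL)
SAMPLE_LSUSER='root registry=files SYSTEM=compat
daemon registry=files SYSTEM=compat
alice registry=Krb5Files SYSTEM=Krb5Files
bob registry=files SYSTEM=compat
carol registry=files SYSTEM=compat'

# Constructed list of accounts that should authenticate via Kerberos.
# root is deliberately left out so a local recovery login keeps working.
KRB_USERS="alice bob carol"

# local_users_in <users> <lsuser-output>
# Prints, one per line, those of <users> whose registry is not yet Krb5Files.
# Users with no local account at all are reported on stderr and skipped,
# since chuser cannot modify an account that does not exist.
local_users_in() {
    for u in $1; do
        line=$(printf '%s\n' "$2" | awk -v u="$u" '$1 == u')
        [ -z "$line" ] && { echo "warn: $u has no local account" >&2; continue; }
        case " $line " in
            *" registry=Krb5Files "*) ;;   # already Kerberos-backed, nothing to do
            *) echo "$u" ;;
        esac
    done
}

# chuser_commands <users> <lsuser-output>
# Prints one chuser command per user still on the local registry.
# Attribute name is SYSTEM (uppercase) on AIX; assumed stanza name Krb5Files.
chuser_commands() {
    for u in $(local_users_in "$1" "$2"); do
        echo "chuser registry=Krb5Files SYSTEM=Krb5Files $u"
    done
}

# Standalone run: show the pending changes without applying them.
# To apply on a real host, pipe the output into sh after reviewing it.
chuser_commands "$KRB_USERS" "$SAMPLE_LSUSER"
```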

I managed to get this going including HMC to AD (fully) without any local intervention required; however, what remains now is how to get HBAC in. I have HBAC on users and SUDO in AD, but that works all right in Linux, though it's far from production ready. I was looking for something specific for AIX to AD from IBM. No luck, even when asking our IBM representatives; they were not even aware that you can have HMC to AD fully integrated without having to create local accounts. So I think I scraped the barrel of that pot quite well.

I mean to get to this in time but Cloud stuff has my head spinning at the moment.

Cheers,
Tom