How-To Docs

Configuring DB2 UDB with Quest Authentication Services for Active Directory authentication

NOTE: The information on this page is obsolete. DB2 administrators should use the PAM/LAM-based DB2_sys-auth authentication module instead of the Kerberos-based integration techniques described here.

Introduction

This guide describes how to configure DB2 UDB on AIX for Active Directory authentication via system Kerberos libraries. Although this guide uses Quest Authentication Services (QAS) tools to generate the DB2 configuration files, once configured, DB2 will authenticate users directly against Active Directory using the system Kerberos libraries and without any further use of Quest Authentication Services.

This guide is provided as an alternative to the DB2_sys-auth authentication module which uses PAM/LAM to authenticate users.

Requirements

Your DB2 server must satisfy the following requirements:

Limitations

Because DB2 links against the platform Kerberos libraries, it may not be able to use all of the encryption types available in Active Directory, which is why the steps below restrict both the configuration and the service account to single DES. Be aware that des-cbc-crc and des-cbc-md5 are cryptographically weak and have been deprecated for Kerberos (RFC 6649); current Active Directory domain controllers refuse DES by default and must be explicitly configured to allow it.

Configuration steps

1. Create a krb5.conf using vastool. The realms cache toconf command writes the cached realm information into vas.conf, so the original vas.conf is saved first and restored afterwards:

# cd /etc/opt/vintela/vas
# cp vas.conf vas.conf.orig
# /opt/vintela/vas/bin/vastool realms cache toconf
# cp vas.conf /etc/krb5/krb5.conf
# cp vas.conf.orig vas.conf

2. Edit /etc/krb5/krb5.conf and remove from the [realms] section any servers that you don't wish to use. Then change the default_keytab_name entry to point to /etc/krb5/krb5.keytab. Finally, change the default_etypes, default_etypes_des, default_tkt_enctypes and default_tgs_enctypes lines so that they list only DES ciphers.

An example krb5.conf with these changes follows:

[libdefaults] 
    default_realm = EXAMPLE.COM 
    dns_lookup_kdc = true 
    ticket_lifetime = 36000 
    default_keytab_name = /etc/krb5/krb5.keytab
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
[domain_realm] 
    udb1.example.com = EXAMPLE.COM
[vascd] 
    workstation-mode = false 
[realms] 
    EXAMPLE.COM = { 
      kdc = dc1.example.com:88 dc2.example.com:88 dc3.example.com:88
      kpasswd_server = dc1.example.com:464 dc2.example.com:464 dc3.example.com:464
    }

3. Create an instance of the UDB service in Active Directory:

# /opt/vintela/vas/bin/vastool -u <Administrator> service create <instance-name>/
where <Administrator> is a sufficiently privileged account and <instance-name> is the DB2 instance name.

You may also need to change the service account to be DES-only. Do this in Active Directory by enabling the setting "Use DES encryption types for this account" on the service account's Account tab.

4. Point the AIX Kerberos credential cache directory at /tmp and link the keytab into the AIX keytab directory. Note that /tmp is world-writable, so the credential cache files created there must remain owned by their user with mode 0600 (the default for files created by kinit):

# cd /var/krb5/security
# mv creds creds.orig
# ln -s /tmp creds
# ln -s /etc/krb5/krb5.keytab keytab/krb5.keytab

5. Remove the arcfour entries from the keytab:

# /usr/krb5/sbin/ktutil
ktutil: rkt /etc/opt/vintela/vas/<instance-name>.keytab
ktutil: l -e

At this point you should see a list of keys and their slots. Look for the two whose type is ArcFour; usually they are slots 1 and 2. Note that when you delete a key, the remaining keys are renumbered, so always delete the higher-numbered slot first so that the second key you intend to delete does not move. We'll continue this example assuming that the ArcFour keys are in slots 1 and 2:

ktutil: delent 2
ktutil: delent 1
ktutil: l -e

Finally, verify that you deleted the right keys, then save the file and give it to the instance owner. The keytab contains the service's long-term keys, so it should be readable only by that user:

ktutil: wkt /etc/krb5/krb5.keytab
ktutil: q
# chown <dbuser>.<dbgroup> /etc/krb5/krb5.keytab

At this point, a DB2 instance configured for Kerberos authentication will be able to authenticate users against Active Directory.
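The keytab edit in step 5 is the fiddly part of the procedure, because ktutil identifies entries by slot number and renumbers the slots after every delete. The following Python program is an added example, not part of the original page or of Quest's tooling: it reads an MIT-format keytab (the 0x0502 layout that ktutil writes), lists the entries the way "l -e" does, and drops every arcfour entry by enctype number rather than by slot, so the order of deletion no longer matters. The instance name db2inst1, the host udb1.example.com, the timestamp and the key bytes in SAMPLE_KEYTAB are constructed placeholders, not real credentials.

```python
import struct

# Kerberos enctype numbers from the IANA registry (RFC 3961 and successors).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
}
ARCFOUR_ENCTYPES = {23, 24}


def _counted(buf, pos):
    """Read a uint16-length-prefixed octet string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab into a list of entry dicts.

    Entries are returned in file order; a negative entry size marks a hole
    left by an earlier delete and is skipped (ktutil renumbers over holes).
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, p = _counted(body, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(body, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, p)
        enctype, klen = struct.unpack_from(">HH", body, p + 9)
        key = body[p + 13:p + 13 + klen]
        p += 13 + klen
        vno = vno8
        if p + 4 <= len(body):          # optional 32-bit kvno written by newer tools
            (vno32,) = struct.unpack_from(">I", body, p)
            vno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": vno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key": key})
    return entries


def build_keytab(entries):
    """Serialise entries back into a compact version 2 keytab (no holes)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        princ, realm = e["principal"].rsplit("@", 1)
        comps = princ.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e["name_type"], e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def list_entries(data):
    """The equivalent of `ktutil: l -e`: (slot, kvno, principal, enctype name)."""
    return [(i + 1, e["kvno"], e["principal"], e["enctype_name"])
            for i, e in enumerate(parse_keytab(data))]


def strip_enctypes(data, drop=ARCFOUR_ENCTYPES):
    """Return (new_keytab, removed_entries) with entries of the given enctypes dropped.

    Selecting by enctype instead of by slot number sidesteps the renumbering
    that makes the interactive delent sequence easy to get wrong.
    """
    keep, removed = [], []
    for e in parse_keytab(data):
        (removed if e["enctype"] in drop else keep).append(e)
    return build_keytab(keep), removed


# Constructed sample keytab for a hypothetical instance; the key bytes are
# placeholders, not real credentials. Its shape mirrors what step 5 expects to find.
_PRINC = "db2inst1/udb1.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    {"principal": _PRINC, "name_type": 1, "timestamp": 1117584000, "kvno": 2,
     "enctype": et, "key": key}
    for et, key in [(23, bytes(range(16))), (24, bytes(range(16, 32))),
                    (1, bytes(range(8))), (3, bytes(range(8, 16)))]
])

if __name__ == "__main__":
    for row in list_entries(SAMPLE_KEYTAB):
        print("slot %d  kvno %d  %s  (%s)" % row)
    cleaned, removed = strip_enctypes(SAMPLE_KEYTAB)
    print("removed:", [e["enctype_name"] for e in removed])
    print("kept:   ", [e["enctype_name"] for e in parse_keytab(cleaned)])
```

To apply this to the real file from step 5, read the instance keytab in binary mode, pass the bytes to strip_enctypes, and write the first element of the result to /etc/krb5/krb5.keytab before running the chown. Listing the result with list_entries (or with ktutil's "l -e") before installing it is the same verification the text asks for after the delent commands.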

Using Unix-enabled Active Directory groups for access control

DB2 appears to use the getgrent() call, which under AIX returns only those groups that are listed in /etc/group. This section describes how to make getgrent() return group information from Active Directory so that it is available to DB2. To do this, you need to install vasypserv.

1. Install vasypserv as per the administrator guide but skip the Quest Authentication Services NIS schema extension because we only need the passwd and group maps and these do not need the schema extension. If you plan to use other features of vasypserv then you will need to install the schema extension.

Once installed, you should be able to see the passwd and group maps by invoking ypwhich:

# ypwhich -m

2. Create or locate the Active Directory groups that you'll be using for access control and Unix-enable them. Add users as members of the groups as needed.

3. Edit /etc/group to enable NIS lookups. If you have only a few Unix-enabled groups in Active Directory, you can simply add a plus (+) character on a line by itself at the end of the file. If you want to avoid pulling in all of the groups, add just the groups you need, each on its own line in the form

+<group-name>

4. Test the getgrent() configuration using vastool:

# vastool nss getgrent
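The difference between a bare "+" line and a "+<group-name>" line in step 3 is easiest to see by walking the merge that getgrent() performs. The following Python program is an added example, not code from the page or from Quest: it emulates an NIS-compatible getgrent() over a constructed /etc/group and a constructed NIS group map of the kind vasypserv serves. The group and user names (db2iadm1, db2users, db2admins, alice, bob, carol, dave) are hypothetical, and the rule that a locally defined group shadows a same-named NIS group is an assumption made for the illustration.

```python
# Constructed sample inputs (hypothetical groups and users, not real data): the
# local /etc/group after step 3 and the group map vasypserv would serve via NIS.
LOCAL_GROUP = """\
system:!:0:root
staff:!:1:
db2iadm1:!:201:db2inst1
+db2users
"""
NIS_GROUP_MAP = """\
db2users:*:10001:alice,bob
db2admins:*:10002:carol
staff:*:1:dave
"""


def _parse_group_line(line):
    """Split one group(4) line into (name, passwd, gid, [members])."""
    name, passwd, gid, members = (line.split(":") + ["", "", ""])[:4]
    return name, passwd, int(gid), [m for m in members.split(",") if m]


def resolve_groups(local_text, nis_text):
    """Emulate getgrent() over an NIS-compat /etc/group.

    Plain lines are returned as-is and in order; a bare '+' appends every group
    from the NIS map, and '+name' appends only that group. A name already seen
    locally is not added again (assumption: the local definition wins).
    """
    nis = {}
    for line in nis_text.splitlines():
        if line and not line.startswith("#"):
            g = _parse_group_line(line)
            nis[g[0]] = g
    result, seen = [], set()
    for line in local_text.splitlines():
        if not line or line.startswith("#"):
            continue
        if line.startswith("+"):
            wanted = [line[1:]] if line[1:] else list(nis)
            for name in wanted:
                if name in nis and name not in seen:
                    result.append(nis[name])
                    seen.add(name)
        else:
            g = _parse_group_line(line)
            if g[0] not in seen:
                result.append(g)
                seen.add(g[0])
    return result


def groups_of(user, local_text, nis_text):
    """Group names the emulated getgrent() would report a user as a member of."""
    return [g[0] for g in resolve_groups(local_text, nis_text) if user in g[3]]


if __name__ == "__main__":
    for g in resolve_groups(LOCAL_GROUP, NIS_GROUP_MAP):
        print("%s gid=%d members=%s" % (g[0], g[2], ",".join(g[3])))
    print("alice:", groups_of("alice", LOCAL_GROUP, NIS_GROUP_MAP))
    print("carol:", groups_of("carol", LOCAL_GROUP, NIS_GROUP_MAP))
```

With the "+db2users" line, carol's db2admins membership is invisible to DB2 even though the group exists in Active Directory; replacing that line with a bare "+" makes every Unix-enabled group visible. Compare the output of this emulation with what "vastool nss getgrent" prints on the real host to check that the /etc/group entries are doing what you expect.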

— K Robinson and D Leonard, 2005

More information