Some text from Wikipedia for introduction:
pluggable authentication modules, or PAM, is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independently of the underlying authentication scheme.
In my case the idea was to let users, who have accounts in the MS AD, log on to Informix Dynamic Server using their AD username and password.
Your OS must be ready to use PAM and Kerberos, configured like in this example for Solaris and MS AD.
So, lets start:
- Better to limit number of enctypes for Kerberos, especially if KDC is Windows 2008 R2.
To do that, add the flowing rows in the
default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_etypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_etypes_des = des-cbc-crc
- To define Informix for PAM, add its name to
/etc/pam.conf, I will name it ids_pam_service:
ids_pam_service auth sufficient pam_krb5.so.1
ids_pam_service auth sufficient pam_unix_auth.so.1
First line for Kerberos authentication, second to allow local users (defined in passwd) to login through pam-enabled Informix alias.
- Configure one or many Informix aliases to enable PAM. Do that in
<alias_name> ontlitcp <host_name> <service_name> s=4,pam_serv=(ids_pam_service),pamauth=(password)
like in my example:
onpam ontlitcp serv-inf01 1526 s=4,pam_serv=(ids_pam_service),pamauth=(password)
After Informix restart, PAM authentication will be enabled. Clients will be prompted to enter their local or AD credentials to connect.
If it doesn’t work, you can debug PAM, just touch
/etc/pam_debug file and put auth.debug string in the
Keep in mind that spaces not allowed in syslog.conf, only tabs, and syslog daemon restart is required.
Main disadvantage of PAM is that due to limits of the PAM API, it is not possible for a PAM module to request a Kerberos service ticket from a Kerberos Key Distribution Center (KDC), allowing the user to utilize the application without re-authenticating. pam_krb5 only fetches ticket granting tickets, which involves prompting the user for credentials and are only used for initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos, as pam_krb5 cannot itself get service tickets.
I will describe how to configure Informix for Kerberos and Single Sign-On (SSO) authentication in the next post.
Update: each account in AD must have the following attributes specified: uid, uidNumber, gidNumber, unixHomeDirectory, loginShell. The easiest way to do that is using ADSI Edit snap-in for MMC.