Posts tagged ·



Enabling Informix SSO authentication

no comments

The idea was to let users, who have accounts in the MS AD, log on to Informix database running on Solaris without requiring to enter credentials again as they are already authenticated in the domain on their Windows workstations. So, we will configure Informix for Kerberos and Single Sign-On (SSO) authentication for Windows clients. This configuration can be called the logical conclusion of a previous configuration with PAM.

Informix box must be preconfigured and joined AD domain like in this my example for Solaris and MS AD. Installing the latest patches is strongly recommended as some related bugs were fixed recently in Solaris and Informix.

  1. On any Domain Controller:
    • create a service account in AD, one per server/alias
    • run setspn -A <sso_alias>/<informix_server> <informix_server>
    • run ktpass -princ <sso_alias>/<informix_server> -mapuser <serv_acc>@DOMAIN.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set -pass <serv_acc_password> -out my.keytab
    • upload generated keytab file to Informix server
  2. On the Informix box:
    • run ktutil and insert generated key to existing keys file:
      ktutil:  rkt /upload/my.keytab
      ktutil:  wkt /etc/krb5/krb5.keytab
      ktutil:  quit
    • run klist -e -k /etc/krb5/krb5.keytab to check keys file
    • create <informix_home>ids/etc/concsm.cfg file with one row like this:
      GSSCSM("/app/informix/ids/lib/csm/", "", "c=1,i=1")
    • add sso alias to Informix onconfig file
    • add sso alias to sqlhosts file:
      ssoalias         ontlitcp        hostname      1526   s=7,csm=(GSSCSM)
  3. On all Windows workstations:
    • latest version of IBM Informix-Connect must be installed
    • create concsm.cfg file in the C:\Program Files\IBM\Informix\Connect\etc folder with one row like this:
      GSSCSM("client=C:\Program Files\IBM\Informix\Connect\lib\client\csm\igsss11a.dll", "", "c=1,i=1")
    • run setnet32 and describe server like on my screenshot, don’t forget specify options: s=7,csm=(GSSCSM)
    • test using ilogin or define ODBC source; leave username and password fields empty

To check AD accounts from Unix or debug Kerberos and SSO use the following tools:

  • klist, ldapsearch, ldaplist, getent
  • krb-diag

Enabling Informix PAM authentication

1 comment

Some text from Wikipedia for introduction:

pluggable authentication modules, or PAM, is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independently of the underlying authentication scheme.

In my case the idea was to let users, who have accounts in the MS AD, log on to Informix Dynamic Server using their AD username and password.

Your OS must be ready to use PAM and Kerberos, configured like in this example for Solaris and MS AD.

So, lets start:

  1. Better to limit number of enctypes for Kerberos, especially if KDC is Windows 2008 R2.
    To do that, add the flowing rows in the /etc/krb5/krb5.conf:
    default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
    default_etypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
    default_etypes_des = des-cbc-crc
  2. To define Informix for PAM, add its name to /etc/pam.conf, I will name it ids_pam_service:
    ids_pam_service auth sufficient
    ids_pam_service auth sufficient

    First line for Kerberos authentication, second to allow local users (defined in passwd) to login through pam-enabled Informix alias.
  3. Configure one or many Informix aliases to enable PAM. Do that in sqlhosts file:
    <alias_name>           ontlitcp        <host_name>      <service_name>    s=4,pam_serv=(ids_pam_service),pamauth=(password)
    like in my example:
    onpam           ontlitcp        serv-inf01      1526    s=4,pam_serv=(ids_pam_service),pamauth=(password)

After Informix restart, PAM authentication will be enabled. Clients will be prompted to enter their local or AD credentials to connect.

If it doesn’t work, you can debug PAM, just touch /etc/pam_debug file and put auth.debug string in the /etc/syslog.conf file:
auth.debug /var/adm/dmessages
Keep in mind that spaces not allowed in syslog.conf, only tabs, and syslog daemon restart is required.

Main disadvantage of PAM is that due to limits of the PAM API, it is not possible for a PAM module to request a Kerberos service ticket from a Kerberos Key Distribution Center (KDC), allowing the user to utilize the application without re-authenticating. pam_krb5 only fetches ticket granting tickets, which involves prompting the user for credentials and are only used for initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos, as pam_krb5 cannot itself get service tickets.

I will describe how to configure Informix for Kerberos and Single Sign-On (SSO) authentication in the next post.

Update: each account in AD must have the following attributes specified: uid, uidNumber, gidNumber, unixHomeDirectory, loginShell. The easiest way to do that is using ADSI Edit snap-in for MMC.

Are you a bluepill or a redpill?

no comments

This post is a copy from blog. I like this joke :)

Disclaimer: As some readers didn’t get it … this article is a joke.

<joke>One of my readers pointed his finger to a really nice analogy: Are you a redpill or a bluepill. For the uninitiated: That is a scene from Matrix. Neo can choice take the blue pills to stay in the matrix, believing what he wants, or he can take the red pill to be free and to see the truth. Given that the Oracle logo is red and the IBM logo is blue, this gives a nice analogy.

You can take the blue pill. It’s the way of the matrix, it’s protected by agents from IBM Global Services, hiding you from the complexity of the reality, but sucking all your energy in the form of you IT budget from you. An agent can overwrite any of your coworkers. It downloads on the chair next to you, your colleagues are gone. They call this “Outsourcing”

On the other side: You can take the red pill. It’s the reality, sometimes problematic, sometimes pleasant. But you are free. You have your own will, you are not just in this world to feed the owners of matrix. And we show you how deeps the rabbit hole goes.

You have to decide: Do you take the blue pill or the red pill. Remember, all I’m offering is the truth. Nothing more.</joke>