The idea was to let users, who have accounts in the MS AD, log on to Informix database running on Solaris without requiring to enter credentials again as they are already authenticated in the domain on their Windows workstations. So, we will configure Informix for Kerberos and Single Sign-On (SSO) authentication for Windows clients. This configuration can be called the logical conclusion of a previous configuration with PAM.

Informix box must be preconfigured and joined AD domain like in this my example for Solaris and MS AD. Installing the latest patches is strongly recommended as some related bugs were fixed recently in Solaris and Informix.

1. On any Domain Controller:
   • create a service account in AD, one per server/alias
   • run setspn -A <sso_alias>/<informix_server>.domain.com@DOMAIN.COM <informix_server>
   • run ktpass -princ <sso_alias>/<informix_server>.domain.com@DOMAIN.COM -mapuser <serv_acc>@DOMAIN.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set -pass <serv_acc_password> -out my.keytab
   • upload generated keytab file to Informix server
2. On the Informix box:
   • run ktutil and insert generated key to existing keys file:
     ktutil:  rkt /upload/my.keytab
ktutil:  wkt /etc/krb5/krb5.keytab
ktutil:  quit
   • run klist -e -k /etc/krb5/krb5.keytab to check keys file
   • create <informix_home>ids/etc/concsm.cfg file with one row like this:
     GSSCSM("/app/informix/ids/lib/csm/libixgss.so", "", "c=1,i=1")
   • add sso alias to Informix onconfig file
   • add sso alias to sqlhosts file:
     ssoalias         ontlitcp        hostname      1526   s=7,csm=(GSSCSM)
3. On all Windows workstations:
   • latest version of IBM Informix-Connect must be installed
   • create concsm.cfg file in the C:\Program Files\IBM\Informix\Connect\etc folder with one row like this:
     GSSCSM("client=C:\Program Files\IBM\Informix\Connect\lib\client\csm\igsss11a.dll", "", "c=1,i=1")
   • run setnet32 and describe server like on my screenshot, don’t forget specify options: s=7,csm=(GSSCSM)
   • test using ilogin or define ODBC source; leave username and password fields empty

To check AD accounts from Unix or debug Kerberos and SSO use the following tools:

• klist, ldapsearch, ldaplist, getent
• krb-diag

Some text from Wikipedia for introduction:

pluggable authentication modules, or PAM, is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independently of the underlying authentication scheme.

In my case the idea was to let users, who have accounts in the MS AD, log on to Informix Dynamic Server using their AD username and password.

Your OS must be ready to use PAM and Kerberos, configured like in this example for Solaris and MS AD.

So, lets start:

1. Better to limit number of enctypes for Kerberos, especially if KDC is Windows 2008 R2.
   To do that, add the flowing rows in the /etc/krb5/krb5.conf:
   [libdefaults]
default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_etypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_etypes_des = des-cbc-crc
2. To define Informix for PAM, add its name to /etc/pam.conf, I will name it ids_pam_service:
   ids_pam_service auth sufficient pam_krb5.so.1
ids_pam_service auth sufficient pam_unix_auth.so.1
   First line for Kerberos authentication, second to allow local users (defined in passwd) to login through pam-enabled Informix alias.
3. Configure one or many Informix aliases to enable PAM. Do that in sqlhosts file:
   <alias_name>           ontlitcp        <host_name>      <service_name>    s=4,pam_serv=(ids_pam_service),pamauth=(password)
   like in my example:
   onpam           ontlitcp        serv-inf01      1526    s=4,pam_serv=(ids_pam_service),pamauth=(password)

After Informix restart, PAM authentication will be enabled. Clients will be prompted to enter their local or AD credentials to connect.

If it doesn’t work, you can debug PAM, just touch /etc/pam_debug file and put auth.debug string in the /etc/syslog.conf file:
auth.debug /var/adm/dmessages
Keep in mind that spaces not allowed in syslog.conf, only tabs, and syslog daemon restart is required.

Main disadvantage of PAM is that due to limits of the PAM API, it is not possible for a PAM module to request a Kerberos service ticket from a Kerberos Key Distribution Center (KDC), allowing the user to utilize the application without re-authenticating. pam_krb5 only fetches ticket granting tickets, which involves prompting the user for credentials and are only used for initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos, as pam_krb5 cannot itself get service tickets.

I will describe how to configure Informix for Kerberos and Single Sign-On (SSO) authentication in the next post.

Update: each account in AD must have the following attributes specified: uid, uidNumber, gidNumber, unixHomeDirectory, loginShell. The easiest way to do that is using ADSI Edit snap-in for MMC.