Now that the PAM Server has been installed and configured, you must set up CA ACF2 for z/VM to support the PAM Server.
The following sections detail the steps required to set up CA ACF2 for z/VM to support the PAM Server.
The first step in enabling the PAM Server is to define, using VMO LINUX records, every Linux for zSeries host that uses this security database, together with its TCP/IP address. Without these definitions, all logons fail.
SET CONTROL(VMO) INSERT LINUX.qual MACHNAME(the linux machine name) IPADDR(the.ip.addr.here)
Repeat the INSERT for each Linux host, then issue the following to enable the changes:
ACFSERVE RELOAD CONTROL VMO LINUX
Note: The MACHNAME value can be determined by issuing 'hostname -f' on the Linux system. The IP address can then be determined by pinging that hostname value from the z/VM system.
Before you assign a Linux group name to a user's profile record, you should define the group and the GID that is associated with it. During RACROUTE EXTRACT processing, if no GID can be found for a group name, processing fails and the user is not allowed onto the Linux system.
SET PROF(GROUP) DIV(LINUX) INSERT grpname LINUXGID(gid#)
Repeat the inserts for each group that needs to be defined, then issue the following to enable the changes:
ACFSERVE RELOAD PROFILE LINUX GROUP
Note: When defining groups, you should ensure that GID values are unique and that one group is not assigned the same value as another.
When signing on to a Linux for zSeries system, the user can use their existing 8-byte (short) CA ACF2 for z/VM user id. If you want to allow the user to log on with a long name (greater than 8 bytes), that long name can be mapped to their existing CA ACF2 for z/VM id.
The PAM Server installs by default with MIXED mode mapping enabled. Mixed mode configures the PAM Server to map the logon id to a short name before issuing the RACROUTE VERIFY call. If the mapping is successful, the RACROUTE VERIFY is issued with the mapped id. If the mapping fails but the id is 8 bytes or less, the RACROUTE VERIFY is issued with the original value.
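The following Python function is an added example, not code from the CA documentation or from the PAM Server itself. It emulates the MIXED-mode decision described above (try the long-name mapping first, then fall back to the original value only when it fits in 8 bytes) so that an administrator can reason about which id a RACROUTE VERIFY would be issued for before changing the mapping mode. The LINUXNAM_MAP table stands in for the LINUXNAM values held in the LINUX user profile records; every name and id in it is constructed sample data.

```python
"""Added example: MIXED-mode logon-id resolution as described in the
CA ACF2 for z/VM PAM Server documentation.  Not the PAM Server's code."""

from typing import Optional

# Constructed sample of the long name -> lid mapping that the LINUXNAM
# parameter of the LINUX user profile records would provide.
LINUXNAM_MAP = {
    "alice.example": "ALICE",       # long name mapped to an 8-byte (short) lid
    "robert.longname": "BOB",
}

SHORT_ID_MAX = 8  # a CA ACF2 for z/VM logon id is at most 8 bytes


def resolve_logon_id(name: str, table: dict = LINUXNAM_MAP) -> Optional[str]:
    """Return the lid a RACROUTE VERIFY would be issued for in MIXED mode.

    1. The long-name mapping is tried first; a hit wins.
    2. If mapping fails but the id is 8 bytes or less, the original value is used.
    3. Otherwise no short id can be derived and None is returned, meaning the
       logon cannot proceed.
    """
    mapped = table.get(name)
    if mapped is not None:
        return mapped
    # Length is measured in bytes, which is what the 8-byte limit refers to.
    if len(name.encode("utf-8")) <= SHORT_ID_MAX:
        return name
    return None


if __name__ == "__main__":
    for candidate in ("alice.example", "CAROL", "unmapped.longname"):
        print(f"{candidate!r:24} -> {resolve_logon_id(candidate)!r}")
```

A mapped long name resolves to its lid, an unmapped name of 8 bytes or less is passed through unchanged, and an unmapped name longer than 8 bytes yields no id at all.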
If you want to define a user profile record that supports id mapping, issue the following:
SET PROF(USER) DIV(LINUX)
INSERT lid_here LINUXNAM(the linux long name) LINUXUID(uid#) LINUXGRP(grpname) LINUXHOM(home.dir) LINUXPGM(shell_name)
If id mapping is not required, omit the LINUXNAM parameter.
For the LINUXGRP parameter, specify a group name that matches one of the Linux group profiles you have defined.
Repeat inserts for each user that needs to be configured, then issue the following to enable the changes:
ACFSERVE RELOAD PROFILE LINUX USER
Note: If id mapping will never be used, you can disable the mapping call prior to the VERIFY. Refer to the userid parameter in the Installing and Configuring the PAM Server chapter.
Tip: When defining users, you need to ensure that UID values are not assigned to more than one user.
Using the resource rule type of LNX, you now define who can access which Linux for zSeries system.
SET RESOURCE(LNX)
COMPILE
 $KEY(linux_Machine_name) TYPE(LNX)
 UID(string) ALLOW
The resource rule type LGR defines who is a member of which group. Linux makes a distinction between a user's primary and secondary groups. You define the user's primary group when you define the Linux User Profile record for the user (the LINUXGRP option). Secondary groups are defined here.
Note: Skip this step if no user is a member of a secondary group.
To define who is a member of which group:
SET RESOURCE(LGR)
COMPILE
 $KEY(groupname) TYPE(LGR)
 UID(uidmask) ALLOW
 additional resource rule entries
END
STORE
Repeat the COMPILE-END-STORE sequence for each group that needs to be defined, then issue the following to enable the changes:
ACFSERVE RELOAD RESOURCE LGR
Include one resource rule entry for each user that is a member of this group. Do not list users who have this group as a primary group; only list users that have this group as a secondary group.
Note: Because CA ACF2 for z/VM implements secondary group membership through resource rules, any user who has the SECURITY attribute becomes a member of any group configured here whether or not they are listed.
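The script below is an added example written for this page; it is not part of the CA documentation or of CA ACF2 for z/VM. It takes a planned set of LINUX group and user profile records plus the secondary-group memberships, checks them for the inconsistencies the sections above warn about (a GID assigned to two groups, a UID assigned to two users, a LINUXGRP with no group profile so the GID lookup would fail, and a primary group wrongly listed in its own LGR rule), and then renders the INSERT, COMPILE and RELOAD command text in the layout shown on this page. The Group and User classes, the sample_definitions() data and the use of the bare lid as the UID mask are all constructed for the example; a real site's UID string layout is site-specific and the mask would have to follow it.

```python
"""Added example: consistency check and command rendering for CA ACF2 for z/VM
LINUX profile records and LGR rules.  Not CA's code; sample data is constructed."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Group:
    name: str            # grpname in the GROUP profile INSERT
    gid: int             # LINUXGID value


@dataclass
class User:
    lid: str             # CA ACF2 for z/VM logon id (8 bytes or less)
    uid: int             # LINUXUID value
    grp: str             # LINUXGRP, the user's primary group
    home: str            # LINUXHOM
    pgm: str             # LINUXPGM, the login shell
    linuxnam: str | None = None                         # long name for id mapping
    secondary: list[str] = field(default_factory=list)  # groups to list in LGR rules


def validate(groups: list[Group], users: list[User]) -> list[str]:
    """Return the problems found; an empty list means the definitions are consistent."""
    problems: list[str] = []
    gid_owner: dict[int, str] = {}
    for g in groups:
        if g.gid in gid_owner:
            problems.append(f"GID {g.gid} is assigned to both {gid_owner[g.gid]} and {g.name}")
        gid_owner.setdefault(g.gid, g.name)
    known = {g.name for g in groups}
    uid_owner: dict[int, str] = {}
    for u in users:
        if len(u.lid.encode("utf-8")) > 8:
            problems.append(f"{u.lid}: lid is longer than 8 bytes")
        if u.uid in uid_owner:
            problems.append(f"UID {u.uid} is assigned to both {uid_owner[u.uid]} and {u.lid}")
        uid_owner.setdefault(u.uid, u.lid)
        if u.grp not in known:
            problems.append(f"{u.lid}: LINUXGRP {u.grp} has no group profile, so the GID lookup fails")
        for s in u.secondary:
            if s == u.grp:
                problems.append(f"{u.lid}: {s} is the primary group and must not appear in its LGR rule")
            elif s not in known:
                problems.append(f"{u.lid}: secondary group {s} has no group profile")
    return problems


def acf2_commands(groups: list[Group], users: list[User]) -> list[str]:
    """Render the INSERT, COMPILE and RELOAD commands, one command per line."""
    out = ["SET PROF(GROUP) DIV(LINUX)"]
    out += [f"INSERT {g.name} LINUXGID({g.gid})" for g in groups]
    out.append("ACFSERVE RELOAD PROFILE LINUX GROUP")
    out.append("SET PROF(USER) DIV(LINUX)")
    for u in users:
        nam = f" LINUXNAM({u.linuxnam})" if u.linuxnam else ""   # omitted when no mapping
        out.append(f"INSERT {u.lid}{nam} LINUXUID({u.uid}) LINUXGRP({u.grp}) "
                   f"LINUXHOM({u.home}) LINUXPGM({u.pgm})")
    out.append("ACFSERVE RELOAD PROFILE LINUX USER")
    # One LGR rule per group, with one entry per *secondary* member only.
    members: dict[str, list[str]] = {}
    for u in users:
        for s in u.secondary:
            members.setdefault(s, []).append(u.lid)
    if members:   # the LGR step is skipped entirely when no user has a secondary group
        out.append("SET RESOURCE(LGR)")
        for grp, lids in members.items():
            out += ["COMPILE", f" $KEY({grp}) TYPE(LGR)"]
            out += [f" UID({lid}) ALLOW" for lid in lids]   # assumption: lid used as UID mask
            out += ["END", "STORE"]
        out.append("ACFSERVE RELOAD RESOURCE LGR")
    return out


def sample_definitions() -> tuple[list[Group], list[User]]:
    """Constructed sample: two groups, two users, one long-name mapping, one secondary member."""
    groups = [Group("devs", 1001), Group("ops", 1002)]
    users = [
        User("ALICE", 5001, "devs", "/home/alice", "/bin/bash", linuxnam="alice.example"),
        User("BOB", 5002, "ops", "/home/bob", "/bin/bash", secondary=["devs"]),
    ]
    return groups, users


if __name__ == "__main__":
    groups, users = sample_definitions()
    for p in validate(groups, users):
        print("problem:", p)
    print("\n".join(acf2_commands(groups, users)))
```

Run validate() first and only render the commands when it returns an empty list; a duplicate GID or UID is not rejected by the INSERT itself, so catching it before the RELOAD is the cheapest point to do so.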
Copyright © 2013 CA Technologies.
All rights reserved.