The KRB5ALDAP compound load module is giving me fits. Everything looks like it should be working, but no.

Goal: Integrate AIX host with Active Directory using a KRB5ALDAP compound load module so that users can be created in AD and used in AIX, with unix attributes (registry values) being pulled from AD. Eliminate the need to manage user accounts on a per-server basis.

Issue: User attributes are visible with lsuser and returned with ldapsearch. Kerberos authentication shows successful at the domain controller, but a "permission denied" or "invalid login or password" message is displayed. Files can be chown-ed to the user accounts, but SU fails.

I attached a doc with the pertinent configs and troubleshooting steps. Since making that doc, I have also chased the enctype (switched to solely RC4) and the KVNO (tried 2, 3, 4). But no love.

Any help would be greatly appreciated.

Attached Files

AIX_KRB5ALDAP.txt (12.2 KB, 15 views)

Looks like you have a lot of fundamental setup problems not directly related to AD or LDAP or Kerb... for example:

# su - aixtest2
3004-503 Cannot set process credentials.

# tail -2 /var/log/syslog.log
Jan 17 15:32:07 9111-52A auth|security:info sshd[6095100]: Connection closed by 10.0.0.6 [preauth]
Jan 17 15:34:31 9111-52A auth|security:crit su: BAD SU from root to aixtest2 at /dev/pts/1

# telnet 9111-52A
Trying...
Connected to 9111-52A.TESTDOMAIN.LOCAL.

AIX Version 6
Copyright IBM Corporation, 1982, 2012.
login: aixtest2
aixtest2's Password:
3004-007 You entered an invalid login name or password.

Got it!

2 small things:

1: The primary group of the AD user needed to be a group defined in AD.
(This fixed the su issue.)

2: Changed methods.cfg, added tgt_verify=no to the options.

KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no