As for me it means, that you plan to use Kerberos authentication, but not LDAP features of MSAD. At least you don't want to change MSAD schema and it is good so.

I don't know a solution for password resetting in MSAD domain. afaik it is only possible from Windows workstation.

If you want to control access to your boxes, you have somehow to define, which users are allowed to access them. The easiest way imo is to define (create) users on AIX, which are authenticated in MSAD domain using Kerberos. If you don't want to create users on AIX, you move the responsibility somewhere else. E.g. you can create an MSAD group "AIX-Users" and bind LDAP client on AIX side to this group. Then all users, who belong to this group, receive automatically access to your AIX box. You don't control access to AIX anymore, but your helpdesk or Windows administrator does it. But at the same time the next problem arises - if you use LDAP, you have to store AIX user attributes in LDAP. In this case you may need to modify MSAD schema and that is bad. Almost all known by me Windows administrators are against it and they have good reasons for it. Or you may need to install a "proxy" LDAP server with AIX attributes, but then you have to replicate users from MSAD to the LDAP server. Not every enterprise allows it.


imho the easiest way to start is to configure kerberos client on AIX. You need AIX Expansion Pack or AIX Web Download Pack - I think, Kerberos client is in both packs. Next you have to install krb5.client.rte fileset -

Code:

installp -acgXYd /path/to/expansion/pack krb5.client.rte

and configure Kerberos, something like:

Code:

$ cat /etc/krb5.conf
[libdefaults]
        default_realm = <YOUR_MSAD_DOMAIN_IN_BIG_LETTERS>
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc

[realms]
        <YOUR_MSAD_DOMAIN_IN_BIG_LETTERS> = {
                kdc = <your_active_directory_controller>:88
                admin_server = <your_active_directory_controller>:749 <-- it doesn't work in MS environment though ;-)
                default_domain = <your_msad_domain_in_small_letters>
        }

[domain_realm]
        .<your-dns-domain> = <YOUR_MSAD_DOMAIN_IN_BIG_LETTERS>

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        default = FILE:/var/krb5/log/krb5lib.log

You have to check the file /usr/lib/security/methods.cfg, it should contain something like:

Code:

KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,tgt_verify=no,kadmind=no,is_kadmind_compat=no

KRB5files:
        options = db=BUILTIN,auth=KRB5

Then you can create a user on AIX with standard mkuser command. The user name should be the same as in MSAD and it should have 2 special attributes - registry=KRB5files SYSTEM=KRB5files

After this the user should be able to login on AIX with his/her MSAD password.

Some notices:
1. I personally made MSAD-AIX integration for many clients, but what I write here is written off the head and was not tested. It may work, but there is no warranty.
2. It is just quick and dirty fix to start the integration, it requires more work and thoughts to make everything right.
3. It is very difficult to troubleshoot problems between AIX and MSAD. If it works, everything is fine. If it doesn't, you can spend a lot of time troubleshooting an easy problem.
4. Don't forget - we have very few AIX versions, but they have a lot of Windows versions, and they change rules from time to time. It makes life funnier.