First, let me start off saying this is not spam. This is me trying to help out other AIX Admins with MS AD servers. If it is not applicable to you, someone else will find it useful.
As long as the "KDC" service is running on your AD server, these steps should work. There should be no additional configuration required on the Windows Active Directory servers by your Windows administrators (assuming you already have name matching AIX and Windows accounts). These steps work on AIX 7.1 and AIX 6.1. This configuration only authenticates an existing user's password. Each user still has to have their local AIX account created on each AIX box that matches their existing account already setup in Active Directory. As a side note, you do NOT have to set the local password. Just make sure the AD username and the local AIX user name match, like "user1" and "user1". Also, this is not an "all-or-nothing" change. Some users can authenticate from the Active Diretory server while others do not. Here is how to set it up:
Copy or install the following kerberos client filesets from the AIX 7.1 Expansion DVD
Use smitty to install those filesets
Run the following command to create the /etc/krb5/krb5.conf files. "adhost.domain.com" is the fully qualified hostname of your active directory server.
Update "[libdefaults]" section in /etc/krb5/krb5.conf. Change these lines:
... to this:
In the "KRB5" section of the /etc/methods.cfg, make the change below. The Windows AD server is not "kadmin" compliant but, for who knows what reason, the default value placed into the /etc/methods.cfg by the mkkrb5clnt is not recognized.
Setup "Kerberos 5" as a valid authentication type for AIX to use:
Change the authentication parameters for your local users to use KRB5files (Kerberos):
If you want users to go back to local authentication, use this:
This seems too easy for as much time as I put into figuring it out.
These 3 Users Gave Thanks to kah00na For This Post:
Good information. Thanks. is the uid, gid, gecos, home dir, shell, etc.. stored in AD also? For a regular user why would you want a local account also? Doesn't that defeat the purpose of centralizing authentication?
These steps use Kerberos for only setup password authentication. This is not an LDAP connection, therefore, none of the user attributes are pulled from it. This solution is good for those that only want password centralization. If you want to use LDAP authentication, then the UIDs and GIDs have to match across systems, you have to involve the Windows administrators to get the AD server configured for your users, and various other tasks have to be performed. This method allows you, as the AIX admin, to be able to have your users authenticate their password from the AD with minimal effort and gets you out of the "I can't remember my password" game. Also, since you are only installing software and adding a second authentication method, there is no down time and you an switch users back and forth between local and AD authentication with only one command.
These 2 Users Gave Thanks to kah00na For This Post:
As a follow up to this post, if your Windows Admins apply "Microsoft Security Bulletin MS11-013 - Important", then you will need to change the default_tkt_enctypes and default_tgs_enctypes back to their default:
I speak from experience.
I am running AIX 7.1 and currently we have samba 3.6.25 installed on the server. As it stands some AIX folders are shared that can be accessed by certain Windows users.
The problem is that since Windows 10 the guest feature no longer works so users have to manually type in their Windows login/pwd... (14 Replies)
Hi. Ive recently upgraded Samba on an AIX server to Samba 4. The aim is to allow a specific group of Windows AD users to access some AIX file shares (with no requirement to enter passwords) - using AD to authenticate.
Currently I have:
Samba 4 installed ( and 3 daemons running)
Installed... (1 Reply)
Hello folks, Please advise me what is the best way to authenticate Windows AD users against Linux machines.
Currently I am going to take a look of Vintela Authentication Services and please let me know if you have experience with VIntela.
Thanks in advance (1 Reply)
is that possible to login to solaris 11.1 authenticate with windows active directory? the user id is created in the windows active directory.
Windows 2012 Active Directory (3 Replies)
I've configured an user authentication against Active Directory (Windows Server 2008 R2) on AIX V6 with LDAP. It works fine.
And here's my problem:
How can I control ldap user permissions on the local AIX machine?
E.g. an AD user should be able to write all files of local sys... (1 Reply)
Hello, I asked this question in the AIX subforum but never received an answer, probably because the AIX forum is not that heavily trafficked. Anyway, here it is..
I have never had any issues like this when compiling applications from source. When I try to compile samba-3.5.0pre2, configure runs... (9 Replies)