Authenticate AIX users from MS Active Directory

Login or Register for Dates, Times and to Reply

Thread Tools Search this Thread
# 1  
Authenticate AIX users from MS Active Directory

First, let me start off saying this is not spam. This is me trying to help out other AIX Admins with MS AD servers. If it is not applicable to you, someone else will find it useful.

As long as the "KDC" service is running on your AD server, these steps should work. There should be no additional configuration required on the Windows Active Directory servers by your Windows administrators (assuming you already have name matching AIX and Windows accounts). These steps work on AIX 7.1 and AIX 6.1. This configuration only authenticates an existing user's password. Each user still has to have their local AIX account created on each AIX box that matches their existing account already setup in Active Directory. As a side note, you do NOT have to set the local password. Just make sure the AD username and the local AIX user name match, like "user1" and "user1". Also, this is not an "all-or-nothing" change. Some users can authenticate from the Active Diretory server while others do not. Here is how to set it up:

Copy or install the following kerberos client filesets from the AIX 7.1 Expansion DVD

Use smitty to install those filesets
smitty install
Install and Update Software
Install Software
<specify the location of the filesets>
SOFTWARE to install --> [select the filesets above]
ACCEPT new license agreements? --> yes
<enter> to confirm

Run the following command to create the /etc/krb5/krb5.conf files. "" is the fully qualified hostname of your active directory server.
mkkrb5clnt -c -r DOMAIN.COM -s -d -D -t 365:0:0:0 -i files -K

Update "[libdefaults]" section in /etc/krb5/krb5.conf. Change these lines:
default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

... to this:
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc

In the "KRB5" section of the /etc/methods.cfg, make the change below. The Windows AD server is not "kadmin" compliant but, for who knows what reason, the default value placed into the /etc/methods.cfg by the mkkrb5clnt is not recognized.
change "is_kadmind_compat" to "kadmin"

Setup "Kerberos 5" as a valid authentication type for AIX to use:
hostname:/:$ lsauthent
Standard Aix
hostname:/:$ chauthent -k5 -std
hostname:/:$ lsauthent
Kerberos 5
Standard Aix

Change the authentication parameters for your local users to use KRB5files (Kerberos):
chuser registry=KRB5files SYSTEM=KRB5files localuser

If you want users to go back to local authentication, use this:
chuser registry=files SYSTEM=compat localuser

This seems too easy for as much time as I put into figuring it out.
These 3 Users Gave Thanks to kah00na For This Post:
# 2  
Good information. Thanks. is the uid, gid, gecos, home dir, shell, etc.. stored in AD also? For a regular user why would you want a local account also? Doesn't that defeat the purpose of centralizing authentication?
# 3  
These steps use Kerberos for only setup password authentication. This is not an LDAP connection, therefore, none of the user attributes are pulled from it. This solution is good for those that only want password centralization. If you want to use LDAP authentication, then the UIDs and GIDs have to match across systems, you have to involve the Windows administrators to get the AD server configured for your users, and various other tasks have to be performed. This method allows you, as the AIX admin, to be able to have your users authenticate their password from the AD with minimal effort and gets you out of the "I can't remember my password" game. Also, since you are only installing software and adding a second authentication method, there is no down time and you an switch users back and forth between local and AD authentication with only one command.
These 2 Users Gave Thanks to kah00na For This Post:
# 4  
As a follow up to this post, if your Windows Admins apply "Microsoft Security Bulletin MS11-013 - Important", then you will need to change the default_tkt_enctypes and default_tgs_enctypes back to their default:
default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

I speak from experience.
Login or Register for Dates, Times and to Reply

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

Test Your Knowledge in Computers #656
Difficulty: Medium
Microsoft and IBM began developing OS/2 as an alternative to Unix.
True or False?

6 More Discussions You Might Find Interesting

1. AIX

Samba 3.6 on AIX 7.1 - Windows 10 Access to AIX file shares using Active Directory authentication

I am running AIX 7.1 and currently we have samba 3.6.25 installed on the server. As it stands some AIX folders are shared that can be accessed by certain Windows users. The problem is that since Windows 10 the guest feature no longer works so users have to manually type in their Windows login/pwd... (14 Replies)
Discussion started by: linuxsnake
14 Replies

2. AIX

AIX 7.1 - Samba 4 File Shares and Integration with Active Directory Issues

Hi. Ive recently upgraded Samba on an AIX server to Samba 4. The aim is to allow a specific group of Windows AD users to access some AIX file shares (with no requirement to enter passwords) - using AD to authenticate. Currently I have: Samba 4 installed ( and 3 daemons running) Installed... (1 Reply)
Discussion started by: linuxsnake
1 Replies

3. UNIX for Advanced & Expert Users

Windows AD users authenticate to Linux

Hello folks, Please advise me what is the best way to authenticate Windows AD users against Linux machines. Currently I am going to take a look of Vintela Authentication Services and please let me know if you have experience with VIntela. Thanks in advance (1 Reply)
Discussion started by: Vit0_Corleone
1 Replies

4. Proxy Server

Solaris 11.1 login authenticate with windows active directory

Hi, is that possible to login to solaris 11.1 authenticate with windows active directory? the user id is created in the windows active directory. Environment: Solaris 11.1 Windows 2012 Active Directory (3 Replies)
Discussion started by: freshmeat
3 Replies

5. UNIX for Dummies Questions & Answers

control permissions for Active Directory users on AIX

Hello, I've configured an user authentication against Active Directory (Windows Server 2008 R2) on AIX V6 with LDAP. It works fine. And here's my problem: How can I control ldap user permissions on the local AIX machine? E.g. an AD user should be able to write all files of local sys... (1 Reply)
Discussion started by: xia777
1 Replies

6. UNIX for Advanced & Expert Users

Compiling Samba from Source on AIX, Active Directory, LDAP, Kerberos

Hello, I asked this question in the AIX subforum but never received an answer, probably because the AIX forum is not that heavily trafficked. Anyway, here it is.. I have never had any issues like this when compiling applications from source. When I try to compile samba-3.5.0pre2, configure runs... (9 Replies)
Discussion started by: raidzero
9 Replies

Featured Tech Videos