How to use AD accounts in AIX?


 
# 1  
Old 04-28-2015
How to use AD accounts in AIX?

Hello,

I've searched online (IBM and other sites), but did not get a clear answer or steps.

My Requirement: use existing active directory accounts to login to AIX servers

Can you please give me some information on how to achieve this? How does this Active Directory and AIX server integration work?

What are the steps/procedure I need to follow to complete this?

Thanks,
Aaaron

# 2  
Old 04-28-2015
# 3  
Old 04-29-2015
Aaaron,

It depends on what you understand by "integration". Do you need only authentication (passwords/users are the same in MSAD/AIX)? Do you need Single Sign-On (users are authenticated on AIX without a password using their MSAD credentials)? Do you need automatic user replication from MSAD to AIX? Do you need MSAD groups and roles on AIX? Where do you want to store AIX-specific attributes, such as home directory, shell, etc.: in MSAD or on AIX? There are many questions to be answered first before the "integration". The way you go depends on these answers.
# 4  
Old 04-29-2015
Thanks for your replies, blackrageous & agent.kgb.

I would like to store AIX-specific attributes (home directory, shell, etc.) in AIX only.
But the users should be able to authenticate using their MSAD password.

They should be able to reset the password on their own (just like for their workstations).

I just want to avoid user administration (like creating/resetting users, etc.) from the AIX side. But I (the AIX admin) should be able to control access (not all AD users can log in).


Do we need to create an AD group (and attach the users that need access) and integrate it with AIX?

Please let me know how this works, and which approach is better for my scenario.

Thanks much for your time.
# 5  
Old 04-29-2015
Quote:
Originally Posted by aaron8667
I would like to store AIX-specific attributes (home directory, shell, etc.) in AIX only.
But the users should be able to authenticate using their MSAD password.
To me it means that you plan to use Kerberos authentication, but not the LDAP features of MSAD. At least you don't want to change the MSAD schema, and that is good.

Quote:
Originally Posted by aaron8667
They should be able to reset the password on their own (just like for their workstations).
I don't know a solution for password resetting in an MSAD domain. AFAIK it is only possible from a Windows workstation.

Quote:
Originally Posted by aaron8667
I just want to avoid user administration (like creating/resetting users, etc.) from the AIX side. But I (the AIX admin) should be able to control access (not all AD users can log in).
Do we need to create an AD group (and attach the users that need access) and integrate it with AIX?
If you want to control access to your boxes, you have to define somehow which users are allowed to access them. The easiest way IMO is to define (create) users on AIX which are authenticated in the MSAD domain using Kerberos. If you don't want to create users on AIX, you move the responsibility somewhere else. E.g. you can create an MSAD group "AIX-Users" and bind the LDAP client on the AIX side to this group. Then all users who belong to this group automatically receive access to your AIX box. You don't control access to AIX anymore; your helpdesk or Windows administrator does. But at the same time the next problem arises: if you use LDAP, you have to store AIX user attributes in LDAP. In this case you may need to modify the MSAD schema, and that is bad. Almost all Windows administrators known to me are against it, and they have good reasons for it. Or you may need to install a "proxy" LDAP server with AIX attributes, but then you have to replicate users from MSAD to the LDAP server. Not every enterprise allows that.


Quote:
Originally Posted by aaron8667
Please let me know how this works, and which approach is better for my scenario.
IMHO the easiest way to start is to configure the Kerberos client on AIX. You need the AIX Expansion Pack or the AIX Web Download Pack; I think the Kerberos client is in both packs. Next you have to install the krb5.client.rte fileset:
Code:
installp -acgXYd /path/to/expansion/pack krb5.client.rte

and configure Kerberos, something like:

Code:
$ cat /etc/krb5.conf
[libdefaults]
        default_realm = <YOUR_MSAD_DOMAIN_IN_BIG_LETTERS>
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc

[realms]
        <YOUR_MSAD_DOMAIN_IN_BIG_LETTERS> = {
                kdc = <your_active_directory_controller>:88
                # admin_server doesn't work in an MS environment though ;-)
                admin_server = <your_active_directory_controller>:749
                default_domain = <your_msad_domain_in_small_letters>
        }

[domain_realm]
        .<your-dns-domain> = <YOUR_MSAD_DOMAIN_IN_BIG_LETTERS>

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        default = FILE:/var/krb5/log/krb5lib.log

You have to check the file /usr/lib/security/methods.cfg; it should contain something like:

Code:
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,tgt_verify=no,kadmind=no,is_kadmind_compat=no

KRB5files:
        options = db=BUILTIN,auth=KRB5

Then you can create a user on AIX with the standard mkuser command. The user name should be the same as in MSAD, and it should have 2 special attributes: registry=KRB5files SYSTEM=KRB5files

After this the user should be able to log in on AIX with his/her MSAD password.

Some notes:
1. I personally did MSAD-AIX integration for many clients, but what I write here is written off the top of my head and was not tested. It may work, but there is no warranty.
2. It is just a quick and dirty fix to start the integration; it requires more work and thought to make everything right.
3. It is very difficult to troubleshoot problems between AIX and MSAD. If it works, everything is fine. If it doesn't, you can spend a lot of time troubleshooting an easy problem.
4. Don't forget: we have very few AIX versions, but they have a lot of Windows versions, and they change the rules from time to time. It makes life funnier.
# 6  
Old 04-29-2015
Thank you for your time. I actually tried setting it up in a similar manner after I found some post on unix.com,

but for some reason it did not work. Maybe I missed something. Please see the error below.

Code:
[root@aixlpar]/home/root>/usr/krb5/bin/kinit user7@domain.com
Unable to obtain initial credentials.
        Status 0x96c73a44 - KRB5 error code 68.


Code:
[root@aixlpar]/home/root>/usr/krb5/bin/klist
Unable to get cache name (ticket cache: /var/krb5/security/creds/krb5cc_0).
        Status 0x96c73ac3 - No credentials cache found.


I will look into it again. And I've looked at the above link (IBM). Not yet started.
It has information about integrating Active Directory with Kerberos & LDAP as well.

I would like to go with the Kerberos option for now. As this is a test server, I would like to test this out now.

Please let me know if you have any suggestions.

---------- Post updated at 15:00 ---------- Previous update was at 14:55 ----------

Adding info from my test server:

Code:
[root@aixlpar]/home/root>cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = domain.com
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

[realms]
        DOMAIN.COM = {
                kdc = msadserver.domain.com:88
                admin_server = msadserver.domain.com:749
                default_domain = domain.com
        }

[domain_realm]
        .domain.com = DOMAIN.COM
        msadserver.domain.com = DOMAIN.COM

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log

Code:
/usr/lib/security/methods.cfg

KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly,tgt_verify=no,kadmind=no,is_kadmind_compat=no

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A
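
Kerberos realm names are case-sensitive (a KDC treats domain.com and DOMAIN.COM as different realms), and KRB5 error code 68 is KDC_ERR_WRONG_REALM in RFC 4120, so a sanity check of krb5.conf before the first kinit saves troubleshooting time. The POSIX shell script below is an added example, not code from this thread: it writes a constructed krb5.conf in the layout shown above, checks that default_realm is upper-case and has an exact-case entry in [realms], and flags the single-DES/RC4 enctypes. All hostnames and realm names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a krb5.conf written for an
# MSAD realm. Realm names are case-sensitive; DES/RC4 enctypes are weak.
# Every name below is a constructed placeholder.

# Write a constructed sample krb5.conf to $1 with default_realm set to $2.
write_sample() {
    cat > "$1" <<EOF
[libdefaults]
        default_realm = $2
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5
[realms]
        EXAMPLE.COM = {
                kdc = dc1.example.com:88
                default_domain = example.com
        }
[domain_realm]
        .example.com = EXAMPLE.COM
EOF
}

# Report findings for the krb5.conf at $1; return 0 if clean, 1 on any FAIL.
check_krb5_conf() {
    conf="$1"; rc=0
    default_realm=$(awk '/^\[/ { sect=$0; next }
        sect=="[libdefaults]" && $1=="default_realm" { print $3; exit }' "$conf")
    realms=$(awk '/^\[/ { sect=$0; next }
        sect=="[realms]" && $2=="=" && $3=="{" { print $1 }' "$conf")
    if [ -z "$default_realm" ]; then
        echo "FAIL: no default_realm in [libdefaults]"; rc=1
    else
        upper=$(printf '%s' "$default_realm" | tr '[:lower:]' '[:upper:]')
        if [ "$default_realm" != "$upper" ]; then
            echo "FAIL: default_realm '$default_realm' is not upper-case"; rc=1
        fi
        found=0
        for r in $realms; do
            [ "$r" = "$default_realm" ] && found=1
        done
        if [ "$found" -ne 1 ]; then
            echo "FAIL: no [realms] entry matches '$default_realm' exactly"; rc=1
        fi
    fi
    # Single DES and RC4 in the enctype lists are weak; AD supports AES.
    if grep -Eq '^[[:space:]]*default_(tkt|tgs)_enctypes.*(des-cbc|arcfour)' "$conf"; then
        echo "WARN: weak DES/RC4 enctypes listed; prefer aes256-cts aes128-cts only"
    fi
    return $rc
}
```

Run it as `write_sample /tmp/krb5.conf example.com; check_krb5_conf /tmp/krb5.conf` to see the case mismatch reported, or point check_krb5_conf at the real /etc/krb5/krb5.conf.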

# 7  
Old 04-30-2015
You will need to create an AD user for that AIX machine.

Log in initially with it to Windows (on any Windows machine in the domain) and change the password; no need to load the desktop.

Once you have the user operational, configure the user so it cannot change the password and the password never expires.

Then generate a Kerberos keytab on the domain controller (host keytab, not HTTP) with ktpass for that user (representing your server), which you will copy as krb5.keytab to your AIX server.
Check NTP; AD and the server should be in sync, or Kerberos will fail to work.

Now you should be able to do kinit user@DOMAIN to get a ticket and confirm it is working.

After that SSO should work (with PuTTY or WinSCP) if the user is defined on the Unix system and he is logged on to the Windows domain.

I haven't worked with AIX in this regard, but this seems universal on all Unix/Linux systems.