Setup for AIX 7.1 to authenticate against Active Directory.

Make sure the correct filesets are installed:

tstsvaap004:/>lslpp -l | grep krb

krb5.client.rte    COMMITTED  Network Authentication Service

krb5.client.samples  COMMITTED  Network Authentication Service

krb5.doc.en_US.html  COMMITTED  Network Auth Service HTML

krb5.doc.en_US.pdf  COMMITTED  Network Auth Service PDF

krb5.lic           COMMITTED  Network Authentication Service

krb5.msg.en_US.client.rte  COMMITTED  Network Auth Service Client

krb5.client.rte    COMMITTED  Network Authentication Service


Generate the default Kerberos configuration.


tstsvaap004:/>mkkrb5clnt -c -r EXAMPLE.CO.UK -s -d -D -i files -K

Initializing configuration...

Creating /etc/krb5/krb5_cfg_type

Creating /etc/krb5/krb5.conf

The command mkkrb5clnt completed successfully.


Adapt the default /etc/krb5/krb5.conf

Replace/Update the content of /etc/krb5/krb5.conf with the following content:

    [libdefaults]
        default_realm = EXAMPLE.CO.UK
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

    [realms]
        EXAMPLE.CO.UK = {
            kdc =
            kdc =
            kdc =
            kdc =
            admin_server =
            default_domain =
        }

    [domain_realm]
        EXAMPLE.CO.UK = EXAMPLE.CO.UK

    [logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log
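
An added example, not part of the original page: a shell check that lists the deprecated enctypes (single DES, 3DES, RC4) offered by the default_tkt_enctypes and default_tgs_enctypes lines of a krb5.conf such as the one above. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list deprecated enctypes
# offered by a krb5.conf. Single DES is deprecated by RFC 6649; 3DES and
# RC4 (arcfour-hmac) by RFC 8429.

# Print "<setting> <enctype> <family>" for each deprecated entry in the
# default_tkt_enctypes / default_tgs_enctypes lines of the file in $1.
weak_enctypes() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        /^[ \t]*default_(tkt|tgs)_enctypes[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            n = split(val, e, /[ \t,]+/)          # space- or comma-separated
            for (i = 1; i <= n; i++) {
                if (e[i] ~ /^des3/) fam = "3DES"
                else if (e[i] ~ /^des/) fam = "DES"
                else if (e[i] ~ /^(arcfour|rc4)/) fam = "RC4"
                else continue                     # AES and anything else
                print key, e[i], fam
            }
        }' "$1"
}

# Exit status 0 when no deprecated enctype is offered, 1 otherwise.
enctypes_ok() {
    [ -z "$(weak_enctypes "$1")" ]
}

# Constructed sample holding the two enctype lines from the krb5.conf above.
sample=${TMPDIR:-/tmp}/krb5.conf.sample.$$
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.CO.UK
    default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
    default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
EOF

weak_enctypes "$sample"    # reports four entries per setting
rm -f "$sample"
```

Before removing a flagged entry from the two lists, confirm that the Active Directory accounts involved can use the AES enctypes, otherwise authentication fails.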


Adapt the default /etc/methods.cfg


Update the contents of /etc/methods.cfg to include:

    KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,kadmind=no

    KRB5files:
        options = db=BUILTIN,auth=KRB5


Check the current authentication providers



Standard Aix


Add in Kerberos Support


tstsvaap004:/etc>chauthent -k5 -std


Kerberos 5

Standard Aix



Update current user accounts to use Kerberos authentication


e.g. chuser registry=KRB5files SYSTEM=KRB5files existusr


Set up a new UNIX user to use Kerberos authentication


e.g. mkuser registry=KRB5files SYSTEM=KRB5files newusr