How to set up AIX 7.1 to authenticate against Windows Active Directory
Setup for AIX 7.1 to authenticate against Active Directory.
Make sure the correct filesets are installed:
tstsvaap004:/>lslpp -l | grep krb
krb5.client.rte 1.5.0.2 COMMITTED Network Authentication Service
krb5.client.samples 1.5.0.2 COMMITTED Network Authentication Service
krb5.doc.en_US.html 1.5.0.2 COMMITTED Network Auth Service HTML
krb5.doc.en_US.pdf 1.5.0.2 COMMITTED Network Auth Service PDF
krb5.lic 1.5.0.2 COMMITTED Network Authentication Service
krb5.msg.en_US.client.rte 1.5.0.2 COMMITTED Network Auth Service Client
krb5.client.rte 1.5.0.2 COMMITTED Network Authentication Service
Generate the default Kerberos configuration.
tstsvaap004:/>mkkrb5clnt -c tstdc1.example.co.uk -r EXAMPLE.CO.UK -s tstdc1.example.co.uk -d example.co.uk -D -i files -K
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type
Creating /etc/krb5/krb5.conf
The command mkkrb5clnt completed successfully.
Adapt the default /etc/krb5/krb5.conf
Replace or update the content of /etc/krb5/krb5.conf with the following:
[libdefaults]
    default_realm = EXAMPLE.CO.UK
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
    default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
    default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
[realms]
    EXAMPLE.CO.UK = {
        kdc = tstdc1.example.co.uk:88
        kdc = tstdc2.example.co.uk:88
        kdc = tstdc3.example.co.uk:88
        kdc = tstdc4.example.co.uk:88
        admin_server = tstdc1.example.co.uk:749
        default_domain = example.co.uk
    }
[domain_realm]
    .example.co.uk = EXAMPLE.CO.UK
    tstdc1.example.co.uk = EXAMPLE.CO.UK
[logging]
    kdc = FILE:/var/krb5/log/krb5kdc.log
    admin_server = FILE:/var/krb5/log/kadmin.log
    kadmin_local = FILE:/var/krb5/log/kadmin_local.log
    default = FILE:/var/krb5/log/krb5lib.log
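The enctype lists above still offer single DES, 3DES and RC4 next to AES. The following is an added example, not part of the original procedure: a small audit that lists the deprecated enctypes in a krb5.conf and prints AES-only replacement lines. The function names are hypothetical, and the AES-only lines assume the Active Directory accounts and domain controllers can issue AES tickets.

```shell
#!/bin/sh
# Added example (not from the original page): audit the enctype lists in a
# krb5.conf. Single DES is deprecated by RFC 6649; 3DES and RC4 (arcfour)
# by RFC 8429. Function names here are hypothetical.

# Prefixes of deprecated enctype names (rc4- is an alias spelling of arcfour-).
WEAK_RE='^(des|des3|arcfour|rc4)-'

# Print "<setting> <enctype>" for each deprecated enctype configured in
# default_tkt_enctypes / default_tgs_enctypes. Reads file arguments or stdin.
weak_enctypes() {
    awk -F= -v weak="$WEAK_RE" '
        /^[ \t]*default_(tkt|tgs)_enctypes[ \t]*=/ {
            key = $1; gsub(/[ \t]/, "", key)
            n = split($2, e, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (e[i] ~ weak) print key, e[i]
        }' "$@"
}

# Print the same settings with deprecated enctypes dropped, order preserved.
# Assumption: the AD accounts and domain controllers can issue AES tickets.
strict_enctypes() {
    awk -F= -v weak="$WEAK_RE" '
        /^[ \t]*default_(tkt|tgs)_enctypes[ \t]*=/ {
            key = $1; gsub(/[ \t]/, "", key)
            n = split($2, e, /[ \t,]+/); keep = ""
            for (i = 1; i <= n; i++)
                if (e[i] != "" && e[i] !~ weak) keep = keep " " e[i]
            print key " =" keep
        }' "$@"
}

# The two enctype lines from the krb5.conf on this page.
sample_conf() {
    cat <<'EOF'
[libdefaults]
default_realm = EXAMPLE.CO.UK
default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
EOF
}

sample_conf | weak_enctypes      # lists the DES, 3DES and RC4 entries
sample_conf | strict_enctypes    # AES-only replacement lines
```

On a live system, run weak_enctypes /etc/krb5/krb5.conf and confirm with kinit that logins still succeed before removing any enctype.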
Adapt the default /etc/methods.cfg
Update the contents of /etc/methods.cfg to include:
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,kadmind=no

KRB5files:
        options = db=BUILTIN,auth=KRB5
Check the current authentication providers
tstsvaap004:/etc>lsauthent
Standard Aix
Add Kerberos support
tstsvaap004:/etc>chauthent -k5 -std
tstsvaap004:/etc>lsauthent
Kerberos 5
Standard Aix
Update existing user accounts to use Kerberos authentication
e.g. chuser registry=KRB5files SYSTEM=KRB5files existusr
Set up a new UNIX user to use Kerberos authentication
e.g. mkuser registry=KRB5files SYSTEM=KRB5files newusr