IBM AIX and Microsoft Active Directory integration with Kerberos and LDAP

Using the KRB5LDAP compound load module

The KRB5LDAP compound load module in IBM® AIX® allows user information to be pulled from Microsoft® Active Directory (AD) using Lightweight Directory Access Protocol (LDAP) and authentication against AD using Kerberos. This article explains the necessary steps to configure KRB5LDAP.


Jeff Geiger (jeff@jeffgeiger.com), System Administrator, Nebraska Book Company and Firespring

Jeff has been a UNIX/Linux system administrator for 16 years in both the private and public sectors. He enjoys integrating UNIX and Linux into existing Microsoft Windows enterprise environments and evangelizing open-source solutions.



11 July 2013


Why Kerberos and LDAP

LDAP works well for storing and retrieving user attributes for AIX users, but using LDAP for the authentication piece still requires the user to have an AIX password and an AD password. Kerberos allows AIX to authenticate the user against the user's Microsoft Windows® password, using native AD protocols.


Active Directory attributes used

The following AD attributes can be used by AIX to get information about users.

Table 1. AIX user attributes

  AD attribute       Usage in AIX
  ------------       ------------
  uid                AIX user name
  uidNumber          AIX user ID
  gecos              Description field
  unixHomeDirectory  AIX home directory
  loginShell         Default shell
  gidNumber          Primary group ID (must match an existing UNIX-enabled group)

The following AD attributes can be used by AIX to get information about groups.

Table 2. AIX group attributes

  AD attribute  Usage in AIX
  ------------  ------------
  cn            AIX group name
  gidNumber     AIX group ID
  memberUID     AIX group members

Before you begin - prerequisites

The following items need to be configured before you begin the process.

  • Domain Name System (DNS) records (A and PTR) for your AIX hosts in your Windows DNS server.
  • Computer object matching the AIX host name in Active Directory.
  • An organizational unit (OU) that contains AIX objects.
  • At least one UNIX-enabled user in the target OU.
  • A service account in AD that can be used for LDAP binds to AD.
    • The service account should have full read rights on any OU that will have UNIX-enabled users.
  • Ensure that the hostname command returns the fully qualified domain name (FQDN) of the AIX server.
    • /etc/hosts entry for host should be {IP} {FQDN} {Short Name}
  • Ensure that the AIX host is using the domain controllers for DNS.
  • Configure Network Time Protocol (NTP) on the AIX server. (Kerberos fails if the clock is more than 5 minutes off.)
  • Configure syslog or verify that it is working as expected.
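The host name, /etc/hosts and clock items in the list above are the ones that fail silently later (at the kinit -k step), so it is worth checking them up front. The following pre-flight script is an added example and not part of the article; the function names are my own, the /etc/hosts line and the epoch timestamps in the demonstration are constructed, and each function takes its input as arguments so it can be pointed at live values (hostname, /etc/hosts, the output of date on the AIX host and on a domain controller) as well.

```shell
#!/bin/sh
# Added example, not part of the article: pre-flight checks for the host-name,
# /etc/hosts and clock prerequisites. Function names are my own; the values in
# the demonstration at the bottom are constructed from the article's example host.

# hostname_is_fqdn NAME DOMAIN -> 0 if NAME is "<short>.<DOMAIN>"
hostname_is_fqdn() {
    case "$1" in
        *.*) [ "${1#*.}" = "$2" ] ;;
        *)   return 1 ;;
    esac
}

# hosts_line_ok LINE FQDN -> 0 if LINE reads "{IP} {FQDN} {Short Name}" in that
# order, which is what the article requires for the AIX host's /etc/hosts entry
hosts_line_ok() {
    fqdn=$2
    short=${fqdn%%.*}
    set -- $1                       # split the line into its fields
    [ $# -ge 3 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    [ "$2" = "$fqdn" ] && [ "$3" = "$short" ]
}

# clock_skew_ok LOCAL_EPOCH DC_EPOCH [MAX_SECONDS] -> 0 if the two clocks are
# within MAX_SECONDS of each other (default 300, the 5-minute Kerberos limit)
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( -skew ))
    [ "$skew" -le "${3:-300}" ]
}

# preflight_report HOST DOMAIN HOSTS_LINE -> prints one verdict per check
preflight_report() {
    host=$1 domain=$2 hostsline=$3
    if hostname_is_fqdn "$host" "$domain"; then
        echo "hostname '$host' is an FQDN in $domain"
    else
        echo "hostname '$host' is NOT an FQDN in $domain"
    fi
    if hosts_line_ok "$hostsline" "$host"; then
        echo "/etc/hosts entry has the {IP} {FQDN} {Short Name} layout"
    else
        echo "/etc/hosts entry is NOT in {IP} {FQDN} {Short Name} order"
    fi
}

# Stand-alone demonstration on constructed values (the article's aix1 host)
preflight_report aix1.test.local test.local "10.20.0.20 aix1.test.local aix1"
if clock_skew_ok 1359144648 1359144900; then
    echo "clock skew within the Kerberos limit"
fi
```

On a live host, feed the functions `"$(hostname)"`, the matching line from `grep "$(hostname)" /etc/hosts`, and the epoch seconds reported by the AIX host and a domain controller; a PTR record that does not match the FQDN is the other common cause of the DNS errors mentioned later and is not covered by this script.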

The example environment

This example scenario was tested using AIX 6.1 TL 6 and TL 8, and AIX 7.1 TL 1, with Active Directory on Windows Server 2008 R2 domain controllers running at the 2003 functional level. It is important to note that the domain controllers must be Windows Server 2003 R2 or later in order to include the UNIX® LDAP attributes out of the box. If you have Server 2003 domain controllers, the LDAP schema can be extended to include the UNIX attributes using the Microsoft Windows Services for UNIX add-on. (This article does not address that scenario.)

Table 3. Servers

  Purpose            Name             IP address
  -------            ----             ----------
  Domain controller  pdc1.test.local  10.0.0.5
  AIX server         aix1.test.local  10.20.0.20

Table 4. Objects created in AD

  Purpose          Name        Distinguished name
  -------          ----        ------------------
  OU               AIX         OU=AIX,DC=TEST,DC=LOCAL
  Service account  aixservice  CN=AIX Service,OU=Service Accounts,DC=TEST,DC=LOCAL
  UNIX user        aixtest     CN=AIX Test,OU=AIX,DC=TEST,DC=LOCAL
  Group            AIXUsers    CN=AIXUsers,OU=AIX,DC=TEST,DC=LOCAL

Install and configure LDAP

Install the following LDAP client file sets:

  • idsldap.clt32bit61.rte.6.1.0.40.bff
  • idsldap.clt64bit61.rte.6.1.0.40.bff
  • idsldap.cltbase61.rte.6.1.0.40.bff
  • idsldap.cltjava61.rte.6.1.0.40.bff
  • idsldap.msg61.en_US.6.1.0.40.bff

Verify the installation using the following command:

lslpp -L | grep ldap

Example output

    idsldap.clt32bit61.rte 6.1.0.40 C F Directory Server - 32 bit
    idsldap.clt64bit61.rte 6.1.0.40 C F Directory Server - 64 bit
    idsldap.cltbase61.adt 6.1.0.40 C F Directory Server - Base Client
    idsldap.cltbase61.rte 6.1.0.40 C F Directory Server - Base Client
    idsldap.cltjava61.rte 6.1.0.40 C F Directory Server - Java Client
    idsldap.msg61.en_US 6.1.0.40 C F Directory Server - Messages -

Check that the LDAP utilities were installed:

ls -l /opt/IBM/ldap/V6.1/

Example output

    total 64
    drwxr-xr-x 4 root system 4096 Jan 25 13:26 bin
    drwxr-xr-x 2 root system 8192 Apr 08 2011 codeset
    drwxr-xr-x 2 root system 256 Jan 25 13:26 etc
    drwxr-xr-x 3 root system 4096 Apr 08 2011 examples
    drwxr-xr-x 2 root system 4096 Apr 08 2011 include
    drwxr-xr-x 8 bin bin 4096 Jan 25 13:25 java
    drwxr-xr-x 2 bin bin 256 Apr 08 2011 javalib
    drwxr-xr-x 2 root system 4096 Jan 25 13:26 lib
    drwxr-xr-x 2 root system 4096 Jan 25 13:26 lib64
    drwxr-xr-x 3 root system 256 Apr 08 2011 nls

Test the LDAP client:

/opt/IBM/ldap/V6.1/bin/ldapsearch -h pdc1.test.local -D aixservice@test.local -w \? \
    -b DC=test,DC=local -v sAMAccountName=aixtest

Where:

  • pdc1.test.local is the host name (or IP address) of the domain controller.
  • aixservice@test.local is the name and realm (domain) of your AD service account.
  • -w \? prompts for the password.
  • DC=test,DC=local is the base distinguished name where your search begins.
  • sAMAccountName=aixtest is the search filter. sAMAccountName was chosen for simplicity.

Example output

Enter password ==>
ldap_init(pdc1.test.local, 389)
filter pattern: sAMAccountName=aixtest
returning: ALL
filter is: (sAMAccountName=aixtest)
CN=AIX TEST,OU=AIX,DC=test,DC=local
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=user
cn=AIX TEST
sn=TEST
description=User to Test AIX LDAP Integration
givenName=AIX
distinguishedName=CN=AIX TEST,OU=AIX,DC=test,DC=local
instanceType=4
whenCreated=20130124211358.0Z
whenChanged=20130125174941.0Z
displayName=AIX TEST
uSNCreated=24337388
uSNChanged=24435474
name=AIX TEST
objectGUID=NOT ASCII
userAccountControl=4194816
codePage=0
countryCode=0
lastLogon=130036097814205000
pwdLastSet=130035356383925796
primaryGroupID=513
objectSid=NOT ASCII
accountExpires=130061592000000000
logonCount=1
sAMAccountName=aixtest
sAMAccountType=805306368
userPrincipalName=aixtest@test.local
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=test,DC=local
dSCorePropagationData=16010101000000.0Z
lastLogonTimestamp=130036097814205000
msDS-SupportedEncryptionTypes=0
uid=aixtest
manager=CN=Jeff Geiger,OU=IT,DC=test,DC=local
uidNumber=50001
gidNumber=10001
gecos=AIX Test User
unixHomeDirectory=/home/aixtest
loginShell=/usr/bin/ksh
1 matches

Testing the LDAP client with LDAP search serves several purposes:

  • It checks to make sure that the LDAP utilities and libraries are installed correctly.
  • It verifies that the options you will be using when configuring LDAP are correct.

Configure the AIX LDAP client:

mksecldap -c -h pdc1.test.local -a "CN=AIX Service,OU=Service Accounts,DC=TEST,DC=LOCAL" \
    -d OU=AIX,DC=test,DC=local -p examplePassword

Where:

  • pdc1.test.local is the hostname of a domain controller.
  • CN=AIX Service,OU=Service Accounts,DC=TEST,DC=LOCAL is the distinguished name of the service account.
  • OU=AIX,DC=test,DC=local is the distinguished name of the OU where your AIX objects reside in AD.
  • examplePassword is the password for the service account. mksecldap may encrypt the password in the configuration file.

NOTE: It was encrypted on 6.1 TL8, but not on 6.1 TL6.

This command does not produce output when it completes successfully.

Verify the ldap.cfg file by grepping for the uncommented lines:

grep '^[a-z]' /etc/security/ldap/ldap.cfg

Example output

ldapservers:pdc1.test.local
binddn:CN=AIX Service,OU=Service Accounts,DC=test,DC=local
bindpwd:examplePassword
authtype:unix_auth
useSSL:no
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
userbasedn:OU=AIX,DC=test,DC=local
groupbasedn:OU=AIX,DC=test,DC=local
userclasses:user,person,organizationalperson
groupclasses:group
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:sfur2

Edit the file to add additional LDAP servers and to check the base distinguished names (DNs) and cache sizes. I recommend having at least two LDAP servers on a network geographically local to your AIX host, to avoid latency and to provide failover.


Edit /etc/security/ldap/ldap.cfg and make sure that the following settings are correct:

  • userattrmappath:/etc/security/ldap/sfur2user.map
  • groupattrmappath:/etc/security/ldap/sfur2group.map
  • serverschematype:sfur2


Windows Server 2008 R2 Active Directory already contains the R2 UNIX attributes without installing the Microsoft Windows Services for UNIX package. The sfur2 mappings are best suited to this environment.


Note: On 6.1TL8, I had to change the mappings from sfu30 to sfur2; on TL6, I did not.
See the example ldap.cfg in the Example configuration files at the end of the article.
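Because the bind password may or may not end up encrypted (see the note above), and because the sfur2 mapping lines are easy to get wrong on one TL and not another, it helps to audit the active lines of ldap.cfg mechanically rather than by eye. The following script is an added example and not part of the article or of AIX: ldap_cfg_get and audit_ldap_cfg are my own names, and the two sample configurations it writes are constructed (the {DESv2} value in the hardened sample is a placeholder, not a real encrypted password). It flags a cleartext bindpwd, useSSL:no (the article's own setting; with it, the service-account password crosses the network unprotected on every bind, and enabling SSL is outside the article's scope), any mapping that is not sfur2, and a single-server ldapservers line.

```shell
#!/bin/sh
# Added example, not part of the article or of AIX: audit the uncommented
# settings of an ldap.cfg for the points this section makes. Function names
# and both sample configurations are constructed for this example.

# sample_ldap_cfg weak|hardened -> prints a constructed ldap.cfg
sample_ldap_cfg() {
    if [ "$1" = "weak" ]; then
        cat <<'EOF'
# comment lines are ignored by the audit
ldapservers:pdc1.test.local
binddn:CN=AIX Service,OU=Service Accounts,DC=test,DC=local
bindpwd:examplePassword
authtype:unix_auth
useSSL:no
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
serverschematype:sfur2
EOF
    else
        cat <<'EOF'
ldapservers:pdc1.test.local,pdc2.test.local
binddn:CN=AIX Service,OU=Service Accounts,DC=test,DC=local
bindpwd:{DESv2}PLACEHOLDER_ENCRYPTED_VALUE
authtype:unix_auth
useSSL:yes
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
serverschematype:sfur2
EOF
    fi
}

# ldap_cfg_get FILE KEY -> value of the first uncommented "KEY:value" line
ldap_cfg_get() {
    awk -F: -v k="$2" '
        /^[ \t]*#/ { next }
        $1 == k { sub(/^[^:]*:/, ""); print; exit }
    ' "$1"
}

# audit_ldap_cfg FILE -> prints one finding per line (prints nothing when clean)
audit_ldap_cfg() {
    cfg=$1
    case "$(ldap_cfg_get "$cfg" bindpwd)" in
        "{DESv2}"*) ;;                  # mksecldap stored the bind password encrypted
        "")  echo "bindpwd: not set" ;;
        *)   echo "bindpwd: stored in cleartext" ;;
    esac
    [ "$(ldap_cfg_get "$cfg" useSSL)" = "yes" ] ||
        echo "useSSL: no; the bind password and user data cross the network unencrypted"
    for key in userattrmappath groupattrmappath serverschematype; do
        case "$(ldap_cfg_get "$cfg" "$key")" in
            *sfur2*) ;;
            *) echo "$key: not an sfur2 mapping" ;;
        esac
    done
    n=$(ldap_cfg_get "$cfg" ldapservers | awk -F, 'NF { c = NF } END { print c + 0 }')
    [ "$n" -ge 2 ] || echo "ldapservers: only $n server listed; no failover"
    return 0
}

# Stand-alone demonstration: audit the weak sample, then the hardened one
f=${TMPDIR:-/tmp}/ldap_cfg_audit.$$
for v in weak hardened; do
    sample_ldap_cfg "$v" > "$f"
    echo "== $v sample =="
    audit_ldap_cfg "$f"
done
rm -f "$f"
```

Run it against the real file with `audit_ldap_cfg /etc/security/ldap/ldap.cfg`; an empty result means every point in this section is satisfied.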

In some cases, a user's AIX user name (AD uid) might not match their sAMAccountName in AD. If this is the case, add the following line to /etc/security/ldap/sfur2user.map so that those users can still change their password using Kerberos.

auth_name  SEC_CHAR  sAMAccountName  s  na   yes

Start LDAP client services:

restart-secldapclntd

Example output

The secldapclntd daemon terminated successfully.
Starting the secldapclntd daemon.
The secldapclntd daemon started successfully.

Verify that LDAP client services are running:

ls-secldapclntd

Example output

ldapservers=pdc1.test.local
ldapport=389
active connections=1
ldapversion=3
userbasedn=OU=AIX,DC=test,DC=local
groupbasedn=OU=AIX,DC=test,DC=local
idbasedn=
usercachesize=1000
usercacheused=1
groupcachesize=100
groupcacheused=2
usercachetimeout=300
groupcachetimeout=300
heartbeatT=300
numberofthread=10
connectionsperserver=10
alwaysmaster=no
authtype=UNIX_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=SFUR2
userobjectclass=user,person,organizationalperson
groupobjectclass=group

Test the LDAP resolution:

lsuser -R LDAP ALL

Output should return the user you created with UNIX attributes.

Example output

aixtest id=50001 pgrp=AIXLDAP groups=AIXLDAP home=/home/aixtest shell=/usr/bin/ksh 
gecos=AIX Test User login=true su=true rlogin=true daemon=true admin=false sugroups=ALL 
admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 
registry=LDAP SYSTEM=KRB5LDAP or compat logintimes= loginretries=0 pwdwarntime=0 
account_locked=false minage=0 maxage=0 
maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 
histsize=0 
pwdchecks= dictionlist= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 
nofiles=-1 time_last_login=1359144648 tty_last_login=/dev/pts/1 
host_last_login=pc42.test.local 
unsuccessful_login_count=0 roles=

Install and configure Kerberos

Verify that the Kerberos client is not already installed:

lslpp -l | grep krb

If Kerberos is not installed, there should be no output.

Download the AIX Network Authentication Service (NAS) package (contains Kerberos) from the IBM AIX Web Download Pack Programs website.

Note: I used NAS version 1.5.0.4 for AIX 6.1 TL8 and AIX 7.1 and 1.5.0.2 for AIX 6.1 TL6.

Extract and install the NAS package:

# list the contents to verify a good download
tar tf NAS_1.5.0.x_aix_image.tar
# untar
tar xf NAS_1.5.0.x_aix_image.tar
# rename the folder to something more descriptive
mv images AIX_NAS

Install the following packages:

  • krb5.client.rte
  • krb5.client.samples
  • krb5.doc.en_US.html
  • krb5.doc.en_US.pdf
  • krb5.lic

Note: Selecting the client, doc, and lic packages in smit gives you the full set of packages to be installed.

Configure Kerberos:

mkkrb5clnt -c pdc1.test.local -r TEST.LOCAL -s pdc1.test.local -d TEST.LOCAL -i LDAP -D

Where:

  • pdc1.test.local is the FQDN of a domain controller (in two switches).
  • TEST.LOCAL is the realm name, the FQDN of the domain in all capitals (in two switches).
  • LDAP is the source for user registry information. This triggers the creation of the KRB5LDAP stanza in /etc/methods.cfg.

Example output

Initializing configuration...
Creating /etc/krb5/krb5_cfg_type
Creating /etc/krb5/krb5.conf
The command mkkrb5clnt completed successfully.

Edit the Kerberos configuration file:
Open the generated Kerberos configuration file (/etc/krb5/krb5.conf) and modify it as follows. You can use krb5.conf in the example configuration files (at the end of this article) as a template.

Key points:

  • Set both enctypes to arcfour-hmac.
  • Add the dns_lookup_kdc and dns_lookup_realm lines and set them to true.
  • Add additional kdc entries for domain controllers local to the AIX box. (Avoid WAN traversal.)
  • Add the master_kdc entry, pointing to your primary local domain controller.
  • Make sure that there are resolvers for the upper and lower case domain and dotted domain.
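The key points above can be verified mechanically once the file has been edited, which is useful because a missing lower-case domain_realm entry or a single kdc line only shows up later as an obscure kinit failure. The following script is an added example and not part of the article or of the Kerberos distribution: krb5_get, krb5_realm_get and check_krb5_conf are my own names, and the sample file it writes is constructed in the layout of the article's example krb5.conf. It checks both enctypes, the two dns_lookup settings, the number of kdc lines and the master_kdc entry for the default realm, and the upper-case, lower-case and dotted domain_realm entries.

```shell
#!/bin/sh
# Added example, not part of the article or of Kerberos: check a krb5.conf
# against the key points in this section. Function names and the sample file
# are constructed for this example.

# sample_krb5_conf -> prints a constructed krb5.conf in the article's layout
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
        default_realm = TEST.LOCAL
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = arcfour-hmac
        default_tgs_enctypes = arcfour-hmac
        dns_lookup_kdc = true
        dns_lookup_realm = true

[realms]
        TEST.LOCAL = {
                kdc = PDC1.TEST.LOCAL:88
                kdc = PDC2.TEST.LOCAL:88
                admin_server = PDC1.TEST.LOCAL:749
                master_kdc = PDC1.TEST.LOCAL
                default_domain = TEST.LOCAL
        }

[domain_realm]
        .TEST.LOCAL = TEST.LOCAL
        TEST.LOCAL = TEST.LOCAL
        test.local = TEST.LOCAL
        .test.local = TEST.LOCAL
EOF
}

# krb5_get FILE SECTION KEY -> values of "KEY = value" lines directly under
# [SECTION]; lines inside a { } stanza are skipped
krb5_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur); depth = 0; next }
        cur != sec { next }
        index($0, "{") { depth++; next }
        index($0, "}") { depth--; next }
        depth == 0 && $1 == key && $2 == "=" { print $3 }
    ' "$1"
}

# krb5_realm_get FILE REALM KEY -> values of KEY inside "REALM = { ... }" in [realms]
krb5_realm_get() {
    awk -v realm="$2" -v key="$3" '
        /^[ \t]*\[/ { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur); inr = 0; next }
        cur != "realms" { next }
        $1 == realm && $2 == "=" && $3 == "{" { inr = 1; next }
        index($0, "}") { inr = 0; next }
        inr && $1 == key && $2 == "=" { print $3 }
    ' "$1"
}

# check_krb5_conf FILE -> prints one finding per key point that is not met
check_krb5_conf() {
    f=$1
    realm=$(krb5_get "$f" libdefaults default_realm)
    for k in default_tkt_enctypes default_tgs_enctypes; do
        [ "$(krb5_get "$f" libdefaults "$k")" = "arcfour-hmac" ] || echo "$k: not arcfour-hmac"
    done
    for k in dns_lookup_kdc dns_lookup_realm; do
        [ "$(krb5_get "$f" libdefaults "$k")" = "true" ] || echo "$k: not true"
    done
    nkdc=$(krb5_realm_get "$f" "$realm" kdc | awk 'END { print NR }')
    [ "$nkdc" -ge 2 ] || echo "kdc: only $nkdc entry for $realm; add a second local domain controller"
    [ -n "$(krb5_realm_get "$f" "$realm" master_kdc)" ] || echo "master_kdc: not set for $realm"
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    for d in "$realm" ".$realm" "$lower" ".$lower"; do
        [ "$(krb5_get "$f" domain_realm "$d")" = "$realm" ] || echo "domain_realm: no mapping for $d"
    done
    return 0
}

# Stand-alone demonstration: the complete sample, then one with lines removed
f=${TMPDIR:-/tmp}/krb5_conf_check.$$
sample_krb5_conf > "$f"
echo "== complete sample =="; check_krb5_conf "$f"
sed -e '/dns_lookup_realm/d' -e '/PDC2/d' -e '/test\.local/d' "$f" > "$f.weak"
echo "== sample with lines removed =="; check_krb5_conf "$f.weak"
rm -f "$f" "$f.weak"
```

Run `check_krb5_conf /etc/krb5/krb5.conf` after editing; the parser handles the one-level `REALM = { ... }` stanzas the article uses and does not try to cover include directives or nested stanzas.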


Test Kerberos with /usr/krb5/bin/kinit:

/usr/krb5/bin/kinit jgeiger@TEST.LOCAL

This should prompt for a password and then return no output. (Use any valid AD account.)

Example output

Password for jgeiger@TEST.LOCAL:

Verify that a Kerberos ticket was issued:

/usr/krb5/bin/klist

This should return a valid ticket with expiration and Renew until dates.

Example output

Default principal:  jgeiger@TEST.LOCAL

Valid starting     Expires            Service principal
01/25/13 13:56:23  01/25/13 23:56:20  krbtgt/TEST.LOCAL@TEST.LOCAL
Renew until 01/26/13 13:56:23

Clear out the ticket cache (no output).

/usr/krb5/bin/kdestroy

In order to support password-less Kerberos communication between the AIX server and Active Directory, you will need to generate a host principal keytab on a domain controller. This is done with the ktpass command on a domain controller, and it must be run with an account that has administrative rights on the domain.

Generate the host principal keytab:

ktpass /princ host/aix1.test.local@TEST.LOCAL /ptype KRB5_NT_PRINCIPAL /out aix1.keytab /pass examplePassword /crypto RC4-HMAC-NT /mapuser TEST\aix1 /kvno 2

Where:

  • host/aix1.test.local@TEST.LOCAL is the host principal: the FQDN of the AIX host with the realm. Note the host/ prefix.
  • KRB5_NT_PRINCIPAL is the Kerberos principal type. This does not change.
  • aix1.keytab is the keytab file that will be created. This file will be transferred to the AIX host and is named {hostname}.keytab for clarity.
  • examplePassword is the password that will be set for the host principal. This should be complex, but you might never need to use it.
  • RC4-HMAC-NT is the encryption type used. RC4 is the default for Kerberos on 2008 R2.
  • TEST\aix1 is the {domain}\{hostname} of the computer object in AD.
  • /kvno 2 is the key version number.

Answer yes when prompted to change the object's password. Make a note of the password used.

Example output

C:\Windows\system32>ktpass /princ host/aix1.test.local@TEST.LOCAL /ptype KRB
5_NT_PRINCIPAL /out aix1.keytab /pass examplePassword /crypto RC4-HMAC-NT /mapu
ser TEST\aix1 /kvno 2
Targeting domain controller: PDC1.test.local
Successfully mapped host/aix1.test.local to AIX1$.
WARNING: Account AIX1$ is not a user account (uacflags=0x1021).
WARNING: Resetting AIX1$'s password may cause authentication problems if AIX1$ is 
being used as a server.
Reset AIX1$'s password [y/n]?  y
Password succesfully set!
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to st1iaxnb07.keytab:
Keytab version: 0x502
keysize 70 host/aix1.test.local@TEST.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2
etype 0x17 (RC4-HMAC) keylength 16 (0xb19656597cd0e7cec30561afaa7e09d4)

Note: The /kvno 2 value was found through trial, error, and packet captures. I have yet to make this set up work without this argument to the ktpass command.


Copy and import the keytab file in AIX:
SFTP your keytab file to the AIX server. (For this example, /tmp/aix1.keytab)

First remove any existing keytabs. Open ktutil and read the keytab file (rkt), list the keys (l), then write the keytab (wkt) to the default Kerberos keytab file (/etc/krb5/krb5.keytab).

Example output

rm /etc/krb5/krb5.keytab
/usr/krb5/sbin/ktutil
ktutil: rkt /tmp/aix1.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------
   1    2 host/aix1.test.local@TEST.LOCAL
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: q

Verify the keytab:

/usr/krb5/bin/klist -ke

This should provide the keys generated by ktpass on the domain controller.

Example output

Keytab name:  FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
  2 host/aix1.test.local@TEST.LOCAL (ArcFour with HMAC/md5)

Test the keytab:

/usr/krb5/bin/kinit -k 

Note: This should run without output. If you get errors, you most likely have DNS issues. I spent a great deal of time at this step troubleshooting KVNO, encryption type, and DNS errors. I captured packets destined to or from the domain controller with the tcpdump (tcpdump -i en0 -s 65535 -w krb5ldap_ts.pcap host 10.10.0.5) command and loaded the pcap file in Wireshark to see what was going on.
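The KVNO and encryption-type mismatches described in the two notes above can be caught before kinit -k is run, by comparing the entry ktpass reported on the domain controller with what klist -ke shows on the AIX host. The following script is an added example and not part of the article: the function names are my own, the two transcripts it embeds are constructed in the layout of the article's ktpass and klist -ke output, and the key bytes in the ktpass transcript are a zero placeholder rather than a real key (the RC4-HMAC key is derived from the host principal's password, so the real value should never be pasted anywhere). Only etype 0x17 (RC4-HMAC, the type the article uses) is mapped to its klist name.

```shell
#!/bin/sh
# Added example, not part of the article: compare the keytab entry that ktpass
# reported with what klist -ke shows on the AIX host, so that a principal or
# KVNO mismatch is caught before kinit -k fails. Both transcripts below are
# constructed; the key bytes are a placeholder, not a real key.

KTPASS_OUT='Key created.
Output keytab to aix1.keytab:
Keytab version: 0x502
keysize 70 host/aix1.test.local@TEST.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2
etype 0x17 (RC4-HMAC) keylength 16 (0x00000000000000000000000000000000)'

KLIST_OUT='Keytab name:  FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
  2 host/aix1.test.local@TEST.LOCAL (ArcFour with HMAC/md5)'

# ktpass_entry OUTPUT -> "principal kvno etype" for the last key ktpass wrote;
# the etype may follow on the same line as keysize or on the next one
ktpass_entry() {
    printf '%s\n' "$1" | awk '
        $1 == "keysize" { princ = $3; for (i = 1; i <= NF; i++) if ($i == "vno") vno = $(i + 1) }
        { for (i = 1; i <= NF; i++) if ($i == "etype") etype = $(i + 1) }
        END { if (princ != "") print princ, vno, etype }'
}

# klist_has_key OUTPUT PRINCIPAL KVNO -> 0 if the keytab listing holds that entry
klist_has_key() {
    printf '%s\n' "$1" | awk -v p="$2" -v v="$3" '
        $1 ~ /^[0-9]+$/ && $2 == p && $1 == v { found = 1 }
        END { exit found ? 0 : 1 }'
}

# klist_enctype OUTPUT PRINCIPAL -> the encryption type klist shows in parentheses
klist_enctype() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $2 == p {
            s = $0; sub(/^[^(]*\(/, "", s); sub(/\)[^)]*$/, "", s); print s; exit }'
}

# keytab_matches_ktpass KTPASS_OUTPUT KLIST_OUTPUT -> 0 when principal, KVNO and
# encryption type agree; prints the reason otherwise
keytab_matches_ktpass() {
    entry=$(ktpass_entry "$1")
    princ=${entry%% *}; rest=${entry#* }
    kvno=${rest%% *};   etype=${rest#* }
    klist_has_key "$2" "$princ" "$kvno" || { echo "no key for $princ at KVNO $kvno"; return 1; }
    case "$etype:$(klist_enctype "$2" "$princ")" in
        "0x17:ArcFour with HMAC/md5") return 0 ;;   # RC4-HMAC on both sides
        *) echo "encryption type mismatch for $princ"; return 1 ;;
    esac
}

# Stand-alone demonstration on the constructed transcripts
if keytab_matches_ktpass "$KTPASS_OUT" "$KLIST_OUT"; then
    echo "keytab on AIX matches what ktpass produced"
fi
```

To use it for real, capture the ktpass output on the domain controller into a file, run `/usr/krb5/bin/klist -ke` on the AIX host, and pass both texts to keytab_matches_ktpass; a failure at this point means the keytab, not DNS, is the first thing to fix.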

Use the klist utility to view the issued ticket:

/usr/krb5/bin/klist

This should show the ticket for the host principal.

Example output

Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  host/aix1.test.local@TEST.LOCAL

Valid starting     Expires            Service principal
01/25/13 13:59:10  01/25/13 23:59:03  krbtgt/TEST.LOCAL@TEST.LOCAL
       Renew until 01/26/13 13:59:10

Configure AIX to use KRB5LDAP

Edit /etc/methods.cfg:
Key points:

  • Ensure that the KRB5 options include: authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes
  • Make sure that the KRB5LDAP stanza includes the auth and db options.


Use the example methods.cfg file (provided at the end of this article) as a template.

Modify /etc/security/user:

chsec -f /etc/security/user  -s default  -a SYSTEM="KRB5LDAP OR compat"

Example output

# lssec -f /etc/security/user -s default -a SYSTEM
default SYSTEM="compat"
# chsec -f /etc/security/user -s default -a SYSTEM="KRB5LDAP or compat"
# lssec -f /etc/security/user -s default -a SYSTEM
default SYSTEM="KRB5LDAP or compat"

Add Kerberos to authorized authentication entities and verify:

chauthent -k5 -std
#Verify
lsauthent

This should return Kerberos 5 and Standard AIX.

Example output

Kerberos 5
Standard Aix

Test KRB5LDAP

Test KRB5LDAP by querying for the user you created in AD with AIX attributes (aixtest in the example):

lsuser -R KRB5LDAP aixtest

This should return details about the AD user from the AIX context.

Example output

aixtest id=50001 pgrp=AIXLDAP groups=AIXLDAP home=/home/aixtest shell=/usr/bin/ksh 
gecos=AIX Test User login=true su=true rlogin=true daemon=true admin=false sugroups=ALL 
admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 
registry=KRB5LDAP SYSTEM=KRB5LDAP or compat logintimes= loginretries=0 
pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 
minother=0 mindiff=0 maxrepeats=8 minlen=0
histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1 
data=262144 stack=65536 core=2097151 rss=65536 nofiles=-1 roles=

Try to switch the user to the AD-defined user:

su - aixtest

This should work. You might see errors about inability to change directory to the user's home directory if it does not exist. (This can be fixed by setting the option to auto create home directories.) You might also get errors if the user's primary group is not set, or the group is not defined as an AD object.

Try to connect using Secure Shell (SSH) to your host as the AD-defined user:

ssh aixtest@localhost

You should be able to log in. After logging in, check the AUTHSTATE environment variable and the klist output (similar to the following example) to make sure that Kerberos was used for authentication.

Example output

aixtest@localhost's password:
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 6.1!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
Could not chdir to home directory /home/aixtest: The file access permissions do not allow
the specified action.
$ pwd
/
$ echo $AUTHSTATE
KRB5LDAP
$ /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_x0000000000000001
Default principal:  aixtest@TEST.LOCAL

Valid starting     Expires            Service principal
01/25/13 14:02:59  01/26/13 00:02:52  krbtgt/TEST.LOCAL@TEST.LOCAL
       Renew until 01/26/13 14:02:59
$ exit
Connection to localhost closed.

Note: The AUTHSTATE variable should contain KRB5LDAP and running klist should return a valid Kerberos ticket.


Example configuration files

/etc/krb5/krb5.conf

[libdefaults]
       default_realm = TEST.LOCAL
       default_keytab_name = FILE:/etc/krb5/krb5.keytab
       default_tkt_enctypes = arcfour-hmac
       default_tgs_enctypes = arcfour-hmac
       dns_lookup_kdc = true
       dns_lookup_realm = true

[realms]
       TEST.LOCAL = {
               kdc = PDC1.TEST.LOCAL:88
               kdc = PDC2.TEST.LOCAL:88
               admin_server = PDC1.TEST.LOCAL:749
               master_kdc = PDC1.TEST.LOCAL
               default_domain = TEST.LOCAL
       }

[domain_realm]
       .TEST.LOCAL = TEST.LOCAL
       TEST.LOCAL = TEST.LOCAL
       PDC1.TEST.LOCAL = TEST.LOCAL
       PDC2.TEST.LOCAL = TEST.LOCAL
       test.local = TEST.LOCAL
       .test.local = TEST.LOCAL

[logging]
       default = SYSLOG:debug:local1

/etc/security/ldap/ldap.cfg

ldapservers:pdc1.test.local
binddn:CN=AIX Service,OU=AIX,DC=test,DC=local
bindpwd:{DESv2}AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEEE
authtype:unix_auth
useSSL:no
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
userbasedn:OU=AIX,DC=test,DC=local
groupbasedn:OU=AIX,DC=test,DC=local
userclasses:user,person,organizationalperson
groupclasses:group
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:sfur2

/etc/methods.cfg

LDAP:
       program = /usr/lib/security/LDAP
       program_64 = /usr/lib/security/LDAP64

NIS:
       program = /usr/lib/security/NIS
       program_64 = /usr/lib/security/NIS_64

DCE:
       program = /usr/lib/security/DCE

KRB5:
       program = /usr/lib/security/KRB5
       program_64 = /usr/lib/security/KRB5_64
       options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes

KRB5LDAP:
       options = auth=KRB5,db=LDAP
