Integrate AIX host with Active Directory using a KRB5ALDAP compound load module so that users can be created in AD and used in AIX, with unix attributes (registry values) being pulled from AD. Eliminate the need to manage user accounts on a per-server basis.
User attributes are visible with lsuser and returned with ldapsearch. Kerberos authentication shows successful at the domain controller, but a "permission denied" or "invalid login or password" message is displayed when trying to login. Files can be chown-ed to the user accounts, but SU fails.
I have attached a detailed listing of the configs, test commands, and output.
Any and all help or pointers are greatly appreciated.
NOTICE: developerWorks Community will be offline May 29-30, 2015 while we upgrade to the latest version of IBM Connections. For more information, read our upgrade FAQ.
This topic has been locked.
2 replies Latest Post - 2013-03-07T04:19:57Z by SystemAdmin
Pinned topic KRB5ALDAP Module won't allow login or su, all other facets seem functional
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2013-03-07T04:19:57Z at 2013-03-07T04:19:57Z by SystemAdmin
Re: KRB5ALDAP Module won't allow login or su, all other facets seem functional2013-01-21T21:28:04Z in response to SystemAdminGot it!
2 small things:
1: The primary group of the AD user needed to be a group defined in AD.
(This fixed the su issue.)
2: Changed methods.cfg, added tgt_verify=no to the options.
program = /usr/lib/security/KRB5A
program_64 = /usr/lib/security/KRB5A_64
options = authonly,is_kadmind_compat=no,tgt_verify=no
Re: KRB5ALDAP Module won't allow login or su, all other facets seem functional2013-03-07T04:19:57Z in response to SystemAdminI've been deploying this in production for awhile now and I made a cheat sheet in case someone stumbles across it.