Eliminating the dependency on the kadmind daemon during authentication

The KRB5 load module may fail authentication when the kadmind daemon is not available. This dependency can be eliminated by setting the kadmind parameter in the methods.cfg file.

The possible values are kadmind=no or kadmind=false for disabling the kadmind lookups and kadmind=yes or kadmind=true for enabling kadmind lookups (the default value is yes). When this option is set to no, the kadmind daemon is not contacted during authentication. Therefore, users can log into the system regardless of the status of the kadmind daemon, provided that the user enters the correct password when the system prompts for one. However, AIX user administration commands such as mkuser, chuser, or rmuser will not work to administer Kerberos integrated users if the daemon is not available (for example, either the daemon is down or the machine is not accessible).

The default value for the kadmind parameter is yes. This means that kadmind lookups are performed during authentication. In the default case, if the daemon is not available, the authentication might take longer.

To disable the checking of the kadmind daemon during authentication, modify the stanzas in the methods.cfg file as follows:

KRB5:
        program = /usr/lib/security/KRB5
        options = kadmind=no

KRB5files:
        options = db=BUILTIN,auth=KRB5

When the kadmind daemon is not available, the root user will not be able to change user passwords. In a situation such as a forgotten password, you must make the kadmind daemon available. Also, if a user chooses to enter a Kerberos principal name at the login prompt, the primary part of the principal name will be truncated according to the AIX user name length limitation. This truncated name will be used to retrieve AIX user identification information (for example, your home directory value).

If the kadmind daemon is not available (the daemon is down or not reachable), the mkuser command gives the following error:

3004-694 Error adding "krb5user": You do not have permission.

If the kadmind parameter is set to no or the kadmind daemon is not accessible, the system cannot validate the principal’s existence in the Kerberos database, so it will not retrieve Kerberos-related attributes. This situation causes incomplete or inaccurate results. For example, the lsuser command might not report any users for the ALL query.

Additionally, the chuser command will manage only AIX-related attributes and not Kerberos-related attributes. The rmuser command will not delete the Kerberos principal, and the passwd command will fail for Kerberos authenticated users.

If the network where the kadmind daemon resides is not accessible, response time is delayed. Setting the kadmind option to no in the methods.cfg file eliminates the delays during authentication when the machine is not accessible.

When the kadmind daemon is down, users who have expired passwords cannot log in or change their passwords.

When you set kadmind=no but the kadmind daemon is running, you can run the following commands: login, su, passwd, mkuser, chuser, and rmuser.
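Because kadmind=no trades availability for reduced administrative coverage (passwd, mkuser, chuser and rmuser lose their Kerberos behaviour), it helps to audit which setting a host actually carries. The following shell helper is an added example, not part of the AIX documentation: it reads a methods.cfg-style file, locates a stanza by name, and reports the effective kadmind value from its options line, applying the documented default of yes when the option is absent. The sample file path and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the AIX documentation): report the effective
# kadmind setting of one stanza in a methods.cfg-style file.

# kadmind_setting FILE STANZA
# Prints "no" when the stanza's options line carries kadmind=no or
# kadmind=false, otherwise "yes" (the documented default).
kadmind_setting() {
    awk -v want="$2" '
        # A stanza header is an unindented line ending in ":".
        /^[^ \t].*:[ \t]*$/ {
            name = $0; sub(/[ \t]*:[ \t]*$/, "", name)
            in_stanza = (name == want); next
        }
        # Inside the wanted stanza, split the comma-separated options.
        in_stanza && /^[ \t]*options[ \t]*=/ {
            val = $0; sub(/^[ \t]*options[ \t]*=[ \t]*/, "", val)
            n = split(val, opts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opts[i])
                if (opts[i] ~ /^kadmind=/) {
                    v = tolower(substr(opts[i], 9))
                    r = (v == "no" || v == "false") ? "no" : "yes"
                    print r; found = 1; exit
                }
            }
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# Constructed sample mirroring the stanzas documented above (not a real
# system file); KRB5files deliberately omits kadmind to show the default.
SAMPLE_CFG="${TMPDIR:-/tmp}/methods.cfg.example.$$"
cat > "$SAMPLE_CFG" <<'EOF'
KRB5:
        program = /usr/lib/security/KRB5
        options = kadmind=no

KRB5files:
        options = db=BUILTIN,auth=KRB5
EOF

echo "KRB5 kadmind lookups: $(kadmind_setting "$SAMPLE_CFG" KRB5)"            # no
echo "KRB5files kadmind lookups: $(kadmind_setting "$SAMPLE_CFG" KRB5files)"  # yes
```

Run it against /etc/security/methods.cfg on an AIX host to see whether authentication there still depends on kadmind; a result of no means password changes for Kerberos users will fail until the daemon is reachable again.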