Authenticating to the AIX operating system using the Network Authentication Service or non-AIX services

Prior to AIX® 6.1, the KRB5 load module handled Kerberos authentication against the Network Authentication Service (NAS) environment, and the KRB5A load module handled Kerberos authentication against non-AIX KDCs. Starting with AIX 6.1, the single KRB5 load module handles Kerberos authentication for both environments; the is_kadmind_compat attribute of the KRB5 stanza in the /etc/security/methods.cfg file selects whether the module behaves as the former KRB5 module (NAS, kadmind-compatible) or as the former KRB5A module (non-AIX KDC). From AIX 7.1 onwards, the KRB5A load module is no longer shipped, so the is_kadmind_compat attribute in /etc/security/methods.cfg is the only way to select between the two behaviors.

When the Kerberos client is configured to authenticate against NAS, the KRB5 load module performs Kerberos authentication and Kerberos principal management. The module enables a system administrator to manage Kerberos principals by using AIX user-administration commands. To use principal management, the Kerberos server must support the kadmin administration protocol. NAS provides this support through the kadmind daemon (the Kerberos server that runs on the AIX operating system).
Note: When you configure the Kerberos client, you must specify that authentication is against NAS; otherwise, the client is configured to authenticate against non-AIX services and principal management is unavailable.
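The following is an added example, not an excerpt from the AIX documentation, showing the two KRB5 stanzas that correspond to the NAS and non-AIX behaviors described above (the attribute introduced in the first paragraph, and the note immediately above about having to specify NAS explicitly). The stanza layout, module paths and the KRB5files compound module follow the form that mkkrb5clnt writes; the values yes and no for is_kadmind_compat are the settings assumed here. AIX stanza files use `*` for comment lines. Confirm the exact stanza on your own system before relying on it.

```text
* /etc/security/methods.cfg (added example; pick ONE of the two KRB5
* stanzas below, a stanza name must appear only once in the file)

* Variant 1: authenticate against NAS. The Kerberos server is the AIX
* kadmind daemon, so is_kadmind_compat=yes keeps the kadmin-based
* principal management that AIX user-administration commands rely on.
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=yes

* Variant 2: authenticate against a non-AIX KDC (for example Active
* Directory). Same module, but is_kadmind_compat=no selects the former
* KRB5A behavior: authentication only, principals are managed on the KDC
* side with that product's own tools, never through kadmin from AIX.
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no

* Compound module referenced from a user's SYSTEM and registry
* attributes: user attributes stay in the local files database (BUILTIN)
* while authentication is delegated to the KRB5 stanza selected above.
KRB5files:
        options = db=BUILTIN,auth=KRB5
```

In both variants a Kerberos-authenticated user is then pointed at the compound module with `chuser SYSTEM="KRB5files" registry=KRB5files <user>` and the result checked with `lsuser -a SYSTEM registry <user>`; the choice of variant is what decides whether a later mkuser, chuser or rmuser for that user can also create, change or remove the matching principal on the KDC (NAS only) or whether that step has to be done separately on the non-AIX server.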

When you use Kerberos against a non-AIX system, the Kerberos principals are stored on that system and cannot be managed from the AIX operating system through the kadmin Kerberos database interface. In this case, principal management must be performed separately with the Kerberos principal-management tools of the remote system. These tools might be part of a Kerberos product, or they might be integrated into an operating system (for example, Windows 2000). The original goal of supporting Kerberos against non-AIX systems was to authenticate against Windows 2000 Active Directory servers, where Kerberos principals are managed with the Active Directory account-management tools and APIs. However, the same mode can be used against any other standards-compliant KDC that does not support the kadmin administration interface.