Installing and configuring the system for Kerberos integrated login using IBM NAS

The IBM® Kerberos implementation of Network Authentication Services (NAS) is shipped on the expansion pack.

To install the Kerberos Version 5 server package, install the krb5.server.rte fileset by running the following command:
installp -aqXYgd . krb5.server

If the machine being configured as a Kerberos server will also be used as a Kerberos client, install the entire Kerberos KRB5 package.

DCE also has a set of Kerberos client utilities with the same names as the Kerberos utilities. To avoid namespace collisions between DCE and Kerberos commands (that is, between the klist, kinit, and kdestroy commands), the Kerberos commands are installed in the /usr/krb5/bin and the /usr/krb5/sbin directories.

To run the Kerberos commands, you must specify fully qualified command path names unless you add the Kerberos directories to your PATH definition as follows:
export PATH=$PATH:/usr/krb5/sbin:/usr/krb5/bin
Note: The Java14 SDK also installs a kinit command, and it may precede other kinit commands in the PATH environment variable. If Network Authentication Service commands are needed instead of the Java14 kinit program, move the Java14 kinit program to another location in your PATH definition.
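The following POSIX shell functions are an added example, not part of the IBM documentation: they show which kinit a given PATH would resolve to and build a PATH in which the NAS directories are searched first. The /usr/java14/jre/bin location of the Java14 kinit is an assumption, and the sample PATH is constructed for the test.

```shell
# Added example, not IBM's own code: detect a Java14 kinit shadowing the NAS
# kinit, and build a PATH in which the NAS directories are searched first.

NAS_SBIN=/usr/krb5/sbin
NAS_BIN=/usr/krb5/bin

# first_kinit_dir PATHVALUE KINITDIRS
#   PATHVALUE: colon-separated search list, e.g. the value of $PATH
#   KINITDIRS: colon-separated directories that really contain a kinit
#   Prints the first directory of PATHVALUE that holds a kinit, which is the
#   one the shell would run. Exit status 1 if PATHVALUE holds no kinit at all.
first_kinit_dir() (
    IFS=:
    for dir in $1; do
        for kdir in $2; do
            if [ "$dir" = "$kdir" ]; then
                printf '%s\n' "$dir"
                exit 0
            fi
        done
    done
    exit 1
)

# nas_first_path PATHVALUE
#   Prints PATHVALUE with /usr/krb5/sbin and /usr/krb5/bin moved to the front
#   and any later duplicate of them removed, so NAS commands are found before
#   the Java14 kinit wherever Java14 sits in the original PATH.
nas_first_path() (
    IFS=:
    result=$NAS_SBIN:$NAS_BIN
    for dir in $1; do
        case ":$result:" in
            *":$dir:"*) ;;                 # already present, skip the duplicate
            *) result=$result:$dir ;;
        esac
    done
    printf '%s\n' "$result"
)

# live_kinit_dirs: on a real AIX host, list the directories holding a kinit.
# /usr/java14/jre/bin is an assumed location for the Java14 kinit.
live_kinit_dirs() {
    ls -d /usr/krb5/bin/kinit /usr/java14/jre/bin/kinit 2>/dev/null |
        sed 's|/kinit$||' | tr '\n' :
}

# Constructed sample: Java14 precedes the NAS directory, so its kinit wins.
SAMPLE_PATH=/usr/bin:/usr/java14/jre/bin:/usr/krb5/bin
SAMPLE_KINIT_DIRS=/usr/krb5/bin:/usr/java14/jre/bin
```

On a live host, `first_kinit_dir "$PATH" "$(live_kinit_dirs)"` should print /usr/krb5/bin before you rely on the NAS kinit; if it does not, export `PATH=$(nas_first_path "$PATH")`.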

Network Authentication Services documentation is provided in the krb5.doc.lang.pdf|html package, where lang represents the supported language.

The AIX® operating system has two database modules available to form a compound load module: LDAP and BUILTIN. The LDAP module is used to access information stored on an LDAP registry (directory) and the BUILTIN module is used to access information stored on a files registry (local file system). The compound load module that is created is typically named KRB5files or KRB5LDAP. These names indicate that KRB5 is used for authentication, with user and group information held either in local files or in LDAP.

Network Authentication Service also supports storing Kerberos information in either a local file system (Kerberos Legacy database) or LDAP. There are four possible configurations:
  • KRB5files with Kerberos server information stored in Kerberos Legacy database
  • KRB5files with Kerberos server information stored in Kerberos LDAP database
  • KRB5LDAP with Kerberos server information stored in Kerberos Legacy database
  • KRB5LDAP with Kerberos server information stored in Kerberos LDAP database

When LDAP is used to store Kerberos principals or AIX user and group information, configure LDAP before you invoke the Kerberos configuration commands. After you configure LDAP, use the mkkrb5srv command to configure the Kerberos servers.