IBM Support

AIX: Cannot set process credentials

Troubleshooting


Problem

A 'Cannot set process credentials' error might be seen during a login or su attempt.

Cause

The primary cause of 'Cannot set process credentials' when attempting to log in or su to a user is the inability of AIX to find the user's primary group.
 
Another cause of this error could be if Kerberos integrated login with an IBM NAS Kerberos KDC is configured, but kadmind lookups are failing.

Resolving The Problem

Primary Group Issues
 
First, use lsuser to check the user's primary group membership: if lsuser shows nothing, login/su will fail. Ensure that the user's primary group ID number is set, and that a group exists with that GID.
 
For local users, this means simply checking /etc/passwd for their primary group ID number, and verifying a group exists in /etc/group with that GID; if not, either create the group or change the user's primary group ID number.
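The local-user check described above can be run across every account at once. The following is an added example, not part of the original technote or IBM code: check_primary_groups is a hypothetical helper name, the sample entries are constructed, and it covers only the local files, not LDAP.

```shell
#!/bin/sh
# Added example (not IBM code): report local users whose primary group
# cannot be resolved. check_primary_groups is a hypothetical helper name.
# Usage: check_primary_groups [passwd_file] [group_file]
check_primary_groups() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    awk -F: -v groupfile="$group_file" '
        BEGIN {
            # Load every numeric GID defined in the group file.
            while ((getline line < groupfile) > 0) {
                n = split(line, f, ":")
                if (n >= 3 && f[3] ~ /^[0-9]+$/) gids[f[3]] = 1
            }
            close(groupfile)
        }
        # Skip blank lines and comment lines in the passwd file.
        /^[ \t]*$/ || /^#/ { next }
        # Field 4 of a passwd entry is the primary GID.
        $4 !~ /^[0-9]+$/ { print $1 ": primary GID not set"; next }
        !($4 in gids)    { print $1 ": no group with GID " $4 }
    ' "$passwd_file"
}

# Constructed sample data (not from a real system), so the check runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
alice:!:205:1::/home/alice:/usr/bin/ksh
bob:!:206:950::/home/bob:/usr/bin/ksh
carol:!:207:::/home/carol:/usr/bin/ksh
EOF
cat > "$demo_dir/group" <<'EOF'
system:!:0:root
staff:!:1:alice
EOF
check_primary_groups "$demo_dir/passwd" "$demo_dir/group"
rm -rf "$demo_dir"
```

Called with no arguments, the function reads /etc/passwd and /etc/group; any user it lists is one for which the group must be created or the primary GID changed.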
 
For LDAP, you will need to check your user's 'gidnumber' (or other attribute that stores their primary group ID) and verify that a group with that group number exists on the LDAP server.
 
If you are sure a group exists on the LDAP server with that particular GID number, but lsuser still shows nothing and lsgroup cannot find the group either, then you will need to verify your LDAP client configuration in ldap.cfg.
 
One possibility is that even though the group exists on the LDAP server, it is not located in the 'groupbasedn' that you have configured in ldap.cfg. In that case AIX does not know where to start looking for it, and you will need to add this group's groupbasedn to ldap.cfg. You can add multiple groupbasedn entries to ldap.cfg if you have groups spread out over different locations.
 
If there are still issues, check your LDAP attribute maps. Check your user attribute map file (specified by userattrmappath in ldap.cfg), and ensure pgrp is mapped to a valid LDAP attribute that stores the user's primary group ID.

Next, check that your group attribute map file (specified by groupattrmappath in ldap.cfg) is configured correctly and maps groupname, id, and users to valid LDAP attributes.
 
 

One thing to consider is that by default, local users must belong to local groups, LDAP users to LDAP groups, and so on. This applies to third-party authentication modules like VAS as well.
 
The only exception is if domainlessgroups=true in /etc/secvars.cfg; if that is the case, then local users can belong to LDAP groups and vice-versa. This DOES NOT apply to other authentication methods like VAS - only local and LDAP.
 
For further possibilities of what causes 'Cannot set process credentials', see this technote as well, concerning a possible error in /etc/group that could cause this:
 
https://www.ibm.com/support/pages/node/795734
 
 
 
kadmind Lookup Issues
 

Another cause for 'Cannot set process credentials' could be if the system is configured for Kerberos integrated login with an IBM NAS Kerberos KDC, and kadmind lookups are failing. For example, if the /etc/methods.cfg file contains:

KRB5:
   program = /usr/lib/security/KRB5
   program_64 = /usr/lib/security/KRB5_64
   options = authonly,is_kadmind_compat=yes,kadmind=yes
   
KRB5LDAP:
   options = db=LDAP,auth=KRB5


Or, since both the is_kadmind_compat and kadmind options default to 'yes', the KRB5 stanza may look like:

KRB5:
   program = /usr/lib/security/KRB5
   program_64 = /usr/lib/security/KRB5_64
   options = authonly

 

With that configuration, kadmind lookups will be attempted during the login process, and if that isn't set up correctly, user logins will fail:

# su - ldapusr
3004-503 Cannot set process credentials.

 

Try turning off kadmind lookups to see if that resolves the error:

KRB5:
   program = /usr/lib/security/KRB5
   program_64 = /usr/lib/security/KRB5_64
   options = authonly,kadmind=no


If you want the kadmind lookups to occur, consult these technotes, which have notes about getting that working:

https://www.ibm.com/support/pages/node/7237111
https://www.ibm.com/support/pages/node/6551164

 
 

Document Location

Worldwide


Document Information

Modified date:
28 October 2025

UID

ibm10967565