AIX Integration into Active Directory

Integrating an AIX system into Active Directory is not entirely straightforward. Integration into an Active Directory domain for user authentication can be done with the following steps (similar to those found in http://us1.samba.org/samba/ftp/Binary_Packages/AIX/README):

  1. Download and install the krb5.client.rte package for AIX.
  2. Download the pre-built AIX 5.2 binaries (compatible with AIX 5.3) from the Samba web site (http://us1.samba.org/samba/ftp/Binary_Packages/AIX/) to a temporary location:
    1. opt-samba-base.tar.gz
    2. opt-samba-3.0.28-AIX5.tar.gz
  3. Use gunzip to decompress each of the files (e.g. gunzip opt-samba-base.tar.gz) in the same directory. The result will be a set of *.bff files. AIX calls these "backup files", but they are essentially archives.
  4. Use either:
    1. installp -agYX -d . all
    2. Start smit and navigate to "Software Installation and Maintenance" -> "Install and Update Software" -> "Install Software":
      1. Enter the full path to the temporary directory that the .bff files are stored in and press Enter.
      2. On the new menu, use the arrow keys to move down to the line "ACCEPT new license agreements" and press Tab to change the value to "yes". Press Enter to start the install.
  5. Install the /opt/pware/samba/3.0.28/lib/smb.conf file, which contains all of the configuration necessary to join the domain.
  6. With the packages now installed, edit /etc/krb5/krb5.conf to look like:

       [libdefaults]
       default_realm = AD.DOMAIN
       default_keytab_name = FILE:/etc/krb5/krb5.keytab
       default_tkt_enctypes = des-cbc-crc des-cbc-md5
       default_tgs_enctypes = des-cbc-crc des-cbc-md5

       [realms]
       AD.DOMAIN = {
         kdc = ad.server.ad.domain:88
         admin_server = ad.server.ad.domain:464
         default_domain = AD.DOMAIN
       }

       [domain_realm]
       .AD.DOMAIN = AD.DOMAIN
       ad.server.ad.domain = AD.DOMAIN

       [logging]
       kdc = FILE:/var/krb5/log/krb5kdc.log
       admin_server = FILE:/var/krb5/log/kadmin.log
       default = FILE:/var/krb5/log/krb5lib.log

  7. Run kinit Administrator@AD.DOMAIN to get a Kerberos ticket. You will be prompted for the domain administrator account password.
  8. Join the computer to the Windows domain with /opt/pware/samba/3.0.28/bin/net ads join -U Administrator, and enter the domain administrator account password when prompted.
  9. Start winbind: /opt/pware/samba/3.0.28/sbin/winbindd
  10. Confirm that you can see the Active Directory domain users with: wbinfo -u
  11. To enable command-line login access, edit /etc/security/user. Look for the line that reads "SYSTEM =" in the default: stanza and change it to: SYSTEM = "WINBIND"
  12. To complete the process, add the following stanza to the end of /usr/lib/security/user:

       WINBIND:
         program = /usr/lib/security/WINBIND
         options = authonly

  13. Copy the WINBIND security module into place: cp /opt/pware/samba/3.0.28/lib/security/WINBIND /usr/lib/security/WINBIND
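Added example, not code from the original post: a shell check that inspects the files steps 6, 11, 12 and 13 edit, exercised here against constructed copies of them, and that also flags the DES-only enctypes, which current domain controllers reject. The ROOT prefix, the sample tree and the check function are my assumptions; the paths and settings are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: a sanity check for the files the
# procedure above edits (steps 6, 11, 12 and 13). ROOT is a path prefix, normally
# "", so the same function can be run against constructed copies of the files.

# check_ad_login_config ROOT -> returns 0 only when every required setting is present
check_ad_login_config() {
  root="$1"; rc=0; krb="$root/etc/krb5/krb5.conf"
  realm=$(awk -F= '$1 ~ /^[[:space:]]*default_realm[[:space:]]*$/ {gsub(/[[:space:]]/, "", $2); print $2}' "$krb" 2>/dev/null || true)
  if [ -z "$realm" ]; then echo "FAIL: $krb sets no default_realm"; rc=1
  elif ! grep -q "^[[:space:]]*kdc[[:space:]]*=" "$krb"; then echo "FAIL: $krb names no kdc"; rc=1
  fi
  # Current AD domain controllers refuse DES-only Kerberos clients (a fact not
  # from the post), so the des-cbc-* enctypes shown above are worth a warning.
  grep -q "enctypes.*des-cbc" "$krb" 2>/dev/null && echo "WARN: DES-only enctypes in $krb"
  # Step 11: the default: stanza of /etc/security/user must read SYSTEM = "WINBIND"
  if ! awk '/^default:/ {d=1; next} /^[^[:space:]]/ {d=0}
            d && /SYSTEM[[:space:]]*=[[:space:]]*"WINBIND"/ {f=1} END {exit !f}' \
       "$root/etc/security/user" 2>/dev/null; then
    echo "FAIL: default: stanza of /etc/security/user lacks SYSTEM = \"WINBIND\""; rc=1
  fi
  # Step 12: /usr/lib/security/user needs a WINBIND: stanza naming the module
  if ! awk '/^WINBIND:/ {w=1; next} /^[^[:space:]]/ {w=0}
            w && /program[[:space:]]*=[[:space:]]*\/usr\/lib\/security\/WINBIND/ {f=1} END {exit !f}' \
       "$root/usr/lib/security/user" 2>/dev/null; then
    echo "FAIL: /usr/lib/security/user has no WINBIND: stanza"; rc=1
  fi
  # Step 13: the module copied from the Samba tree must exist and be executable
  [ -x "$root/usr/lib/security/WINBIND" ] || { echo "FAIL: /usr/lib/security/WINBIND missing"; rc=1; }
  return $rc
}

# write_sample_tree DIR: constructed copies of the files as the post configures them
write_sample_tree() {
  mkdir -p "$1/etc/krb5" "$1/etc/security" "$1/usr/lib/security"
  printf '[libdefaults]\n\tdefault_realm = AD.DOMAIN\n\tdefault_tgs_enctypes = des-cbc-crc des-cbc-md5\n[realms]\n\tAD.DOMAIN = {\n\t\tkdc = ad.server.ad.domain:88\n\t}\n' > "$1/etc/krb5/krb5.conf"
  printf 'default:\n\tSYSTEM = "WINBIND"\n\tlogintimes =\nroot:\n\tSYSTEM = "compat"\n' > "$1/etc/security/user"
  printf 'LDAP:\n\tprogram = /usr/lib/security/LDAP\nWINBIND:\n\tprogram = /usr/lib/security/WINBIND\n\toptions = authonly\n' > "$1/usr/lib/security/user"
  : > "$1/usr/lib/security/WINBIND" && chmod +x "$1/usr/lib/security/WINBIND"
}

# "sh check.sh" inspects the live system; "sh check.sh --demo" uses the sample tree
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); write_sample_tree "$d"; check_ad_login_config "$d"; rm -rf "$d"
else
  check_ad_login_config ""
fi
```

Run it before the telnet test below: every FAIL line maps back to one numbered step, so a login that lands you at "/" or is refused can be traced to the file that was left unedited.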

At this point, without restarting any daemons, you should be able to log in as any Active Directory user. Your home directory probably won't be mounted, but the login itself should succeed:

]# telnet aixserver
Trying 10.10.10.75...
Connected to aixserver.
Escape character is '^]'.
telnet (aixserver)
AIX Version 5
Copyright IBM Corporation, 1982, 2007.
login: myadaccount
myadaccount's Password:
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
3 unsuccessful login attempts since last login.
Last unsuccessful login: Thu Sep  4 15:20:34 EDT 2008 on ssh from yourmachine.ad.domain
Last login: Thu Sep  4 14:23:23 EDT 2008 on /dev/pts/1 from yourmachine.ad.domain
3004-614 Unable to change directory to "/home/ADDOMAIN/myadaccount".
        You are in "/" instead.
-bash-3.00$

2 Comments

  1. theiosx

    Yes it works, but is it possible to create home dirs for AD users automatically?

  2. Rich

    You’d have to do that on the AIX side by enabling that feature upon login.
    chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
    Basically if the user’s home directory does not exist, AIX will create it for them based upon the system skeleton files.
