Microsoft Windows 2003 Active Directory integration
Fred Sherman, pSeries Engineer
FASherman
June 24th, 2006
This tutorial will help you integrate your AIX 5L hosts into an existing Microsoft Windows 2003 Active Directory (MSAD) environment. When complete, AIX 5L users will authenticate against the Microsoft KDC and all user information will be stored in the Microsoft Active Directory. User administration...
  #20  
By skol on August 23rd, 2007
Re: Microsoft Windows 2003 Active Directory integration

Hi,
Your krb5.conf looks fine.
Could you try the command:
kinit -k #(without -t /etc/krb5/krb5.keytab)
This takes the default location.
And afterwards check with "klist".

Regards
Stefan
  #21  
By cjs226 on August 23rd, 2007
Re: Microsoft Windows 2003 Active Directory integration

# kinit -k /etc/krb5/krb5.keytab
Unable to obtain initial credentials.
Status 0x96c73a9a - Cannot find KDC for requested realm.

# klist
Unable to get cache name (ticket cache: /var/krb5/security/creds/krb5cc_0).
Status 0x96c73ac3 - No credentials cache found.

# ls -al /var/krb5/security/creds/
total 0
drwxrwxrwt 2 root security 256 Aug 20 09:41 .
drwxr-xr-x 4 root security 256 Aug 20 09:41 ..
  #22  
By izax_max on December 5th, 2007
Re: Microsoft Windows 2003 Active Directory integration

Hi guys,

I have been working with the IBM stuff more and more lately, and like any other person I am sometimes in need of great information. I found the forum when I was searching for some answers on Kerberos and AIX -> w2003 R2.

Thanks for allowing me to join.


IzaX_Max
  #23  
By ravikumar on February 26th, 2008
Re: Microsoft Windows 2003 Active Directory integration

Hi Fida,

I am trying to implement the AIX and AD integration using the doc. I am facing this problem:
Unable to obtain initial credentials.
Status 0x96c73a06 - Client not found in Network Authentication Service database or client locked out.

Can you let me know how you resolved the problem?

Best Regards,

Ravikumar
  #24  
By stoggy on April 27th, 2008
Re: Microsoft Windows 2003 Active Directory integration

I have never used AIX, so maybe you guys don't have these problems, but I have been searching for a long time to get this to work and maybe someone here knows. And I think something like this would be a problem in AIX too.

I have Solaris and Linux machines I want to authenticate to AD.

1. In AD, as far as I can tell, you can't have a user called root and a group called root. So how are you making users and groups that have the same names? The only thing I can think of is to make group root be something like groot, but that sucks...

2. Some of the uids/gids in Solaris and Linux don't match up. For instance, in Solaris uid 5 is uucp and in Linux uid 5 is sync. Have you dealt with this? I know I can change them and then relabel the fs, but then what about updates? In LDAP I just created a new OU and put Solaris in it and Linux in another. But I don't see a way to do this in AD, and the AD admins go nuts if I even mention making a new domain, but I am not sure if even that would work.

I can set system auth to use the passwd files for system accounts and not put the system accounts in AD, but this seems dangerous: if an account gets deleted from the passwd file then it will authenticate against AD and either not work or authenticate wrong. It hasn't been a problem in Solaris, but I have dealt with this in Linux. User rpc got deleted by an rpm update and so it auth'd to my LDAP server. I had user rpc in LDAP and everything worked fine; I didn't even know there was a problem until I tried to update rpc again and the rpm failed because there was no user rpc in the passwd file.


Thanks for any help.
  #25  
By alexisl on April 28th, 2008
Re: Microsoft Windows 2003 Active Directory integration

First, you would not want root to log in through AD. That should be done ONLY on the local machine. Also, you would not want the system users such as uucp to log in through AD. It is only meant for actual users like jdoe (john doe). The gid and uid don't seem to matter but the name of the group does; we use users as the name of our groups.

As far as system accounts, yes, set them manually through either chuser or by editing /etc/security/user
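An added example, not part of the thread or the tutorial: a check for the situation discussed in the last two posts, listing system accounts that have no explicit local setting in an AIX-style /etc/security/user file and would therefore inherit a directory-backed default. The function names, the sample file and the KRB5ALDAP default value are assumptions made for illustration.

```shell
# Added example (not from the thread): which system accounts would NOT be
# authenticated purely locally, given an AIX-style /etc/security/user file?

# effective_system FILE USER: print USER's SYSTEM value, inheriting from the
# "default:" stanza when the user's own stanza does not set it.
effective_system() {
    awk -v user="$2" '
        /^[ \t]*\*/ { next }                        # "*" starts a comment
        /^[^ \t*][^:]*:[ \t]*$/ {                   # stanza header "name:"
            stanza = $0; sub(/:[ \t]*$/, "", stanza); next
        }
        /^[ \t]+SYSTEM[ \t]*=/ {                    # SYSTEM = "value"
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); gsub(/"/, "", val)
            sub(/[ \t]+$/, "", val)
            sys[stanza] = val
        }
        END {
            if (user in sys) print sys[user]
            else if ("default" in sys) print sys["default"]
            else print "(unset)"
        }' "$1"
}

# audit_system_accounts FILE USER...: print "user<TAB>SYSTEM" for each listed
# account whose effective SYSTEM is anything other than local-only.
audit_system_accounts() {
    file=$1; shift
    for u in "$@"; do
        s=$(effective_system "$file" "$u")
        case $s in
            compat|files) ;;                        # local files only
            *) printf '%s\t%s\n' "$u" "$s" ;;
        esac
    done
}

# Constructed sample; the KRB5ALDAP default is an assumed post-integration value.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
default:
        SYSTEM = "KRB5ALDAP OR compat"
root:
        SYSTEM = "compat"
daemon:
        admin = true
uucp:
        SYSTEM = "compat"
EOF
audit_system_accounts "$sample" root daemon uucp
```

In the sample only daemon is reported, because its stanza sets no SYSTEM attribute and so picks up the directory-backed default; giving it an explicit local value in its own stanza clears the finding.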