AIX LDAP client + KRB5A with Active Directory 2012

If you select this method to authenticate/authorize users, you may notice that a user's group membership is incomplete: a user who belongs to multiple groups is shown as belonging to only one group!

# lsuser -a pgrp groups mannt
mannt pgrp=lawson groups=lawson

The mannt user really belongs to more than one group. So why, when we ask Active Directory (via the AIX LDAP client) to deliver this information, does it come back to us truncated?

It could be that the Active Directory administrator did not follow this procedure:

Active Directory object management
As is the case with any other authentication mechanism, we need to configure the user objects for the users that are to use the system. However, if you are implementing this solution, more than likely your users already have Windows accounts. In that case, all we need to do is to modify the objects to be POSIX compliant.
1. Open the Active Directory Users and Groups management tool.
   a.) Modify a group object to function as a POSIX group.
   b.) Right-click on the user group for assignment of a GID.
   c.) Click on the Unix Attributes tab.
   d.) Populate the NIS Domain dropdown and the GID number as appropriate.
2. Modify a user object to function as a POSIX user.
   a.) Locate and activate the tab that says Unix Settings.
   b.) Under Unix Settings, set the UID and GID for the user, as well as the home directory location (on the Linux filesystem /home/).
   Note: You will need to ensure that the directory exists with the appropriate user object having access to the directory.
   c.) Reset the user's password. This causes the AD password and the Unix password attributes to synchronize.
3. Add the user as a Unix member of the group.
   a.) After you have added the user as a Unix user, you will also need to come back to the group properties and add the user as a member on the Unix Attributes tab. Otherwise, the user will not be populated in the msSFU30PosixMember attribute.

Next, you have to modify the /etc/security/ldap/ file, whose default contents are shown below:

groupname  SEC_CHAR   cn                 s       na      yes
id         SEC_INT    gidNumber          s       na      yes
users      SEC_LIST   cn                 m       na      yes

Depending on how your users' group membership is declared in Active Directory, you have to replace the last line of this file so that it looks either like this:

users      SEC_LIST    msSFU30PosixMember m      na      yes

or like this

users      SEC_LIST   member              m      na      yes

Follow these modifications by running the restart-secldapclntd command, then list the user again. Now his full group membership is really shown:

# lsuser -a pgrp groups mannt
mannt pgrp=lawson groups=lawson,shell,payroll,operator,printq
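The choice between member and msSFU30PosixMember can be made from an ldapsearch dump of the group instead of by trial and error. The following shell script is an added example and not part of the original post: it inspects a constructed sample LDIF for a group (the DNs, the example.local domain and the membership lines below are made up), picks the attribute that actually carries the membership, rewrites only the users line of the default group map shown above, and checks that the map still has six columns on every line before you copy it into place.

```shell
#!/bin/sh
# Added example (not from the original post). All data below is constructed;
# real LDIF would come from ldapsearch against your domain controller.

SAMPLE_LDIF='dn: CN=lawson,OU=Groups,DC=example,DC=local
objectClass: group
cn: lawson
gidNumber: 4141
member: CN=mannt,OU=Users,DC=example,DC=local
member: CN=markd,OU=Users,DC=example,DC=local
msSFU30PosixMember: CN=mannt,OU=Users,DC=example,DC=local'

# The default AIX group map as shown in the post (three lines, six columns).
DEFAULT_MAP='groupname  SEC_CHAR   cn                 s       na      yes
id         SEC_INT    gidNumber          s       na      yes
users      SEC_LIST   cn                 m       na      yes'

# Report which membership attribute the group actually carries. When both
# are present the fuller list wins; ties go to msSFU30PosixMember since that
# is the attribute the Unix Attributes tab maintains. Prints "none" when the
# group has no members at all.
group_member_attr() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "msSFU30PosixMember" { posix++ }
        $1 == "member"             { mem++ }
        END {
            if (posix > 0 && posix >= mem) print "msSFU30PosixMember"
            else if (mem > 0)             print "member"
            else                          print "none"
        }'
}

# Rewrite only the "users" line of a group map to the chosen attribute,
# keeping the six-column layout; every other line passes through unchanged.
# Output is printed so it can be reviewed before being copied into place.
set_users_attr() {
    printf '%s\n' "$1" | awk -v attr="$2" '
        $1 == "users" && NF == 6 {
            printf "%-10s %-10s %-18s %-7s %-7s %s\n", $1, $2, attr, $4, $5, $6
            next
        }
        { print }'
}

# Sanity check a map: every non-empty line must have exactly six fields.
# Prints the number of malformed lines (0 means the map is well-formed).
malformed_map_lines() {
    printf '%s\n' "$1" | awk 'NF > 0 && NF != 6 { bad++ } END { print bad + 0 }'
}

# Usage: pick the attribute from the LDIF, rewrite the map, then validate it.
attr=$(group_member_attr "$SAMPLE_LDIF")
new_map=$(set_users_attr "$DEFAULT_MAP" "$attr")
echo "chosen attribute: $attr"
echo "$new_map"
echo "malformed lines: $(malformed_map_lines "$new_map")"
```

In the sample the member attribute lists two users while msSFU30PosixMember lists one, so the script selects member; a group whose Unix membership was maintained only on the Unix Attributes tab would select msSFU30PosixMember instead.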

I will be able to provide you with the Active Directory "side" of this procedure as soon as my colleague Igor Zilberman (the greatest AD/CITRIX administrator I have been lucky to work with! :-) ) documents this process. Igor, thanks in advance!
These two different attributes (member and msSFU30PosixMember) that you use in really do have an effect on how you assign UNIX attributes to AD users….

Tu Vo (IBM) just told me that the default *.map files may be overwritten the next time AIX is patched!!! With this knowledge at hand, I copied the original into (am I creative or not?), edited it as described above, and then modified the appropriate entry in /etc/security/ldap/ldap.cfg so that it now looks like this:


After a few days, a user tried to use the sftp command and failed. While fixing his issues, I noticed a "strange" behavior on an AIX 7.1 host: for an ordinary user the id command did not work properly:

# id
uid=934960 gid=4141 groups=216(operator)

The host lost the ability to translate (display) the user's login name and the names of his/her groups; it showed only the numeric IDs. When the same user tried to ssh to another host, he received this pleasant message:

# ssh markd@hostB
You don't exist, go away!

Well, tell the user that he does not exist! How dare you? Tu Vo (IBM) delivered the resolution to this issue, letting me know that KRB5A is "deprecated" (on its way out….). Tu Vo's advice was to replace every KRB5A in the /etc/methods.cfg file with just KRB5, like this:

KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

KRB5LDAP:
        options = auth=KRB5,db=LDAP

Next, you must do the same in the /etc/security/user file: make sure that registry and SYSTEM also show KRB5LDAP instead of KRB5ALDAP.

After the change, you have to either restart secldapclntd or flush its cache (flush-secldapclntd). Now log in as the ordinary user and execute the id command. Does it work? YES!!!! Now it is time to try ssh and sftp. Do they work? YES!!!
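Before restarting secldapclntd it is worth confirming that no KRB5A reference survived in either file. The following shell script is an added example, not from the original post or from IBM: it works on constructed sample contents of /etc/methods.cfg and /etc/security/user (the mannt stanza and its values are made up for the example), counts the remaining KRB5A references, prints the migrated text without writing anything to disk, and lists user stanzas whose registry or SYSTEM still name a KRB5A-based method.

```shell
#!/bin/sh
# Added example (not from the original post). Both file bodies are
# constructed samples in the AIX stanza format, not copies of a real host.

METHODS_CFG='KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

KRB5ALDAP:
        options = auth=KRB5A,db=LDAP'

SECURITY_USER='default:
        admin = false
        SYSTEM = "compat"
        registry = files

mannt:
        SYSTEM = "KRB5ALDAP"
        registry = KRB5ALDAP'

# Count lines that still name the KRB5A module: as a stanza name, as a
# library path, or inside an option value. "KRB5" alone never contains
# the string "KRB5A", so a plain substring match is sufficient.
# The "|| true" keeps a count of 0 from being reported as a failure.
krb5a_refs() {
    printf '%s\n' "$1" | grep -c 'KRB5A' || true
}

# Produce the migrated text: every KRB5A token becomes KRB5, which turns the
# stanza names, the library paths and the KRB5ALDAP compound method into
# their KRB5 / KRB5LDAP forms in one pass. Nothing is written to disk.
migrate_krb5a() {
    printf '%s\n' "$1" | sed 's/KRB5A/KRB5/g'
}

# List stanzas of /etc/security/user whose registry or SYSTEM attribute
# still refers to a KRB5A-based method. A stanza header is a single word
# ending in ":" at the start of a line; attribute lines are "name = value".
stale_user_stanzas() {
    printf '%s\n' "$1" | awk '
        NF == 1 && $1 ~ /:$/ { stanza = $1; sub(/:$/, "", stanza); next }
        ($1 == "registry" || $1 == "SYSTEM") && $2 == "=" && $0 ~ /KRB5A/ {
            seen[stanza] = 1
        }
        END { for (s in seen) print s }'
}

# Usage: audit both files, show the migrated methods.cfg, re-audit.
echo "KRB5A references in methods.cfg: $(krb5a_refs "$METHODS_CFG")"
echo "KRB5A references in /etc/security/user: $(krb5a_refs "$SECURITY_USER")"
echo "user stanzas still on KRB5A: $(stale_user_stanzas "$SECURITY_USER")"
migrated=$(migrate_krb5a "$METHODS_CFG")
echo "$migrated"
echo "KRB5A references after migration: $(krb5a_refs "$migrated")"
```

Run the audit once before the edit to see what will change, apply the migrated text by hand (or redirect it to a copy of the file and diff it), and run the audit again; only when both counts are zero and stale_user_stanzas prints nothing is it time for restart-secldapclntd or flush-secldapclntd.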

Thanks Tu Vo!

What about the earlier ssh issue? Well, it was not just KRB5; it was also the key in his ~/.ssh/known_hosts…….

  1. MarkD:-) says

    You have to use the “default:” section of /etc/security/user – set the SYSTEM & registry values to “LDAP” and leave the locally authenticated users as they are (local authentication).

  2. addi says

    Thanks Mark,

    Yes, the users were in there but the user Unix attributes were not set correctly. That's resolved now.

    My new question is how we can set up AD authentication without creating local user accounts on the AIX server. Do we have to set up an AIX LDAP server, create the users there and sync them with the AD users?

    Thanks in advance.

  3. MarkD:-) says

    It looks like the user defined as Svc-adaitest does not exist in OU=AIXOU,OU=TESTAdmin,DC=TEST,DC=local.
    Use the ldapsearch command and see if you can really “find” him there.

  4. Addi says

    Hi Mark,

    Could you please help with this issue I’m experiencing.

    mksecldap -c -h Ad-2k08-dctst.test.local -a CN=Svc-adaixtest,OU=AIXOU,OU=TESTAdmin,DC=TEST,DC=local -d OU=AIXOU,OU=TESTAdmin,DC=TEST,DC=local -p Welcome1

    Cannot find users from OU=AIXOU,OU=JCTESTAdmin,DC=JCTEST,DC=local base DN.
    Client setup failed.

  5. MarkD:-) says

    I am not really sure I understand the context of your question – you do not mount a disk in AIX.

    Search the ODM for the disk in question (hdiskXXX):

    odmget -q 'name = hdiskXXX' CuAt > CuAt.hdisk
    odmget -q 'name = hdiskXXX' CuDv > CuDv.hdisk

    See if the info you are looking for is in any of these files. If so, the odmchange (for example) or the chpv command could be used to modify the disk information. By the way, are you referring to the VGDA area of a disk?

    Good luck!

  6. Dan Wolfe says

    Hi Mark,
    do you happen to know what sectors of the disk AIX uses for disk labels? I have a disk that won't mount and the error claims the disk label was wiped. I have the label it needs, but I can't figure out the proper dd command to correct the issue.
    If you can help at all I'd be greatly appreciative.
    Thanks in advance