This is a discussion on AIX authentication with Active Directory within the AIX Operating System forums, part of the Unix Operating Systems category.
"ckinion" <chuck.kinion@magellanlp.com> wrote:

I've seen several postings on this with no real answers.

Is it possible to authenticate AIX users against Active Directory? I need my users to be able to use a single password. Would be willing to auth against a Radius server but haven't been able to find any real answers for that either.

Any insight would be greatly appreciated.
"Rich" <rolivieri@si.rr.com> wrote:

Yes, it is possible to authenticate AIX against AD. If you are using AIX 5.2 you can use the KRB5A authentication module, using Kerberos auth. See the following:

http://publib16.boulder.ibm.com/pser...oad_module.htm

I've never tried this setup, as we are using 5.1, which doesn't support the KRB5A auth module. What you can do in this situation is use LDAP as the authentication mechanism. However, passwords are sent over the network in clear text, so it is possible to sniff out those passwords; this is not the best choice from a security standpoint. If you do want to use LDAP to authenticate, download and install the NSS_LDAP authentication module from the following site:

http://www.padl.com/Articles/nss_ldaponAIX.html

Once you have configured AIX, you have to configure your W2K AD schema to support Unix object types. There is a tool I've used called AD4UNIX, not sure where I got it, but basically it allows you to give each W2K user Unix settings, such as uid, gid, home directory and shell.

If you get things set up correctly, you should be able to log in to the AIX box with your W2K username and password. There are a few things I've noticed that don't work so well.

1. When you run ps -ef you will only see the uid of your W2K account, unless you explicitly add them to /etc/passwd.

2. lpstat, lp and other printing commands also do not work.

What I had to do was set up each W2K user as a regular AIX user and change the authentication method from compat to LDAP.

Hope this helps!

Rich

> "ckinion" <chuck.kinion@magellanlp.com> wrote in message news:6d0c32a8.0401191503.6b7469b6@posting.google.com...
> [...]
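Added example, not part of Rich's post and not code from nss_ldap or IBM: what the clear-text exposure Rich mentions actually looks like on the wire. The block hand-encodes a minimal LDAPv3 simple BindRequest (RFC 4511, BER per X.690) and then parses it back the way a packet sniffer on the path between the AIX box and the domain controller would. The DN and password are constructed sample values; the tag constants are the real LDAP ones. The usual fix is to wrap the bind in TLS (LDAPS or STARTTLS) or, as Rich notes for 5.2, to use Kerberos instead, so that no reusable secret crosses the network.

```python
"""Encode an LDAP simple bind and extract the credentials from the raw bytes.

Illustration code added to the thread; not from nss_ldap, IBM or the poster.
DN and password below are constructed values.
"""

SEQUENCE = 0x30
INTEGER = 0x02
OCTET_STRING = 0x04
BIND_REQUEST = 0x60      # [APPLICATION 0] constructed
SIMPLE_AUTH = 0x80       # AuthenticationChoice: simple [0] OCTET STRING
SASL_AUTH = 0xA3         # AuthenticationChoice: sasl   [3] SEQUENCE (not clear text)


def _ber_length(n):
    """BER length: short form below 128, long form (0x8N + N octets) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_length(len(body)) + body


def _ber_int(n):
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    return _tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_simple_bind(message_id, dn, password):
    """Build the LDAPMessage a client sends for a simple (password) bind."""
    bind = (_ber_int(3)                                  # LDAP version 3
            + _tlv(OCTET_STRING, dn.encode())            # name (LDAPDN)
            + _tlv(SIMPLE_AUTH, password.encode()))      # password, verbatim
    return _tlv(SEQUENCE, _ber_int(message_id) + _tlv(BIND_REQUEST, bind))


def _read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, body, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_bind_credentials(packet):
    """What a sniffer recovers from one captured LDAPMessage.

    Returns (message_id, dn, password); password is None for a non-simple
    bind (SASL), and the whole result is None if this is not a BindRequest.
    """
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != INTEGER:
        return None
    message_id = int.from_bytes(mid, "big")
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        return None
    _tag, _version, pos = _read_tlv(bind, 0)
    _tag, name, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    password = auth.decode() if tag == SIMPLE_AUTH else None
    return message_id, name.decode(), password


def password_visible_on_wire(packet, password):
    """The whole problem in one check: the secret is a literal substring of the packet."""
    return password.encode() in packet


if __name__ == "__main__":
    pkt = build_simple_bind(1, "cn=jdoe,ou=Users,dc=example,dc=com", "s3cret!")
    print(pkt.hex())
    print(extract_bind_credentials(pkt))
```

The decoder deliberately handles long-form lengths, since real AD distinguished names routinely exceed 127 bytes and a parser that only reads the short form silently misparses them.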
gdyche@nmhs.org (Greg -- AIX Guy) wrote:

> "Rich" <rolivieri@si.rr.com> wrote in message news:<rB2Pb.87543$cM1.15607056@twister.nyc.rr.com>...
> [...]

According to LDAP Authentication Load Module (IBM doc found at: http://publib16.boulder.ibm.com/pser...2200020001endr):

*******
* AIX - AIX schema (aixaccount and aixaccessgroup objectclasses)
* RFC2307 - RFC 2307 schema (posixaccount, shadowaccount, and posixgroup objectclasses)
* RFC2307AIX - RFC 2307 schema with full AIX support (posixaccount, shadowaccount, and posixgroup objectclasses, plus the aixauxaccount and aixauxgroup object classes).

Attention: Systems running AIX 4.3 and AIX 5.1 which are configured as LDAP clients will only work with servers of AIX schema type. They will not talk to LDAP servers of RFC2307 or RFC2307AIX types.
*******

AIX 5.2 will use RFC2307AIX, so you should be able to be a client to Active Directory. I thought I had this statement in writing, but I can't find it this morning -- sorry.

Greg
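Added example, not part of Greg's post and not IBM code: a pre-flight check for the schema question raised in this thread. The three schema types and the AIX 4.3/5.1 restriction are taken from the IBM text Greg quotes; the required attribute list is the MUST set of RFC 2307's posixAccount (loginShell and gecos are optional there). The entries are constructed, the default shell and the "!" password placeholder are assumptions, and the script makes no attempt to talk to a directory: it checks entries you have already pulled (for example with ldapsearch) before you switch a user's registry to LDAP and discover at the login prompt that uidNumber was never populated.

```python
"""Sanity-check directory entries before pointing an AIX LDAP client at them.

Illustration code added to the thread; not from IBM, padl or the poster.
Schema names and the 4.3/5.1 client restriction come from the IBM doc quoted
in the thread; the sample entries are constructed.
"""

# objectClass values that identify each schema type (per the IBM doc quoted above)
SCHEMA_MARKERS = {
    "AIX": {"aixaccount"},
    "RFC2307AIX": {"posixaccount", "aixauxaccount"},
    "RFC2307": {"posixaccount"},
}
# client releases the IBM "Attention" note says only talk to AIX-schema servers
AIX_SCHEMA_ONLY_CLIENTS = {"4.3", "5.1"}

# MUST attributes of posixAccount in RFC 2307 (cn omitted: it does not reach passwd)
REQUIRED_POSIX = ("uid", "uidNumber", "gidNumber", "homeDirectory")


def detect_schema(object_classes):
    """Map an entry's objectClass values to one of the IBM schema types, or None."""
    classes = {c.lower() for c in object_classes}
    for name in ("AIX", "RFC2307AIX", "RFC2307"):     # most specific first
        if SCHEMA_MARKERS[name] <= classes:
            return name
    return None


def client_supports(aix_version, schema):
    """Apply the IBM note: 4.3 and 5.1 clients need an AIX-schema server."""
    if aix_version in AIX_SCHEMA_ONLY_CLIENTS:
        return schema == "AIX"
    return schema is not None


def validate_posix_entry(entry):
    """List the problems that would stop an entry resolving to a usable Unix account."""
    problems = []
    for attr in REQUIRED_POSIX:
        if not entry.get(attr):
            problems.append("missing " + attr)
    for attr in ("uidNumber", "gidNumber"):
        value = entry.get(attr)
        if value is not None and not str(value).isdigit():
            problems.append(attr + " is not numeric")
    if str(entry.get("uidNumber")) == "0":
        # a directory-managed user with uid 0 is a local root account nobody audits
        problems.append("uidNumber 0 would map a directory user onto root")
    home = entry.get("homeDirectory", "")
    if home and not home.startswith("/"):
        problems.append("homeDirectory is not absolute")
    return problems


def to_passwd_line(entry):
    """Render the passwd-style line a getpwnam caller would see for a valid entry.

    The "!" password field is the AIX convention for "not stored here" and the
    /bin/sh fallback is an assumption for entries without loginShell.
    """
    problems = validate_posix_entry(entry)
    if problems:
        raise ValueError("; ".join(problems))
    return ":".join([
        entry["uid"], "!",
        str(entry["uidNumber"]), str(entry["gidNumber"]),
        entry.get("gecos", ""), entry["homeDirectory"],
        entry.get("loginShell", "/bin/sh"),
    ])


if __name__ == "__main__":
    # constructed entry of the kind AD4UNIX-style Unix attributes would produce
    jdoe = {"objectClass": ["top", "person", "posixAccount"], "uid": "jdoe",
            "uidNumber": "1001", "gidNumber": "100",
            "homeDirectory": "/home/jdoe", "loginShell": "/usr/bin/ksh"}
    print(detect_schema(jdoe["objectClass"]), client_supports("5.2", detect_schema(jdoe["objectClass"])))
    print(to_passwd_line(jdoe))
```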
> gdyche@nmhs.org (Greg -- AIX Guy) writes:
> [...]

You can write your own authentication module too. I don't know anything about Active Directory in particular, but if nothing else works this should. I've used it to connect to an LDAP server without needing a particular schema.

http://publibn.boulder.ibm.com/doc_l...c_load_mod.htm

JC
Hi,

Authentication against AD is done via Kerberos by default (Directory/LDAP is a repository). Strictly speaking, for single sign-on, a TGT and a service host ticket from the AD KDC are sufficient. The account information can be stored locally on your AIX client (no need to centralize your accounts on a directory).

Authentication from a Unix client against the Kerberos KDC from Microsoft may be an issue:

* http://msdn.microsoft.com/library/de...l/MSDN_PAC.asp
* Non-MS Kerberos clients will ignore the PAC field in tickets from the MS KDC. But if a user is a member of a large number of groups, then the PAC might grow large enough that the KDC reply does not fit in one UDP packet. In this case, the MS KDC asks the client to retry the request using TCP...

I completely agree with the remark on the AIX 5.2 schema and RFC2307AIX. Thanks to that, you can store accounts for Sun Solaris users in an IBM SecureWay Directory (POSIX compliant). To be able to retrieve AIX account information from an AD, you will have to use an nss_ldap from padl compiled with the RFC2307bis option. But fields that extend the pure POSIX information in AIX will be lost... But that's not the problem.

At this time the issue is the following: AIX 5.2, like Sun Solaris and Linux, has real PAM support and nsswitch-"like" support. That is, you can retrieve your AIX account from a directory and authenticate against a krb5 KDC. But at this time, no pam_krb5 exists for AIX. So you have to use the AIX native method and authenticate against an IBM AIX KDC, which is IBM Network Authentication Services 1.3, a krb5 KDC with its repository stored in the SecureWay Directory.

==> You have to use the IBM product suite: SecureWay Directory Server 5.1/5.2 + IBM NAS 1.3. Which is not a bad thing: you keep a fully certified and supported solution from IBM.
==> You can also forget your single sign-on.
==> But you can decide on a trust between the IBM KDC and the MS KDC. (I have done the test and it works, with the remark on the MS PAC field in the krb implementation.)

Hope this can help you.
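Added example, not part of the post above and not code from Microsoft, IBM or any Kerberos library: the UDP-to-TCP retry the post describes, in a form you can step through. What is real: RFC 4120 section 7.2 says a KDC whose reply will not fit in a UDP datagram answers with a KRB-ERROR carrying error code 52 (KRB_ERR_RESPONSE_TOO_BIG), the client must then repeat the request over TCP, and on TCP every message is prefixed with a 4-octet big-endian length whose high bit is reserved and must be zero. Everything else is modelled: the KDC, the reply bytes, the per-group PAC growth and the 1465-byte UDP budget (MIT krb5's default udp_preference_limit) are simulated constants, not measurements of an AD domain controller.

```python
"""Model of the Kerberos KDC reply-too-big retry (RFC 4120 section 7.2).

Illustration code added to the thread; the KDC, reply sizes and PAC growth
are simulated.  The error code and the TCP framing rules are the real ones.
"""
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52    # RFC 4120: reply too big for UDP, use TCP
UDP_REPLY_LIMIT = 1465           # assumed datagram budget (MIT default udp_preference_limit)


def frame_tcp(message):
    """RFC 4120 7.2.2: 4-octet big-endian length prefix, high bit must be zero."""
    if len(message) >= 1 << 31:
        raise ValueError("message too long for a Kerberos TCP frame")
    return struct.pack(">I", len(message)) + message


def unframe_tcp(data):
    """Strip and validate the length prefix; reject a set high bit or bad length."""
    (length,) = struct.unpack(">I", data[:4])
    if length & 0x80000000:
        raise ValueError("high bit set: reserved for future expansion, reject")
    if len(data) != 4 + length:
        raise ValueError("truncated frame or trailing data")
    return data[4:]


def frame_is_valid(data):
    try:
        unframe_tcp(data)
        return True
    except ValueError:
        return False


class SimulatedKdc:
    """Stand-in for an AD KDC: reply grows with the number of groups in the PAC."""
    BASE_REPLY = 900          # assumed: AS-REP with ticket but an empty group list
    BYTES_PER_GROUP = 28      # assumed: rough cost of one group SID in the PAC

    def __init__(self, group_memberships):
        self.groups = group_memberships       # user -> number of group memberships

    def _build_reply(self, user):
        size = self.BASE_REPLY + self.BYTES_PER_GROUP * self.groups.get(user, 0)
        return b"AS-REP:" + user.encode() + b":" + b"P" * size   # opaque stand-in bytes

    def handle_udp(self, user):
        """UDP path: either the reply or a KRB-ERROR telling the client to retry."""
        reply = self._build_reply(user)
        if len(reply) > UDP_REPLY_LIMIT:
            return ("KRB-ERROR", KRB_ERR_RESPONSE_TOO_BIG)
        return ("AS-REP", reply)

    def handle_tcp(self, framed_request):
        """TCP path: both request and reply carry the 4-octet length prefix."""
        user = unframe_tcp(framed_request).decode()
        return frame_tcp(self._build_reply(user))


def request_ticket(kdc, user):
    """Client side: try UDP first; on error 52 repeat the request over TCP.

    Returns (transport_used, reply_bytes).  A client that does not implement
    this retry simply fails for users with large group memberships.
    """
    kind, payload = kdc.handle_udp(user)
    if kind == "AS-REP":
        return "udp", payload
    if kind == "KRB-ERROR" and payload == KRB_ERR_RESPONSE_TOO_BIG:
        framed = kdc.handle_tcp(frame_tcp(user.encode()))   # request is a stand-in
        return "tcp", unframe_tcp(framed)
    raise RuntimeError("KDC error %r" % (payload,))


if __name__ == "__main__":
    kdc = SimulatedKdc({"alice": 5, "bob": 60})     # constructed group counts
    for name in ("alice", "bob"):
        transport, reply = request_ticket(kdc, name)
        print(name, transport, len(reply))
```

The point of the high-bit check in unframe_tcp is defensive: a client or KDC that treats the prefix as a plain 32-bit length can be made to allocate or wait for gigabytes on a single crafted frame, which is why the RFC reserves that bit and tells implementations to reject it.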