http://aerostitch.github.io/linux_and_unix/AIX/AIX-Security-Kerberos_Authentication.html
The following attribute mappings are defined for Active Directory with Services for UNIX: sfu30user.map
The following attribute mappings are defined for Active Directory with the Windows 2003 R2 schema: sfur2user.map
AIX® supports multiple base DNs. Up to 10 base DNs for each entity can be specified in the /etc/security/ldap/ldap.cfg file. The base DNs are prioritized in the order they appear in the file.
Important File Locations
/etc/krb5/krb5.conf
/etc/methods.cfg
/etc/security/user
/etc/security/ldap/ldap.cfg
/etc/security/ldap/sfur2user.map
/etc/resolv.conf
/etc/hosts
/etc/ntp.conf
If you select this method to authenticate/authorise, you may notice that a user's group membership is incomplete – a user with multiple groups will be shown to belong to only one group!
# lsuser -a pgrp groups mannt
mannt pgrp=lawson groups=lawson
The mannt user really does belong to more than one group. So why, when we ask Active Directory (through the AIX LDAP client) for this information, does it come back truncated?
It could be that the Active Directory administrator did not follow this procedure:
Active Directory object management

As is the case with any other authentication mechanism, we need to configure the user objects for the users that are to use the system. However, if you are implementing this solution, more than likely your users already have Windows accounts. In that case, all we need to do is to modify the objects to be POSIX compliant.

1. Open the Active Directory Users and Groups management tool.
a.) Modify a group object to function as a POSIX group.
b.) Right-click on the user group for assignment of a GID.
c.) Click on the Unix Attributes tab.
d.) Populate the NIS Domain dropdown and the GID number as appropriate.
2. Modify a user object to function as a POSIX user.
a.) Locate and activate the tab that says Unix Settings.
b.) Under Unix Settings, set the UID and GID for the user, as well as the home directory location (on the Linux filesystem /home/). Note: You will need to ensure that the directory exists with the appropriate user object having access to the directory.
c.) Reset the user's password. This causes the AD password and the Unix password attributes to synchronize.
3. Add the user as a Unix member of the group.
a.) After you have added the user as a Unix user, you will also need to come back to the group properties and add the user as a member on the Unix Attributes tab. Otherwise, the user will not be populated in the msSFU30PosixMember attribute.
Next, you have to modify the /etc/security/ldap/sfur2group.map file, whose default contents are shown below:
groupname SEC_CHAR cn s na yes
id SEC_INT gidNumber s na yes
users SEC_LIST cn m na yes
Depending on how group membership is declared in your Active Directory, replace the last line of this file so that it looks either like this:
users SEC_LIST msSFU30PosixMember m na yes
or like this
users SEC_LIST member m na yes
Follow these modifications by running the restart-secldapclntd command and listing the user again. Now the full group membership is shown:
# lsuser -a pgrp groups mannt
mannt pgrp=lawson groups=lawson,shell,payroll,operator,printq
I will be able to provide you with the Active Directory “side” of this procedure as soon as my colleague Igor Zilberman (the greatest AD/CITRIX administrator I have been lucky to work with!) documents this process – Igor, thanks in advance!
These two different attributes (member and msSFU30PosixMember) that you can use in sfur2group.map really do have an effect on how you assign UNIX attributes to AD users....
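To take the guesswork out of the member / msSFU30PosixMember choice, here is an added shell example (not code from the original post or from AIX): it reads an LDIF dump of one AD group, such as ldapsearch returns, counts the values of each attribute, emits the matching "users" line for a custom group map file, and checks that every map line has the six fields the default map files use. The LDIF sample inside the script is constructed, and the rule "prefer msSFU30PosixMember whenever it is populated, otherwise fall back to member" is an assumption of the example, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: decide which AD attribute the
# "users" line of sfur2group.map should read, from an LDIF dump of one group,
# and check the resulting map for the expected six-field layout.

# Constructed sample, shaped like "ldapsearch -L" output for one group.
# All names, DNs and numbers are made up.
SAMPLE_LDIF='dn: CN=payroll,OU=Groups,DC=example,DC=com
cn: payroll
gidNumber: 4142
msSFU30PosixMember: CN=mannt,OU=Users,DC=example,DC=com
msSFU30PosixMember: CN=markd,OU=Users,DC=example,DC=com
member: CN=mannt,OU=Users,DC=example,DC=com
member: CN=markd,OU=Users,DC=example,DC=com
member: CN=svc-backup,OU=Service,DC=example,DC=com'

# count_attr ATTR LDIF: number of values ATTR carries in the LDIF text.
# LDIF attribute names are case-insensitive, so compare in lower case.
count_attr() {
    printf '%s\n' "$2" | awk -F': ' -v a="$1" \
        'tolower($1) == tolower(a) { n++ } END { print n + 0 }'
}

# users_map_line LDIF: the last line of sfur2group.map for this directory.
# Assumed rule: when the group carries msSFU30PosixMember values (the
# UNIX-enabled members), use that attribute; otherwise fall back to the
# plain "member" attribute.
users_map_line() {
    if [ "$(count_attr msSFU30PosixMember "$1")" -gt 0 ]; then
        echo "users SEC_LIST msSFU30PosixMember m na yes"
    else
        echo "users SEC_LIST member m na yes"
    fi
}

# build_group_map LDIF: full contents for a custom group map file (keeping
# it under a name of its own protects it from being overwritten by patching).
build_group_map() {
    printf '%s\n' \
        "groupname SEC_CHAR cn s na yes" \
        "id SEC_INT gidNumber s na yes" \
        "$(users_map_line "$1")"
}

# check_map_syntax MAPTEXT: exit 0 if every non-blank, non-comment line has
# exactly six whitespace-separated fields, as the default map files do.
check_map_syntax() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }
        NF != 6 { bad = 1 }
        END { exit bad + 0 }'
}

# Stand-alone run: print the map that the sample directory calls for.
build_group_map "$SAMPLE_LDIF"
```

On a real host, replace SAMPLE_LDIF with the output of an ldapsearch for the group in question, and run check_map_syntax over the custom map file before pointing groupattrmappath at it.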
ATTENTION: Tu Vo (IBM) just told me that the default *.map files may be overwritten the next time AIX is patched!!! With this knowledge at hand, I copied the original sfur2group.map into sfur2AD2012group.map (am I creative or not?), edited it as described above and next, I modified the appropriate entry in the /etc/security/ldap/ldap.cfg so now it looks like this:
groupattrmappath:/etc/security/ldap/sfur2AD2012group.map
After a few days, a user tried to use the sftp command and failed. Fixing his issues, I noticed a “strange” behavior (AIX 7.1 host) – for a casual user the id command did not work:
# id
uid=934960 gid=4141 groups=216(operator)
The host/user lost the ability to translate (to show) the user login name and his/her group names – it just showed their numeric IDs. When the same user tried to ssh to another host he would receive this pleasant message:
# ssh markd@hostB
You don't exist, go away!
Well, tell it to the user that he does not exist! How dare you? Tu Vo (IBM) delivered the resolution to this issue, letting me know that KRB5A is “deprecated” (on its way out....). Tu Vo's advice was to replace every KRB5A in the /etc/methods.cfg file with just KRB5, like this:
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

KRB5LDAP:
        options = auth=KRB5,db=LDAP
Next, you must do the same in the /etc/security/user file – make sure that the registry and SYSTEM attributes also show KRB5LDAP instead of KRB5ALDAP.
After the change, you either have to restart the secldapclntd or flush its cache (flush-secldapclntd). Now, log in as the ordinary user and execute the id command; does it work? YES!!!! Now it is time to try ssh and sftp; do they work? YES!!!
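As an added example (not the post's own code), the following shell script turns the KRB5A to KRB5 rename into something that can be checked rather than hand-edited: it lists the lines of methods.cfg and /etc/security/user that still reference KRB5A, applies the rename, and reads individual stanza attributes back so that registry and SYSTEM can be confirmed to say KRB5LDAP before secldapclntd is restarted or flushed. The two file samples embedded in the script are constructed; on a real host you would feed the functions the actual file contents instead.

```shell
#!/bin/sh
# Added example, not from the original post: find references to the retired
# KRB5A module in methods.cfg and /etc/security/user, apply the KRB5A -> KRB5
# rename the post describes, and read the result back stanza by stanza.

# Constructed samples of the two files before the change (user names and
# attribute values other than the module paths are made up).
SAMPLE_METHODS='KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

KRB5ALDAP:
        options = auth=KRB5A,db=LDAP'

SAMPLE_USER='default:
        admin = false
        login = true

mannt:
        registry = KRB5ALDAP
        SYSTEM = "KRB5ALDAP"'

# count_legacy_refs TEXT: how many lines still mention KRB5A (covers the
# stanza names KRB5A and KRB5ALDAP, the module paths and the auth= option).
count_legacy_refs() {
    printf '%s\n' "$1" | awk '/KRB5A/ { n++ } END { print n + 0 }'
}

# list_legacy_refs TEXT: the offending lines with their line numbers, for
# review before anything is rewritten.
list_legacy_refs() {
    printf '%s\n' "$1" | awk '/KRB5A/ { print NR ": " $0 }'
}

# migrate_legacy_refs TEXT: the same text with every KRB5A replaced by KRB5.
# KRB5A_64 becomes KRB5_64 and KRB5ALDAP becomes KRB5LDAP, which matches the
# stanzas shown in the post.
migrate_legacy_refs() {
    printf '%s\n' "$1" | sed 's/KRB5A/KRB5/g'
}

# stanza_value STANZA ATTR TEXT: value of ATTR inside STANZA in an AIX
# stanza file ("name:" line followed by indented "attr = value" lines).
stanza_value() {
    printf '%s\n' "$3" | awk -v s="$1:" -v a="$2" '
        /^[^[:space:]].*:[[:space:]]*$/ { cur = $1; next }
        cur == s && $1 == a && $2 == "=" {
            v = $3
            for (i = 4; i <= NF; i++) v = v " " $i
            print v
            exit
        }'
}

# Stand-alone run: show what would change, then the migrated files.
echo "== methods.cfg lines to change =="
list_legacy_refs "$SAMPLE_METHODS"
echo "== /etc/security/user lines to change =="
list_legacy_refs "$SAMPLE_USER"
echo "== migrated methods.cfg =="
migrate_legacy_refs "$SAMPLE_METHODS"
echo "== migrated /etc/security/user =="
migrate_legacy_refs "$SAMPLE_USER"
```

Running list_legacy_refs first and keeping a copy of both files before writing the migrated text back is the sensible order; a stanza_value check that registry and SYSTEM agree for every affected user is what tells you the id, ssh and sftp tests are worth trying.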
Thanks Tu Vo!
What about the earlier ssh issue? Well, it was not just KRB5, it was also the key in his ~/.ssh/known_hosts.......