AIX AD integration for Password authentication

AmjathS

Technical User
Oct 1, 2012
I am trying to create SSO for an application running on AIX 7.1 to be authenticated by Windows AD 2008. I have done the steps below. (I just need to use Windows for authentication only; user administration can be done on the AIX server.)

1) Installed KRB5 filesets in AIX server.

2) Created AD user in Windows AD server -

3) Created keytab file using below command
C:\>ktpass -princ host/AIXserver.mycompany.com@MYCOMPANY.COM -mapuser host_ai-kerr-pr -pass xxxxxxx -out host_AIXserver.keytab
Targeting domain controller: server1.mycompany.com
Using legacy password setting method
Successfully mapped host/AIXserver.mycompany.com to host_AIXserver.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to host_AIXserver.keytab:
Keytab version: 0x502
keysize 76 host/AIXserver.mycompany.com@MYCOMPANY.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x0229a7a4cd52062d9480fb4dbe41d41a)

C:\>setspn -L host_AIXserver
Registered ServicePrincipalNames for CN=host_AIXserver,CN=Users,DC=mycompany,DC=com:
host/AIXserver.mycompany.com

4) FTP'ed keytab to AIX server and created keytab using ktutil:

rkt /home/root/host_AIXserver.keytab
ktutil: list
slot KVNO Principal
------
1 3 host/AIXserver.mycompany.com@MYCOMPANY.COM
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: quit

5) But I am not able to proceed further due to below error.

root@AIXserver[/home/root]# /usr/krb5/bin/kinit -kt /etc/krb5/krb5.keytab
Unable to obtain initial credentials.
Status 0x96c73a06 - Client not found in Network Authentication Service database or client locked out.
root@AIXserver[/home/root]# /usr/krb5/bin/kinit -kt host_AIXserver@MYCOMPANY.COM
Unable to obtain initial credentials.
Status 0x96c73a06 - Client not found in Network Authentication Service database or client locked out.
Please suggest a fix for this error. Please let me know if you need more clarification. Any suggestion is appreciated.
 
Hi,
it probably is not your case, but what made me crazy some years ago, deploying a similar architecture, was the time synchronization between the servers: Kerberos was a real daemon!
Bye,
vic
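The checks below are an added example, not code from this thread, from IBM or from Microsoft. They take a constructed copy of the `ktutil: list` output shown in the question and reproduce, offline, the two conditions behind "Client not found" and failed keytab logins that the thread touches on: handing kinit a principal name that is not the one stored in the keytab (the AD account name host_AIXserver@REALM is not a keytab entry; the service principal host/AIXserver.mycompany.com@REALM is), and clock skew between the AIX host and the domain controller (vic's point). The 300-second skew limit is assumed to be the Kerberos default; your krb5.conf may set `clockskew` differently. The function names and the sample timestamps are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Tek-Tips thread): offline sanity checks a
# practitioner runs before kinit when an AD-mapped keytab fails with
# "Client not found". Assumptions: ktutil-style "list" output is captured
# into a variable; names below are constructed to match the thread.

# Constructed sample of `ktutil: list` output, as shown in the post.
KTUTIL_LIST='slot KVNO Principal
------
1 3 host/AIXserver.mycompany.com@MYCOMPANY.COM'

# Return 0 if the exact principal appears in the keytab listing, else 1.
# kinit must be given this exact name: the AD account name
# (host_AIXserver@REALM) is not a keytab entry, so the KDC cannot find it.
keytab_has_principal() {
    listing=$1
    princ=$2
    printf '%s\n' "$listing" |
        awk -v p="$princ" 'NR > 2 && $3 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Print the KVNO recorded for a principal (nothing if absent). The keytab
# KVNO must match what the KDC holds: ktpass resets the AD account password
# and bumps the version, so a stale keytab fails even when the name is right.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" 'NR > 2 && $3 == p { print $2; exit }'
}

# Validate the argument shape handed to kinit: the word after -kt is a
# keytab PATH, and the principal is a separate trailing argument.
# Returns 0 when the shape is right, 1 otherwise (e.g. a principal name
# passed where the keytab path belongs).
kinit_args_ok() {
    keytab=$1
    princ=$2
    case $keytab in
        /*) ;;                 # keytab must be an absolute path
        *)  return 1 ;;
    esac
    case $princ in
        */*@*) return 0 ;;     # service principal: service/host@REALM
        *)     return 1 ;;
    esac
}

# Clock skew check (vic's point): the KDC rejects requests when client and
# KDC clocks differ by more than the configured skew, assumed here to be the
# 300 s default. Returns 0 if the two epoch timestamps are within the limit.
clock_skew_ok() {
    local_ts=$1
    kdc_ts=$2
    limit=${3:-300}
    diff=$((local_ts - kdc_ts))
    if [ "$diff" -lt 0 ]; then diff=$((-diff)); fi
    [ "$diff" -le "$limit" ]
}

# Walk through the thread's two kinit attempts and the skew check.
SVC='host/AIXserver.mycompany.com@MYCOMPANY.COM'
ACCT='host_AIXserver@MYCOMPANY.COM'
for p in "$SVC" "$ACCT"; do
    if keytab_has_principal "$KTUTIL_LIST" "$p"; then
        echo "in keytab (kvno $(keytab_kvno "$KTUTIL_LIST" "$p")): $p"
    else
        echo "NOT in keytab, kinit will report client not found: $p"
    fi
done
if kinit_args_ok "$ACCT" ""; then
    echo "argument shape ok"
else
    echo "bad shape: '$ACCT' after -kt is read as a keytab path, not a principal"
fi
if clock_skew_ok "$(date +%s)" "$(( $(date +%s) + 600 ))"; then
    echo "clock skew within limit"
else
    echo "clock skew exceeds limit (constructed 600 s offset): sync time with the DC first"
fi
```

Run it as `sh check_keytab.sh`; in real use, replace KTUTIL_LIST with the captured output of `ktutil` (`rkt /etc/krb5/krb5.keytab` then `list`), and feed clock_skew_ok the local epoch time and the domain controller's time from `w32tm` or NTP.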
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top