Configure AIX 6.x and 7.x clients on IPA


Install AIX packages with installp:

  • GSKit8.gskcrypt32.ppc.rte
  • GSKit8.gskcrypt64.ppc.rte
  • GSKit8.gskssl32.ppc.rte
  • GSKit8.gskssl64.ppc.rte
  • krb5.lic
  • krb5.client
  • krb5.doc.en_US
  • krb5.toolkit
  • krb5.server

Accept IDS License:

{{ packages_path }}/license/idsLicense -q

Install IDS packages with installp:

  • idsldap.license64
  • idsldap.cltbase64
  • idsldap.clt32bit64
  • idsldap.clt64bit64
  • idsldap.cltjava64
  • idsldap.clt_max_crypto32bit64
  • idsldap.clt_max_crypto64bit64

Install RPMS from IBM Toolkit:

  • openssl-1.0.2s-1.aix5.1.ppc.rpm
  • openldap-2.4.44-0.1.aix5.1.ppc.rpm
  • sudo-1.8.21p2-1.aix5.1.ppc.rpm

Configure AIX client:

  /usr/bin/gsk8capicmd -keydb -create -db /etc/security/ldap/ldap.kdb
  /usr/bin/gsk8capicmd -cert -add -db /etc/security/ldap/ldap.kdb -file /etc/ipa/ca.crt -label ipa_server_cert
  /usr/bin/gsk8capicmd -keydb -changepw -new_pw 3edc#EDC3edc#EDC -db /etc/security/ldap/ldap.kdb
  /usr/sbin/mksecldap -c -h {{ipaserver}} -a "uid=admin,cn=users,cn=accounts,dc=server,dc=cr" -p {{ipaadminpassword}} -d "dc=server,dc=cr" -k "/etc/security/ldap/ldap.kdb" -w "3edc#EDC3edc#EDC"
  /usr/sbin/mkkrb5clnt -c -r SERVER.CR -s -d -i LDAP -D
  /usr/bin/chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
  /usr/bin/chown root:sys /etc/krb5/krb5.keytab
  /usr/bin/chmod 700 /etc/krb5/krb5.keytab
  /usr/bin/chsec -f /etc/security/user -s default -a SYSTEM="KRB5LDAP OR compat"
  /usr/bin/chauthent -k5 -std

Check the configuration of /etc/krb5/krb5.conf:

  [libdefaults]
          default_realm = SERVER.CR
          default_keytab_name = FILE:/etc/krb5/krb5.keytab
          dns_lookup_realm = true
          dns_lookup_kdc = true

  [realms]
          SERVER.CR = {
                  kdc =
                  master_kdc =
                  admin_server =
                  default_domain =
                  pkinit_anchors = FILE:/etc/ipa/ca.crt
          }

  [domain_realm]
          = SERVER.CR
          = SERVER.CR
          = SERVER.CR

  [logging]
          kdc = FILE:/var/krb5/log/krb5kdc.log
          admin_server = FILE:/var/krb5/log/kadmin.log
          kadmin_local = FILE:/var/krb5/log/kadmin_local.log
          default = SYSLOG:info:local1

Check the configuration of /etc/ldap.conf:

  URI ldap://
  tls_cacert /etc/ipa/ca.crt
  BIND_TIMELIMIT 5
  TIMELIMIT 15
  binddn uid=admin,cn=users,cn=accounts,dc=server,dc=cr
  bindpw {{ipaadminpassword}}
  sudoers_base ou=sudoers,dc=server,dc=cr

Restart ldap service:


Sudo configuration: edit /etc/netsvc.conf and add:

hosts = bind4,local
sudoers = files, ldap
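An added example, not part of the post above: a POSIX sh audit of the AIX-side files the procedure produces (krb5.conf realm and PKINIT anchor, ldap.conf URI and CA, netsvc.conf sudoers order, keytab permissions). It runs on constructed sample files; the hostname ipa.server.cr is assumed, and on a real host you would pass the live paths instead.

```shell
# Added example, not from the original post: offline audit of the AIX client files
# the procedure above produces, run here on constructed samples (pass live paths on a real host).
set -u

# cfg_val FILE KEY: value of the first "KEY = value" or "KEY value" line.
cfg_val() {
  awk -v k="$2" '$1 == k { sub(/^[ \t]*[^ \t=]+[ \t]*=?[ \t]*/, ""); print; exit }' "$1"
}

# audit_client KRB5CONF LDAPCONF NETSVCCONF KEYTAB: prints each failed check, returns the count.
audit_client() {
  fails=0
  fail() { echo "FAIL: $1"; fails=$((fails+1)); }
  [ "$(cfg_val "$1" default_realm)" = SERVER.CR ] || fail "krb5.conf default_realm is not SERVER.CR"
  [ "$(cfg_val "$1" pkinit_anchors)" = FILE:/etc/ipa/ca.crt ] || fail "krb5.conf pkinit_anchors is not the IPA CA"
  case "$(cfg_val "$2" URI)" in            # a bare 'ldap://' means the server host was never filled in
    ldap://?*|ldaps://?*) ;; *) fail "ldap.conf URI has no server host" ;;
  esac
  [ -n "$(cfg_val "$2" tls_cacert)" ] || fail "ldap.conf tls_cacert unset: LDAP TLS would be unverified"
  case "$(cfg_val "$3" sudoers)" in
    *ldap*) ;; *) fail "netsvc.conf sudoers does not include ldap" ;;
  esac
  # The keytab carries the host key: group and other permission bits must all be '-'.
  [ "$(ls -ld "$4" | cut -c5-10)" = "------" ] || fail "keytab $4 is group/world accessible"
  return "$fails"
}

# make_samples DIR good|bad: constructed sample files (not data from any real host).
make_samples() {
  printf '[libdefaults]\n default_realm = SERVER.CR\n[realms]\n SERVER.CR = {\n  pkinit_anchors = FILE:/etc/ipa/ca.crt\n }\n' > "$1/krb5.conf"
  printf 'tls_cacert /etc/ipa/ca.crt\nsudoers_base ou=sudoers,dc=server,dc=cr\n' > "$1/ldap.conf"
  : > "$1/krb5.keytab"
  if [ "$2" = good ]; then
    echo 'URI ldap://ipa.server.cr' >> "$1/ldap.conf"             # assumed hostname
    printf 'hosts = bind4,local\nsudoers = files, ldap\n' > "$1/netsvc.conf"
    chmod 600 "$1/krb5.keytab"
  else
    echo 'URI ldap://' >> "$1/ldap.conf"                          # host left blank, as in the post
    printf 'hosts = bind4,local\nsudoers = files\n' > "$1/netsvc.conf"
    chmod 644 "$1/krb5.keytab"
  fi
}

for kind in good bad; do
  d=$(mktemp -d) && make_samples "$d" "$kind"
  audit_client "$d/krb5.conf" "$d/ldap.conf" "$d/netsvc.conf" "$d/krb5.keytab"
  echo "$kind sample: $? failed check(s)"; rm -r "$d"
done
```

The "bad" sample reproduces three things the posted files would fail on as shown: the empty LDAP host, a sudoers line without ldap, and a keytab readable by others.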


This may be of some help

Wisdom: RH-SMEs had seen this advice previously, but on IDM mesh / infrastructure (I only created the one HBAC rule, didn't realize I needed to actually create the service too). Works like a charm.

RH-SMEs guess you are trying to auth AD users through the compatibility tree. Read the documentation.

When the Schema Compatibility Plugin is configured to expose users from trusted domains, their authentication is handled via PAM 'system-auth' service. This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system-auth. If your IDM/FreeIPA install does not have default HBAC rule 'allow_all' enabled, then make sure to define in IPA a special service called 'system-auth' and create an HBAC rule to allow access to anyone to this rule on IPA masters.

As 'system-auth' PAM service is not used directly by any other application, it is safe to use it for trusted domain users (aka AIX host) via compatibility path.