AIX Open Source


AIX Winbind LDAP Group Authorization Restrictions

  • 1.  AIX Winbind LDAP Group Authorization Restrictions

    Posted Thu December 28, 2023 06:53 PM

    Hi All,

    I have Winbind hooked up to AD to allow LDAP users in on one of my AIX 7.2 LPARs.

    How do I configure the host to only allow users to log in if they are members of specific groups in LDAP? I assume this is something in PAM, but it's a weakness of mine. I've done some reading but just cannot easily wrap my head around what is required.

    When the user logs into AIX, they do inherit the AD groups, for example:

    domain\user@SERVER:/home/domain/user $ groups
    domain\user domain\domain_users domain\group1 domain\group2 domain\group3
    

    I would like to limit logins to users who are members of domain\group1 or domain\group3 (non-exclusive). Additionally it might be good to know how to exclude certain groups from logging in, or even allow/deny access to individual users.

    In case it matters, my /etc/methods.cfg:

    NIS:
            program = /usr/lib/security/NIS
            program_64 = /usr/lib/security/NIS_64
     
    DCE:
            program = /usr/lib/security/DCE
     
    WINBIND:
            program = /opt/freeware/lib/WINBIND.so
            program_64 = /opt/freeware/lib/WINBIND.so

    and my /etc/security/user default stanza has SYSTEM=WINBIND or compat:

    chsec -f /etc/security/user -s default -a "SYSTEM=WINBIND or compat"
    



    ------------------------------
    David Little
    ------------------------------


  • 2.  RE: AIX Winbind LDAP Group Authorization Restrictions

    Posted Fri December 29, 2023 05:10 AM

    Hi David,

    Have you looked at AIX's LDAP integration with AD?  It can restrict by groups (I don't know about individual users, that's not been a requirement for me).  It does take some fiddly setup on the AD side and some mucking around with the LDAP group filters.  When using this method, the AIX machine doesn't become a part of the AD domain like I take it does with winbind (which I haven't used, I have used realm on Linux for AD integration which binds the linux machine to AD)?

    https://www.ibm.com/support/pages/active-directory-ad-aix-step-step-instructions-integrate-active-directory-2016-aix-ldap-protocol
    https://thornelabs.net/posts/aix-restrict-server-login-via-ldap-groups/

    With winbind, as the AIX machine becomes part of AD you might be able to do something with AD policy to restrict who can login, it might be something to have your AD admins look at.  I did find this - https://community.spiceworks.com/how_to/2797-restrict-computer-logons-to-a-group-of-users



    ------------------------------
    Phill Rowbottom
    ------------------------------



  • 3.  RE: AIX Winbind LDAP Group Authorization Restrictions

    Posted Mon January 01, 2024 06:31 PM

    Thanks Phill.

    I wanted to use Winbind because I wanted to avoid the fiddly setup on the AD side, especially as every user needs that fiddling! The Winbind setup avoids a lot of work, both short and long-term.

    You mentioned that using LDAP integration doesn't force the AIX server to become part of the AD domain. True, but why is that a positive? Is it better to fiddle with every user account instead of the AD joining?

    Thank you for the links, I've seen the AIX LDAP ones, but not the last Spiceworks link. I had been approaching this as though I'd be limiting the groups on the AIX servers themselves, didn't even cross my mind to use group policy.  I'll look into it, thanks!



    ------------------------------
    David Little
    ------------------------------



  • 4.  RE: AIX Winbind LDAP Group Authorization Restrictions

    Posted Mon January 01, 2024 06:42 PM
    On Mon, Jan 01, 2024 at 11:30:59PM +0000, David Little via IBM TechXchange Community wrote:
    > I wanted to use Winbind because I wanted to avoid the fiddly setup
    > on the AD side, especially as every user needs that fiddling! The
    > Winbind setup avoids a lot of work, both short and long-term.

    Please explain. What is your specific goal? I've integrated many AIX
    systems with AD and never considered Winbind.

    > You mentioned that using LDAP integration doesn't force the AIX
    > server to become part of the AD domain. True, but why is that a
    > positive? Is it better to fiddle with every user account instead of
    > the AD joining?

    LDAP integration for AIX can be at a number of levels. At no point
    does it "become part" of an AD domain. It just uses LDAP as a
    directory service. There is no AD GPO integration or other controls
    from AD. You're integrating LDAP services, not AD services.

    Most of the complications I've seen have been related to the RFC2307
    integration at the AD layer. That's where you have to update users on
    AD with POSIX attributes. Whether that's a problem or not depends on
    your use case.

    Filtering users by membership in an AD group can be done by setting a
    filter in /etc/security/ldap/ldap.cfg. It's not supported on the
    command line by mksecldap.

    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 5.  RE: AIX Winbind LDAP Group Authorization Restrictions

    Posted Mon January 01, 2024 07:40 PM

    > Please explain. What is your specific goal?

    The usual authentication+authorisation.

    We have 10,000 something users that connect to various CHUIs across the environment, with many onboarding/offboarding daily. A sister site has set up the LDAP integration using Ansible and workflows to manage 'fiddliness'. I'd rather avoid that. 

    Winbind has filled the gaps in all of my testing, so I figured I'd use it. The only gap remaining is this group restriction, which I've 'filled' using SSHD group restrictions. But, group policy might be the way to go to make it global.



    ------------------------------
    David Little
    ------------------------------
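An added example, not from the thread: a POSIX sh model of the sshd-style access ordering David refers to (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups) applied to group names in the form shown in the first post, covering the group1-or-group3 allow, a group exclusion and a per-user deny he asked about. The policy lists, user names and the groups_of stand-in for the `groups` command are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Models the order in which OpenSSH's sshd
# evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups; a user must pass
# every configured directive. All names and lists below are constructed.

ALLOW_GROUPS='domain\group1 domain\group3'   # allow if member of either
DENY_GROUPS='domain\group2'                  # exclude this group outright
ALLOW_USERS=''                               # empty = not configured
DENY_USERS='domain\blocked'                  # per-user deny

# Constructed stand-in for `groups USER` output in the post's domain\name form.
groups_of() {
    case "$1" in
        'domain\user')    printf '%s\n' 'domain\user domain\domain_users domain\group1 domain\group2 domain\group3' ;;
        'domain\alice')   printf '%s\n' 'domain\alice domain\domain_users domain\group3' ;;
        'domain\bob')     printf '%s\n' 'domain\bob domain\domain_users' ;;
        'domain\blocked') printf '%s\n' 'domain\blocked domain\domain_users domain\group1' ;;
        *)                printf '%s\n' "$1" ;;
    esac
}

# in_list NEEDLE "space-separated list": exit 0 if NEEDLE is an exact member.
in_list() {
    _n=$1
    for _w in $2; do [ "$_w" = "$_n" ] && return 0; done
    return 1
}

# any_group_in "user's groups" "policy list": exit 0 if any group is listed.
any_group_in() {
    for _g in $1; do in_list "$_g" "$2" && return 0; done
    return 1
}

# access_decision USER: prints "allow" or "deny" using sshd's ordering.
access_decision() {
    _u=$1
    _gs=$(groups_of "$_u")
    in_list "$_u" "$DENY_USERS" && { echo deny; return; }
    [ -n "$ALLOW_USERS" ] && ! in_list "$_u" "$ALLOW_USERS" && { echo deny; return; }
    any_group_in "$_gs" "$DENY_GROUPS" && { echo deny; return; }
    [ -n "$ALLOW_GROUPS" ] && ! any_group_in "$_gs" "$ALLOW_GROUPS" && { echo deny; return; }
    echo allow
}
```

Note that a deny on group2 wins even when the same user is also in group1 or group3, which is the behaviour to check for before relying on sshd alone for this.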



  • 6.  RE: AIX Winbind LDAP Group Authorization Restrictions

    Posted Tue January 02, 2024 04:52 AM

    Hi David,

    the pam_winbind module has the require_membership_of option to do what you want, but the corresponding AIX LAM module of Winbind does not have that feature. If you're interested in getting that implemented for AIX, feel free to contact us.

    Björn



    ------------------------------
    --
    Samba Support: https://samba.plus
    SAMBA+ for AIX: https://samba.plus/samba-aix
    Samba Webinars: https://samba.plus/samba-webinars
    phone: +1 415 248-7818
    mailto:samba@sernet.de
    ------------------------------



  • 7.  RE: AIX Winbind LDAP Group Authorization Restrictions

    Posted Mon March 04, 2024 12:33 AM

    Hi Björn, I checked out Samba+, the project looks good but unfortunately the cost is simply too high.  Even at the listed 3 year discount, the ~$650(+tax)/year/LPAR will put our operating costs into the stratosphere. We have hundreds of LPARs, it simply won't work.



    ------------------------------
    David Little
    ------------------------------



  • 8.  RE: AIX Winbind LDAP Group Authorization Restrictions

    Posted Mon March 04, 2024 01:00 PM

    Hi David,

    feel free to contact us directly to see what we can actually do here for you, see signature for contact details.

    Cheers, Björn



    ------------------------------
    --
    Samba Support: https://samba.plus
    SAMBA+ for AIX: https://samba.plus/samba-aix
    Samba Webinars: https://samba.plus/samba-webinars
    phone: +1 415 248-7818
    mailto:samba@sernet.de
    ------------------------------



  • 9.  RE: AIX Winbind LDAP Group Authorization Restrictions

    Posted Tue January 02, 2024 04:35 AM

    Hi David,

    The AIX server not being a part of the AD domain could easily be a disadvantage as it's read-only when using LDAP.  Users can't change their password from the AIX (same with HMC) end. For us, it's only a small percentage of users (unix support & operations team) who are relatively static in our AD domain that require access to AIX and HMC.  For HMC access, we needed to do the setup for every user due to different groups needing different access.  For new users, template users can be used.

    Realm on Linux is somewhat different as the Linux instance does become part of the domain and users can change their password from Linux.  Realm also allows group restrictions at the Linux end.  A "realm" for AIX would probably be ideal and would do what you need to do at the AIX end.

    If/when I get a chance, I might have a play with winbind in our Lab environment.  LDAP is working for us with HMC, PowerVC, AIX & VIOS all using it.

    Phill.



    ------------------------------
    Phill Rowbottom
    ------------------------------



  • 10.  RE: AIX Winbind LDAP Group Authorization Restrictions

    Posted Tue January 02, 2024 06:26 AM
    On Tue, Jan 02, 2024 at 09:35:22AM +0000, Phill Rowbottom via IBM TechXchange Community wrote:
    > The AIX server not being a part of the AD domain could easily be a
    > disadvantage as it's read-only when using LDAP.

    Nope. You can let users change passwords in LDAP, even when served by
    AD. Check the rights on your bind account.

    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 11.  RE: AIX Winbind LDAP Group Authorization Restrictions

    Posted Tue January 02, 2024 08:32 AM

    I'll have to have our windows team take a look at that!! Thanks!



    ------------------------------
    Phill Rowbottom
    ------------------------------