First, let me start off saying this is not spam. This is me trying to help out other AIX Admins with MS AD servers. If it is not applicable to you, someone else will find it useful.
As long as the "KDC" service is running on your AD server, these steps should work. There should be no additional configuration required on the Windows Active Directory servers by your Windows administrators (assuming you already have matching AIX and Windows accounts). These steps work on AIX 7.1 and AIX 6.1. This configuration only authenticates an existing user's password. Each user still has to have their local AIX account created on each AIX box that matches their existing account already set up in Active Directory. As a side note, you do NOT have to set the local password. Just make sure the AD username and the local AIX user name match, like "user1" and "user1". Also, this is not an "all-or-nothing" change. Some users can authenticate from the Active Directory server while others do not. Here is how to set it up:
Copy or install the following Kerberos client filesets from the AIX 7.1 Expansion DVD:
krb5.client
krb5.doc.en_US
krb5.lic
Use smitty to install those filesets
smitty install
Install and Update Software
Install Software
<specify the location of the filesets>
SOFTWARE to install --> [select the filesets above]
ACCEPT new license agreements? --> yes
<enter>
<enter> to confirm
Esc-0
Run the following command to create the /etc/krb5/krb5.conf file. "adhost.domain.com" is the fully qualified hostname of your Active Directory server.
mkkrb5clnt -c adhost.domain.com -r DOMAIN.COM -s adhost.domain.com -d domain.com -D -t 365:0:0:0 -i files -K
Update "[libdefaults]" section in /etc/krb5/krb5.conf. Change these lines:
default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
... to this:
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
In the "KRB5" section of /etc/methods.cfg, make the change below. The Windows AD server is not "kadmin" compliant, but for who knows what reason the default value placed into /etc/methods.cfg by mkkrb5clnt is not recognized.
change "is_kadmind_compat" to "kadmin"
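The two file edits above (the enctype lines in krb5.conf and the KRB5 stanza key in methods.cfg) can be applied and verified with the script below. This is an added example, not the original poster's script or any IBM tool; the sample krb5.conf and methods.cfg it writes are constructed to look like the files described in this post, and it is meant to be run against copies before touching /etc. The enctype list is a parameter rather than hard-coded, so the AES types present on the default line (aes256-cts, aes128-cts) can be kept instead of dropping to the two DES types, provided the domain controller accepts them (an assumption about your AD setup, which the post does not cover).

```sh
#!/bin/sh
# Added example, not the original poster's script. Applies the two file
# edits from the post to copies of krb5.conf and methods.cfg: the
# default_*_enctypes lines in [libdefaults] and the is_kadmind_compat key
# in the KRB5 stanza. make_samples writes constructed sample files.

# set_enctypes FILE "enctype list"
# Replace the values of default_tkt_enctypes and default_tgs_enctypes.
set_enctypes() {
    f=$1; list=$2; tmp="$f.tmp.$$"
    sed -e "s/^\([[:space:]]*default_tkt_enctypes[[:space:]]*=\).*/\1 $list/" \
        -e "s/^\([[:space:]]*default_tgs_enctypes[[:space:]]*=\).*/\1 $list/" \
        "$f" > "$tmp" && mv "$tmp" "$f"
}

# get_enctypes FILE KEY: print the current value of KEY (first match only).
get_enctypes() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# fix_methods_cfg FILE
# Inside the KRB5: stanza only, rename is_kadmind_compat to kadmin, which is
# the change the post says mkkrb5clnt's default needs.
fix_methods_cfg() {
    f=$1; tmp="$f.tmp.$$"
    awk '
        /^[^[:space:]#].*:[[:space:]]*$/ { stanza = $1; sub(/:.*$/, "", stanza) }
        stanza == "KRB5" { gsub(/is_kadmind_compat/, "kadmin") }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# krb5_options FILE: print the options value of the KRB5 stanza, for checking.
krb5_options() {
    awk '
        /^[^[:space:]#].*:[[:space:]]*$/ { stanza = $1; sub(/:.*$/, "", stanza) }
        stanza == "KRB5" && $1 == "options" { print $3; exit }
    ' "$1"
}

# make_samples DIR: write constructed krb5.conf and methods.cfg samples
# shaped like the files this post describes (values are illustrative).
make_samples() {
    mkdir -p "$1"
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = DOMAIN.COM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

[realms]
        DOMAIN.COM = {
                kdc = adhost.domain.com:88
        }
EOF
    cat > "$1/methods.cfg" <<'EOF'
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no

KRB5files:
        options = db=BUILTIN,auth=KRB5
EOF
}

# Demonstration on throwaway copies (not on /etc).
demo_dir=${TMPDIR:-/tmp}/aix-krb-demo.$$
make_samples "$demo_dir"
set_enctypes "$demo_dir/krb5.conf" "des-cbc-md5 des-cbc-crc"
fix_methods_cfg "$demo_dir/methods.cfg"
echo "tkt: $(get_enctypes "$demo_dir/krb5.conf" default_tkt_enctypes)"
echo "tgs: $(get_enctypes "$demo_dir/krb5.conf" default_tgs_enctypes)"
echo "KRB5 options: $(krb5_options "$demo_dir/methods.cfg")"
rm -rf "$demo_dir"
```

To apply it on a real host, copy /etc/krb5/krb5.conf and /etc/methods.cfg aside, run set_enctypes and fix_methods_cfg on the copies, diff them against the originals, and only then put them in place; get_enctypes and krb5_options give you a quick way to confirm the result after the change.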
Set up "Kerberos 5" as a valid authentication type for AIX to use:
hostname:/:$ lsauthent
Standard Aix
hostname:/:$ chauthent -k5 -std
hostname:/:$ lsauthent
Kerberos 5
Standard Aix
hostname:/:$
Change the authentication parameters for your local users to use KRB5files (Kerberos):
chuser registry=KRB5files SYSTEM=KRB5files localuser
If you want users to go back to local authentication, use this:
chuser registry=files SYSTEM=compat localuser
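Because the change is per user, it helps to be able to see at a glance which accounts on a box are on KRB5files and which are still on files/compat. The script below is an added example, not the original poster's or IBM's code: it reads a stanza file in the layout of /etc/security/user (where chuser records registry and SYSTEM) and classifies each user. The sample file it writes is constructed; on a real host point it at a copy of /etc/security/user. It assumes the standard AIX stanza layout ("name:" followed by indented "attribute = value" lines) and that an attribute missing from a user's stanza falls back to the default stanza.

```sh
#!/bin/sh
# Added example, not the original poster's script. Reports, per user, whether
# an account in an /etc/security/user-style stanza file authenticates via
# Kerberos (registry and SYSTEM both KRB5files) or locally (files/compat).
# The sample file written by make_sample_user_file is constructed.

# user_attr FILE USER ATTR: print USER's value of ATTR, falling back to the
# "default" stanza for attributes the user stanza omits. Exit 1 if USER has
# no stanza at all.
user_attr() {
    awk -v u="$2" -v a="$3" '
        /^[^[:space:]#].*:[[:space:]]*$/ { s = $1; sub(/:.*$/, "", s); if (s == u) found = 1; next }
        $1 == a && $2 == "=" {
            v = $3; gsub(/"/, "", v)
            if (s == u) uv = v; else if (s == "default") dv = v
        }
        END {
            if (!found) exit 1
            print (uv != "" ? uv : dv)
        }
    ' "$1"
}

# auth_mode FILE USER: prints kerberos | local | other(...) | nouser
auth_mode() {
    reg=$(user_attr "$1" "$2" registry) || { echo nouser; return 1; }
    sys=$(user_attr "$1" "$2" SYSTEM)
    case "$reg/$sys" in
        KRB5files/KRB5files) echo kerberos ;;
        files/compat)        echo local ;;
        *)                   echo "other(registry=$reg,SYSTEM=$sys)" ;;
    esac
}

# list_users FILE: every stanza name except default, in file order.
list_users() {
    awk '/^[^[:space:]#].*:[[:space:]]*$/ { s = $1; sub(/:.*$/, "", s); if (s != "default") print s }' "$1"
}

# make_sample_user_file FILE: constructed sample in /etc/security/user layout.
# user3 is deliberately half-converted (registry changed, SYSTEM not), the
# state you get if only one of the two chuser attributes was set.
make_sample_user_file() {
    cat > "$1" <<'EOF'
default:
        registry = files
        SYSTEM = "compat"
        loginretries = 0

user1:
        registry = KRB5files
        SYSTEM = "KRB5files"

user2:
        registry = files
        SYSTEM = "compat"

user3:
        registry = KRB5files
        SYSTEM = "compat"

user4:
        loginretries = 5
EOF
}

# Demonstration on a throwaway sample file.
sample=${TMPDIR:-/tmp}/aix-user-demo.$$
make_sample_user_file "$sample"
for u in $(list_users "$sample"); do
    printf '%-8s %s\n' "$u" "$(auth_mode "$sample" "$u")"
done
rm -f "$sample"
```

Anything reported as "other" is worth a second look: a user with registry=KRB5files but SYSTEM=compat (or the reverse) is in neither of the two states the chuser commands above produce.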
This seems too easy for as much time as I put into figuring it out.