===== RedHat IdM or FreeIPA with IBM AIX =====

==== Pre-requisites ====

  * A working FreeIPA server or RedHat IdM ;)
  * You must add the host and its reverse record to DNS
  * You must add the complete hostname and the short hostname to /etc/hosts
  * You will need to install some packages from the AIX media: GSKit8.gskcrypt32.ppc.rte, GSKit8.gskcrypt64.ppc.rte, GSKit8.gskssl32.ppc.rte, GSKit8.gskssl64.ppc.rte, krb5.lic, krb5.client, krb5.doc.en_US, krb5.toolkit, krb5.server, idsldap.license64, idsldap.cltbase64, idsldap.clt32bit64, idsldap.clt64bit64, idsldap.cltjava64, idsldap.clt_max_crypto32bit64, idsldap.clt_max_crypto64bit64

You can install them with smit or installp. In my case I made a tarball and uploaded it to a web server; with Ansible I retrieve the file on every IPA client and install it.

==== Generate host records and keytabs manually ====

<code bash>
kinit admin
ipa host-add happyserver.gbmdc.dc
ipa-getkeytab -s happyipaserver01.gbmdc.dc -p 'host/happyserver.gbmdc.dc' -k /tmp/happyserver.keytab
</code>

Copy the keytab file to the AIX server and execute:

<code bash>
mkdir /etc/krb5/
mv /home/estebanescool/happyserver.keytab /etc/krb5/krb5.keytab
</code>

==== Ansible ====

I automated these tasks with Ansible; maybe this is great for you, maybe not. Sorry, I will not rewrite the bash commands.
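Before running the playbook it is worth checking the prerequisites listed above on each AIX client: the /etc/hosts line must carry both the FQDN and the short name, and every required fileset must be installed. This is an added pre-flight check, not from the original page; it assumes an /etc/hosts-style file and saved ''lslpp -Lc'' output are passed in as files, with the fileset name in the second colon-separated field.

```sh
#!/bin/sh
# Added pre-flight check for the prerequisites above (not part of the page).
# Takes an /etc/hosts-style file and saved "lslpp -Lc" output as arguments so
# it can be exercised on constructed samples on any POSIX shell.
# Assumption: "lslpp -Lc" prints colon-separated records, fileset name in field 2.

REQUIRED_FILESETS="GSKit8.gskcrypt32.ppc.rte GSKit8.gskcrypt64.ppc.rte
GSKit8.gskssl32.ppc.rte GSKit8.gskssl64.ppc.rte krb5.lic krb5.client
krb5.doc.en_US krb5.toolkit krb5.server idsldap.license64 idsldap.cltbase64
idsldap.clt32bit64 idsldap.clt64bit64 idsldap.cltjava64
idsldap.clt_max_crypto32bit64 idsldap.clt_max_crypto64bit64"

# check_hosts_entry HOSTS_FILE FQDN
# Returns 0 only if one non-comment line lists both the FQDN and its short
# name as separate fields (what mksecldap/mkkrb5clnt expect to resolve).
check_hosts_entry() {
  short=${2%%.*}
  awk -v fqdn="$2" -v short="$short" '
    /^[ \t]*#/ { next }
    { f = 0; s = 0
      for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 }
      if (f && s) { found = 1; exit } }
    END { exit found ? 0 : 1 }' "$1"
}

# missing_filesets LSLPP_FILE
# Prints each required fileset that is absent from the saved "lslpp -Lc" output.
missing_filesets() {
  for fs in $REQUIRED_FILESETS; do
    awk -F: -v fs="$fs" '$2 == fs { found = 1 } END { exit found ? 0 : 1 }' "$1" \
      || echo "$fs"
  done
}

# preflight HOSTS_FILE LSLPP_FILE FQDN
# Runs both checks, reports what is wrong, returns 0 only when everything passes.
preflight() {
  rc=0
  check_hosts_entry "$1" "$3" || { echo "hosts: no line with $3 and ${3%%.*}"; rc=1; }
  miss=$(missing_filesets "$2")
  [ -z "$miss" ] || { echo "missing filesets:"; echo "$miss"; rc=1; }
  return $rc
}
```

On a real client run it as ''lslpp -Lc > /tmp/lslpp.txt; preflight /etc/hosts /tmp/lslpp.txt happyserver.gbmdc.dc'' (hostname from this page, substitute your own).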
So this is the yml file:

<code yaml>
---
- hosts: all
  tasks:
    - name: Configure /etc/hosts
      lineinfile:
        path: /etc/hosts
        regexp: '^10.50.20.13'
        line: '10.50.20.13 happyipaserver01.gbmdc.dc happyipaserver01'

    # The tarball is fetched over plain HTTP, so validate_certs has no effect here.
    - name: Retrieve LDAP packages on AIX
      get_url:
        url: http://10.50.120.20:8080/installers/aixldap/ldap.tar
        dest: /tmp/ldap.tar
        mode: '555'
        validate_certs: no
      when: ansible_facts['os_family'] == 'AIX'

    - name: Extract packages on AIX
      command: /usr/bin/tar -xvf /tmp/ldap.tar -C /tmp
      args:
        creates: /tmp/ldap
      when: ansible_facts['os_family'] == 'AIX'

    - name: Install AIX packages
      installp:
        repository_path: /tmp/ldap
        accept_license: yes
        name: GSKit8.gskcrypt32.ppc.rte, GSKit8.gskcrypt64.ppc.rte, GSKit8.gskssl32.ppc.rte, GSKit8.gskssl64.ppc.rte, krb5.lic, krb5.client, krb5.doc.en_US, krb5.toolkit, krb5.server
      when: ansible_facts['os_family'] == 'AIX'

    - name: Accept IDSLDAP license
      command: /tmp/ldap/license/idsLicense -q
      when: ansible_facts['os_family'] == 'AIX'

    - name: Install additional AIX packages
      installp:
        repository_path: /tmp/ldap
        accept_license: yes
        name: idsldap.license64, idsldap.cltbase64, idsldap.clt32bit64, idsldap.clt64bit64, idsldap.cltjava64, idsldap.clt_max_crypto32bit64, idsldap.clt_max_crypto64bit64
      when: ansible_facts['os_family'] == 'AIX'

    # Creates the GSKit key database holding the IPA CA certificate, then points the
    # AIX LDAP client (mksecldap) and Kerberos client (mkkrb5clnt) at the IPA server.
    # The key database password and the IdM bind password are in clear text below:
    # replace them with your own values and keep the playbook out of shared
    # repositories, or store them with ansible-vault.
    - name: Configure LDAP on AIX
      command: "{{ item }} chdir=/tmp"
      when: ansible_facts['os_family'] == 'AIX'
      with_items:
        - /usr/bin/mkdir /etc/ipa
        - /usr/bin/cp /tmp/ldap/ca.crt /etc/ipa
        - /usr/bin/gsk8capicmd -keydb -create -db /etc/security/ldap/ldap.kdb
        - /usr/bin/gsk8capicmd -cert -add -db /etc/security/ldap/ldap.kdb -file /etc/ipa/ca.crt -label ipa_server_cert
        - /usr/bin/gsk8capicmd -keydb -changepw -new_pw 3edc#EDC3edc#EDC -db /etc/security/ldap/ldap.kdb
        - /usr/sbin/mksecldap -c -h happyipaserver01.gbmdc.dc -a "uid=admin,cn=users,cn=accounts,dc=gbmdc,dc=dc" -p 'Manager20' -d "dc=gbmdc,dc=dc" -k "/etc/security/ldap/ldap.kdb" -w "3edc#EDC3edc#EDC" -j tls
        - /usr/sbin/mkkrb5clnt -c happyipaserver01.gbmdc.dc -r GBMDC.DC -s happyipaserver01.gbmdc.dc -d gbmdc.dc -i LDAP -D

    - name: Configure kerberos file
      copy:
        dest: "/etc/krb5/krb5.conf"
        content: |
          [libdefaults]
              default_realm = GBMDC.DC
              default_keytab_name = FILE:/etc/krb5/krb5.keytab
              dns_lookup_realm = true
              dns_lookup_kdc = true
          [realms]
              GBMDC.DC = {
                  kdc = happyipaserver01.gbmdc.dc:88
                  master_kdc = happyipaserver01.gbmdc.dc:88
                  admin_server = happyipaserver01.gbmdc.dc:749
                  default_domain = gbmdc.dc
                  pkinit_anchors = FILE:/etc/ipa/ca.crt
              }
          [domain_realm]
              .gbmdc.dc = GBMDC.DC
              gbmdc.dc = GBMDC.DC
              happyipaserver01.gbmdc.dc = GBMDC.DC
          [logging]
              kdc = FILE:/var/krb5/log/krb5kdc.log
              admin_server = FILE:/var/krb5/log/kadmin.log
              kadmin_local = FILE:/var/krb5/log/kadmin_local.log
              default = SYSLOG:info:local1

    - name: Configure ldap file
      copy:
        dest: "/etc/ldap.conf"
        content: |
          URI ldap://happyipaserver01.gbmdc.dc
          tls_cacert /etc/ipa/ca.crt
          BIND_TIMELIMIT 5
          TIMELIMIT 15
          sudoers_base ou=sudoers,dc=gbmdc,dc=dc

    # Home directories are created at first login, the keytab is locked down to
    # root, and KRB5LDAP is put first in the authentication order with local
    # (compat) accounts as fallback.
    - name: Configure auth on AIX
      command: "{{ item }} chdir=/tmp"
      when: ansible_facts['os_family'] == 'AIX'
      with_items:
        - /usr/bin/chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
        - /usr/bin/chown root:sys /etc/krb5/krb5.keytab
        - /usr/bin/chmod 700 /etc/krb5/krb5.keytab
        - /usr/bin/chsec -f /etc/security/user -s default -a SYSTEM="KRB5LDAP OR compat"
        - /usr/bin/chauthent -k5 -std
  become: yes
</code>

==== References ====

  * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/retrieve-existing-keytabs
  * https://blog.delouw.ch/2017/08/05/manually-enroll-sles12-systems-to-redhat-idm/
  * https://github.com/aaron-cole/IPA-Configuration-Guides/blob/master/AIX/AIX.txt