Ben Huntsman
2021-May-23 19:19 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
Does anyone on here actually use Samba on AIX, with security = ads?
Apologies for the long post, but I wanted to be thorough.
With Windows 10 1709 and higher, they disabled any of the "guest"
features. So basically, in a Windows domain environment, if we don't want
to make any changes to the Windows clients, we have to set up Samba as a domain
member server and Samba has to be able to accept and validate all the domain
users. There are a few ramifications:
1. All users should be able to browse to \\<aix server hostname> and see
all the shares Samba is presenting.
2. Samba should be able to fully authenticate and authorize users via Active
Directory entirely even if there is not a local user account set up for that
user. If every AD user might access a share on the AIX Samba server, it would
be impractical to add an AIX account to the server for every AD user.
3. So long as we are talking about only one or few AIX servers, the rid backend
should be sufficient for mapping users, and we should not require schema
extensions to AD or the additional administrative overhead of populating the gid
field in AD for every user that might connect to our AIX system.
Do all of those seem reasonable?
I have this set up on AIX 7.1 with Samba 4.12.10. As you'll see in the
configuration below, we have a less-than-ideal security configuration in that
all the shares basically have read/write permissions as root. Unfortunately
that is by design, but it is beside the point. The goal here is that any AD user
can connect to the AIX system's Samba shares without having to change any
default security settings on Windows.
Joining to the AD domain was successful, wbinfo works in pretty much every way I
can think of. But, I can browse the shares only if an AIX account exists that
matches the name of the AD user. If the AIX user doesn't exist, Samba logs
show that it successfully authenticates the user, but we get an
NT_STATUS_UNSUCCESSFUL and Windows gets an error message.
Here is the smb.conf, with appropriate sanitization:
[global]
lock dir = /var/locks
pid directory = /var/locks
force user = root
read only = no
#log level = 1
log file = /var/log/samba/log.smbd
max log size = 5000k
disable netbios = yes
workgroup = MY
security = ADS
realm = MY.LOCAL.DOMAIN
vfs objects = acl_xattr
map acl inherit = yes
winbind use default domain = yes
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
#map to guest = bad uid
guest account = root
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config NSI : backend = rid
idmap config NSI : range = 10000-999999
template shell = /bin/ksh
template homedir = /home/%U
local master = no
username map = /etc/samba/user.map
### Debug settings ###
max log size = 0
log level = 3
debug pid = yes
debug uid = yes
debug class = yes
[share1]
path = /export/share1
here is the krb5.conf:
[libdefaults]
default_realm = MY.LOCAL.DOMAIN
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des3-cbc-sha1 aes256-cts aes128-cts arcfour-hmac
des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1 aes256-cts aes128-cts arcfour-hmac
des-cbc-md5 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
MY.LOCAL.DOMAIN = {
kdc = my.local.domain:88
admin_server = my.local.domain:749
default_domain = my.local.domain
}
[domain_realm]
.my.local.domain = MY.LOCAL.DOMAIN
my.local.domain = MY.LOCAL.DOMAIN
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
kadmin_local = FILE:/var/krb5/log/kadmin_local.log
default = FILE:/var/krb5/log/krb5lib.log
Here is my stanza from /etc/methods.cfg:
WINBIND:
program = /opt/freeware/lib/WINBIND.so
options = debug
And here is an excerpt from the modification to /etc/security/user:
default:
...
SYSTEM = "compat OR WINBIND
...
As I said, share access works fine when the user has a local AIX account. Here
is a log excerpt from when a user doesn't:
[2021/05/23 12:01:25.934788, 3, pid=15007794, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/auth.c:201(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[MY]\[testuser]@[TESTSERVER] with the new password interface
[2021/05/23 12:01:25.934898, 3, pid=15007794, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/auth.c:204(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [MY]\[testuser]@[TESTSERVER]
[2021/05/23 12:01:25.935334, 3, pid=15728798, effective(0, 0), real(0, 0),
class=winbind]
../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version)
winbindd_interface_version: [<unknown> (15007794)]: request interface
version (version = 31)
[2021/05/23 12:01:25.935593, 3, pid=15728798, effective(0, 0), real(0, 0),
class=winbind]
../../source3/winbindd/winbindd_misc.c:470(winbindd_priv_pipe_dir)
winbindd_priv_pipe_dir: [<unknown> (15007794)]: request location of
privileged pipe
[2021/05/23 12:01:25.935744, 3, pid=15728798, effective(0, 0), real(0, 0),
class=winbind]
../../source3/winbindd/winbindd_misc.c:483(winbindd_priv_pipe_dir)
winbindd_priv_pipe_dir: [<unknown> (15007794)]: response location of
privileged pipe: (NULL)
[2021/05/23 12:01:25.936158, 3, pid=15728798, effective(0, 0), real(0, 0),
class=winbind]
../../source3/winbindd/winbindd_pam_auth_crap.c:113(winbindd_pam_auth_crap_send)
[15007794]: pam auth crap domain: [MY] user: testuser
[2021/05/23 12:01:25.941600, 3, pid=15728798, effective(0, 0), real(0, 0),
class=winbind]
../../source3/winbindd/winbindd_getpwnam.c:62(winbindd_getpwnam_send)
winbindd_getpwnam_send: [<unknown> (15007794)] getpwnam my\testuser
[2021/05/23 12:01:25.942593, 3, pid=15007794, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/auth.c:268(auth_check_ntlm_password)
auth_check_ntlm_password: winbind authentication for user [testuser] succeeded
[2021/05/23 12:01:25.942859, 3, pid=15007794, effective(0, 0), real(0, 0),
class=auth_audit]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [SMB2,(NULL)] user [MY]\[testuser] at [Sun, 23 May 2021 12:01:25.942750
PDT] with [NTLMv2] status [NT_STATUS_OK] workstation [TESTSERVER] remote host
[ipv4:192.168.1.20:62441] became [MY]\[testuser]
[S-1-5-21-4249303916-4241796776-1217518425-1681]. local host
[ipv4:192.168.1.20:445]
[2021/05/23 12:01:25.943065, 3, pid=15007794, effective(0, 0), real(0, 0)]
../../auth/auth_log.c:485(log_no_json)
log_no_json: JSON auth logs not available unless compiled with jansson
[2021/05/23 12:01:25.943156, 2, pid=15007794, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/auth.c:329(auth_check_ntlm_password)
check_ntlm_password: authentication for user [testuser] -> [testuser]
-> [MY\testuser] succeeded
[2021/05/23 12:01:25.943386, 3, pid=15007794, effective(0, 0), real(0, 0),
class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2021/05/23 12:01:25.943472, 3, pid=15007794, effective(0, 0), real(0, 0),
class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0xe2088215
[2021/05/23 12:01:25.943655, 3, pid=15007794, effective(0, 0), real(0, 0),
class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2021/05/23 12:01:25.943756, 3, pid=15007794, effective(0, 0), real(0, 0),
class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0xe2088215
[2021/05/23 12:01:25.944042, 3, pid=15728798, effective(0, 0), real(0, 0),
class=winbind] ../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
winbindd_ping: [<unknown> (15007794)]: ping
[2021/05/23 12:01:25.945318, 3, pid=15728798, effective(0, 0), real(0, 0),
class=winbind]
../../source3/winbindd/winbindd_getpwuid.c:52(winbindd_getpwuid_send)
winbindd_getpwuid_send: [<unknown> (15007794)] getpwuid 11681
[2021/05/23 12:01:25.949845, 0, pid=15007794, effective(0, 0), real(0, 0)]
../../source3/lib/system_smbd.c:226(getgroups_unix_user)
get_user_groups: failed to get the unix group list
[2021/05/23 12:01:25.950012, 1, pid=15007794, effective(0, 0), real(0, 0)]
../../source3/auth/token_util.c:601(add_local_groups)
getgroups_unix_user for user testuser failed
[2021/05/23 12:01:25.950103, 3, pid=15007794, effective(0, 0), real(0, 0)]
../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
Failed to add local groups
[2021/05/23 12:01:25.950218, 3, pid=15007794, effective(0, 0), real(0, 0),
class=smb2] ../../source3/smbd/smb2_server.c:3280(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_UNSUCCESSFUL] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/05/23 12:01:25.962375, 3, pid=15007794, effective(0, 0), real(0, 0)]
../../source3/smbd/server_exit.c:250(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
And here is the debug output from WINBIND.so (via the /etc/methods.cfg and AIX
LAM system):
open name='WINBIND' mode=0 domain='' options='debug'
getpwnam 'my\testuser'
getpwnam gave ptr 300b37d8
open name='WINBIND' mode=0 domain='' options='debug'
getpwuid '11681'
getpwuid gave ptr 300b8288
open name='WINBIND' mode=0 domain='' options='debug'
getgrset 'testuser'
open name='WINBIND' mode=0 domain='' options='debug'
getgrset 'testuser'
open name='WINBIND' mode=0 domain='' options='debug'
getpwnam 'my\testuser'
getpwnam gave ptr 300b37d8
open name='WINBIND' mode=0 domain='' options='debug'
getpwuid '11681'
getpwuid gave ptr 300b9aa8
open name='WINBIND' mode=0 domain='' options='debug'
getgrset 'testuser'
open name='WINBIND' mode=0 domain='' options='debug'
getgrset 'testuser'
My suspicion here is that this is a problem with the AIX NSS LAM stuff and
WINBIND.so. It appears that Samba and winbind aren't coming up with a
proper list of groups or gids when a user doesn't have any AIX groups.
But clearly, it is able to know that the user is a valid and authenticated AD
user.
As I don't care who writes the files on AIX, I'd even be fine with an
override to force users to appear to belong to the AIX group 'staff'.
Either way, this is a showstopper for letting AD users who don't have a
local AIX account access the AIX system.
But regardless, has anyone seen this behavior? Does this correspond exactly to
bug #14230: https://bugzilla.samba.org/show_bug.cgi?id=14230
This is a huge issue for us, and I can't thank you enough for any
assistance!
-Ben
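The failure chain in the log above (winbind authentication succeeds, getgroups_unix_user fails, and the SMB2 session setup then returns NT_STATUS_UNSUCCESSFUL) can be picked out mechanically rather than by eye. The following Python script is an added example, not code from this thread or from the Samba project; the log excerpt inside it is constructed from the lines quoted above, and the header format it parses is the level-3 smbd format shown there (timestamp, level, pid, then source location, with the message on the following indented line).

```python
import re

# Constructed excerpt of the smbd log posted in the thread (level 3,
# header and source location on one line as smbd writes them).
SAMPLE_LOG = """\
[2021/05/23 12:01:25.942593, 3, pid=15007794, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:268(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [testuser] succeeded
[2021/05/23 12:01:25.943156, 2, pid=15007794, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:329(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [testuser] -> [testuser] -> [MY\\testuser] succeeded
[2021/05/23 12:01:25.949845, 0, pid=15007794, effective(0, 0), real(0, 0)] ../../source3/lib/system_smbd.c:226(getgroups_unix_user)
  get_user_groups: failed to get the unix group list
[2021/05/23 12:01:25.950012, 1, pid=15007794, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:601(add_local_groups)
  getgroups_unix_user for user testuser failed
[2021/05/23 12:01:25.950218, 3, pid=15007794, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3280(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_UNSUCCESSFUL] || at ../../source3/smbd/smb2_sesssetup.c:146
"""

# Header line: "[<timestamp>, <level>, pid=<pid>, ...] <file:line(function)>"
HEADER = re.compile(
    r'^\[(?P<ts>\d{4}/\d\d/\d\d [\d:.]+), (?P<level>\d+), pid=(?P<pid>\d+)'
    r'[^\]]*\] (?P<where>\S+)')


def parse_smbd_log(text):
    """Group each header line with its indented message line(s).

    Returns a list of dicts with keys ts, level, pid (int), where, msg."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec['pid'] = int(rec['pid'])
            rec['msg'] = ''
            records.append(rec)
        elif records:
            # continuation line belongs to the most recent header
            records[-1]['msg'] += line.strip() + ' '
    for rec in records:
        rec['msg'] = rec['msg'].strip()
    return records


def find_group_lookup_failures(records):
    """Per smbd child pid, flag a session where AD authentication succeeded
    but session setup failed because the UNIX group list could not be built.

    That pattern points at NSS/group resolution, not at the credentials."""
    state = {}      # pid -> {'user': str or None, 'groups_failed': bool}
    findings = []
    for rec in records:
        st = state.setdefault(rec['pid'], {'user': None, 'groups_failed': False})
        m = re.search(r'winbind authentication for user \[([^\]]+)\] succeeded',
                      rec['msg'])
        if m:
            st['user'] = m.group(1)
        elif ('getgroups_unix_user' in rec['where']
              or 'getgroups_unix_user' in rec['msg']) and 'failed' in rec['msg']:
            st['groups_failed'] = True
        elif 'NT_STATUS_UNSUCCESSFUL' in rec['msg'] and 'smb2_sesssetup' in rec['msg']:
            if st['user'] and st['groups_failed']:
                findings.append({
                    'pid': rec['pid'],
                    'user': st['user'],
                    'ts': rec['ts'],
                    'cause': 'UNIX group lookup failed after successful AD authentication',
                })
            state.pop(rec['pid'], None)   # session attempt finished; reset
    return findings


if __name__ == '__main__':
    for f in find_group_lookup_failures(parse_smbd_log(SAMPLE_LOG)):
        print(f"{f['ts']} pid={f['pid']} user={f['user']}: {f['cause']}")
```

Running it over the constructed excerpt reports one finding for testuser on pid 15007794; fed a real log.smbd it will keep quiet for sessions that fail at the credential stage and only speak up when the group-list step is the thing that broke.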
Rowland penny
2021-May-23 19:54 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
On 23/05/2021 20:19, Ben Huntsman via samba wrote:
> Does anyone on here actually use Samba on AIX, with security = ads?

Probably, but the OS shouldn't matter, it should work.

> Apologies for the long post, but I wanted to be thorough.
>
> With Windows 10 1709 and higher, they disabled any of the "guest"
> features. So basically, in a Windows domain environment, if we don't want
> to make any changes to the Windows clients, we have to set up Samba as a
> domain member server and Samba has to be able to accept and validate all
> the domain users. There are a few ramifications:
>
> 1. All users should be able to browse to \\<aix server hostname> and see
> all the shares Samba is presenting.

this is correct.

> 2. Samba should be able to fully authenticate and authorize users via
> Active Directory entirely even if there is not a local user account set up
> for that user. If every AD user might access a share on the AIX Samba
> server, it would be impractical to add an AIX account to the server for
> every AD user.

Ah, I begin to see the light, you want to use the users in /etc/passwd and
AD, well, if so, then stop there, you cannot have the same user in
/etc/passwd and in AD. Further to this, Samba will not know who the users
in /etc/passwd are.

> 3. So long as we are talking about only one or few AIX servers, the rid
> backend should be sufficient for mapping users, and we should not require
> schema extensions to AD or the additional administrative overhead of
> populating the gid field in AD for every user that might connect to our
> AIX system.

You don't actually have to extend the schema, all the rfc2307 attributes are
in the AD schema as standard. If all your users and groups are in AD, then
the rid backend will make them Unix users and groups.

> Do all of those seem reasonable?
>
> I have this set up on AIX 7.1 with Samba 4.12.10. As you'll see in the
> configuration below, we have a less-than-ideal security configuration in
> that all the shares basically have read/write permissions as root.
> Unfortunately that is by design, but it is beside the point. The goal here
> is that any AD user can connect to the AIX system's Samba shares without
> having to change any default security settings on Windows.

You might use root by design, but can I introduce you to the concept of
security? Also this isn't how AD works. Can I suggest you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

It might also help if you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> Joining to the AD domain was successful, wbinfo works in pretty much every
> way I can think of. But, I can browse the shares only if an AIX account
> exists that matches the name of the AD user. If the AIX user doesn't
> exist, Samba logs show that it successfully authenticates the user, but we
> get an NT_STATUS_UNSUCCESSFUL and Windows gets an error message.
>
> Here is the smb.conf, with appropriate sanitization:
>
> [global]
> lock dir = /var/locks
> pid directory = /var/locks
> force user = root
> read only = no
> #log level = 1
> log file = /var/log/samba/log.smbd
> max log size = 5000k
> disable netbios = yes
> workgroup = MY
> security = ADS
> realm = MY.LOCAL.DOMAIN
> vfs objects = acl_xattr
> map acl inherit = yes
> winbind use default domain = yes
> winbind nested groups = yes
> winbind enum users = yes
> winbind enum groups = yes
> #map to guest = bad uid
> guest account = root
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config NSI : backend = rid
> idmap config NSI : range = 10000-999999
> template shell = /bin/ksh
> template homedir = /home/%U
> local master = no
> username map = /etc/samba/user.map
> ### Debug settings ###
> max log size = 0
> log level = 3
> debug pid = yes
> debug uid = yes
> debug class = yes
>
> [share1]
> path = /export/share1
>

Is the workgroup 'MY' or 'NSI'? They should match. Are you aware that the
share shown is read only?

If you have any further questions, please feel free to ask.

Rowland
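Two of the points in this exchange can be checked by script rather than by reading smb.conf: whether the 'idmap config <DOMAIN>' stanzas actually name the workgroup (Rowland's question about MY versus NSI), and what uid the rid backend will hand out for a given SID (Ben's item 3). The following Python is an added example, not code from this thread or from the Samba project; the smb.conf inside it is a constructed copy of the relevant lines posted above. The uid arithmetic is the one documented for the rid backend (uid = low end of the domain's range + RID), which is why, with the NSI range starting at 10000, the SID ending in -1681 from Ben's log comes out as uid 11681, the same value seen in the getpwuid call there.

```python
import re

# Constructed copy of the relevant [global] and share lines from the
# smb.conf posted in the thread (sanitized names kept as posted).
SMB_CONF = """
[global]
workgroup = MY
security = ADS
realm = MY.LOCAL.DOMAIN
force user = root
read only = no
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config NSI : backend = rid
idmap config NSI : range = 10000-999999
[share1]
path = /export/share1
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, keys lower-cased,
    comments and blank lines skipped, later duplicates override earlier."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        key, _, value = line.partition('=')
        sections[current][key.strip().lower()] = value.strip()
    return sections


def idmap_domains(global_sec):
    """Collect 'idmap config <DOM> : backend|range' into
    {DOM: {'backend': str, 'range': (low, high)}}; '*' is the default domain."""
    out = {}
    for key, value in global_sec.items():
        m = re.match(r'idmap config\s+(\S+)\s*:\s*(backend|range)$', key)
        if not m:
            continue
        dom, what = m.group(1), m.group(2)
        entry = out.setdefault(dom if dom == '*' else dom.upper(), {})
        if what == 'range':
            low, high = value.split('-')
            entry['range'] = (int(low), int(high))
        else:
            entry['backend'] = value.lower()
    return out


def rid_uid(sid, domains, domain):
    """uid the rid backend assigns for a SID in <domain>: range low + RID.
    Returns None when the result falls outside the configured range."""
    rid = int(sid.rsplit('-', 1)[1])
    low, high = domains[domain]['range']
    uid = low + rid
    return uid if low <= uid <= high else None


def check_config(text):
    """Return the findings a reviewer of this config would raise."""
    conf = parse_smb_conf(text)
    g = conf.get('global', {})
    domains = idmap_domains(g)
    named = [d for d in domains if d != '*']
    findings = []
    workgroup = g.get('workgroup', '').upper()
    # The domain in 'idmap config <DOM>' must be the workgroup (NetBIOS name),
    # otherwise domain users fall back to the '*' default backend.
    if workgroup and workgroup not in domains:
        findings.append(
            f"workgroup '{workgroup}' has no matching 'idmap config {workgroup}' "
            f"stanza (found: {', '.join(named) or 'none'}); domain users would "
            f"be mapped by the '*' default backend instead")
    # Ranges of different idmap domains must not overlap.
    ranges = [(d, e['range']) for d, e in domains.items() if 'range' in e]
    for i, (d1, r1) in enumerate(ranges):
        for d2, r2 in ranges[i + 1:]:
            if r1[0] <= r2[1] and r2[0] <= r1[1]:
                findings.append(f"idmap ranges for '{d1}' and '{d2}' overlap")
    if g.get('force user', '').lower() == 'root':
        findings.append("'force user = root' makes every connected user act "
                        "as root on the filesystem")
    return findings


if __name__ == '__main__':
    for line in check_config(SMB_CONF):
        print('-', line)
    doms = idmap_domains(parse_smb_conf(SMB_CONF)['global'])
    print(rid_uid('S-1-5-21-4249303916-4241796776-1217518425-1681', doms, 'NSI'))
```

The range-overlap check is there because the '*' and per-domain ranges are independent allocators; if they overlapped, two different SIDs could be given the same uid, which is an access-control problem, not just a cosmetic one.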