Ben Huntsman
2021-May-23 21:17 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
Hi there, and thank you for the reply! Very much appreciated!

> Ah, I begin to see the light, you want to use the users in /etc/passwd
> and AD, well, if so, then stop there, you cannot have the same user in
> /etc/passwd and in AD. Further to this, Samba will not know who the
> users in /etc/passwd are.

Right, I want the AD users to *not* be in /etc/passwd. What I'm saying is that if I don't put them in there, then they can't connect to the server via \\<aix host name> at all.

> You might use root by design, but can I introduce you to the concept of
> security ? Also this isn't how AD works.

Agreed, but this isn't part of the actual issue at hand. I will tighten up security, but I want to get basic connectivity working first.

> Is the workgroup 'MY' or 'NSI' ? They should match.

Apparently I missed one, but I was trying to sanitize the logs so they didn't contain specifics of my environment. They should have all said 'MY' in the examples I posted. The configuration provided works perfectly for users who are in AD and also have a matching AIX account.

> Are you aware that the share shown is read only ?

Yes, but I also have "read only = no" in the [global] section. Regardless, the individual shares are beside the point. Right now AD users not in /etc/passwd can't even get to \\<aix host name>, whereas users in /etc/passwd (with matching AD accounts) can.

I followed those two links you sent as closely as I was able, given that they are written for Linux and not AIX. AIX has no nsswitch.conf and uses the stanza in /etc/methods.cfg I provided for the same purpose. But I didn't see in those articles an answer to why Samba realizes that the user is valid but we still get an NT_STATUS_UNSUCCESSFUL when the user doesn't have an AIX account. Security ramifications aside, my read of the documentation suggests that my configs as provided should work. I feel like I'm missing something very AIX-specific here, or that this is a bug...

Thanks again, and I look forward to getting to the bottom of this!

-Ben

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny via samba <samba at lists.samba.org>
Sent: Sunday, May 23, 2021 12:54 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Samba on AIX with security = ads - does it actually work?

On 23/05/2021 20:19, Ben Huntsman via samba wrote:
> Does anyone on here actually use Samba on AIX, with security = ads?

Probably, but the OS shouldn't matter, it should work.

> Apologies for the long post, but I wanted to be thorough.
>
> With Windows 10 1709 and higher, they disabled any of the "guest" features. So basically, in a Windows domain environment, if we don't want to make any changes to the Windows clients, we have to set up Samba as a domain member server and Samba has to be able to accept and validate all the domain users. There are a few ramifications:
>
> 1. All users should be able to browse to \\<aix server hostname> and see all the shares Samba is presenting.

This is correct.

> 2. Samba should be able to fully authenticate and authorize users via Active Directory entirely even if there is not a local user account set up for that user. If every AD user might access a share on the AIX Samba server, it would be impractical to add an AIX account to the server for every AD user.

Ah, I begin to see the light, you want to use the users in /etc/passwd and AD, well, if so, then stop there, you cannot have the same user in /etc/passwd and in AD. Further to this, Samba will not know who the users in /etc/passwd are.

> 3. So long as we are talking about only one or few AIX servers, the rid backend should be sufficient for mapping users, and we should not require schema extensions to AD or the additional administrative overhead of populating the gid field in AD for every user that might connect to our AIX system.

You don't actually have to extend the schema, all the rfc2307 attributes are in the AD schema as standard. If all your users and groups are in AD, then the rid backend will make them Unix users and groups.

> Do all of those seem reasonable?
>
> I have this set up on AIX 7.1 with Samba 4.12.10. As you'll see in the configuration below, we have a less-than-ideal security configuration in that all the shares basically have read/write permissions as root. Unfortunately that is by design, but it is beside the point. The goal here is that any AD user can connect to the AIX system's Samba shares without having to change any default security settings on Windows.

You might use root by design, but can I introduce you to the concept of security ? Also this isn't how AD works.

Can I suggest you read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

It might also help if you read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> Joining to the AD domain was successful, wbinfo works in pretty much every way I can think of. But, I can browse the shares only if an AIX account exists that matches the name of the AD user. If the AIX user doesn't exist, Samba logs show that it successfully authenticates the user, but we get an NT_STATUS_UNSUCCESSFUL and Windows gets an error message.
>
> Here is the smb.conf, with appropriate sanitization:
>
> [global]
> lock dir = /var/locks
> pid directory = /var/locks
> force user = root
> read only = no
> #log level = 1
> log file = /var/log/samba/log.smbd
> max log size = 5000k
> disable netbios = yes
> workgroup = MY
> security = ADS
> realm = MY.LOCAL.DOMAIN
> vfs objects = acl_xattr
> map acl inherit = yes
> winbind use default domain = yes
> winbind nested groups = yes
> winbind enum users = yes
> winbind enum groups = yes
> #map to guest = bad uid
> guest account = root
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config NSI : backend = rid
> idmap config NSI : range = 10000-999999
> template shell = /bin/ksh
> template homedir = /home/%U
> local master = no
> username map = /etc/samba/user.map
> ### Debug settings ###
> max log size = 0
> log level = 3
> debug pid = yes
> debug uid = yes
> debug class = yes
>
> [share1]
> path = /export/share1
>

Is the workgroup 'MY' or 'NSI' ? They should match.

Are you aware that the share shown is read only ?

If you have any further questions, please feel free to ask.

Rowland
Rowland penny
2021-May-23 21:57 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
On 23/05/2021 22:17, Ben Huntsman wrote:
> Hi there, and thank you for the reply! Very much appreciated!
>
> >Ah, I begin to see the light, you want to use the users in /etc/passwd
> >and AD, well, if so, then stop there, you cannot have the same user in
> >/etc/passwd and in AD. Further to this, Samba will not know who the
> >users in /etc/passwd are.
>
> Right, I want the AD users to *not* be in /etc/passwd. What I'm
> saying is that if I don't put them in there, then they can't connect
> to the server via \\<aix host name> at all.

I have never used AIX, but it sounds like you are missing the AIX versions of the Debian packages libnss-winbind and libpam-winbind and/or winbind isn't running. By using the 'rid' backend it should just work, the other thing is, does AIX have /etc/nsswitch.conf and is it set correctly ?

> >You might use root by design, but can I introduce you to the concept of
> >security ? Also this isn't how AD works.
>
> Agreed, but this isn't part of the actual issue at hand. I will
> tighten up security but I want to get basic connectivity working first.

Understood.

> >Is the workgroup 'MY' or 'NSI' ? They should match.
>
> Apparently I missed one, but I was trying to sanitize the logs so it
> didn't contain specifics of my environment. They should have all said
> 'MY' in the examples I posted. The configuration provided works
> perfectly for users who are in AD and also have a matching AIX account.

Then it isn't working, the AIX users will be used before the AD users if they are the same username, you do not need the users in /etc/passwd.

> >Are you aware that the share shown is read only ?
>
> Yes, but I also have "read only = no" in the [global] section.

Not a good idea, that sets it for all shares, just set it in the shares.

> Regardless, the individual shares are beside the point.
> Right now AD users not in /etc/passwd can't even get to \\<aix host name> whereas
> users in /etc/passwd (with matching AD accounts) can.

Going round in circles here, you need to fix the links, try reading this:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC#Libnss_winbind_Links

> I followed those two links you sent as closely as I was able given
> that they are written for Linux and not AIX. AIX has no nsswitch.conf
> and uses the stanza in /etc/methods.cfg I provided for the same
> purpose. But, I didn't see in those articles an answer to why Samba
> realizes that the user is valid but we still get an
> NT_STATUS_UNSUCCESSFUL when the user doesn't have an AIX account.
> Security ramifications aside, my read of the documentation suggests
> that my configs as provided should work. I feel like I'm missing
> something very AIX-specific here, or that this is a bug...
>
> Thanks again, and I look forward to getting to the bottom of this!

Ah, we need someone who does use AIX, I can only tell you how to use Samba on Debian etc.

Rowland
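The two review points Rowland raises against the smb.conf quoted earlier in the thread (the idmap block naming 'NSI' while the workgroup is 'MY', and 'read only = no' living in [global] instead of in the shares), plus the 'force user = root' / 'guest account = root' settings he objects to, are all mechanical enough to lint for. The following script is an added example written for this page, not code from the Samba project or from either poster; it carries its own constructed smb.conf (modelled on the sanitised one in the thread, including the MY/NSI slip) and the checks it applies are the ones discussed above, not a complete validation of a domain-member configuration.

```python
"""Lint an smb.conf for the domain-member mistakes discussed in the thread."""
import re

# Constructed sample, modelled on the sanitised smb.conf posted in the thread:
# the workgroup says MY but the rid idmap block still says NSI, and the only
# "read only = no" sits in [global].
SAMPLE_SMB_CONF = """
[global]
   workgroup = MY
   security = ADS
   realm = MY.LOCAL.DOMAIN
   force user = root
   read only = no
   guest account = root
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config NSI : backend = rid
   idmap config NSI : range = 10000-999999
   template shell = /bin/ksh

[share1]
   path = /export/share1
"""


def parse_smb_conf(text):
    """Return {section: {normalised key: value}}.

    Keys are lower-cased with whitespace collapsed and no spaces around ':',
    so 'idmap config NSI : range' and 'idmap config nsi:range' compare equal.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
        sections[current][key] = value.strip()
    return sections


def parse_range(value):
    lo, hi = value.split("-")
    return int(lo), int(hi)


def lint(sections):
    """Return a list of (severity, message) findings for the parsed config."""
    findings = []
    g = sections.get("global", {})
    workgroup = g.get("workgroup", "").lower()

    # 1. Every 'idmap config <DOMAIN>' block must name the joined domain;
    #    otherwise the domain's users fall back to the '*' (tdb) backend and
    #    the rid backend is never used for them.
    domains, ranges = set(), {}
    for key, value in g.items():
        m = re.match(r"^idmap config (.+):(backend|range)$", key)
        if not m:
            continue
        dom, setting = m.groups()
        domains.add(dom)
        if setting == "range":
            ranges[dom] = parse_range(value)
    for dom in sorted(domains - {"*"}):
        if dom != workgroup:
            findings.append(("error", f"idmap config '{dom.upper()}' does not "
                                      f"match workgroup '{workgroup.upper()}'"))
    if workgroup and workgroup not in domains:
        findings.append(("error", f"no idmap config block for workgroup "
                                  f"'{workgroup.upper()}'; its users fall back "
                                  f"to the '*' backend"))

    # 2. The '*' range and the domain range must not overlap.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(("error", f"idmap ranges for '{a}' and '{b}' overlap"))

    # 3. 'read only = no' in [global] flips every share to writable; Samba's
    #    default is read only = yes, so set it per share instead.
    if g.get("read only", "").lower() in ("no", "false", "0"):
        findings.append(("warn", "'read only = no' in [global] makes every share "
                                 "writable; set it per share"))
    for name, params in sections.items():
        if name in ("global", "printers", "print$"):
            continue
        if params.get("read only", g.get("read only", "yes")).lower() in ("yes", "true", "1"):
            findings.append(("info", f"share [{name}] is read only (Samba's default)"))

    # 4. Running file access as root for every client.
    for key in ("force user", "guest account"):
        if g.get(key, "").lower() == "root":
            findings.append(("warn", f"'{key} = root' in [global] makes the "
                                     f"affected sessions act as root on the filesystem"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"{severity:5} {message}")
```

Replacing the two 'NSI' occurrences with 'MY' clears both errors and leaves only the warnings, which matches the order Rowland suggests: get the domain mapping right first, then tighten the per-share and root settings.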