Rowland penny
2021-May-23 22:08 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
On 23/05/2021 22:57, Rowland penny via samba wrote:> On 23/05/2021 22:17, Ben Huntsman wrote: >> Hi there, and thank you for the reply! ?Very much appreciated! >> >> >Ah, I begin to see the light, you want to use the users in /etc/passwd >> >and AD, well, if so, then stop there, you cannot have the same user in >> >/etc/passwd and in AD. Further to this, Samba will not know who the >> >users in /etc/passwd are. >> >> Right, I want the AD users to *not* be in /etc/passwd. ?What I'm >> saying is that if I don't put them in there, then they can't connect >> to the server via \\<aix host name> at all. > > > I have never used AIX, but it sounds like you are missing the AIX > versions of the Debian packages libnss-winbind and libpam-winbind > and/or winbind isn't running. By using the 'rid' backend it should > just work, the other thing is, does AIX have /etc/nsswitch.conf and is > it set correctly ? > >> >> >> >You might use root by design, but can I introduce you to the concept of >> >security ? Also this isn't how AD works. >> >> Agreed, but this isn't part of the actual issue at hand. ?I will >> tighten up security but I want to get basic connectivity working first. > > > Understood > > >> >> >> >Is the workgroup 'MY' or 'NSI' ? They should match. >> >> Apparently I missed one, but I was trying to sanitize the logs so it >> didn't contain specifics of my environment. ?They should have all >> said 'MY' in the examples I posted. ?The configuration provided works >> perfectly for users who are in AD and also have a matching AIX account. > > > Then it isn't working, the AIX users will be used before the AD users > if they are the same username, you do not need the users in /etc/passwd. > >> >> >> >Are you aware that the share shown is read only ? >> >> Yes, but I also have "read only = no" in the [global] section. > > > Not a good idea, that sets it for all shares, just set it in the shares. > >> ?Regardless, the individual shares are beside the point. ?Right now >> AD users not in /etc/passwd can't even get to \\<aix host name> >> whereas users in /etc/passwd (with matching AD accounts) can. > > > Going round in circles here, you need to fix the links, try reading this: > > https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC#Libnss_winbind_Links > > >> >> I followed those two links you sent as closely as I was able given >> that they are written for Linux and not AIX. ?AIX has no >> nsswitch.conf and uses the stanza in /etc/methods.cfg I provided for >> the same purpose. ?But, I didn't see in those articles an answer to >> why Samba realizes that the user is valid but we still get an >> NT_STATUS_UNSUCCESSFUL when the user doesn't have an AIX account. >> ?Security ramifications aside, my read of the documentation suggests >> that my configs as provided should work. ?I feel like I'm missing >> something very AIX-specific here, or that this is a bug... >> >> Thanks again, and I look forward to getting to the bottom of this! >> > Ah, we need someone who does use AIX, I can only tell you how to use > Samba on Debian etc. > > > Rowland > > >And that someone seems to be Bjorn Jacke, try looking at this: https://www.youtube.com/watch?v=FwQpcnb-jTs Rowland
John P Janosik
2021-May-24 13:14 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
> On 23/05/2021 22:57, Rowland penny via samba wrote: > > On 23/05/2021 22:17, Ben Huntsman wrote: > >> Hi there, and thank you for the reply! Very much appreciated! > >> > >> >Ah, I begin to see the light, you want to use the users in/etc/passwd> >> >and AD, well, if so, then stop there, you cannot have the same userin> >> >/etc/passwd and in AD. Further to this, Samba will not know who the > >> >users in /etc/passwd are. > >> > >> Right, I want the AD users to *not* be in /etc/passwd. What I'm > >> saying is that if I don't put them in there, then they can't connect > >> to the server via \\<aix host name> at all. > > > > > > I have never used AIX, but it sounds like you are missing the AIX > > versions of the Debian packages libnss-winbind and libpam-winbind > > and/or winbind isn't running. By using the 'rid' backend it should > > just work, the other thing is, does AIX have /etc/nsswitch.conf and is> > it set correctly ? > > > >> > >> > >> >You might use root by design, but can I introduce you to the conceptof> >> >security ? Also this isn't how AD works. > >> > >> Agreed, but this isn't part of the actual issue at hand. I will > >> tighten up security but I want to get basic connectivity workingfirst.> > > > > > Understood > > > > > >> > >> > >> >Is the workgroup 'MY' or 'NSI' ? They should match. > >> > >> Apparently I missed one, but I was trying to sanitize the logs so it > >> didn't contain specifics of my environment. They should have all > >> said 'MY' in the examples I posted. The configuration provided works> >> perfectly for users who are in AD and also have a matching AIXaccount.> > > > > > Then it isn't working, the AIX users will be used before the AD users > > if they are the same username, you do not need the users in/etc/passwd.> > > >> > >> > >> >Are you aware that the share shown is read only ? > >> > >> Yes, but I also have "read only = no" in the [global] section. > > > > > > Not a good idea, that sets it for all shares, just set it in theshares.> > > >> Regardless, the individual shares are beside the point. Right now > >> AD users not in /etc/passwd can't even get to \\<aix host name> > >> whereas users in /etc/passwd (with matching AD accounts) can. > > > > > > Going round in circles here, you need to fix the links, try readingthis:> > > > INVALID URI REMOVED >u=https-3A__wiki.samba.org_index.php_Configuring-5FWinbindd-5Fon-5Fa-5FSamba-5FAD-5FDC-23Libnss-5Fwinbind-5FLinks&d=DwIF-> g&c=jf_iaSHvJObTbx-siA1ZOg&r=0Dp1Q- >C82_YdGZkYbRCzwwF7MPW3Xm2J3i_0sW8Izuc&m=FH4219Sm1N4o1J25Cc6kf6qsgzX6rD0V4QbiA-> ziEeE&s=CVp1jjI89QFGlZ8IL44MXzsMtACt6beTnb70fa_LdmE&e= > > > > > >> > >> I followed those two links you sent as closely as I was able given > >> that they are written for Linux and not AIX. AIX has no > >> nsswitch.conf and uses the stanza in /etc/methods.cfg I provided for > >> the same purpose. But, I didn't see in those articles an answer to > >> why Samba realizes that the user is valid but we still get an > >> NT_STATUS_UNSUCCESSFUL when the user doesn't have an AIX account. > >> Security ramifications aside, my read of the documentation suggests > >> that my configs as provided should work. I feel like I'm missing > >> something very AIX-specific here, or that this is a bug... > >> > >> Thanks again, and I look forward to getting to the bottom of this! > >> > > Ah, we need someone who does use AIX, I can only tell you how to use > > Samba on Debian etc. > >Look at the default value of "registry" in /etc/security/user, that specifies which method from /etc/methods.cfg will be used for user lookup. Watch out if you change the default to WINBIND to make sure you override that back to the old setting on a per user stanza basis for non AD users on the system.> > > > Rowland > > > > > > > > And that someone seems to be Bjorn Jacke, try looking at this: > INVALID URI REMOVED > u=https-3A__www.youtube.com_watch-3Fv-3DFwQpcnb-2DjTs&d=DwIF- > g&c=jf_iaSHvJObTbx-siA1ZOg&r=0Dp1Q- >C82_YdGZkYbRCzwwF7MPW3Xm2J3i_0sW8Izuc&m=FH4219Sm1N4o1J25Cc6kf6qsgzX6rD0V4QbiA-> ziEeE&s=fSCVr0vi9g-zom894qHy7APWEAqC5-4nyIgLLpp-g6I&e= > > Rowland > > >John Janosik