John P Janosik
2021-May-24 13:14 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
> On 23/05/2021 22:57, Rowland penny via samba wrote:
> > On 23/05/2021 22:17, Ben Huntsman wrote:
> >> Hi there, and thank you for the reply! Very much appreciated!
> >>
> >> >Ah, I begin to see the light, you want to use the users in /etc/passwd
> >> >and AD, well, if so, then stop there, you cannot have the same user in
> >> >/etc/passwd and in AD. Further to this, Samba will not know who the
> >> >users in /etc/passwd are.
> >>
> >> Right, I want the AD users to *not* be in /etc/passwd. What I'm
> >> saying is that if I don't put them in there, then they can't connect
> >> to the server via \\<aix host name> at all.
> >
> > I have never used AIX, but it sounds like you are missing the AIX
> > versions of the Debian packages libnss-winbind and libpam-winbind
> > and/or winbind isn't running. By using the 'rid' backend it should
> > just work, the other thing is, does AIX have /etc/nsswitch.conf and is
> > it set correctly ?
> >
> >> >You might use root by design, but can I introduce you to the concept of
> >> >security ? Also this isn't how AD works.
> >>
> >> Agreed, but this isn't part of the actual issue at hand. I will
> >> tighten up security but I want to get basic connectivity working first.
> >
> > Understood
> >
> >> >Is the workgroup 'MY' or 'NSI' ? They should match.
> >>
> >> Apparently I missed one, but I was trying to sanitize the logs so it
> >> didn't contain specifics of my environment. They should have all
> >> said 'MY' in the examples I posted. The configuration provided works
> >> perfectly for users who are in AD and also have a matching AIX account.
> >
> > Then it isn't working, the AIX users will be used before the AD users
> > if they are the same username, you do not need the users in /etc/passwd.
> >
> >> >Are you aware that the share shown is read only ?
> >>
> >> Yes, but I also have "read only = no" in the [global] section.
> >
> > Not a good idea, that sets it for all shares, just set it in the shares.
> >
> >> Regardless, the individual shares are beside the point. Right now
> >> AD users not in /etc/passwd can't even get to \\<aix host name>
> >> whereas users in /etc/passwd (with matching AD accounts) can.
> >
> > Going round in circles here, you need to fix the links, try reading this:
> >
> > https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC#Libnss_winbind_Links
> >
> >> I followed those two links you sent as closely as I was able given
> >> that they are written for Linux and not AIX. AIX has no
> >> nsswitch.conf and uses the stanza in /etc/methods.cfg I provided for
> >> the same purpose. But, I didn't see in those articles an answer to
> >> why Samba realizes that the user is valid but we still get an
> >> NT_STATUS_UNSUCCESSFUL when the user doesn't have an AIX account.
> >> Security ramifications aside, my read of the documentation suggests
> >> that my configs as provided should work. I feel like I'm missing
> >> something very AIX-specific here, or that this is a bug...
> >>
> >> Thanks again, and I look forward to getting to the bottom of this!
> >>
> > Ah, we need someone who does use AIX, I can only tell you how to use
> > Samba on Debian etc.

Look at the default value of "registry" in /etc/security/user, that
specifies which method from /etc/methods.cfg will be used for user lookup.
Watch out if you change the default to WINBIND to make sure you override
that back to the old setting on a per user stanza basis for non AD users
on the system.

> >
> > Rowland
> >
> And that someone seems to be Bjorn Jacke, try looking at this:
> https://www.youtube.com/watch?v=FwQpcnb-jTs
>
> Rowland
>

John Janosik
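An illustration of the per-user override John describes, added here as an example; it is not configuration posted by anyone in the thread. Only the attribute names `registry` and `SYSTEM`, the `default:` stanza and the `compat` / `WINBIND` method names come from the thread. The `/etc/methods.cfg` stanza, the module path `/usr/lib/security/WINBIND` and the local account `svcbackup` are assumptions chosen for the illustration; check them against the module your Samba build actually installed.

```ini
# /etc/methods.cfg  (assumed stanza: names the winbind loadable
# authentication module so /etc/security/user can refer to it as WINBIND)
WINBIND:
        program = /usr/lib/security/WINBIND

# /etc/security/user  -- risky form.
# Every account, including root and local service accounts, is now
# administered through winbind by default; if winbindd or the DC is
# unreachable, nothing on the box resolves.
default:
        registry = WINBIND
        SYSTEM = "WINBIND OR compat"

# /etc/security/user  -- safer form, same default for AD users.
# AIX applies a user's own stanza before default:, so each account that
# lives in /etc/passwd gets its own stanza pinning it back to the local
# registry. A winbind outage then cannot lock root out of the system.
default:
        registry = WINBIND
        SYSTEM = "WINBIND OR compat"

root:
        registry = files
        SYSTEM = "compat"

# assumed local service account kept out of AD on purpose
svcbackup:
        registry = files
        SYSTEM = "compat"
```

`SYSTEM` is the authentication grammar and its left-to-right order is the order the methods are tried, so Ben's `"compat OR WINBIND"` consults the local password first; `registry` selects where the account is administered and looked up, and it is the `registry` default that John's caveat is about. Any account not present in AD needs both attributes set explicitly once the default is changed.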
Ben Huntsman
2021-May-24 15:38 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
Hi there! Thank you for the reply, John!

>Look at the default value of "registry" in /etc/security/user, that
>specifies which method from /etc/methods.cfg will be used for user lookup.
>Watch out if you change the default to WINBIND to make sure you override
>that back to the old setting on a per user stanza basis for non AD users
>on the system.

I have the following set in /etc/security/user:

default:
        ...
        SYSTEM = "compat OR WINBIND"
        ...

Earlier I had tried adding "registry = WINBIND" to that as well, but it did not change the behavior.

Do you have Samba working on any of your AIX systems with "security = ads"? Would you be willing to share your smb.cfg's [global] section, krb5.conf, methods.cfg, and /etc/security/user's default: section (appropriately sanitized, of course)?

I can't thank you enough!

-Ben