Ben Huntsman
2021-May-24 15:38 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
Hi there! Thank you for the reply, John!

>Look at the default value of "registry" in /etc/security/user, that
>specifies which method from /etc/methods.cfg will be used for user lookup.
>Watch out if you change the default to WINBIND to make sure you override
>that back to the old setting on a per user stanza basis for non AD users
>on the system.

I have the following set in /etc/security/user:

default:
...
SYSTEM = "compat OR WINBIND"
...

Earlier I had tried adding "registry = WINBIND" to that as well, but it did not change the behavior.

Do you have Samba working on any of your AIX systems with "security = ads"? Would you be willing to share your smb.cfg's [global] section, krb5.conf, methods.cfg, and /etc/security/user's default: section (appropriately sanitized, of course)?

I can't thank you enough!

-Ben
John P Janosik
2021-May-24 18:52 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
Ben Huntsman <ben at huntsmans.net> wrote on 05/24/2021 11:38:29 AM:

Hi Ben,

> Hi there! Thank you for the reply, John!
>
> >Look at the default value of "registry" in /etc/security/user, that
> >specifies which method from /etc/methods.cfg will be used for user lookup.
> >Watch out if you change the default to WINBIND to make sure you override
> >that back to the old setting on a per user stanza basis for non AD users
> >on the system.
>
> I have the following set in /etc/security/user:
>
> default:
> ...
> SYSTEM = "compat OR WINBIND"
> ...
>
> Earlier I had tried adding "registry = WINBIND" to that as well, but
> it did not change the behavior.
>
> Do you have Samba working on any of your AIX systems with "security
> = ads"? Would you be willing to share your smb.cfg's [global]
> section, krb5.conf, methods.cfg, and /etc/security/user's default:
> section (appropriately sanitized, of course)?
>

I haven't used Samba on AIX with AD for many years so can't help with Samba specifics. The "SYSTEM" setting in /etc/security/user sets which modules are used to authenticate users via the AIX LAM. Since Samba isn't using AIX LAM for authentication I would not think you would need WINBIND there unless you want to allow AD users to log into the system for shell or access to applications that use the AIX authenticate API.

If "lsuser ALL" or "lsuser SOMEADUSER" doesn't show user information for AD users then it seems there is some issue with the configuration of the WINBIND module. I can't provide any more help than that; perhaps a case with AIX support could help with how to debug communication between AIX and the modules in methods.cfg.

> I can't thank you enough!
>
> -Ben

John
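
The per-user override caveat discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages: it parses stanza text in the /etc/security/user format and lists local accounts that would inherit a WINBIND default registry. The sample file contents, the account names and the caller-supplied list of local accounts are constructed assumptions.

```python
import re

# Constructed sample in AIX stanza format (not taken from the thread).
SAMPLE_SECURITY_USER = '''\
* comment lines start with an asterisk
default:
    SYSTEM = "compat OR WINBIND"
    registry = WINBIND

root:
    SYSTEM = "compat"
    registry = files

appsvc:
    admin = false
'''

def parse_stanzas(text):
    """Parse stanza text into {stanza_name: {attribute: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        header = re.fullmatch(r"([^\s=:]+):", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return stanzas

def effective(stanzas, user, attr):
    """Per-user value if set, otherwise the value from the default: stanza."""
    return stanzas.get(user, {}).get(attr, stanzas.get("default", {}).get(attr))

def local_users_missing_override(stanzas, local_users, ad_method="WINBIND"):
    """Local (non-AD) accounts whose effective registry is the AD method."""
    return sorted(u for u in local_users if effective(stanzas, u, "registry") == ad_method)

if __name__ == "__main__":
    s = parse_stanzas(SAMPLE_SECURITY_USER)
    for user in local_users_missing_override(s, ["root", "appsvc", "daemon"]):
        print(f"{user}: registry inherits WINBIND from default, add a per-user override")
```
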