Ben Huntsman
2021-May-24 19:32 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
>Problem is, from Samba 4.8.0 , with 'security = ADS', you must run winbind.I am running winbind. Happy to do so. It just uses different config files and stuff than Linux.>Until the AIX tools show the AD users & groups, you cannot use them on >the AIX machine.The "lsuser -R WIBIND ALL" command not returning any data is a known bug. The equivalent lsgroup command works.>Sorry, but I cannot help any further than this.No worries. Thank you so much for your time thus far! Hoping someone else who has a working AIX setup will comment... Thanks again everyone! -Ben
Ben Huntsman
2021-May-26 00:11 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
I take it there are not many AIX users here. I have continued to dig on this and I discovered this: https://www.ibm.com/support/pages/apar/IJ29552 That APAR from IBM covers a bug that prevents some LAM modules from working. And indeed, installing it improved the situation for winbind on AIX. With that ifix (or with upgrading to AIX 7100-05-08), I can now log into the AIX system via ssh or telnet using AD username/passwords that aren't defined on the system! That's a huge step in the right direction! And also an indicator that Samba on AIX may be broken due to AIX bugs. Unfortunately, there is still the problem that if a user isn't defined on AIX, it can't connect to \\<aix host name>, despite the fact that the log clearly shows that it successfully authenticates the user, but then the session bombs out: # smbclient //testhost/share1 -U MY\\testuser Enter MY\testuser's password: <correct password> session setup failed: NT_STATUS_UNSUCCESSFUL # smbclient //testhost/share1 -U MY\\testuser Enter MY\testuser's password: <purposefully-typed incorrect password> session setup failed: NT_STATUS_LOGON_FAILURE I'm pretty sure it all comes down to this: May 25 17:05:55 testhost daemon:err|error smbd[5308666]: [2021/05/25 17:05:55.001540, 0] ../../source3/lib/system_smbd.c:226(getgroups_unix_user) May 25 17:05:55 testhost daemon:err|error smbd[5308666]: get_user_groups: failed to get the unix group list Somehow, even though winbind can clearly get information about the groups via lsgroup, wbinfo -g, etc, when a user browses to \\<aix host name>, it fails to return the list of groups and then our SMB session fails to get established. Has anyone seen this, or know more about it, or if it's resolved in newer Samba builds? Thank you very much to all who have replied so far! Your help is greatly appreciated! -Ben