samba - May 2021 - Samba on AIX with security = ads - does it actually work?

On 26/05/2021 01:11, Ben Huntsman via samba wrote:
> I take it there are not many AIX users here.  I have continued to dig on
this and I discovered this:
>
> https://www.ibm.com/support/pages/apar/IJ29552
>
> That APAR from IBM covers a bug that prevents some LAM modules from
working.  And indeed, installing it improved the situation for winbind on AIX. 
With that ifix (or with upgrading to AIX 7100-05-08), I can now log into the AIX
system via ssh or telnet using AD username/passwords that aren't defined on
the system!  That's a huge step in the right direction!  And also an
indicator that Samba on AIX may be broken due to AIX bugs.
>
> Unfortunately, there is still the problem that if a user isn't defined
on AIX, it can't connect to \\<aix host name>, despite the fact that
the log clearly shows that it successfully authenticates the user, but then the
session bombs out:
>
> # smbclient //testhost/share1 -U MY\\testuser
> Enter MY\testuser's password: <correct password>
> session setup failed: NT_STATUS_UNSUCCESSFUL
> # smbclient //testhost/share1 -U MY\\testuser
> Enter MY\testuser's password: <purposefully-typed incorrect
password>
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> I'm pretty sure it all comes down to this:
>
> May 25 17:05:55 testhost daemon:err|error smbd[5308666]: [2021/05/25
17:05:55.001540,  0] ../../source3/lib/system_smbd.c:226(getgroups_unix_user)
> May 25 17:05:55 testhost daemon:err|error smbd[5308666]:   get_user_groups:
failed to get the unix group list
>
> Somehow, even though winbind can clearly get information about the groups
via lsgroup, wbinfo -g, etc, when a user browses to \\<aix host name>, it
fails to return the list of groups and then our SMB session fails to get
established.
>
> Has anyone seen this, or know more about it, or if it's resolved in
newer Samba builds?
>
> Thank you very much to all who have replied so far!  Your help is greatly
appreciated!
>
> -Ben
>
 From everything you have posted, I am fairly convinced that you have an 
AIX problem and not a Samba problem. I can assure you that Samba works 
on Linux, it just doesn't seem to work on AIX.

Rowland

>From everything you have posted, I am fairly convinced that you have an
>AIX problem and not a Samba problem. I can assure you that Samba works
>on Linux, it just doesn't seem to work on AIX.
I concur.  I never suggested there was any problem on Linux, it's just not a
Linux server we need this working on.  I was hoping that maybe we could gather
enough info that a bug could be identified and perhaps fixed...

Thanks again!

-Ben