Kevin Newman
2009-Nov-12 22:54 UTC
[Samba] Looking for AIX Users of Winbind -- Authorization and SSH Problems
Hi all,

I've got Samba with Winbind working on AIX 5.3 and 6.1 fairly well with Active Directory 2003. In fact, I'd say short of 2 very important services, it's working almost perfectly. Unfortunately, these 2 services are quite critical, and without them I'm afraid we'll have to resort to some sort of proprietary identity solution like Novell, which I'm not crazy about. Assume that these examples are all from Samba 3.3.4, though I have tried a few versions back to 3.0.0 and forward to 3.3.9, with no different results. These are also from pWare's compiled versions (linked here: http://pware.hvcc.edu/download/).

The two things I can't get working with Winbind on AIX:

1. SSH. Doesn't seem to work on AIX 5.3 with Winbind. I get a "setgroups: Not owner" and "initgroups: Not owner" error in the sshd debug and the session is closed after authentication succeeds. I *can*, however, get this working on AIX 6.1 with pWare's compiled SSH 5.2.1.0.

2. Authorization (e.g., who can log into the box ... NOT just all of AD). I'm pretty good at configuring Winbind on Linux, and on Linux there's a pam_winbind.conf file that I usually use to lock down the box to specific AD users or groups -- I use the require_membership_of line and it works just fine. Unfortunately, I don't see any pam_winbind.conf file in AIX by default. I've tried placing it in /etc/security/ or in other locations, but it doesn't seem to be used. I've also tried adding pam_winbind lines to the /etc/pam.conf and manually adding the "require_membership_of" after the stanza, like so:

telnet account required /usr/lib/security/pam_winbind.so require_membership_of=someGroup

... also with no success. To me, it's simply unacceptable to implement this Winbind configuration without being able to choose who logs onto the box. Without implementing some form of authorization, I might as well just set everyone's password blank.

So, my question to everyone is: is there anyone out there using Winbind with AIX? If so, have you overcome those 2 issues I'm describing?

Thanks,
Kevin
Matt Delves
2009-Nov-12 23:05 UTC
[Samba] Looking for AIX Users of Winbind -- Authorization and SSH Problems
On 13/11/2009 at 9:54 am, Kevin Newman <kevinjnewman at gmail.com> wrote:

> 2. Authorization (e.g., who can log into the box ... NOT just all of AD). I'm pretty good at configuring Winbind on Linux, and on Linux there's a pam_winbind.conf file that I usually use to lock down the box to specific AD users or groups -- I use the require_membership_of line and it works just fine. Unfortunately, I don't see any pam_winbind.conf file in AIX by default. I've tried placing it in /etc/security/ or in other locations, but it doesn't seem to be used. I've also tried adding pam_winbind lines to the /etc/pam.conf and manually adding the "require_membership_of" after the stanza, like so:
>
> telnet account required /usr/lib/security/pam_winbind.so require_membership_of=someGroup

How I use winbind to lock down group membership is by using the /etc/security/access.conf file to restrict the groups who can log in. This does mean you will have to use the pam_access module as well. This works quite well for me under Linux and may (I stress may, as I haven't worked with AIX) provide a solution under AIX.

Hope this helps.

Thanks,
Matt Delves
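A concrete form of the pam_access approach Matt describes, added here as an example and not taken from either post: a Linux PAM account stack that hands the login-authorization decision to pam_access, and an /etc/security/access.conf that admits one AD group and denies everyone else. The domain EXAMPLE, the group AIXADMINS and a winbind separator of "+" are assumptions; the stack shown is Linux-style, as Matt's own setup is.

```text
# /etc/pam.d/sshd  (Linux, account phase only; constructed example)
# pam_winbind confirms the AD account is valid and not disabled/expired;
# pam_access then decides whether that account may log in on THIS host.
account   required   pam_winbind.so
account   required   pam_access.so

# /etc/security/access.conf
# Format:  permission : users/groups : origins
# A name in parentheses is matched as a group, so an AD group resolved
# through winbind's NSS backend can be used directly. "EXAMPLE+AIXADMINS"
# assumes "winbind separator = +" in smb.conf so that the domain-qualified
# name contains no backslash. Lines are evaluated top to bottom; the first
# match wins.
+ : root : LOCAL
+ : (EXAMPLE+AIXADMINS) : ALL
# Deny every other user from every origin. This must remain the last line,
# otherwise the file falls back to permitting anyone winbind can authenticate.
- : ALL : ALL
```

Verify the deny rule from a second session with an AD account that is not in the group before closing your existing root session, since a typo in the group name locks out everyone except local root on the console.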
Andrew Masterson
2009-Nov-13 18:24 UTC
[Samba] Looking for AIX Users of Winbind -- Authorization and SSH Problems
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Kevin Newman
> Sent: Thursday, November 12, 2009 3:55 PM
> To: samba at lists.samba.org
> Subject: [Samba] Looking for AIX Users of Winbind -- Authorization and SSH Problems
>
> Hi all,
>
> I've got Samba with Winbind working on AIX 5.3 and 6.1 fairly well with Active Directory 2003. In fact, I'd say short of 2 very important services, it's working almost perfectly. Unfortunately, these 2 services are quite critical, and without them I'm afraid we'll have to resort to some sort of proprietary identity solution like Novell, which I'm not crazy about. Assume that these examples are all from Samba 3.3.4, though I have tried a few versions back to 3.0.0 and forward to 3.3.9, with no different results. These are also from pWare's compiled versions (linked here: http://pware.hvcc.edu/download/).
>
> The two things I can't get working with Winbind on AIX:
>
> 1. SSH. Doesn't seem to work on AIX 5.3 with Winbind. I get a "setgroups: Not owner" and "initgroups: Not owner" error in the sshd debug and the session is closed after authentication succeeds. I *can*, however, get this working on AIX 6.1 with pWare's compiled SSH 5.2.1.0.
>
> 2. Authorization (e.g., who can log into the box ... NOT just all of AD). I'm pretty good at configuring Winbind on Linux, and on Linux there's a pam_winbind.conf file that I usually use to lock down the box to specific AD users or groups -- I use the require_membership_of line and it works just fine. Unfortunately, I don't see any pam_winbind.conf file in AIX by default. I've tried placing it in /etc/security/ or in other locations, but it doesn't seem to be used. I've also tried adding pam_winbind lines to the /etc/pam.conf and manually adding the "require_membership_of" after the stanza, like so:
>
> telnet account required /usr/lib/security/pam_winbind.so require_membership_of=someGroup
>
> ... also with no success. To me, it's simply unacceptable to implement this Winbind configuration without being able to choose who logs onto the box. Without implementing some form of authorization, I might as well just set everyone's password blank.
>
> So, my question to everyone is: is there anyone out there using Winbind with AIX? If so, have you overcome those 2 issues I'm describing?
>
> Thanks,
>
> Kevin
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

We are using winbind on AIX, and this is my documentation on how I got it to work:

To use WINBIND:

cp -p /opt/pware/samba/3.0.28/lib/security/WINBIND /usr/lib/security

------------- edit /usr/lib/security/methods.cfg and add -------------

WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly

------------- edit the default stanza in /etc/security/user to have -------------

SYSTEM = "WINBIND OR compat"

-=Andrew