samba - Nov 2009 - Looking for AIX Users of Winbind -- Authorization and SSH Problems

Hi all,

I've got Samba with Winbind working on AIX 5.3 and 6.1 fairly well with
Active Directory 2003.  In fact, I'd say short of 2 very important services,
it's working almost perfectly.  Unfortunately, these 2 services are quite
critical, and without them I'm afraid we'll have to resort to some sort
of
proprietary identity solution like Novell, which I'm not crazy about.
Assume that these examples are all from Samba 3.3.4, though I have tried a
few versions back to 3.0.0 and forward to 3.3.9, with no different results.
These are also from pWare's compiled versions (linked here:
http://pware.hvcc.edu/download/).

The two things I can't get working with Winbind on AIX:

1. SSH.  Doesn't seem to work on AIX 5.3 with Winbind.  I get a
"setgroups:
Not owner" and "initgroups: Not owner" error in the sshd debug
and the
session is closed after authentication succeeds.  I *can*, however, get this
working on AIX 6.1 with pWare's compiled SSH 5.2.1.0.

2. Authorization (e.g., who can log into the box ... NOT just all of AD).
I'm pretty good at configuring Winbind on Linux, and on Linux there's a
pam_winbind.conf file that I usually use to lock down the box to specific AD
users or groups -- I use the require_membership_of line and it works just
fine.  Unfortunately,  I don't see any pam_winbind.conf file in AIX by
default.  I've tried placing it in /etc/security/ or in other locations, but
it doesn't seem to be used.  I've also tried adding pam_winbind lines to
the
/etc/pam.conf and manually adding the "require_membership_of" after
the
stanza, like so:

telnet  account required        /usr/lib/security/pam_winbind.so
require_membership_of=someGroup

... also with no success.  To me, it's simply unacceptable to implement this
Winbind configuration without being able to choose who logs onto the box.
Without implementing some form of authorization, I might as well just set
everyone's password blank.

So, my question to everyone is: is there anyone out there using Winbind with
AIX?  If so, have you overcome those 2 issues I'm describing?

Thanks,

Kevin

>>> On 13/11/2009 at 9:54 am, Kevin Newman <kevinjnewman at
gmail.com> wrote:
> 2. Authorization (e.g., who can log into the box ... NOT just all of AD).
> I'm pretty good at configuring Winbind on Linux, and on Linux
there's a
> pam_winbind.conf file that I usually use to lock down the box to specific
AD
> users or groups -- I use the require_membership_of line and it works just
> fine.  Unfortunately,  I don't see any pam_winbind.conf file in AIX by
> default.  I've tried placing it in /etc/security/ or in other
locations, but
> it doesn't seem to be used.  I've also tried adding pam_winbind
lines to the
> /etc/pam.conf and manually adding the "require_membership_of"
after the
> stanza, like so:
> 
> telnet  account required        /usr/lib/security/pam_winbind.so
> require_membership_of=someGroup
> 
How I use winbind to lock down group membership is by using the
/etc/security/access.conf file and to restrict the groups who can log in. This
does mean you will have to use the pam_access module as well. This works quite
well for me under Linux and may (I stress may as I haven't worked with AIX)
provide a solution under AIX.

Hope this helps.

Thanks,
Matt Delves

> -----Original Message-----
> From: samba-bounces at lists.samba.org
[mailto:samba-bounces at lists.samba.org]
> On Behalf Of Kevin Newman
> Sent: Thursday, November 12, 2009 3:55 PM
> To: samba at lists.samba.org
> Subject: [Samba] Looking for AIX Users of Winbind -- Authorization and
> SSHProblems
> 
> Hi all,
> 
> I've got Samba with Winbind working on AIX 5.3 and 6.1 fairly well
with
> Active Directory 2003.  In fact, I'd say short of 2 very important
services,
> it's working almost perfectly.  Unfortunately, these 2 services are
quite
> critical, and without them I'm afraid we'll have to resort to some
sort of
> proprietary identity solution like Novell, which I'm not crazy about.
> Assume that these examples are all from Samba 3.3.4, though I have
tried a
> few versions back to 3.0.0 and forward to 3.3.9, with no different
results.
> These are also from pWare's compiled versions (linked here:
> http://pware.hvcc.edu/download/).
> 
> The two things I can't get working with Winbind on AIX:
> 
> 1. SSH.  Doesn't seem to work on AIX 5.3 with Winbind.  I get a
"setgroups:
> Not owner" and "initgroups: Not owner" error in the sshd
debug and the
> session is closed after authentication succeeds.  I *can*, however,
get this
> working on AIX 6.1 with pWare's compiled SSH 5.2.1.0.
> 
> 2. Authorization (e.g., who can log into the box ... NOT just all of
AD).
> I'm pretty good at configuring Winbind on Linux, and on Linux
there's
a
> pam_winbind.conf file that I usually use to lock down the box to
specific AD
> users or groups -- I use the require_membership_of line and it works
just
> fine.  Unfortunately,  I don't see any pam_winbind.conf file in AIX by
> default.  I've tried placing it in /etc/security/ or in other
locations, but
> it doesn't seem to be used.  I've also tried adding pam_winbind
lines
to the
> /etc/pam.conf and manually adding the "require_membership_of"
after
the
> stanza, like so:
> 
> telnet  account required        /usr/lib/security/pam_winbind.so
> require_membership_of=someGroup
> 
> ... also with no success.  To me, it's simply unacceptable to
implement this
> Winbind configuration without being able to choose who logs onto the
box.
> Without implementing some form of authorization, I might as well just
set
> everyone's password blank.
> 
> So, my question to everyone is: is there anyone out there using
Winbind with
> AIX?  If so, have you overcome those 2 issues I'm describing?
> 
> Thanks,
> 
> Kevin
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba


We are using winbind on AIX, and this is my documentation on how I got
it to work:

To use WINBIND:

cp -p /opt/pware/samba/3.0.28/lib/security/WINBIND /usr/lib/security

-------------
edit /usr/lib/security/methods.cfg and add
-------------

WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly


-------------
edit the default stanza in /etc/security/user to have
-------------

        SYSTEM = "WINBIND OR compat"

-=Andrew