Craig Green
2010-Apr-01 05:28 UTC
[Samba] AIX 5.3 Active Directory Synchronisation using Winbind
I have been trying to get AIX 5.3 ML-11 integrated with MS AD (MS-2003 with SP2
and SFU 3.5). It has given me a few grey hairs. I have not been able to get it to
function correctly.
I have followed various tech articles and installation notes that I have found
on the web. They are all basically the same in that they suggest to either
compile the required components from scratch or to use the precompiled packages
from the pware.hvcc.edu site.
I originally tried compiling from scratch/source which I have always done in the
past when using samba as a NT4 domain member. This is the first time I have
tried integrating into MS AD.
My latest attempt uses the precompiled packages from the hvcc site.
I run into the same issues with both types of setup (i.e. compiling samba from
scratch or using the pware53 packages).
When I have samba installed and joined to the AD the following commands work as
expected.
wbinfo -u
wbinfo -g
wbinfo -a username
However, if I try to telnet to the AIX server or connect to a share, AD is not
being used for authenticating the password. When trying a telnet login I get
back "3004-007 You entered an invalid login name or password."
Following is a list of what I have installed etc.
AIX: 5.3 ML-11-03-1013
pware53.base.rte 5.3.0.0 COMMITTED pWare base for 5.3
pware53.bdb.rte 4.6.21.4 COMMITTED Berkeley DB 4.6.21
pware53.cyrus-sasl.rte 2.1.22.2 COMMITTED cyrus-sasl 2.1.22
pware53.gettext.rte 0.17.0.0 COMMITTED GNU gettext 0.17
pware53.krb5.rte 1.7.1.0 COMMITTED MIT Kerberos 1.7.1
pware53.libiconv.rte 1.13.1.0 COMMITTED GNU libiconv 1.13.1
pware53.ncurses.rte 5.7.0.1 COMMITTED ncurses 5.7.0.1
pware53.openldap.rte 2.4.19.0 COMMITTED OpenLDAP 2.4.19
pware53.openssl.rte 0.9.8.13 COMMITTED OpenSSL 0.9.8m
pware53.popt.rte 1.10.4.0 COMMITTED popt 1.10.4
pware53.readline.rte 6.1.0.0 COMMITTED GNU readline 6.1
pware53.samba.rte 3.5.0.0 COMMITTED Samba 3.5.0
pware53.zlib.rte 1.2.3.0 COMMITTED zlib 1.2.3
The Kerberos krb5.conf: below is the one I'm using in my environment.
--- krb5.conf - start ---
[libdefaults]
default_realm = TESTREALM.COM.AU
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
TESTREALM.COM.AU = {
kdc = ad01.testrealm.com.au:88
default_domain = testrealm.com.au
admin_server = ad01.testrealm.com.au:749
}
[domain_realm]
.kerberos.server = TESTREALM.COM.AU
.domain.com = TESTREALM.COM.AU
domain.com = TESTREALM.COM.AU
.testrealm.com.au = TESTREALM.COM.AU
testrealm.com.au = TESTREALM.COM.AU
[logging]
default = FILE:/var/log/krb5/krb5libs.log
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
--- krb5.conf - ends ---
I can execute $> kinit [AD username]; this asks me for a password, I fill
that in and everything goes well.
Here is the global section of my smb.conf file.
--- smb.conf [global] section - start ---
comment = AIX Internal Services - Samba %v
workgroup = TESTREALM
netbios name = %h
security = ADS
realm = TESTREALM.COM.AU
encrypt passwords = Yes
password server = ab01
username map = /etc/samba/lib/smbusers.map
log file = /etc/samba/var/%m.log
log level = 2
interfaces = en0 lo0
bind interfaces only = yes
name resolve order = host wins bcast
keepalive = 30
printcap name = /etc/qconfig
os level = 0
lm announce = False
preferred master = False
local master = No
domain master = False
wins server = 172.16.xxx.yyy
(I have obfuscated the last two octets.)
guest account = guest
admin users = sh, root, cgr
read only = No
create mask = 0770
directory mask = 0770
map archive = No
follow symlinks = No
dont descend = /dev,/proc,/root,/stand
load printers = no
passdb backend = tdbsam
smb passwd file = /etc/samba/private/tdbsam
unix extensions = no
winbind use default domain = yes
idmap uid = 10000-200000
idmap gid = 10000-200000
auth methods = winbind
winbind enum users = yes
winbind enum groups = yes
--- smb.conf [global] section - end ---
I can join the AIX server to the AD domain using
$> net ads join -U[AD username]
Enter [AD username]'s password:
Using short domain name -- TESTREAM
Joined 'AIXSERVER' to realm 'testrealm.com.au'
$>
I can then start nmbd, smbd and winbindd as daemons.
I can then do a query to the AD server like this: $> wbinfo -u or $> wbinfo
-g, and I get back a complete list of the users and groups in the domain. I can
also use wbinfo -a username; I get prompted for the password and when I enter
the relevant AD password it says it can authenticate.
So at this point, it appears that the server is authenticating with AD, so to
make it available when logging into the box I have changed the default user
stanza and the login methods. That is, I edited the /etc/security/user file and
changed the SYSTEM and registry variables to:
SYSTEM = "WINBIND or compat"
registry = WINBIND
I also edited the /usr/lib/security/methods.cfg and added at the end:
WINBIND:
program = /usr/lib/security/WINBIND
options = authonly
Hopefully I am telling AIX that from now on it should use winbind as the
authentication method for users (default users). Users that are already defined
on the system and are not in AD will be able to log in. I also left the compat
method on the default stanza so if winbind fails it will check locally.
At this point I have tried telnet from another AIX server and also from a PC to
see if I can log in using the AD account and password. I understand that I
should be able to log in. I have manually created the relevant home directory
that samba expects to find.
I hope the above will help someone understand what I have done and hopefully
what I need to do to resolve my issue(s).
John Welch
2010-Apr-02 12:15 UTC
[Samba] AIX 5.3 Active Directory Synchronisation using Winbind
Hi Craig,
Not sure how much I'll be able to help, but we are using Samba/Winbind on an
AIX machine in an Active Directory 2003 environment, so I figured I would at
least pass along our setup and maybe it will trigger something that will help
you solve your problem.
A couple of differences in our environment... We are running AIX 6.1.2 and
Samba 3.4.5, which was the latest available from the hvcc.edu site when I
upgraded a few months back. We are only using Samba/Winbind for file sharing
with Windows clients; not for user log-in authentication. We also use DOMAIN
level security mode in smb.conf, as opposed to ADS mode.
I guess my first question is do you really need ADS security mode? We have
integrated both Linux and AIX servers into our Active Directory environment for
several years now (upgrading from NT environment) and have always stuck with
DOMAIN mode. I tried ADS mode a few times and ran into some issues. I think
this might be easier now, but have not had the time nor inclination to mess
with something that has been working fine.
I know one issue I ran into when I recently upgraded Samba on the AIX box was
that the WINBIND file in /usr/lib/security was a symbolic link that was not
linked to the correct version of Samba. Have you looked at this file and
verified that it is correct?
Hope this helps a little.
John
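As an added check (not part of Craig's or John's posts, nor of the pware project), a small POSIX sh script that verifies the AIX side of the winbind login path described in the thread: the default stanza in /etc/security/user, the WINBIND stanza in /usr/lib/security/methods.cfg, and whether the WINBIND load module symlink still resolves. It builds its own copies of the stanza files in a temp directory so it can be run anywhere; the real paths are named in the trailing comment.

```shell
# Added example, not from the thread: checks the AIX side of the winbind login
# path the posts describe. Sample stanza files are constructed in a temp dir.
WORK=${TMPDIR:-/tmp}/winbind-check.$$
mkdir -p "$WORK"
cat > "$WORK/user" <<'EOF'
default:
        SYSTEM = "WINBIND or compat"
        registry = WINBIND
EOF
cat > "$WORK/methods.cfg" <<'EOF'
WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly
EOF

# stanza_attr FILE STANZA ATTR: print ATTR's value (quotes stripped) from the
# named stanza of an AIX stanza file ("name:" header, indented "attr = value").
stanza_attr() {
    awk -v s="$2:" -v a="$3" '
        /^[^ \t]/ { in_s = ($1 == s); next }
        in_s && $1 == a && $2 == "=" {
            sub(/^[ \t]*[^=]*=[ \t]*/, ""); gsub(/"/, ""); print; exit
        }' "$1"
}

# check_login_method USERFILE METHODSCFG: succeed only when the default stanza
# routes logins through WINBIND and methods.cfg defines that method's program.
check_login_method() {
    sys=$(stanza_attr "$1" default SYSTEM)
    case "$sys" in
        *WINBIND*) ;;
        *) echo "default SYSTEM does not name WINBIND: '$sys'"; return 1 ;;
    esac
    prog=$(stanza_attr "$2" WINBIND program)
    [ -n "$prog" ] || { echo "no WINBIND program in $2"; return 1; }
    echo "login method WINBIND -> $prog"
}

# check_method_binary PATH: the load module must resolve. A symlink still
# pointing at an old Samba tree (John's case) is dangling; ls -l shows the
# target, since AIX has no readlink.
check_method_binary() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then
        echo "dangling symlink: $(ls -l "$1")"; return 1
    fi
    [ -e "$1" ] || { echo "missing load module: $1"; return 1; }
}
# On the AIX box itself, run both checks against the real paths above, then
# wbinfo -p (winbindd answers) and wbinfo -t (machine trust secret is valid).
```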
William Jojo
2010-Apr-02 13:19 UTC
[Samba] AIX 5.3 Active Directory Synchronisation using Winbind
---- Original message ----
> Date: Fri, 2 Apr 2010 08:15:38 -0400 (EDT)
> From: John Welch <jwelch at brosco.com>
> Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind
> To: cgreen at ultradata.com.au
> Cc: samba at lists.samba.org
>
> I know one issue I ran into when I recently upgraded Samba on the AIX box was
> that the WINBIND file in /usr/lib/security was a symbolic link that was not
> linked to the correct version of Samba. Have you looked at this file and
> verified that it is correct?

John,
Can you provide a little more on the problem you had? I'm not able to find the
broken link in my development servers (32 or 64 bit), and I *really* want to
improve our quality control.
Glad to hear the project is working out for you otherwise. :-)
Cheers,
Bill
John Welch
2010-Apr-02 14:09 UTC
[Samba] AIX 5.3 Active Directory Synchronisation using Winbind
----- "William Jojo" <w.jojo at hvcc.edu> wrote:
> John,
> Can you provide a little more on the problem you had? I'm not able to find
> the broken link in my development servers (32 or 64 bit), and I *really*
> want to improve our quality control.
> Glad to hear the project is working out for you otherwise. :-)
> Cheers,
> Bill

Hi Bill,
Prior to the recent upgrade to 3.4.5 we had been using an "old" 3.0 version
(3.0.28) from your pware project. At that level of Samba at least the directory
structure was "/opt/pware/samba/<version>". I did the upgrade a few months ago,
so I'm trying to recall from memory the exact issue, but I believe after
upgrading the WINBIND symbolic link was still pointing to the 3.0.28 binary.
Not sure if the upgrade should have fixed this automatically or not. Really a
minor thing, but something I overlooked initially.
Your project is awesome... Keep up the good work!
Thanks,
John