I?m trying to get an AIX + samba + ADS system working properly. The samba
server is a domain member and I can use the wbinfo ?u and wbinfo ?g
commands with no problem. We?re running pware64 version 3.5.11 on AIX 6.1.
I need to know if as a group member of the ADS, do I still need to do a
net groupmap to map ADS groups to AIX groups or does this happen
automatically with this version of samba? The users can log in, but can?t
access their shares. The only way they?ve been able to access their shares
is if I change the directory permissions to 777. Here?s our configuration:
Smb.conf
#======================= Global Settings
====================================[global]
workgroup = CINTASFIT
server string = CINSD20 Samba Server
netbios name = CINSD20
security = ADS
encrypt passwords = yes
password server = *
realm = CINTAS.FIT
local master = no
domain master = no
wins support = no
dns proxy = no
load printers = no
admin users = root
allow trusted domains = yes
map untrusted to domain = yes
client use spnego = yes
log file = /var/log/samba/%m.log
max log size = 1000
log level = 3
nmbd bind explicit broadcast = no
winbind enum users = no
winbind enum groups = no
winbind separator = +
winbind nested groups = yes
winbind use default domain = yes
nt acl support = yes
inherit acls = yes
map acl inherit = yes
map to guest = Never
store dos attributes = yes
inherit permissions = yes
idmap uid = 200000 - 500000
idmap gid = 200000 - 500000
#============================ Share Definitions
=============================[don]
comment = Sample share
path = /tmp
create mask = 0644
directory mask = 0775
writeable=yes
guest ok = no
valid users = CINTASFIT+aixuser, root
admin users = root
[BISHAREDDEV]
path = /BI_SHARED
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+c_acct_cptr_app_g, @CINTAS+sap_cintas_pp,
@CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G, @CINTAS+C_Payroll_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G,
@CINTAS+C_Payroll_G
admin users = root
[FIFTHTHDEV]
path = /interface_secure/FifthThird
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
admin users = root
[NOVASCOTDEV]
path = /interface_secure/NovaScotia
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
admin users = root
[HEWITTDEV]
path = /interface_secure/Hewitt
create mask = 0644
directory mask = 0c = yes
public = no
writeable = no
guest ok = no
valid users = @CINTAS+c_sap_hewitt_u, @CINTAS+C_MIS_Finance_G,
@CINTAS+C_Payroll_G
write list = @CINTAS+c_sap_hewitt_u, @CINTAS+C_MIS_Finance_G,
@CINTAS+C_Payroll_G
admin users = root
[INTSECUREDEV]
path = /interface_secure
create mask = 0644
directory mask = 0775
writeable = no
guest ok = no
valid users = @CINTAS+C_MIS_Finance_G
admin users = root
[INOVISDEV]
path = /interface/Inovis
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_MIS_EDI
write list = @CINTAS+C_MIS_EDI
admin users = root
[OPTIPLANDEV]
path = /interface/Optiplan
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+SAPITTech, @CINTAS+SAP_Cintas_PP
write list = @CINTAS+SAPITTech, @CINTAS+SAP_Cintas_PP
admin users = root
[CONCURDEV]
path = /interface_secure/Concur
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
admin users = root
[INTERFACEDEV]
path = /interface
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_MIS_Finance_G
admin users = root
[PITNEYBOWDEV]
path = /interface_secure/PitneyBowes
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
admin users = root
[IRSAUDITDEV]
path = /interface_secure/IRSAUDITDEV
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_Acct_Cptr_App_G, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Cptr_App_G, @CINTAS+C_MIS_Finance_G
admin users = root
[PNCDEV]
path = /interface_secure/PNCDEV
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
admin users = root
[PROJDEVARCH]
path = /interface_secure/Projections/I-780683-1-ECC/Archive
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_Acct_Alchemy_AP
write list = @CINTAS+C_Acct_Alchemy_AP
admin users = root
[PROJECTNDEV]
path = /interface_secure/Projections
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_MIS_Finance_G, @CINTAS+C_Acct_Cptr_App_G
write list = @CINTAS+C_MIS_Finance_G, @CINTAS+C_Acct_Cptr_App_G
admin users = root
[RYANDEV]
path = /interface_secure/Ryan
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_MIS_Finance_G, @CINTAS+C_Acct_Cptr_App_G
write list = @CINTAS+C_MIS_Finance_G, @CINTAS+C_Acct_Cptr_App_G
admin users = root
krb5.conf
[logging]
default = /var/log/samba/krb5.log
kdc = /var/log/samba/krb5.log
kdc_rotate = {
period = 1d
version = 5
}
[libdefaults]
ticket_lifetime = 1d
default_realm = CINTAS.FIT
dns_lookup_kdc = true
verify_ap_req_nofail = false
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
des3-hmac-sha1
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
des3-hmac-sha1
clockskew = 1000
[realms]
cintas.fit = {
kdc = cinw08v100.cintas.fit
kdc = cinw09v101.cintas.fit
default_domain = cintas.fit
}
[domain_realm]
cintas.fit = CINTAS.FIT
.cintas.fit = CINTAS.FIT
[appdefaults]
pam = {
debug = false
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 500
try_first_pass = true
}
/etc/pam.conf
#Added for Samba
auth sufficient pam_winbind.so use_first_pass
account sufficient pam_winbind.so use_first_pass
password sufficient pam_winbind.so use_first_pass
session optional pam_winbind.so use_first_pass
/etc/security/user
Changed SYSTEMSYSTEM = "compat" to SYSTEM = "DCE OR DCE[UNAVAIL]
AND compat"
/usr/lib/security/methods.cfg
WINDBIND:
program = /opt/pware64/lib/security/WINBIND
program_64 = /opt/pware64/lib/security/WINBIND
options = authonly
LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP_64
I?ve been combing the documentation to try and figure this out, but my head
is spinning right now and I just haven?t been able to put things together
to get this to work.
Thanks for any help?
--
Jim Thompson
needgod.com