Rowland penny
2021-May-23 21:57 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
On 23/05/2021 22:17, Ben Huntsman wrote:
> Hi there, and thank you for the reply! Very much appreciated!
>
> >Ah, I begin to see the light, you want to use the users in /etc/passwd
> >and AD, well, if so, then stop there, you cannot have the same user in
> >/etc/passwd and in AD. Further to this, Samba will not know who the
> >users in /etc/passwd are.
>
> Right, I want the AD users to *not* be in /etc/passwd. What I'm
> saying is that if I don't put them in there, then they can't connect
> to the server via \\<aix host name> at all.

I have never used AIX, but it sounds like you are missing the AIX
versions of the Debian packages libnss-winbind and libpam-winbind
and/or winbind isn't running. By using the 'rid' backend it should
just work, the other thing is, does AIX have /etc/nsswitch.conf and is
it set correctly ?

> >You might use root by design, but can I introduce you to the concept of
> >security ? Also this isn't how AD works.
>
> Agreed, but this isn't part of the actual issue at hand. I will
> tighten up security but I want to get basic connectivity working first.

Understood

> >Is the workgroup 'MY' or 'NSI' ? They should match.
>
> Apparently I missed one, but I was trying to sanitize the logs so it
> didn't contain specifics of my environment. They should have all said
> 'MY' in the examples I posted. The configuration provided works
> perfectly for users who are in AD and also have a matching AIX account.

Then it isn't working, the AIX users will be used before the AD users
if they are the same username, you do not need the users in /etc/passwd.

> >Are you aware that the share shown is read only ?
>
> Yes, but I also have "read only = no" in the [global] section.

Not a good idea, that sets it for all shares, just set it in the shares.

> Regardless, the individual shares are beside the point. Right now AD
> users not in /etc/passwd can't even get to \\<aix host name> whereas
> users in /etc/passwd (with matching AD accounts) can.

Going round in circles here, you need to fix the links, try reading this:

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC#Libnss_winbind_Links

> I followed those two links you sent as closely as I was able given
> that they are written for Linux and not AIX. AIX has no nsswitch.conf
> and uses the stanza in /etc/methods.cfg I provided for the same
> purpose. But, I didn't see in those articles an answer to why Samba
> realizes that the user is valid but we still get an
> NT_STATUS_UNSUCCESSFUL when the user doesn't have an AIX account.
> Security ramifications aside, my read of the documentation suggests
> that my configs as provided should work. I feel like I'm missing
> something very AIX-specific here, or that this is a bug...
>
> Thanks again, and I look forward to getting to the bottom of this!

Ah, we need someone who does use AIX, I can only tell you how to use
Samba on Debian etc.

Rowland
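A quick diagnostic for the three things Rowland points at in the message above (name lookups not wired to winbind, the idmap backend for the domain, and "read only = no" sitting in [global]), written as an added example for this page; it is not code from the thread or from the Samba project. It reads a Linux-style /etc/nsswitch.conf and an smb.conf; the AIX /etc/methods.cfg stanza is not parsed. The sample files it writes are constructed, the realm and share path in them are placeholders, and the live checks assume the standard wbinfo and getent tools are installed.

```shell
#!/bin/sh
# Added example (not from the list thread): sanity-check the pieces that
# let Samba see AD users without an /etc/passwd entry.

# nss_has_winbind FILE DB -> exit 0 if the "DB:" line in FILE lists winbind
nss_has_winbind() {
    sed 's/#.*//' "$1" 2>/dev/null \
        | grep -E "^[[:space:]]*$2[[:space:]]*:" \
        | grep -Eq '(^|[[:space:]])winbind([[:space:]]|$)'
}

# global_param SMBCONF KEY -> prints the value of KEY from [global] only;
# whitespace in the key is ignored, so "idmap config MY : backend" works
global_param() {
    awk -v key="$2" '
        BEGIN { gsub(/[[:space:]]/, "", key); key = tolower(key); g = 0 }
        /^[[:space:]]*[#;]/ { next }                         # comment line
        /^[[:space:]]*\[/   { g = (tolower($0) ~ /\[global\]/); next }
        g {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", k)
            if (tolower(k) == key) {
                v = substr($0, n + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1" 2>/dev/null
}

# check_configs NSSWITCH SMBCONF DOMAIN -> one line per finding; exit 1 on any FAIL
check_configs() {
    rc=0
    for db in passwd group; do
        if nss_has_winbind "$1" "$db"; then echo "ok:   $db lookups include winbind"
        else echo "FAIL: $db line in $1 does not list winbind"; rc=1; fi
    done
    be=$(global_param "$2" "idmap config $3 : backend")
    if [ -n "$be" ]; then echo "ok:   idmap backend for $3 is '$be'"
    else echo "FAIL: no 'idmap config $3 : backend' in $2"; rc=1; fi
    if [ "$(global_param "$2" "read only")" = "no" ]; then
        echo "warn: 'read only = no' in [global] applies to every share; set it per share"
    fi
    return $rc
}

# live_checks DOMAIN USER -> exercises the running winbindd when the tools exist;
# skipped entirely in an offline run
live_checks() {
    command -v wbinfo >/dev/null 2>&1 || { echo "skip: wbinfo not installed"; return 0; }
    if wbinfo -p >/dev/null 2>&1; then echo "ok:   winbindd answers ping"
    else echo "FAIL: winbindd not responding (is it running?)"; fi
    # an AD user must resolve through NSS with no /etc/passwd entry at all
    if getent passwd "$1\\$2" >/dev/null 2>&1; then echo "ok:   getent resolves $1\\$2 via NSS"
    else echo "FAIL: getent cannot resolve $1\\$2 (libnss_winbind links / nsswitch)"; fi
}

# write_samples DIR -> constructed sample files for an offline run (placeholders, not real hosts)
write_samples() {
    cat > "$1/nsswitch.good" <<'EOF'
passwd:  files winbind
group:   files winbind
shadow:  files
hosts:   files dns
EOF
    cat > "$1/nsswitch.bad" <<'EOF'
passwd:  files
group:   files
EOF
    cat > "$1/smb.conf" <<'EOF'
[global]
   workgroup = MY
   security = ADS
   realm = MY.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MY : backend = rid
   idmap config MY : range = 10000-999999
   read only = no

[data]
   path = /srv/data
   read only = no
EOF
}

# "sh check_winbind.sh demo" runs the checks on the constructed samples;
# "sh check_winbind.sh NSSWITCH SMBCONF DOMAIN [USER]" checks real files plus the live host.
case "${1:-}" in
    demo) d="${TMPDIR:-/tmp}/winbind-check.$$"; mkdir -p "$d"; write_samples "$d"
          check_configs "$d/nsswitch.good" "$d/smb.conf" MY
          check_configs "$d/nsswitch.bad"  "$d/smb.conf" MY
          rm -rf "$d" ;;
    "")   ;;
    *)    check_configs "$1" "$2" "$3"; live_checks "$3" "${4:-Administrator}" ;;
esac
```

On the bad sample the passwd and group lines fail, which is the same symptom as the thread: the user exists in AD, but nothing on the host can turn the name into a uid, so the session ends with an error instead of a listing.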
Rowland penny
2021-May-23 22:08 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
On 23/05/2021 22:57, Rowland penny via samba wrote:
> On 23/05/2021 22:17, Ben Huntsman wrote:
>> Hi there, and thank you for the reply! Very much appreciated!
>>
>> >Ah, I begin to see the light, you want to use the users in /etc/passwd
>> >and AD, well, if so, then stop there, you cannot have the same user in
>> >/etc/passwd and in AD. Further to this, Samba will not know who the
>> >users in /etc/passwd are.
>>
>> Right, I want the AD users to *not* be in /etc/passwd. What I'm
>> saying is that if I don't put them in there, then they can't connect
>> to the server via \\<aix host name> at all.
>
> I have never used AIX, but it sounds like you are missing the AIX
> versions of the Debian packages libnss-winbind and libpam-winbind
> and/or winbind isn't running. By using the 'rid' backend it should
> just work, the other thing is, does AIX have /etc/nsswitch.conf and is
> it set correctly ?
>
>> >You might use root by design, but can I introduce you to the concept of
>> >security ? Also this isn't how AD works.
>>
>> Agreed, but this isn't part of the actual issue at hand. I will
>> tighten up security but I want to get basic connectivity working first.
>
> Understood
>
>> >Is the workgroup 'MY' or 'NSI' ? They should match.
>>
>> Apparently I missed one, but I was trying to sanitize the logs so it
>> didn't contain specifics of my environment. They should have all
>> said 'MY' in the examples I posted. The configuration provided works
>> perfectly for users who are in AD and also have a matching AIX account.
>
> Then it isn't working, the AIX users will be used before the AD users
> if they are the same username, you do not need the users in /etc/passwd.
>
>> >Are you aware that the share shown is read only ?
>>
>> Yes, but I also have "read only = no" in the [global] section.
>
> Not a good idea, that sets it for all shares, just set it in the shares.
>
>> Regardless, the individual shares are beside the point. Right now
>> AD users not in /etc/passwd can't even get to \\<aix host name>
>> whereas users in /etc/passwd (with matching AD accounts) can.
>
> Going round in circles here, you need to fix the links, try reading this:
>
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC#Libnss_winbind_Links
>
>> I followed those two links you sent as closely as I was able given
>> that they are written for Linux and not AIX. AIX has no
>> nsswitch.conf and uses the stanza in /etc/methods.cfg I provided for
>> the same purpose. But, I didn't see in those articles an answer to
>> why Samba realizes that the user is valid but we still get an
>> NT_STATUS_UNSUCCESSFUL when the user doesn't have an AIX account.
>> Security ramifications aside, my read of the documentation suggests
>> that my configs as provided should work. I feel like I'm missing
>> something very AIX-specific here, or that this is a bug...
>>
>> Thanks again, and I look forward to getting to the bottom of this!
>
> Ah, we need someone who does use AIX, I can only tell you how to use
> Samba on Debian etc.
>
> Rowland

And that someone seems to be Bjorn Jacke, try looking at this:

https://www.youtube.com/watch?v=FwQpcnb-jTs

Rowland