John P Janosik
2021-May-24 18:52 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
Ben Huntsman <ben at huntsmans.net> wrote on 05/24/2021 11:38:29 AM:

Hi Ben,

> Hi there! Thank you for the reply, John!
>
> >Look at the default value of "registry" in /etc/security/user, that
> >specifies which method from /etc/methods.cfg will be used for user lookup.
> >Watch out if you change the default to WINBIND to make sure you override
> >that back to the old setting on a per user stanza basis for non AD users
> >on the system.
>
> I have the following set in /etc/security/user:
>
> default:
> ...
> SYSTEM = "compat OR WINBIND"
> ...
>
> Earlier I had tried adding "registry = WINBIND" to that as well, but
> it did not change the behavior.
>
> Do you have Samba working on any of your AIX systems with "security
> = ads"? Would you be willing to share your smb.cfg's [global]
> section, krb5.conf, methods.cfg, and /etc/security/user's default:
> section (appropriately sanitized, of course)?
>

I haven't used Samba on AIX with AD for many years so can't help with Samba specifics. The "SYSTEM" setting in /etc/security/user sets which modules are used to authenticate users via the AIX LAM. Since Samba isn't using AIX LAM for authentication I would not think you would need WINBIND there unless you want to allow AD users to log into the system for shell or access to applications that use the AIX authenticate API.

If "lsuser ALL" or "lsuser SOMEADUSER" doesn't show user information for AD users then seems there is some issue with the configuration of the WINBIND module. I can't provide any more help than that, perhaps a case with AIX support could help with how to debug communication between AIX and the modules in methods.cfg.

> I can't thank you enough!
>
> -Ben

John
Rowland penny
2021-May-24 19:07 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
On 24/05/2021 19:52, John P Janosik via samba wrote:
> Ben Huntsman <ben at huntsmans.net> wrote on 05/24/2021 11:38:29 AM:
>
> Hi Ben,
>
>> Hi there! Thank you for the reply, John!
>>
>>> Look at the default value of "registry" in /etc/security/user, that
>>> specifies which method from /etc/methods.cfg will be used for user lookup.
>>> Watch out if you change the default to WINBIND to make sure you override
>>> that back to the old setting on a per user stanza basis for non AD users
>>> on the system.
>> I have the following set in /etc/security/user:
>>
>> default:
>> ...
>> SYSTEM = "compat OR WINBIND"
>> ...
>>
>> Earlier I had tried adding "registry = WINBIND" to that as well, but
>> it did not change the behavior.
>>
>> Do you have Samba working on any of your AIX systems with "security
>> = ads"? Would you be willing to share your smb.cfg's [global]
>> section, krb5.conf, methods.cfg, and /etc/security/user's default:
>> section (appropriately sanitized, of course)?
>>
> I haven't used Samba on AIX with AD for many years so can't help with
> Samba specifics. The "SYSTEM" setting in /etc/security/user sets which
> modules are used to authenticate users via the AIX LAM. Since Samba isn't
> using AIX LAM for authentication I would not think you would need WINBIND
> there unless you want to allow AD users to log into the system for shell
> or access to applications that use the AIX authenticate API.

Problem is, from Samba 4.8.0, with 'security = ADS', you must run winbind.

> If "lsuser ALL" or "lsuser SOMEADUSER" doesn't show user information for
> AD users then seems there is some issue with the configuration of the
> WINBIND module. I can't provide any more help than that, perhaps a case
> with AIX support could help with how to debug communication between AIX
> and the modules in methods.cfg.

Until the AIX tools show the AD users & groups, you cannot use them on the AIX machine.
On Linux machines, Samba is connected via PAM and nsswitch with the winbind links; you need to find out if AIX can use these links and, if so, how.

Sorry, but I cannot help any further than this.

Rowland
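
The warning quoted in this thread about changing the default "registry" to WINBIND can be checked mechanically. The following is an added example, not code from any poster, Samba or AIX: it parses a constructed /etc/security/user and lists local accounts with no per-user "registry" override, which would therefore inherit WINBIND from the default stanza. The stanza layout handled here, the sample file content and the list of local account names are assumptions.

```python
# Added example: audit an AIX-style /etc/security/user for local accounts that
# inherit registry = WINBIND from the default stanza.

# Constructed sample content; not taken from any system in the thread.
SAMPLE = '''\
* constructed sample of /etc/security/user
default:
	SYSTEM = "compat OR WINBIND"
	registry = WINBIND

root:
	SYSTEM = "compat"
	registry = files

appsvc:
	rlogin = false
'''

def parse_stanzas(text):
    """Return {stanza_name: {attribute: value}} from stanza-formatted text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # blank line or comment
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return stanzas

def effective(stanzas, user, attr):
    """A per-user value wins; otherwise the default stanza applies."""
    return stanzas.get(user, {}).get(attr, stanzas.get("default", {}).get(attr))

def inherited_registry_findings(stanzas, local_users, module="WINBIND"):
    """List (user, effective SYSTEM) for local users lacking a registry override."""
    findings = []
    for user in local_users:
        has_override = "registry" in stanzas.get(user, {})
        if not has_override and effective(stanzas, user, "registry") == module:
            findings.append((user, effective(stanzas, user, "SYSTEM")))
    return findings

if __name__ == "__main__":
    parsed = parse_stanzas(SAMPLE)
    # Assumed list of non-AD accounts; "backup" has no stanza at all.
    for user, system in inherited_registry_findings(parsed, ["root", "appsvc", "backup"]):
        print(f"{user}: registry inherited as WINBIND (SYSTEM = {system!r})")
```
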