Ben Huntsman
2021-May-26 00:11 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
I take it there are not many AIX users here. I have continued to dig on this and I discovered this:

https://www.ibm.com/support/pages/apar/IJ29552

That APAR from IBM covers a bug that prevents some LAM modules from working. And indeed, installing it improved the situation for winbind on AIX. With that ifix (or with upgrading to AIX 7100-05-08), I can now log into the AIX system via ssh or telnet using AD username/passwords that aren't defined on the system! That's a huge step in the right direction! And also an indicator that Samba on AIX may be broken due to AIX bugs.

Unfortunately, there is still the problem that if a user isn't defined on AIX, it can't connect to \\<aix host name>, despite the fact that the log clearly shows that it successfully authenticates the user, but then the session bombs out:

# smbclient //testhost/share1 -U MY\\testuser
Enter MY\testuser's password: <correct password>
session setup failed: NT_STATUS_UNSUCCESSFUL
# smbclient //testhost/share1 -U MY\\testuser
Enter MY\testuser's password: <purposefully-typed incorrect password>
session setup failed: NT_STATUS_LOGON_FAILURE

I'm pretty sure it all comes down to this:

May 25 17:05:55 testhost daemon:err|error smbd[5308666]: [2021/05/25 17:05:55.001540, 0] ../../source3/lib/system_smbd.c:226(getgroups_unix_user)
May 25 17:05:55 testhost daemon:err|error smbd[5308666]: get_user_groups: failed to get the unix group list

Somehow, even though winbind can clearly get information about the groups via lsgroup, wbinfo -g, etc, when a user browses to \\<aix host name>, it fails to return the list of groups and then our SMB session fails to get established.

Has anyone seen this, or know more about it, or if it's resolved in newer Samba builds?

Thank you very much to all who have replied so far! Your help is greatly appreciated!

-Ben

Rowland penny
2021-May-26 08:25 UTC
[Samba] Samba on AIX with security = ads - does it actually work?
On 26/05/2021 01:11, Ben Huntsman via samba wrote:
> I take it there are not many AIX users here. I have continued to dig on this and I discovered this:
>
> https://www.ibm.com/support/pages/apar/IJ29552
>
> That APAR from IBM covers a bug that prevents some LAM modules from working. And indeed, installing it improved the situation for winbind on AIX. With that ifix (or with upgrading to AIX 7100-05-08), I can now log into the AIX system via ssh or telnet using AD username/passwords that aren't defined on the system! That's a huge step in the right direction! And also an indicator that Samba on AIX may be broken due to AIX bugs.
>
> Unfortunately, there is still the problem that if a user isn't defined on AIX, it can't connect to \\<aix host name>, despite the fact that the log clearly shows that it successfully authenticates the user, but then the session bombs out:
>
> # smbclient //testhost/share1 -U MY\\testuser
> Enter MY\testuser's password: <correct password>
> session setup failed: NT_STATUS_UNSUCCESSFUL
> # smbclient //testhost/share1 -U MY\\testuser
> Enter MY\testuser's password: <purposefully-typed incorrect password>
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> I'm pretty sure it all comes down to this:
>
> May 25 17:05:55 testhost daemon:err|error smbd[5308666]: [2021/05/25 17:05:55.001540, 0] ../../source3/lib/system_smbd.c:226(getgroups_unix_user)
> May 25 17:05:55 testhost daemon:err|error smbd[5308666]: get_user_groups: failed to get the unix group list
>
> Somehow, even though winbind can clearly get information about the groups via lsgroup, wbinfo -g, etc, when a user browses to \\<aix host name>, it fails to return the list of groups and then our SMB session fails to get established.
>
> Has anyone seen this, or know more about it, or if it's resolved in newer Samba builds?
>
> Thank you very much to all who have replied so far! Your help is greatly appreciated!
>
> -Ben

From everything you have posted, I am fairly convinced that you have an AIX problem and not a Samba problem. I can assure you that Samba works on Linux, it just doesn't seem to work on AIX.

Rowland