[Samba] Looking for AIX Users of Winbind -- Authorization and SSH Problems

Andrew Masterson Andrew.Masterson at nuvistaenergy.com
Fri Nov 13 11:24:23 MST 2009


> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Kevin Newman
> Sent: Thursday, November 12, 2009 3:55 PM
> To: samba at lists.samba.org
> Subject: [Samba] Looking for AIX Users of Winbind -- Authorization and SSH Problems
> 
> Hi all,
> 
> I've got Samba with Winbind working on AIX 5.3 and 6.1 fairly well with
> Active Directory 2003.  In fact, I'd say short of 2 very important
> services, it's working almost perfectly.  Unfortunately, these 2 services
> are quite critical, and without them I'm afraid we'll have to resort to
> some sort of proprietary identity solution like Novell, which I'm not
> crazy about.  Assume that these examples are all from Samba 3.3.4, though
> I have tried a few versions back to 3.0.0 and forward to 3.3.9, with no
> different results.  These are also from pWare's compiled versions (linked
> here: http://pware.hvcc.edu/download/).
> 
> The two things I can't get working with Winbind on AIX:
> 
> 1. SSH.  Doesn't seem to work on AIX 5.3 with Winbind.  I get a
> "setgroups: Not owner" and "initgroups: Not owner" error in the sshd debug
> and the session is closed after authentication succeeds.  I *can*,
> however, get this working on AIX 6.1 with pWare's compiled SSH 5.2.1.0.
> 
> 2. Authorization (e.g., who can log into the box ... NOT just all of AD).
> I'm pretty good at configuring Winbind on Linux, and on Linux there's a
> pam_winbind.conf file that I usually use to lock down the box to specific
> AD users or groups -- I use the require_membership_of line and it works
> just fine.  Unfortunately, I don't see any pam_winbind.conf file in AIX by
> default.  I've tried placing it in /etc/security/ or in other locations,
> but it doesn't seem to be used.  I've also tried adding pam_winbind lines
> to the /etc/pam.conf and manually adding the "require_membership_of" after
> the stanza, like so:
> 
> telnet  account required        /usr/lib/security/pam_winbind.so require_membership_of=someGroup
> 
> ... also with no success.  To me, it's simply unacceptable to implement
> this Winbind configuration without being able to choose who logs onto the
> box.  Without implementing some form of authorization, I might as well
> just set everyone's password blank.
> 
> So, my question to everyone is: is there anyone out there using Winbind
> with AIX?  If so, have you overcome those 2 issues I'm describing?
> 
> Thanks,
> 
> Kevin



We are using winbind on AIX, and this is my documentation on how I got
it to work:

To use WINBIND:

cp -p /opt/pware/samba/3.0.28/lib/security/WINBIND /usr/lib/security

-------------
edit /usr/lib/security/methods.cfg and add
-------------

WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly


-------------
edit the default stanza in /etc/security/user to have
-------------

        SYSTEM = "WINBIND OR compat"

-=Andrew
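
One way to confirm that the three settings from the reply above are actually in place, as an added example that is not part of the original post. The function names are hypothetical and the sample files are constructed; the script also lists per-user stanzas that set their own SYSTEM value, since those take precedence over the default stanza.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample files constructed.

# stanza_get FILE STANZA ATTR: print ATTR's value inside STANZA.
stanza_get() {
    awk -v want="$2" -v attr="$3" '
        /^[ \t]*\*/ { next }                  # "*" starts a comment line
        /^[^ \t=]+:[ \t]*$/ {                 # stanza header, e.g. "default:"
            name = $1; sub(/:$/, "", name); hit = (name == want); next
        }
        hit && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)  # trim blanks and quotes
            if (key == attr) { print val; exit }
        }' "$1"
}

# system_overrides FILE: print "user=value" for every non-default stanza that
# sets its own SYSTEM, because that value replaces the default stanza's.
system_overrides() {
    awk '
        /^[ \t]*\*/ { next }
        /^[^ \t=]+:[ \t]*$/ { name = $1; sub(/:$/, "", name); next }
        name != "" && name != "default" && /^[ \t]+SYSTEM[ \t]*=/ {
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)
            print name "=" val
        }' "$1"
}

# check_winbind METHODS USERFILE: succeed only if all three settings match.
check_winbind() {
    [ "$(stanza_get "$1" WINBIND program)" = "/usr/lib/security/WINBIND" ] &&
    [ "$(stanza_get "$1" WINBIND options)" = "authonly" ] &&
    [ "$(stanza_get "$2" default SYSTEM)" = "WINBIND OR compat" ]
}

# make_sample DIR: write constructed methods.cfg and user files for a dry run.
make_sample() {
    printf 'WINBIND:\n\tprogram = /usr/lib/security/WINBIND\n\toptions = authonly\n' > "$1/methods.cfg"
    printf '* constructed sample\ndefault:\n\tSYSTEM = "WINBIND OR compat"\n\nroot:\n\tSYSTEM = "compat"\n' > "$1/user"
}

dir=$(mktemp -d) && make_sample "$dir"
check_winbind "$dir/methods.cfg" "$dir/user" && echo "settings match"
system_overrides "$dir/user"
rm -rf "$dir"
```

On a host, the same check is `check_winbind /usr/lib/security/methods.cfg /etc/security/user`.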

