[Samba] Samba ADS on AIX 6.1 TL04

William Jojo w.jojo at hvcc.edu
Tue Apr 27 12:59:03 MDT 2010


Yashpal Nagar wrote:
>  
>  
> Thanks a lot Bill for your reply.
>  
> My smb.conf
> -------------------------------------------------
> [global]

As a member server, I would have expected workgroup to be "AA", that is, 
the prefix of the realm.

>   workgroup = MYGRP
>   domain master = no
>   local master = no
>   server string = Test Samba Server
>   netbios name = FOO
>   realm = AA.DK
>   allow trusted domains = no
>   security = ADS
>   encrypt passwords = yes
>   password server = *
>   dns proxy = no
>   log level = 3
>   max log size = 100
>   log file = /var/log/samba/%m.log
>   client use spnego = yes

Remove the following:

>   idmap domains = MYGRP
>   idmap config MYGRP:default = yes
>   idmap config MYGRP:backend = tdb
>   idmap config MYGRP:range   = 200000  -  500000
>   idmap alloc backend = tdb
>   idmap alloc config:range  = 200000  -  500000

Add the following:

      idmap uid = 200000-500000
      idmap gid = 200000-500000


Please see the following:

http://samba.org/samba/docs/man/manpages-3/idmap_tdb.8.html

But ignore the last example. :-)


The "idmap alloc" is only necessary if the allocator is not going to the 
tdb model specified by "idmap backend".


The man pages are very out of sync with the reality of IDMAP, but IDMAP 
is not a simple component and not always easy to debug, but I think it 
is in a better place now than previously.


>   restrict anonymous = yes
>   wins server = namesrv04 namesrv03
>   name resolve order = wins bcast
> -----------------------------------------------------
> When I run testparm, it says unrecognised " idmap domains = MYGRP". If 
> I comment that out this throws no error for 'net ads testjoin' etc. No 
> matter whichever samba ver I use it complains about this line, I may 
> notice you have mentioned same example in one of your examples in your 
> pdf, under IDMAP_TDB.
>  

Yeah, as of 3.3, that's not the case any longer. I will update my docs 
to reflect the truth. :-)


> Other smb.conf, I have tried which works well on AIX 5.2, but didn't 
> work with precompiled binaries on AIX 6.1
> -------------------------------------------------------
> [global]
>   workgroup = MYGRP
>   domain master = no
>   local master = no
>   server string = Test Samba Server
>   netbios name = foo
>   realm = AA.DK
>   allow trusted domains = no
>   security = ADS
>   encrypt passwords = yes
>   password server = *
>   dns proxy = no
>   log level = 1
>   max log size = 100
>   log file = /var/log/samba/%m.log
>   idmap uid = 100000-999999
>   idmap gid = 1000000-1999999
>   restrict anonymous = yes
>   wins server = namesrv04 namesrv03
>   name resolve order = wins bcast
>   winbind enum groups = no
>   winbind enum users = no
>   winbind cache time = 300
>   winbind use default domain = yes
> --------------------------------------------------
> Since the existing setup (AIX5.2) works well with tdb backend, though 
> it is not explicitly mentioned into the config above, but I can see a 
> large winbindd_idmap.tdb under $SAMBA/var. I would keep the same tdb 
> (default?) backend.
>  
>  


The default is TDB, so yes, it would stay the same. You should (and 
probably want to) copy the winbindd_idmap.tdb to the new server to keep 
your mappings unless this is not desired.

> What I would like to know -
>  
> 1. Which samba binaries you have installed, I believe it is 32 
> bit. Can I use 64 bit binaries on a production server? You have mentioned
> *The 64-bit code is to be treated as PRODUCTION. *
> what does this mean? if this PRODUCTION means it shall be used for 
> production servers or it is for you/SAMBA development team currently 
> using for development/production of samba. Some more information here 
> on your website surely would help more.

Sorry about that. All of my packages were initially 32-bit, then I 
offered the 64-bit code as BETA for about 6 months, and after some 
testing and feedback from users, I marked it as production quality. The 
Samba Team makes no guarantees whatsoever on what I produce. This is 
simply a statement of usability.

I will remove that line from the site.

>  
> 3. After changing methods.cfg, user file, Is there any program need to 
> be restarted apart from samba or server reboot?
>  

The most you may need to do is stop Samba and run "slibclean", then 
restart Samba.


> 4. I understand AIX uses LAM, instead of PAM which is used on Linux. 
> Is there any setting related to LAM we got to do on AIX. There is no 
> nsswitch.conf file as well, I assume since these binaries are already 
> compiled for that platform, it should take care automatically?
>  

The package(s) I provide also support PAM. The IBM LAM framework is in 
use with the WINBIND product Andrew Tridgell wrote some time ago.

You are correct that there is no nsswitch.conf. Effectively, methods.cfg 
and /etc/security/user are the equivalent.


Let me know how you get on.


Cheers,
Bill
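
As an added example (not part of the original message and not Samba project code), a small shell check for the smb.conf change described above: it reports the idmap lines this reply lists for removal and whether "idmap uid" and "idmap gid" are set. The function names and the sample file are constructed for illustration; the parameter values are taken from the thread, and the check reflects the Samba 3.3-era syntax discussed here.

```shell
#!/bin/sh
# Added example (not from the original post). Flags the idmap lines the reply
# lists for removal and checks that "idmap uid" / "idmap gid" are present.

check_idmap_conf() {   # $1 = path to smb.conf; exit status 1 if any finding
    awk '
    /^[ \t]*[#;]/ || !/[=]/ { next }      # skip comments and section headers
    {
        # parameter names are case-insensitive; collapse runs of blanks too
        name = tolower(substr($0, 1, index($0, "=") - 1))
        gsub(/[ \t]+/, " ", name); sub(/^ /, "", name); sub(/ $/, "", name)
        if (name == "idmap domains" || name ~ /^idmap alloc / ||
            name ~ /^idmap config [^:]+ ?: ?(default|backend|range)$/) {
            printf "REMOVE line %d: %s\n", NR, name; bad = 1
        }
        if (name == "idmap uid") uid = 1
        if (name == "idmap gid") gid = 1
    }
    END {
        if (!uid) { print "MISSING: idmap uid"; bad = 1 }
        if (!gid) { print "MISSING: idmap gid"; bad = 1 }
        exit bad + 0
    }' "$1"
}

write_sample_conf() {  # $1 = output path; constructed sample, values from the thread
    cat > "$1" <<'EOF'
[global]
   workgroup = MYGRP
   security = ADS
   realm = AA.DK
   idmap domains = MYGRP
   idmap config MYGRP:default = yes
   idmap config MYGRP:backend = tdb
   idmap config MYGRP:range   = 200000  -  500000
   idmap alloc backend = tdb
   idmap alloc config:range  = 200000  -  500000
EOF
}

sample=${TMPDIR:-/tmp}/smb.conf.sample.$$
write_sample_conf "$sample"
check_idmap_conf "$sample" || echo "fix the findings above, then re-run testparm"
rm -f "$sample"
```

Run it against the real file with `check_idmap_conf /path/to/smb.conf`; a clean file prints nothing and returns 0.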


