[Samba] Samba ADS on AIX 6.1 TL04
William Jojo
w.jojo at hvcc.edu
Tue Apr 27 12:59:03 MDT 2010
Yashpal Nagar wrote:
>
>
> Thanks a lot Bill for your reply.
>
> My smb.conf
> -------------------------------------------------
> [global]
As a member server, I would have expected workgroup to be "AA", that is,
the prefix of the realm.
> workgroup = MYGRP
> domain master = no
> local master = no
> server string = Test Samba Server
> netbios name = FOO
> realm = AA.DK
> allow trusted domains = no
> security = ADS
> encrypt passwords = yes
> password server = *
> dns proxy = no
> log level = 3
> max log size = 100
> log file = /var/log/samba/%m.log
> client use spnego = yes
Remove the following:
> idmap domains = MYGRP
> idmap config MYGRP:default = yes
> idmap config MYGRP:backend = tdb
> idmap config MYGRP:range = 200000 - 500000
> idmap alloc backend = tdb
> idmap alloc config:range = 200000 - 500000
Add the following:
idmap uid = 200000-500000
idmap gid = 200000-500000
Please see the following:
http://samba.org/samba/docs/man/manpages-3/idmap_tdb.8.html
But ignore the last example. :-)
The "idmap alloc" is only necessary if the allocator is not going to the
tdb model specified by "idmap backend".
The man pages are very out of sync with the reality of IDMAP, but IDMAP
is not a simple component and not always easy to debug, but I think it
is in a better place now than previously.
> restrict anonymous = yes
> wins server = namesrv04 namesrv03
> name resolve order = wins bcast
> -----------------------------------------------------
> When I run testparm, it says unrecognised " idmap domains = MYGRP". If
> I comment that out this throws no error for 'net ads testjoin' etc. No
> matter whichever samba ver I use it complains about this line, I may
> notice you have mentioned same example in one of your examples in your
> pdf, under IDMAP_TDB.
>
Yeah, as of 3.3, that's not the case any longer. I will update my docs
to reflect the truth. :-)
> Other smb.conf, I have tried which works well on AIX 5.2, but didn't
> work with precompiled binaries on AIX 6.1
> -------------------------------------------------------
> [global]
> workgroup = MYGRP
> domain master = no
> local master = no
> server string = Test Samba Server
> netbios name = foo
> realm = AA.DK
> allow trusted domains = no
> security = ADS
> encrypt passwords = yes
> password server = *
> dns proxy = no
> log level = 1
> max log size = 100
> log file = /var/log/samba/%m.log
> idmap uid = 100000-999999
> idmap gid = 1000000-1999999
> restrict anonymous = yes
> wins server = namesrv04 namesrv03
> name resolve order = wins bcast
> winbind enum groups = no
> winbind enum users = no
> winbind cache time = 300
> winbind use default domain = yes
> --------------------------------------------------
> Since the existing setup (AIX5.2) works well with tdb backend, though
> it is not explicitly mentioned into the config above, but I can see a
> large winbindd_idmap.tdb under $SAMBA/var. I would keep the same tdb
> (default?) backend.
>
>
The default is TDB, so yes, it would stay the same. You should (and
probably want to) copy the winbindd_idmap.tdb to the new server to keep
your mappings unless this is not desired.
> What I would like to know -
>
> 1. Which samba binaries you have installed, I believe it is 32
> bit. Can I use 64 bit binaries on a production server? You have mentioned
> *The 64-bit code is to be treated as PRODUCTION. *
> what does this mean? if this PRODUCTION means it shall be used for
> production servers or it is for you/SAMBA development team currently
> using for development/production of samba. Some more information here
> on your website surely would help more.
Sorry about that. All of my packages were initially 32-bit, then I
offered the 64-bit code as BETA for about 6 months, and after some
testing and feedback from users, I marked it as production quality. The
Samba Team makes no guarantees whatsoever on what I produce. This is
simply a statement of usability.
I will remove that line from the site.
>
> 3. After changing methods.cfg, user file, Is there any program need to
> be restarted apart from samba or server reboot?
>
The most you may need to do is stop Samba and run "slibclean", then
restart Samba.
> 4. I understand AIX uses LAM, instead of PAM which is used on Linux.
> Is there any setting related to LAM we got to do on AIX. There is no
> nsswitch.conf file as well, I assume since these binaries are already
> compiled for that platform, it should take care automatically?
>
The package(s) I provide also support PAM. The IBM LAM framework is in
use with the WINBIND product Andrew Tridgell wrote some time ago.
You are correct that there is no nsswitch.conf. Effectively, methods.cfg
and /etc/security/user are the equivalent.
Let me know how you get on.
Cheers,
Bill
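
The "Remove the following / Add the following" edit from the reply above, expressed as a check that can be run against an smb.conf before restarting Samba. This is an added example, not part of the original message or of Samba; the function names and the two sample configs are constructed for illustration.

```python
import re

# Parameters the reply above says to remove (its advice, as of Samba 3.3).
REMOVE = re.compile(r"^idmap (domains|config \S+:\S+|alloc backend|alloc config:\S+)$")
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def parse_global(text):
    """Return {parameter: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # parameter names are case-insensitive; collapse whitespace runs
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_idmap(text):
    """List findings for the idmap settings, following the reply's advice."""
    params = parse_global(text)
    findings = [f"remove: {k}" for k in params if REMOVE.match(k)]
    for key in ("idmap uid", "idmap gid"):
        m = RANGE.match(params.get(key, ""))
        if not m:
            findings.append(f"missing or malformed: {key}")
        elif int(m.group(1)) >= int(m.group(2)):
            findings.append(f"empty range: {key}")
    return findings

# Constructed samples: idmap lines from the first quoted smb.conf, then the edit.
ORIGINAL = """[global]
idmap domains = MYGRP
idmap config MYGRP:default = yes
idmap config MYGRP:backend = tdb
idmap config MYGRP:range = 200000 - 500000
idmap alloc backend = tdb
idmap alloc config:range = 200000 - 500000
"""
EDITED = """[global]
idmap uid = 200000-500000
idmap gid = 200000-500000
"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("edited", EDITED)):
        print(name, check_idmap(conf))
```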