[Samba] Samba on AIX with security = ads - does it actually work?
Rowland penny
rpenny at samba.org
Sun May 23 22:08:50 UTC 2021
On 23/05/2021 22:57, Rowland penny via samba wrote:
> On 23/05/2021 22:17, Ben Huntsman wrote:
>> Hi there, and thank you for the reply! Very much appreciated!
>>
>> >Ah, I begin to see the light, you want to use the users in /etc/passwd
>> >and AD, well, if so, then stop there, you cannot have the same user in
>> >/etc/passwd and in AD. Further to this, Samba will not know who the
>> >users in /etc/passwd are.
>>
>> Right, I want the AD users to *not* be in /etc/passwd. What I'm
>> saying is that if I don't put them in there, then they can't connect
>> to the server via \\<aix host name> at all.
>
>
> I have never used AIX, but it sounds like you are missing the AIX
> versions of the Debian packages libnss-winbind and libpam-winbind
> and/or winbind isn't running. By using the 'rid' backend it should
> just work, the other thing is, does AIX have /etc/nsswitch.conf and is
> it set correctly ?
>
>>
>>
>> >You might use root by design, but can I introduce you to the concept of
>> >security ? Also this isn't how AD works.
>>
>> Agreed, but this isn't part of the actual issue at hand. I will
>> tighten up security but I want to get basic connectivity working first.
>
>
> Understood
>
>
>>
>>
>> >Is the workgroup 'MY' or 'NSI' ? They should match.
>>
>> Apparently I missed one, but I was trying to sanitize the logs so it
>> didn't contain specifics of my environment. They should have all
>> said 'MY' in the examples I posted. The configuration provided works
>> perfectly for users who are in AD and also have a matching AIX account.
>
>
> Then it isn't working, the AIX users will be used before the AD users
> if they are the same username, you do not need the users in /etc/passwd.
>
>>
>>
>> >Are you aware that the share shown is read only ?
>>
>> Yes, but I also have "read only = no" in the [global] section.
>
>
> Not a good idea, that sets it for all shares, just set it in the shares.
>
>> Regardless, the individual shares are beside the point. Right now
>> AD users not in /etc/passwd can't even get to \\<aix host name>
>> whereas users in /etc/passwd (with matching AD accounts) can.
>
>
> Going round in circles here, you need to fix the links, try reading this:
>
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC#Libnss_winbind_Links
>
>
>>
>> I followed those two links you sent as closely as I was able given
>> that they are written for Linux and not AIX. AIX has no
>> nsswitch.conf and uses the stanza in /etc/methods.cfg I provided for
>> the same purpose. But, I didn't see in those articles an answer to
>> why Samba realizes that the user is valid but we still get an
>> NT_STATUS_UNSUCCESSFUL when the user doesn't have an AIX account.
>> Security ramifications aside, my read of the documentation suggests
>> that my configs as provided should work. I feel like I'm missing
>> something very AIX-specific here, or that this is a bug...
>>
>> Thanks again, and I look forward to getting to the bottom of this!
>>
> Ah, we need someone who does use AIX, I can only tell you how to use
> Samba on Debian etc.
>
>
> Rowland
>
>
>
And that someone seems to be Bjorn Jacke, try looking at this:
https://www.youtube.com/watch?v=FwQpcnb-jTs
Rowland
More information about the samba
mailing list