winbind + ad + ssh + aix 6.1 working for anyone?

sean finney seanius at seanius.net
Tue Oct 11 08:34:53 MDT 2011


Hi *,

Okay, I've spent the better part of two days trying to get this beast
running, and it feels really, really close but something is just not
clicking into place.  

The goal is to have a domain-joined system with NSS/authentication
configured against AD (no file shares).  AD does not have any of the
sfu/rfc2307 exctensions enabled.  On our linux systems we use the hash
backend, though this seems to reliably crash on the AIX systems, so we've
fallen back to trying to get it working with tdb (whcih does seem to
work).

I'll document the config/setup steps below in case i've missed something.

What works:

 * kinit, klist
 * net ads join
 * wbinfo -i <user>, wbinfo -a <user>, wbinfo -u, wbinfo -g, etc
 * id <user>
 * lsuser -R WINBIND <user>, lsgroup -R WINBIND ALL, etc

What doesn't:

 * su - <user>
 stderr output is "Cannot set process credentials."
 in syslog: auth|security:crit su: BAD SU from root to <user> at /dev/pts/0

 * ssh logins (I assume for the same reason su is failing)

Googling around I've found a few posts of people ending up in a similar
situation, though every discussion seems to end in a dead end with no
follow-up.  

Note that this is with 3.5.x packages, I tried the 3.6.x
packages (and even tried compiling from source, wheeee), but winbind
crashed quite a bit and/or did not work at all depending on the configured
backends (hash vs rid vs tdb), whereas 3.5.x didn't seem to have those
problems.

So if anyone has any ideas/thoughts/questions/comments/etc pretty please
feel encouraged to share them.  otherwise i'll have to nuke the samba
installation from orbit and install VAS/QAS instead :/.


Thanks...

	Sean



Setup details:

 * AIX 6.1 (oslevel -r == -06)
 * KERNEL_BITMODE:                         64
 * install samba+deps pware bff packages from hpvcc (both 32-bit and 64-bit)
 * configure smb.conf:

[global]
	workgroup = DOMAIN
	realm = DOMAIN.NET
	server string = %h server (Samba, AIX.  No, really.)
	interfaces = 127.0.0.0/8 en1
	bind interfaces only = yes
	log file = /opt/pware64/var/log/log.%m
	max log size = 1000
	syslog = 0
	security = ads
	encrypt passwords = true
	obey pam restrictions = no
	map to guest = bad user
	domain master = no
	local master = no
	preferred master = no
	idmap backend = tdb
	idmap uid = 1000-4000000000
	idmap gid = 1000-4000000000
	template shell = /usr/bin/ksh
	winbind use default domain = yes
	winbind separator = \\
	winbind enum groups = no
	winbind enum users = no
	winbind nss info = template
	winbind normalize names = No
	winbind offline logon = Yes
	winbind nested groups = no
	winbind expand groups = 0
	kerberos method = system keytab
	password server = *
	auth methods = winbind

 * join machine to domain with net ads join
 * start winbind
 * configure /usr/lib/security/methods.cfg (place as topmost entry):

WINBIND:
	program = /usr/lib/security/WINBIND
	program_64 = /usr/lib/security/WINBIND_64
	options = debug

 * configure /etc/security/user to contain the following in "default:":

	SYSTEM = "WINBIND OR compat"
	registry = WINBIND


-- 


More information about the samba-technical mailing list