winbind + ad + ssh + aix 6.1 working for anyone?
sean finney
seanius at seanius.net
Tue Oct 11 08:34:53 MDT 2011
Hi *,
Okay, I've spent the better part of two days trying to get this beast
running, and it feels really, really close but something is just not
clicking into place.
The goal is to have a domain-joined system with NSS/authentication
configured against AD (no file shares). AD does not have any of the
sfu/rfc2307 extensions enabled. On our Linux systems we use the hash
backend, though this seems to reliably crash on the AIX systems, so we've
fallen back to trying to get it working with tdb (which does seem to
work).
I'll document the config/setup steps below in case I've missed something.
What works:
* kinit, klist
* net ads join
* wbinfo -i <user>, wbinfo -a <user>, wbinfo -u, wbinfo -g, etc
* id <user>
* lsuser -R WINBIND <user>, lsgroup -R WINBIND ALL, etc
What doesn't:
* su - <user>
stderr output is "Cannot set process credentials."
in syslog: auth|security:crit su: BAD SU from root to <user> at /dev/pts/0
* ssh logins (I assume for the same reason su is failing)
Googling around I've found a few posts of people ending up in a similar
situation, though every discussion seems to end in a dead end with no
follow-up.
Note that this is with 3.5.x packages, I tried the 3.6.x
packages (and even tried compiling from source, wheeee), but winbind
crashed quite a bit and/or did not work at all depending on the configured
backends (hash vs rid vs tdb), whereas 3.5.x didn't seem to have those
problems.
So if anyone has any ideas/thoughts/questions/comments/etc pretty please
feel encouraged to share them. Otherwise I'll have to nuke the samba
installation from orbit and install VAS/QAS instead :/.
Thanks...
Sean
Setup details:
* AIX 6.1 (oslevel -r == -06)
* KERNEL_BITMODE: 64
* install samba+deps pware bff packages from hpvcc (both 32-bit and 64-bit)
* configure smb.conf:
[global]
workgroup = DOMAIN
realm = DOMAIN.NET
server string = %h server (Samba, AIX. No, really.)
interfaces = 127.0.0.0/8 en1
bind interfaces only = yes
log file = /opt/pware64/var/log/log.%m
max log size = 1000
syslog = 0
security = ads
encrypt passwords = true
obey pam restrictions = no
map to guest = bad user
domain master = no
local master = no
preferred master = no
idmap backend = tdb
idmap uid = 1000-4000000000
idmap gid = 1000-4000000000
template shell = /usr/bin/ksh
winbind use default domain = yes
winbind separator = \\
winbind enum groups = no
winbind enum users = no
winbind nss info = template
winbind normalize names = No
winbind offline logon = Yes
winbind nested groups = no
winbind expand groups = 0
kerberos method = system keytab
password server = *
auth methods = winbind
* join machine to domain with net ads join
* start winbind
* configure /usr/lib/security/methods.cfg (place as topmost entry):
WINBIND:
program = /usr/lib/security/WINBIND
program_64 = /usr/lib/security/WINBIND_64
options = debug
* configure /etc/security/user to contain the following in "default:":
SYSTEM = "WINBIND OR compat"
registry = WINBIND
--
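An added example, not part of Sean's post or of the Samba project: a POSIX sh pre-check that parses the kind of smb.conf and AIX methods.cfg stanzas quoted in the setup steps and sanity-checks them before anyone attempts su or ssh. It verifies that the idmap uid/gid ranges are well-formed and fit a 32-bit uid_t, that security is set to ads, and that the WINBIND stanza names both the program and program_64 modules. The fixture files, their paths and the check thresholds are constructed for the example; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Pre-checks winbind-related
# settings before attempting su/ssh: parses "key = value" lines from smb.conf,
# validates the idmap ranges, and confirms the AIX methods.cfg WINBIND stanza
# names both the 32-bit and 64-bit modules. The fixture files below are
# constructed copies of the stanzas quoted in the post; the paths are made up.

SMB_CONF="${TMPDIR:-/tmp}/example-smb.conf"
METHODS_CFG="${TMPDIR:-/tmp}/example-methods.cfg"

write_fixtures() {
  cat > "$SMB_CONF" <<'EOF'
[global]
   workgroup = DOMAIN
   realm = DOMAIN.NET
   security = ads
   idmap backend = tdb
   idmap uid = 1000-4000000000
   idmap gid = 1000-4000000000
   winbind use default domain = yes
   template shell = /usr/bin/ksh
EOF
  cat > "$METHODS_CFG" <<'EOF'
WINBIND:
        program = /usr/lib/security/WINBIND
        program_64 = /usr/lib/security/WINBIND_64
        options = debug
EOF
}

# smb_get FILE KEY: print the value of "KEY = value" (key match is
# case-insensitive, surrounding blanks stripped); prints nothing if absent.
smb_get() {
  awk -v want="$2" '
    /^[[:space:]]*[#;]/ { next }              # skip comment lines
    index($0, "=") > 0 {
      k = substr($0, 1, index($0, "=") - 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      if (tolower(k) == tolower(want)) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# check_idmap_range LOW-HIGH: 0 if both bounds are numeric, LOW < HIGH, and
# HIGH fits an unsigned 32-bit uid_t; 1 otherwise.
check_idmap_range() {
  case "$1" in
    ""|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
  esac
  low="${1%-*}"
  high="${1#*-}"
  [ "$low" -lt "$high" ] || return 1
  [ "$high" -le 4294967295 ] || return 1
  return 0
}

# check_methods_stanza FILE: 0 if the WINBIND: stanza sets both program and
# program_64 (on AIX, program_64 is the copy loaded by 64-bit processes).
check_methods_stanza() {
  awk '
    /^[A-Za-z0-9_]+:[[:space:]]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
    stanza == "WINBIND" && $1 == "program"    && $2 == "=" { p32 = $3 }
    stanza == "WINBIND" && $1 == "program_64" && $2 == "=" { p64 = $3 }
    END { exit (p32 != "" && p64 != "") ? 0 : 1 }
  ' "$1"
}

# winbind_precheck SMB_CONF METHODS_CFG: print one line per check and return
# the number of failed checks (0 means everything looked sane).
winbind_precheck() {
  fails=0
  for key in "idmap uid" "idmap gid"; do
    val=$(smb_get "$1" "$key")
    if check_idmap_range "$val"; then
      echo "ok    $key = $val"
    else
      echo "FAIL  $key = '$val' (want LOW-HIGH, LOW < HIGH <= 4294967295)"
      fails=$((fails + 1))
    fi
  done
  if [ "$(smb_get "$1" security)" = ads ]; then
    echo "ok    security = ads"
  else
    echo "FAIL  security must be 'ads' for an AD-joined winbind setup"
    fails=$((fails + 1))
  fi
  if check_methods_stanza "$2"; then
    echo "ok    methods.cfg WINBIND stanza has program and program_64"
  else
    echo "FAIL  methods.cfg WINBIND stanza is missing program or program_64"
    fails=$((fails + 1))
  fi
  return "$fails"
}

write_fixtures
winbind_precheck "$SMB_CONF" "$METHODS_CFG"
```

Point SMB_CONF and METHODS_CFG at the real files (and drop the write_fixtures call) to run it on a host; the script's exit status is the number of failed checks, so it slots into a post-join verification step before the su/ssh tests in the "What doesn't" list.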