winbind + ad + ssh + aix 6.1 working for anyone?

John E. Kimberly jkimb at kimberlyconsulting.com
Tue Oct 11 10:28:42 MDT 2011


You really should just use Centrify (www.centrify.com).  It will do all 
of this right out of the chute, in 15 minutes or less, with full AIX 6.1 
support.  You will also get Kerberos SSO included within that 15 minutes 
or less.

John

On 10/11/2011 10:34 AM, sean finney wrote:
> Hi *,
>
> Okay, I've spent the better part of two days trying to get this beast
> running, and it feels really, really close but something is just not
> clicking into place.
>
> The goal is to have a domain-joined system with NSS/authentication
> configured against AD (no file shares).  AD does not have any of the
> sfu/rfc2307 extensions enabled.  On our linux systems we use the hash
> backend, though this seems to reliably crash on the AIX systems, so we've
> fallen back to trying to get it working with tdb (which does seem to
> work).
>
> I'll document the config/setup steps below in case I've missed something.
>
> What works:
>
>   * kinit, klist
>   * net ads join
>   * wbinfo -i <user>, wbinfo -a <user>, wbinfo -u, wbinfo -g, etc
>   * id <user>
>   * lsuser -R WINBIND <user>, lsgroup -R WINBIND ALL, etc
>
> What doesn't:
>
>   * su - <user>
>   stderr output is "Cannot set process credentials."
>   in syslog: auth|security:crit su: BAD SU from root to <user> at /dev/pts/0
>
>   * ssh logins (I assume for the same reason su is failing)
>
> Googling around I've found a few posts of people ending up in a similar
> situation, though every discussion seems to end in a dead end with no
> follow-up.
>
> Note that this is with 3.5.x packages, I tried the 3.6.x
> packages (and even tried compiling from source, wheeee), but winbind
> crashed quite a bit and/or did not work at all depending on the configured
> backends (hash vs rid vs tdb), whereas 3.5.x didn't seem to have those
> problems.
>
> So if anyone has any ideas/thoughts/questions/comments/etc pretty please
> feel encouraged to share them.  Otherwise I'll have to nuke the samba
> installation from orbit and install VAS/QAS instead :/.
>
>
> Thanks...
>
> 	Sean
>
>
>
> Setup details:
>
>   * AIX 6.1 (oslevel -r == -06)
>   * KERNEL_BITMODE:                         64
>   * install samba+deps pware bff packages from hpvcc (both 32-bit and 64-bit)
>   * configure smb.conf:
>
> [global]
> 	workgroup = DOMAIN
> 	realm = DOMAIN.NET
> 	server string = %h server (Samba, AIX.  No, really.)
> 	interfaces = 127.0.0.0/8 en1
> 	bind interfaces only = yes
> 	log file = /opt/pware64/var/log/log.%m
> 	max log size = 1000
> 	syslog = 0
> 	security = ads
> 	encrypt passwords = true
> 	obey pam restrictions = no
> 	map to guest = bad user
> 	domain master = no
> 	local master = no
> 	preferred master = no
> 	idmap backend = tdb
> 	idmap uid = 1000-4000000000
> 	idmap gid = 1000-4000000000
> 	template shell = /usr/bin/ksh
> 	winbind use default domain = yes
> 	winbind separator = \\
> 	winbind enum groups = no
> 	winbind enum users = no
> 	winbind nss info = template
> 	winbind normalize names = No
> 	winbind offline logon = Yes
> 	winbind nested groups = no
> 	winbind expand groups = 0
> 	kerberos method = system keytab
> 	password server = *
> 	auth methods = winbind
>
>   * join machine to domain with net ads join
>   * start winbind
>   * configure /usr/lib/security/methods.cfg (place as topmost entry):
>
> WINBIND:
> 	program = /usr/lib/security/WINBIND
> 	program_64 = /usr/lib/security/WINBIND_64
> 	options = debug
>
>   * configure /etc/security/user to contain the following in "default:":
>
> 	SYSTEM = "WINBIND OR compat"
> 	registry = WINBIND
>
>
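The setup above hinges on the idmap and winbind settings in smb.conf, and the thread itself never states what makes "Cannot set process credentials." fire. What follows is an added example, not code from the thread, from Samba or from the poster: an offline linter that parses an smb.conf [global] section and reports the id-mapping problems a practitioner would rule out first before blaming the AIX LAM module. The sample configuration is a constructed copy of the one posted; the limits (local ids below 1000, the signed 32-bit ceiling of 2^31-1) are assumptions stated in the code, and the warning about the 4000000000 upper bound is a check to run, not a diagnosis the thread supports.

```python
"""Offline checks for the idmap/winbind part of an smb.conf [global] section.

Added example; not from the samba-technical thread or the Samba project.
"""
import re

# Constructed copy of the [global] section posted in the thread (not read
# from a live system); only the keys the checks consult are reproduced.
SAMPLE_SMB_CONF = """
[global]
    workgroup = DOMAIN
    realm = DOMAIN.NET
    server string = %h server (Samba, AIX.  No, really.)
    security = ads
    idmap backend = tdb
    idmap uid = 1000-4000000000
    idmap gid = 1000-4000000000
    template shell = /usr/bin/ksh
    winbind use default domain = yes
    winbind separator = \\\\
    winbind nss info = template
    kerberos method = system keytab
"""

# Assumptions, not facts from the thread: local accounts live below 1000,
# and ids above 2^31-1 overflow wherever uid_t/gid_t is handled as a
# signed 32-bit int (many user-space tools and some libc call paths).
LOCAL_ID_MAX = 999
SIGNED_32_MAX = 2 ** 31 - 1

ID_RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_smb_conf(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # junk outside a section or a line with no assignment
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_range(value):
    """Parse 'LOW-HIGH' into (low, high); None if the value is malformed."""
    m = ID_RANGE.match(value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_idmap(globals_section, local_id_max=LOCAL_ID_MAX):
    """Return a list of 'ERROR: ...' / 'WARN: ...' / 'INFO: ...' findings."""
    g = globals_section
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("ERROR: security must be 'ads' for a domain-joined winbind host")
    if "realm" not in g:
        findings.append("ERROR: realm is required with security = ads")
    if not g.get("idmap backend"):
        findings.append("ERROR: no idmap backend configured")
    for key in ("idmap uid", "idmap gid"):
        value = g.get(key)
        if value is None:
            findings.append(f"ERROR: {key} missing; winbind cannot allocate ids")
            continue
        rng = parse_range(value)
        if rng is None:
            findings.append(f"ERROR: {key} = {value!r} is not of the form LOW-HIGH")
            continue
        low, high = rng
        if low >= high:
            findings.append(f"ERROR: {key} range {low}-{high} is empty or inverted")
        if low <= local_id_max:
            # A domain account mapped onto a local account's id inherits its files.
            findings.append(f"ERROR: {key} starts at {low}, overlapping local ids "
                            f"<= {local_id_max}")
        if high > SIGNED_32_MAX:
            findings.append(f"WARN: {key} upper bound {high} exceeds 2^31-1 and "
                            "overflows in code that stores ids as signed 32-bit int")
    if g.get("winbind use default domain", "no").lower() in ("yes", "true", "1"):
        findings.append("INFO: winbind use default domain = yes; a domain user whose "
                        "name matches a local account resolves ambiguously")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(parse_smb_conf(SAMPLE_SMB_CONF)["global"]):
        print(finding)
```

Run it against a real file with `parse_smb_conf(open("/opt/pware64/lib/smb.conf").read())` (path as per your install); anything tagged ERROR is worth fixing before going further down the AIX-side methods.cfg path, and a WARN on the range upper bound is cheap to remove by capping it at 2147483647 or lower.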

