winbind + ad + ssh + aix 6.1 working for anyone?
John E. Kimberly
jkimb at kimberlyconsulting.com
Tue Oct 11 10:29:35 MDT 2011
BTW - to do all this with Centrify, use the Express version, which is FREE
John
On 10/11/2011 10:34 AM, sean finney wrote:
> Hi *,
>
> Okay, I've spent the better part of two days trying to get this beast
> running, and it feels really, really close but something is just not
> clicking into place.
>
> The goal is to have a domain-joined system with NSS/authentication
> configured against AD (no file shares). AD does not have any of the
> sfu/rfc2307 extensions enabled. On our linux systems we use the hash
> backend, though this seems to reliably crash on the AIX systems, so we've
> fallen back to trying to get it working with tdb (which does seem to
> work).
>
> I'll document the config/setup steps below in case I've missed something.
>
> What works:
>
> * kinit, klist
> * net ads join
> * wbinfo -i <user>, wbinfo -a <user>, wbinfo -u, wbinfo -g, etc
> * id <user>
> * lsuser -R WINBIND <user>, lsgroup -R WINBIND ALL, etc
>
> What doesn't:
>
> * su - <user>
> stderr output is "Cannot set process credentials."
> in syslog: auth|security:crit su: BAD SU from root to <user> at /dev/pts/0
>
> * ssh logins (I assume for the same reason su is failing)
>
> Googling around I've found a few posts of people ending up in a similar
> situation, though every discussion seems to end in a dead end with no
> follow-up.
>
> Note that this is with 3.5.x packages, I tried the 3.6.x
> packages (and even tried compiling from source, wheeee), but winbind
> crashed quite a bit and/or did not work at all depending on the configured
> backends (hash vs rid vs tdb), whereas 3.5.x didn't seem to have those
> problems.
>
> So if anyone has any ideas/thoughts/questions/comments/etc pretty please
> feel encouraged to share them. Otherwise I'll have to nuke the samba
> installation from orbit and install VAS/QAS instead :/.
>
>
> Thanks...
>
> Sean
>
>
>
> Setup details:
>
> * AIX 6.1 (oslevel -r == -06)
> * KERNEL_BITMODE: 64
> * install samba+deps pware bff packages from hpvcc (both 32-bit and 64-bit)
> * configure smb.conf:
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.NET
> server string = %h server (Samba, AIX. No, really.)
> interfaces = 127.0.0.0/8 en1
> bind interfaces only = yes
> log file = /opt/pware64/var/log/log.%m
> max log size = 1000
> syslog = 0
> security = ads
> encrypt passwords = true
> obey pam restrictions = no
> map to guest = bad user
> domain master = no
> local master = no
> preferred master = no
> idmap backend = tdb
> idmap uid = 1000-4000000000
> idmap gid = 1000-4000000000
> template shell = /usr/bin/ksh
> winbind use default domain = yes
> winbind separator = \\
> winbind enum groups = no
> winbind enum users = no
> winbind nss info = template
> winbind normalize names = No
> winbind offline logon = Yes
> winbind nested groups = no
> winbind expand groups = 0
> kerberos method = system keytab
> password server = *
> auth methods = winbind
>
> * join machine to domain with net ads join
> * start winbind
> * configure /usr/lib/security/methods.cfg (place as topmost entry):
>
> WINBIND:
> program = /usr/lib/security/WINBIND
> program_64 = /usr/lib/security/WINBIND_64
> options = debug
>
> * configure /etc/security/user to contain the following in "default:":
>
> SYSTEM = "WINBIND OR compat"
> registry = WINBIND
>
>
>
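As an added sanity check (not from the thread, Samba, or AIX itself), a small Python script that parses the AIX stanza format used by /usr/lib/security/methods.cfg and /etc/security/user and verifies the wiring the setup above relies on: WINBIND is the topmost methods.cfg entry with both program and program_64 (the kernel here runs in 64-bit mode), and the "default:" stanza's SYSTEM and registry attributes point at WINBIND. The file contents below are constructed to mirror the post; the function names are my own.

```python
import re

# Constructed sample files mirroring the setup described in the post.
METHODS_CFG = """\
WINBIND:
\tprogram = /usr/lib/security/WINBIND
\tprogram_64 = /usr/lib/security/WINBIND_64
\toptions = debug

LDAP:
\tprogram = /usr/lib/security/LDAP
"""

SECURITY_USER = """\
default:
\tSYSTEM = "WINBIND OR compat"
\tregistry = WINBIND
\tlogin = true

root:
\tregistry = files
"""

def parse_stanzas(text):
    """Parse the AIX 'name:' stanza format into an ordered list of (name, {attr: value})."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("*"):   # blank or '*' comment line
            continue
        if not line[0].isspace() and line.endswith(":"):       # new stanza header
            current = (line[:-1], {})
            stanzas.append(current)
        elif current is not None and "=" in line:              # indented attr = value
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip().strip('"')
    return stanzas

def check_winbind_setup(methods_text, user_text):
    """Return a list of problems with the WINBIND loadable-authentication-module wiring."""
    problems = []
    methods = parse_stanzas(methods_text)
    names = [name for name, _ in methods]
    if "WINBIND" not in names:
        problems.append("methods.cfg: no WINBIND stanza")
    elif names[0] != "WINBIND":
        problems.append("methods.cfg: WINBIND is not the topmost entry")
    else:
        for attr in ("program", "program_64"):   # both needed for 32- and 64-bit callers
            if attr not in dict(methods)["WINBIND"]:
                problems.append(f"methods.cfg: WINBIND stanza lacks '{attr}'")
    default = dict(parse_stanzas(user_text)).get("default", {})
    # SYSTEM is a small grammar ("WINBIND OR compat", "LDAP[SUCCESS] ..."); look at its tokens.
    if "WINBIND" not in re.findall(r"\w+", default.get("SYSTEM", "")):
        problems.append("/etc/security/user: default SYSTEM does not include WINBIND")
    if default.get("registry") != "WINBIND":
        problems.append("/etc/security/user: default registry is not WINBIND")
    return problems
```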