winbind + ad + ssh + aix 6.1 working for anyone?

Jeremy Allison jra at samba.org
Tue Oct 11 11:10:14 MDT 2011


On Tue, Oct 11, 2011 at 04:34:53PM +0200, sean finney wrote:
> Hi *,
> 
> Okay, I've spent the better part of two days trying to get this beast
> running, and it feels really, really close but something is just not
> clicking into place.  
> 
> The goal is to have a domain-joined system with NSS/authentication
> configured against AD (no file shares).  AD does not have any of the
> sfu/rfc2307 exctensions enabled.  On our linux systems we use the hash
> backend, though this seems to reliably crash on the AIX systems, so we've
> fallen back to trying to get it working with tdb (whcih does seem to
> work).
> 
> I'll document the config/setup steps below in case i've missed something.
> 
> What works:
> 
>  * kinit, klist
>  * net ads join
>  * wbinfo -i <user>, wbinfo -a <user>, wbinfo -u, wbinfo -g, etc
>  * id <user>
>  * lsuser -R WINBIND <user>, lsgroup -R WINBIND ALL, etc
> 
> What doesn't:
> 
>  * su - <user>
>  stderr output is "Cannot set process credentials."
>  in syslog: auth|security:crit su: BAD SU from root to <user> at /dev/pts/0
> 
>  * ssh logins (I assume for the same reason su is failing)
> 
> Googling around I've found a few posts of people ending up in a similar
> situation, though every discussion seems to end in a dead end with no
> follow-up.  
> 
> Note that this is with 3.5.x packages, I tried the 3.6.x
> packages (and even tried compiling from source, wheeee), but winbind
> crashed quite a bit and/or did not work at all depending on the configured
> backends (hash vs rid vs tdb), whereas 3.5.x didn't seem to have those
> problems.

We have quite a few IBM/AIX users on this list (many from IBM), so hopefully
they'll be able to give you some hints here.

winbindd should not crash under *any* circumstances. If you can
reliably repeat this please report the bug at bugzilla.samba.org
and I'll walk you through giving us the information we'll need to
get any crash bugs fixed.

Thanks,

Jeremy.


More information about the samba-technical mailing list