[Samba] Authentication issues - One problem found,
roamdad at sonic.net
Thu Sep 29 22:36:53 GMT 2005
Ric Tibbetts wrote:
> Okay, I'm narrowing the problem down.
> With all other things configured, I'm down to an ADS problem.
> The reason Samba can't verify my username/passwords (as specified in
> password server = xxx.xxx.xxx.xxx) is because that address points to an
> ADS, and I didn't compile ADS into Samba (best answer I can find...If
> I'm way off base on that one, just let me know).
> So, the next effort would be to compile in ADS.
> THAT fails with errors relating to Kerberos.
> I'm running AIX 5.2, with the IBM Kerberos. I have no authority to
> change the Kerberos distribution.
> Has ANYONE come across this, and have a solution? I can post the exact
> compile error if anyone needs that.
Yeah, I came across it. Last year, on 5.2 with stock IBM Kerberos,
the include files were missing some defines that Samba needed to
compile in Kerberos support. Also the stock IBM Kerberos, at that
time, didn't support rc4-hmac which is the native encryption type
of MS Windows.

I solved it by compiling the latest Kerberos from MIT and installing
it via rpm aka Linux affinity.

Earlier this year, IBM released an updated encryption pack (which
is free) and I didn't have a chance to test against the latest
You might enquire if your 5.2 AIX has the latest Kerberos from IBM
and if not, activate for the system to be upgraded.

Once you get past Kerberos, you'll run into a requirement for LDAP
as well. IBM implements OpenLDAP on top of DB2. Again, older
versions of the product were missing some source defines required
to compile in ADS support in Samba, but I didn't have the
opportunity to test against current versions.

Really, unless you need unified logon, you can install a non-ADS
Samba and have it work, provided you create local accounts and
synchronize the passwords to the Windows ADS password.
Then you wouldn't have to worry about Kerberos and LDAP.