[Samba] SAMBA configuration nightmare (AIX) - idmaps do not work (core dump), ldap/nss_ldap and pam fail

David Shapiro David.Shapiro at bcbsnc.com
Thu Feb 9 14:09:30 GMT 2006


Well, I have tried really hard to get any of the idmaps to work--in
that, idmap_ads, idmap_rid, and I have tried to use idmap storage in
ldap with padl (nss_ldap) too, but I have had no luck.  If I enable pam
in /usr/lib/security/methods.cfg or nss_ldap, I cannot log into the
system anymore.  If I enable pam in /etc/pam.conf and use in
/etc/security/users SYSTEM = "WINBIND or WINBIND[UNAVAIL] AND COMPAT", I
cannot log into the system anymore.  If I enable idmap_ads or idmap_rid
in smb.conf, winbindd core dumps.  I think, and I have not verified this
yet, that if I start up samba without idmap_ad or idmap_rid so that
winbindd starts and then add idmap_rid or idmap_ad once it has started,
winbindd does not core, but I cannot 100% tell if idmapping is
happening.  (After messing with all this, I was wondering why I even
need idmap, pam, or ldap capability anyway.)  Still, it bugs me that I
cannot get any of this to work.
 
Here are my notes:
 
I changed the separator to + from / and now when I use
users=DOMAIN+mylogin, I get access to a share finally. However, when I
run chown DOMAIN+mylogin testdir, testdir is not set to DOMAIN+mylogin,
it is set to tempfn (temporary id is what the gecos/description says).

In aix land, what do I need to do to get it to use WINBIND to set the
directory ownership now? My /usr/lib/security/methods.cfg has authonly
for WINBIND. I take it that is not enough? I saw something where they
wanted me to change SYSTEM=compat to

 SYSTEM = "WINBIND OR WINBIND[UNAVAIL] AND compat"

but when I do that, nobody can log in to the system anymore.
 
My smb.conf now looks like the following:
 
[global]
 
        workgroup = DOMAIN
        realm = DOMAIN.COM
        server string = User management Server
        security = ADS
        password server = ad.domain.com
        log level = 10
        log file = /usr/local/samba/var/log.%m
        max log size = 50
        name resolve order = hosts wins lmhosts bcast
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        preferred master = No
        local master = No
        dns proxy = No
        wins server = svcmc02, svcmc03
        idmap uid = 100000-200000
        idmap gid = 100000-200000
        winbind separator = +
        winbind use default domain = Yes
        winbind nested groups = Yes
        aio read size = 1
        aio write size = 1
 
[home]
 
        path = /home/%D/%u
        valid users = %S
        read only = No
        browseable = No
 
[samba]
 
        path = /usr/local/samba
        username = DOMAIN+mylogin
        valid users = DOMAIN+mylogin
 

My /usr/lib/security/methods.cfg:
 
NIS:
 
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64
 
DCE:
 
        program = /usr/lib/security/DCE
 
* PAM:
* program = /usr/lib/security/PAM
 
WINBIND:
 
        program = /usr/lib/security/WINBIND
        options = authonly
* options = auth=PAM,db=BUILTIN
 
* LDAP:
*       program = /usr/lib/security/NSS_LDAP
 
(haven't had luck with pam either. It will not let me log in if I use it too)
 
PAM:
 
Added to pam.conf:
 
sshd auth required /usr/lib/security/pam_aix
OTHER auth required /usr/lib/security/pam_aix
 
# Account management
sshd account required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_aix
 
# Password management
sshd password required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_aix
 
# Session management
sshd session required /usr/lib/security/pam_aix
OTHER session required /usr/lib/security/pam_aix
 
OTHER auth required /usr/lib/security/pam_winbind.so debug use_first_pass unknown_ok DOMAIN
OTHER account required /usr/lib/security/pam_winbind.so debug use_first_pass unknown_ok DOMAIN
OTHER session required /usr/lib/security/pam_winbind.so debug use_first_pass unknown_ok DOMAIN
OTHER password required /usr/lib/security/pam_winbind.so debug use_first_pass unknown_ok DOMAIN
 

During the build I had to add the following to the Makefile's CFLAGS line
to get pam to compile:

-DPAM_AUTHTOK_RECOVER_ERR=PAM_AUTHTOK_RECOVERY_ERR -DPAM_EXTERN=extern

or load with env CC=gcc as CFLAGS.
 

LDAP:
copied samba/source/example/LDAP/samba.schema to
/usr/local/openldap/etc/openldap/schema folder 
Added to /usr/local/openldap/etc/slapd.conf:
 
# Samba required schemas
include /usr/local/openldap/etc/openldap/cosine.schema
include /usr/local/openldap/etc/openldap/inetorgperson.schema
include /usr/local/openldap/etc/openldap/nis.schema
include /usr/local/openldap/etc/openldap/samba.schema
 
#######################################################################
# BDB database definitions
#######################################################################
database        bdb
suffix          "dc=DOMAIN,dc=COM"
rootdn          "cn=Manager,dc=DOMAIN,dc=COM"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw         mypassword
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/openldap/var/openldap-data
#######################################################################
# Cache
#######################################################################
# dbcachesize if database is ldbm instead of bdb
cachesize 40000
# dbcachesize 60000000
checkpoint 512 720
#######################################################################
# Samba Indexes
#######################################################################
index   objectClass     eq
index cn,sn,uid,displayName     pres,sub,eq
index uidNumber,gidNumber       eq
index sambaSID  eq
index sambaPrimaryGroupSID      eq
index objectClass       pres,eq
index sambaDomainName   eq
index rid,primaryGroupID        eq
index default   sub
 
access to *
        by self write
        by *    read
 
Made directory /usr/local/openldap/var/openldap-data and set chmod 700
Ran /usr/local/openldap/sbin/slapindex -f slapd.conf after loading
samba.ldif with slapadd -f  slapd.conf.


AIO:
AIO support is installed in this package. If you have problems starting
Samba, try the following:
 
 $ lsdev -Cc posix_aio
 posix_aio0 Available  Posix Asynchronous I/O
 
If the above says "Defined" instead of "Available":
 
 $ mkdev -l posix_aio0
 posix_aio0 Available
 
 $ chdev -l posix_aio0 -a autoconfig=available -P
 posix_aio0 changed
 

 
 
David Shapiro
Unix Team Lead
919-765-2011
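One check worth running against the configuration in the post is whether the winbind idmap ranges overlap any locally assigned uid or gid, since an overlap makes a mapped domain id resolve back to the local name instead of DOMAIN+user. This is an added example, not code from the post or from Samba; the smb.conf fragment, the passwd/group excerpts and the names tempfn and builders are constructed for the demonstration.

```python
import re

# Constructed smb.conf fragment with the idmap ranges from the post.
SMB_CONF = """
[global]
        idmap uid = 100000-200000
        idmap gid = 100000-200000
        winbind separator = +
"""
# Constructed /etc/passwd and /etc/group excerpts. "tempfn" is a hypothetical local
# account whose uid sits inside the winbind range; "builders" is a hypothetical group.
PASSWD = """root:!:0:0::/:/usr/bin/ksh
tempfn:!:100042:1:temporary id:/home/tempfn:/usr/bin/ksh
mylogin:!:205:1::/home/mylogin:/usr/bin/ksh
"""
GROUP = """system:!:0:root
staff:!:1:mylogin
builders:!:100200:
"""

def idmap_ranges(smb_conf):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} parsed from the idmap uid/gid lines."""
    pat = r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)"
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in re.finditer(pat, smb_conf, re.M)}

def local_ids(db_text):
    """Yield (name, numeric id) from passwd/group style lines; field 3 is the id."""
    for line in db_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            yield fields[0], int(fields[2])

def find_collisions(smb_conf, passwd, group):
    """List (kind, name, id) for local entries whose id lies inside a winbind range.
    A domain id that winbind allocates on top of such an entry resolves back to the
    local name, which is one plausible cause of the wrong-owner symptom in the post."""
    ranges, hits = idmap_ranges(smb_conf), []
    for kind, db in (("uid", passwd), ("gid", group)):
        if kind in ranges:
            lo, hi = ranges[kind]
            hits += [(kind, name, num) for name, num in local_ids(db) if lo <= num <= hi]
    return hits

if __name__ == "__main__":
    for kind, name, num in find_collisions(SMB_CONF, PASSWD, GROUP):
        print(f"{kind} {num} is inside the idmap {kind} range but is used by local {name}")
```

On a real host, feed the script the actual /etc/passwd and /etc/group contents and, if NIS or LDAP also supplies accounts, the ids from those sources as well.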
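The slapd.conf in the post stores the rootdn password in cleartext (which its own comment warns against) and its single ACL, access to * ... by * read, lets anyone who can reach the directory read every attribute, including the sambaLMPassword and sambaNTPassword hashes that samba.schema adds. The audit below is an added example, not code from the post or from OpenLDAP; the two config excerpts and the {SSHA}PLACEHOLDER_HASH value are constructed, and the hardened variant relies on slapd applying the first matching access rule.

```python
import re

# Constructed slapd.conf excerpt reproducing the rootpw and ACL lines from the post.
SLAPD_CONF = """
rootpw         mypassword
access to *
        by self write
        by *    read
"""
# Constructed hardened variant: hashed rootpw (placeholder) and a password-attribute rule first.
HARDENED = """
rootpw          {SSHA}PLACEHOLDER_HASH
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by * auth
access to *
        by self write
        by * read
"""
SECRET_ATTRS = {"userPassword", "sambaLMPassword", "sambaNTPassword"}  # samba* from samba.schema

def parse_acls(conf):
    """Group each 'access to <what>' directive with its (who, level) 'by' clauses."""
    acls = []
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("access to"):
            acls.append({"what": line[9:].strip(), "by": []})
        elif line.startswith("by ") and acls:
            who, level = (line.split() + ["none"])[1:3]
            acls[-1]["by"].append((who, level))
    return acls

def audit(conf):
    """Findings: cleartext rootpw, and rules letting '*'/anonymous read password hashes."""
    findings = []
    m = re.search(r"^\s*rootpw\s+(\S+)", conf, re.M)
    if m and not m.group(1).startswith("{"):
        findings.append("rootpw is cleartext; store a slappasswd(8) hash instead")
    shielded = set()  # secret attrs already matched by an earlier, more specific rule
    for acl in parse_acls(conf):
        a = re.search(r"attrs=([\w,]+)", acl["what"])  # None means the rule is a catch-all
        attrs = set(a.group(1).split(",")) if a else None
        exposed = (SECRET_ATTRS - shielded) if attrs is None else (attrs & SECRET_ATTRS)
        for who, level in acl["by"]:
            if who in ("*", "anonymous") and level in ("read", "write", "manage") and exposed:
                findings.append(f"'access to {acl['what']}' grants {level} to {who} on {sorted(exposed)}")
        if attrs is not None:
            shielded |= attrs & SECRET_ATTRS
    return findings
```

The rootdn bypasses ACLs, so the hardened rule set still lets cn=Manager maintain the entries; any other dn Samba binds as would need its own by dn=... write clause on the password attributes.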

