[Samba] SAMBA configuration nightmare (AIX) - idmaps do not work
(core dump), ldap/nss_ldap and pam fail
David Shapiro
David.Shapiro at bcbsnc.com
Thu Feb 9 14:09:30 GMT 2006
Well, I have tried really hard to get any of the idmaps to work--that
is, idmap_ads, idmap_rid, and I have tried to use idmap storage in
LDAP with PADL (nss_ldap) too, but I have had no luck. If I enable PAM
in /usr/lib/security/methods.cfg or nss_ldap, I cannot log into the
system anymore. If I enable PAM in /etc/pam.conf and use
SYSTEM = "WINBIND OR WINBIND[UNAVAIL] AND compat" in /etc/security/user,
I cannot log into the system anymore. If I enable idmap_ads or idmap_rid
in smb.conf, winbindd core dumps. I think, and I have not verified this
yet, that if I start up Samba without idmap_ad or idmap_rid so that
winbindd starts and then add idmap_rid or idmap_ad once it has started,
winbindd does not core, but I cannot 100% tell if idmapping is
happening. (After messing with all this, I was wondering why I even
need idmap, PAM, or LDAP capability anyway.) Still, it bugs me that I
cannot get any of this to work.
Here are my notes:

I changed the separator to + from / and now when I use
users=DOMAIN+mylogin, I get access to a share finally. However, when I
run chown DOMAIN+mylogin testdir, testdir is not set to DOMAIN+mylogin;
it is set to tempfn ("temporary id" is what the gecos/description says).
In AIX land, what do I need to do to get it to use WINBIND to set the
directory ownership now? My /usr/lib/security/methods.cfg has authonly
for WINBIND. I take it that is not enough? I saw something where they
wanted me to change SYSTEM=compat to
SYSTEM = "WINBIND OR WINBIND[UNAVAIL] AND compat", but when I do that,
nobody can log in to the system anymore.
My smb.conf now looks like the following:

[global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        server string = User management Server
        security = ADS
        password server = ad.domain.com
        ; level 10 is full debug output; lower it once the idmap problem
        ; is found, or the logs fill the filesystem
        log level = 10
        log file = /usr/local/samba/var/log.%m
        max log size = 50
        name resolve order = hosts wins lmhosts bcast
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        preferred master = No
        local master = No
        dns proxy = No
        wins server = svcmc02, svcmc03
        ; there is no "idmap backend" line, so winbindd allocates ids from
        ; this range with the default tdb backend; the 3.0 idmap_rid form
        ; would be   idmap backend = idmap_rid:DOMAIN=100000-200000
        idmap uid = 100000-200000
        idmap gid = 100000-200000
        winbind separator = +
        winbind use default domain = Yes
        winbind nested groups = Yes
        aio read size = 1
        aio write size = 1

[home]
        path = /home/%D/%u
        ; %S expands to the share name, i.e. "home", in an ordinary share;
        ; it only expands to the user name in the special [homes] section
        valid users = %S
        read only = No
        browseable = No

[samba]
        path = /usr/local/samba
        ; "username" is the legacy parameter; "valid users" is the one
        ; that actually restricts who may connect
        username = DOMAIN+mylogin
        valid users = DOMAIN+mylogin
My /usr/lib/security/methods.cfg (lines starting with * are comments):

NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64

DCE:
        program = /usr/lib/security/DCE

* PAM:
*       program = /usr/lib/security/PAM

WINBIND:
        program = /usr/lib/security/WINBIND
* authonly restricts the WINBIND method to authentication; with it set
* the method is not used for identification (name and uid lookups)
        options = authonly
*       options = auth=PAM,db=BUILTIN

* LDAP:
*       program = /usr/lib/security/NSS_LDAP
(I haven't had luck with PAM either. It will not let me log in if I use
it, too.)
PAM:
Added to pam.conf (each entry is one line; the pam_winbind options had
been wrapped by the mailer):

# Stack order matters. pam_winbind goes first as "sufficient" so a domain
# user with no local account succeeds there; pam_aix follows as "required"
# so local users keep working. With both modules "required", as they were
# stacked originally, every login had to satisfy both, which is why
# nobody could log in. sshd has its own stack and OTHER is not consulted
# for it, so sshd needs the pam_winbind entries as well. pam_winbind takes
# no domain-name argument, so the trailing DOMAIN token was dropped.
# Authentication
sshd   auth     sufficient /usr/lib/security/pam_winbind.so debug unknown_ok
sshd   auth     required   /usr/lib/security/pam_aix try_first_pass
OTHER  auth     sufficient /usr/lib/security/pam_winbind.so debug unknown_ok
OTHER  auth     required   /usr/lib/security/pam_aix try_first_pass
# Account management
sshd   account  sufficient /usr/lib/security/pam_winbind.so debug unknown_ok
sshd   account  required   /usr/lib/security/pam_aix
OTHER  account  sufficient /usr/lib/security/pam_winbind.so debug unknown_ok
OTHER  account  required   /usr/lib/security/pam_aix
# Password management
sshd   password sufficient /usr/lib/security/pam_winbind.so debug
sshd   password required   /usr/lib/security/pam_aix try_first_pass
OTHER  password sufficient /usr/lib/security/pam_winbind.so debug
OTHER  password required   /usr/lib/security/pam_aix try_first_pass
# Session management
sshd   session  required   /usr/lib/security/pam_aix
sshd   session  optional   /usr/lib/security/pam_winbind.so debug
OTHER  session  required   /usr/lib/security/pam_aix
OTHER  session  optional   /usr/lib/security/pam_winbind.so debug
During the build I had to add the following to the Makefile's CFLAGS
line to get PAM to compile:

    -DPAM_AUTHTOK_RECOVER_ERR=PAM_AUTHTOK_RECOVERY_ERR -DPAM_EXTERN=extern

or set it as CFLAGS in the environment when building with CC=gcc.
LDAP:
Copied samba/source/example/LDAP/samba.schema to the
/usr/local/openldap/etc/openldap/schema folder.
Added to /usr/local/openldap/etc/slapd.conf:
# Samba required schemas
include         /usr/local/openldap/etc/openldap/cosine.schema
include         /usr/local/openldap/etc/openldap/inetorgperson.schema
include         /usr/local/openldap/etc/openldap/nis.schema
include         /usr/local/openldap/etc/openldap/samba.schema

#######################################################################
# BDB database definitions
#######################################################################
database        bdb
suffix          "dc=DOMAIN,dc=COM"
rootdn          "cn=Manager,dc=DOMAIN,dc=COM"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# (run slappasswd and paste its {SSHA}... output here instead of the
# cleartext value)
rootpw          mypassword
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/openldap/var/openldap-data

#######################################################################
# Cache
#######################################################################
# dbcachesize applies if the database is ldbm instead of bdb
cachesize       40000
# dbcachesize   60000000
checkpoint      512 720

#######################################################################
# Samba Indexes
#######################################################################
# objectClass was listed twice (eq, then pres,eq); one directive suffices
index objectClass               pres,eq
index cn,sn,uid,displayName     pres,sub,eq
index uidNumber,gidNumber       eq
index sambaSID                  eq
index sambaPrimaryGroupSID      eq
index sambaDomainName           eq
# rid and primaryGroupID belong to the old Samba 2.2 schema; the 3.0
# samba.schema does not define them, and slapd treats an index directive
# for an undefined attribute as a configuration error, so this line is
# disabled unless a schema that defines them is loaded
# index rid,primaryGroupID      eq
index default                   sub

# sambaLMPassword/sambaNTPassword hold the LM/NT hashes, which are
# password-equivalent, and userPassword is the bind secret; the original
# "access to * by * read" made all three readable by anonymous binds
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
Made the directory /usr/local/openldap/var/openldap-data and set it to
mode 700. Ran /usr/local/openldap/sbin/slapindex -f slapd.conf after
loading samba.ldif with slapadd -f slapd.conf.
AIO:
AIO support is installed in this package. If you have problems starting
Samba, try the following:

    $ lsdev -Cc posix_aio
    posix_aio0 Available  Posix Asynchronous I/O

If the above says "Defined" instead of "Available":

    $ mkdev -l posix_aio0
    posix_aio0 Available
    $ chdev -l posix_aio0 -a autoconfig=available -P
    posix_aio0 changed
David Shapiro
Unix Team Lead
919-765-2011
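The post says it cannot tell whether idmapping is actually happening. The script below is an added example written for this page; it is not code from the original message or from the Samba project. It assumes the idmap range from the posted smb.conf (100000-200000) and idmap_rid's default base_rid of 0, under which idmap_rid derives uid = RID - base_rid + low end of the range; the SID and passwd lines it checks offline are constructed samples, and the live_check function (which needs a running winbindd on a joined host) uses only the real wbinfo and id commands.

```shell
#!/bin/sh
# Added example for this page (not from the original post or from Samba).
# Offline checks that tell a winbind-mapped uid from a local or unmapped
# one, plus a live check on top of wbinfo(1). Assumptions: the range below
# is the one in the posted smb.conf; BASE_RID=0 is idmap_rid's default.

IDMAP_LOW=100000
IDMAP_HIGH=200000
BASE_RID=0

# rid_from_sid S-1-5-21-a-b-c-RID -> prints RID; fails on anything that is
# not a domain SID (S-1-5-21 prefix followed by four sub-authorities)
rid_from_sid() {
    case "$1" in
        S-1-5-21-*-*-*-*) printf '%s\n' "${1##*-}" ;;
        *) return 1 ;;
    esac
}

# idmap_rid_uid RID -> prints the uid idmap_rid hands out for that RID
# (uid = RID - base_rid + low end of range); fails when the result falls
# outside the range, which is when winbindd reports the SID as unmapped
idmap_rid_uid() {
    uid=$(( $1 - BASE_RID + IDMAP_LOW ))
    if [ "$uid" -lt "$IDMAP_LOW" ] || [ "$uid" -gt "$IDMAP_HIGH" ]; then
        return 1
    fi
    printf '%s\n' "$uid"
}

# classify_passwd_line 'name:pw:uid:gid:gecos:home:shell' -> prints
#   winbind   uid inside the idmap range, so winbindd built the entry
#   unmapped  uid outside the range with a "temporary id" gecos, i.e. the
#             tempfn placeholder the post saw after chown (returns 1)
#   local     any other uid outside the range (ordinary /etc/passwd user)
classify_passwd_line() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    gecos=$(printf '%s\n' "$1" | cut -d: -f5)
    case "$uid" in
        ''|*[!0-9]*) echo invalid; return 2 ;;
    esac
    if [ "$uid" -ge "$IDMAP_LOW" ] && [ "$uid" -le "$IDMAP_HIGH" ]; then
        echo winbind; return 0
    fi
    case "$gecos" in
        *[Tt]emporary*) echo unmapped; return 1 ;;
    esac
    echo local
}

# check_rid_mapping SID 'passwd line' -> succeeds only when the uid in the
# passwd entry is the one idmap_rid derives from the SID's RID
check_rid_mapping() {
    rid=$(rid_from_sid "$1") || { echo "not a domain SID: $1" >&2; return 2; }
    want=$(idmap_rid_uid "$rid") || { echo "RID $rid maps outside $IDMAP_LOW-$IDMAP_HIGH" >&2; return 2; }
    got=$(printf '%s\n' "$2" | cut -d: -f3)
    [ "$got" = "$want" ]
}

# live_check DOMAIN+user: needs winbindd running and the host joined.
# wbinfo -i asks winbindd itself for a passwd entry, so if that works but
# id(1) fails, idmap is fine and the AIX identification side (methods.cfg,
# SYSTEM) is what is not wired up; if wbinfo -i fails, idmap is the problem.
live_check() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not found" >&2; return 2; }
    wbinfo -t >/dev/null 2>&1 || { echo "wbinfo -t failed: winbindd down or not joined" >&2; return 2; }
    sid=$(wbinfo -n "$1" | awk '{print $1}')
    entry=$(wbinfo -i "$1") || { echo "winbindd has no passwd entry for $1: idmap failure"; return 1; }
    echo "winbindd entry: $entry ($(classify_passwd_line "$entry"))"
    if check_rid_mapping "$sid" "$entry"; then
        echo "uid matches the idmap_rid derivation for $sid"
    else
        echo "uid does not match idmap_rid for $sid (tdb/ldap allocation, or unmapped)"
    fi
    if id "$1" >/dev/null 2>&1; then
        echo "id(1) resolves $1: OS identification path works"
    else
        echo "id(1) cannot resolve $1: winbind is not active for identification in AIX"
    fi
}

# Constructed sample data (not captured from the poster's system)
SAMPLE_SID='S-1-5-21-1004336348-1177238915-682003330-1105'
SAMPLE_WINBIND='DOMAIN+mylogin:*:101105:100513:mylogin:/home/DOMAIN/mylogin:/bin/ksh'
SAMPLE_LOCAL='root:!:0:0::/:/usr/bin/ksh'
SAMPLE_UNMAPPED='tempfn:*:65534:65534:temporary id:/:/bin/false'

for line in "$SAMPLE_WINBIND" "$SAMPLE_LOCAL" "$SAMPLE_UNMAPPED"; do
    printf '%-10s %s\n' "$(classify_passwd_line "$line")" "$line"
done
```

Run the offline part as-is; on the Samba host, `live_check DOMAIN+mylogin` separates the two failure modes the post conflates: winbindd unable to map the SID at all (wbinfo -i fails) versus a working mapping that AIX never consults for identification (wbinfo -i works, id fails). A uid that sits in the idmap range but does not equal the idmap_rid derivation simply means another backend (the default tdb allocator, or ldap) handed it out, not that the mapping is broken.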