[Samba] Looking for AIX Users of Winbind -- Authorization and SSH Problems
kevinjnewman at gmail.com
Thu Nov 12 15:54:34 MST 2009
I've got Samba with Winbind working on AIX 5.3 and 6.1 fairly well with
Active Directory 2003. In fact, I'd say short of 2 very important services,
it's working almost perfectly. Unfortunately, these 2 services are quite
critical, and without them I'm afraid we'll have to resort to some sort of
proprietary identity solution like Novell, which I'm not crazy about.
Assume that these examples are all from Samba 3.3.4, though I have tried a
few versions back to 3.0.0 and forward to 3.3.9, with no different results.
These are also from pWare's compiled versions (linked here:
The two things I can't get working with Winbind on AIX:
1. SSH. Doesn't seem to work on AIX 5.3 with Winbind. I get a "setgroups:
Not owner" and "initgroups: Not owner" error in the sshd debug and the
session is closed after authentication succeeds. I *can*, however, get this
working on AIX 6.1 with pWare's compiled SSH 18.104.22.168.
2. Authorization (e.g., who can log into the box ... NOT just all of AD).
I'm pretty good at configuring Winbind on Linux, and on Linux there's a
pam_winbind.conf file that I usually use to lock down the box to specific AD
users or groups -- I use the require_membership_of line and it works just
fine. Unfortunately, I don't see any pam_winbind.conf file in AIX by
default. I've tried placing it in /etc/security/ or in other locations, but
it doesn't seem to be used. I've also tried adding pam_winbind lines to the
/etc/pam.conf and manually adding the "require_membership_of" after the
stanza, like so:

    telnet account required /usr/lib/security/pam_winbind.so

... also with no success. To me, it's simply unacceptable to implement this
Winbind configuration without being able to choose who logs onto the box.
Without implementing some form of authorization, I might as well just set
everyone's password blank.
So, my question to everyone is: is there anyone out there using Winbind with
AIX? If so, have you overcome those 2 issues I'm describing?
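
An added example, not part of the original post and not Samba or pWare code: a small audit that reads pam.conf-style text and reports which services call pam_winbind.so without any require_membership_of restriction, the authorization gap the post is concerned with. It assumes the plain five-field pam.conf layout (service, module type, control flag, module path, options); the sample config and the EXAMPLE\unixadmins group are constructed, and the function names are hypothetical.

```python
# Added example: audit pam.conf-style text for pam_winbind entries that carry
# no require_membership_of restriction. SAMPLE is constructed, not a real config.
SAMPLE = """\
# service  module_type  control_flag  module_path  options
telnet  auth     required  /usr/lib/security/pam_winbind.so
telnet  account  required  /usr/lib/security/pam_winbind.so
sshd    auth     required  /usr/lib/security/pam_winbind.so require_membership_of=EXAMPLE\\unixadmins
sshd    account  required  /usr/lib/security/pam_winbind.so
login   auth     required  /usr/lib/security/pam_aix
"""


def parse_pam_conf(text):
    """Yield (service, module_type, control, module_path, options) per entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry: not enough fields to be a module line
        service, mtype, control, path = fields[:4]
        yield service.lower(), mtype.lower(), control, path, fields[4:]


def audit_winbind(text):
    """Map each service using pam_winbind to {module_type: [required groups]}."""
    result = {}
    for service, mtype, _control, path, options in parse_pam_conf(text):
        if not path.endswith("pam_winbind.so"):
            continue
        entry = result.setdefault(service, {})
        for opt in options:
            key, _, value = opt.partition("=")
            if key == "require_membership_of" and value:
                entry.setdefault(mtype, []).extend(value.split(","))
    return result


def unrestricted(text):
    """Services that call pam_winbind with no membership restriction at all."""
    return sorted(s for s, req in audit_winbind(text).items() if not req)


if __name__ == "__main__":
    for svc in unrestricted(SAMPLE):
        print(f"{svc}: pam_winbind is used with no require_membership_of")
```

The audit reads only the text of the file; it does not show whether the login path on a given host actually consults those entries.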