[Samba] AIX 5.3 Active Directory Synchronisation using Winbind
John Welch
jwelch at brosco.com
Fri Apr 2 06:15:38 MDT 2010
> Message: 7
> Date: Thu, 1 Apr 2010 16:28:11 +1100
> From: Craig Green <cgreen at ultradata.com.au>
> To: "'samba at lists.samba.org'" <samba at lists.samba.org>
> Subject: [Samba] AIX 5.3 Active Directory Synchronisation using
> Winbind
> Message-ID:
>
> <D53959C7005777449E60859257F6CC7648C3A58D at grey.ultradata.com.au>
> Content-Type: text/plain; charset="iso-2022-jp"
>
> I have been trying to get AIX 5.3 ML-11 integrated with MS AD (MS-2003
> with SP2 and SFU 3.5). It has given me a few y hairs. I have not been
> able to get it to function correctly.
>
> I have followed various tech articles and installation notes that I
> have found on the web. They are all basically the same in that they
> suggest to either compile the required components from scratch or to
> use the precompiled packages from the pware.hvcc.edu site.
>
> I originally tried compiling from scratch/source which I have always
> done in the past when using samba as a NT4 domain member. This is the
> first time I have tried integrating into MS AD.
>
> My latest attempt is with using the pre compiled packages from the
> hvcc site.
>
> I run into the same issues with both types of setup (i.e.: compiling
> samba from scratch or using the pware53 packages).
>
> When I have samba installed and joined to the AD the following
> commands work as expected.
> wbinfo -u
> wbinfo -g
> wbinfo -a username
>
> However if I try and telnet to the AIX server or connect to a share
> the AD is not using for authenticating the password. When trying a
> telnet login I get back ?3004-007 You entered an invalid login name or
> password.?
>
> Following is a list of what I have installed etc.
>
> AIX: 5.3 ML-11-03-1013
>
> pware53.base.rte 5.3.0.0 COMMITTED pWare base for 5.3
> pware53.bdb.rte 4.6.21.4 COMMITTED Berkeley DB 4.6.21
> pware53.cyrus-sasl.rte 2.1.22.2 COMMITTED cyrus-sasl 2.1.22
> pware53.gettext.rte 0.17.0.0 COMMITTED GNU gettext 0.17
> pware53.krb5.rte 1.7.1.0 COMMITTED MIT Kerberos 1.7.1
> pware53.libiconv.rte 1.13.1.0 COMMITTED GNU libiconv 1.13.1
> pware53.ncurses.rte 5.7.0.1 COMMITTED ncurses 5.7.0.1
> pware53.openldap.rte 2.4.19.0 COMMITTED OpenLDAP 2.4.19
> pware53.openssl.rte 0.9.8.13 COMMITTED OpenSSL 0.9.8m
> pware53.popt.rte 1.10.4.0 COMMITTED popt 1.10.4
> pware53.readline.rte 6.1.0.0 COMMITTED GNU readline 6.1
> pware53.samba.rte 3.5.0.0 COMMITTED Samba 3.5.0
> pware53.zlib.rte 1.2.3.0 COMMITTED zlib 1.2.3
>
> The kerberos krb5.conf. Below is the one I'm using in my environment
>
> --- krb5.conf - start ---
>
> [libdefaults]
> default_realm = TESTREALM.COM.AU
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> TESTREALM.COM.AU = {
> kdc = ad01.testrealm.com.au:88
> default_domain = testrealm.com.au
> admin_server = ad01.testrealm.com.au:749
> }
>
> [domain_realm]
> .kerberos.server = TESTREALM.COM.AU
> .domain.com = TESTREALM.COM.AU
> domain.com = TESTREALM.COM.AU
> .testrealm.com.au = TESTREALM.COM.AU
> testrealm.com.au = TESTREALM.COM.AU
>
> [logging]
> default = FILE:/var/log/krb5/krb5libs.log
> kdc = FILE:/var/log/krb5/krb5kdc.log
> admin_server = FILE:/var/log/krb5/kadmind.log
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
> --- krb5.conf - ends ---
>
> I can execute $> kinit [AD username] and this asks me for a password,
> I fill that in and if everything goes well.
>
> Here is the global section of my smb.conf file.
>
> --- smb.conf [global] section - start ---
>
> comment = AIX Internal Services - Samba %v
> workgroup = TESTREALM
> netbios name = %h
> security = ADS
> realm = TESTREALM.COM.AU
> encrypt passwords = Yes
> password server = ab01
> username map = /etc/samba/lib/smbusers.map
> log file = /etc/samba/var/%m.log
> log level = 2
> interfaces = en0 lo0
> bind interfaces only = yes
> name resolve order = host wins bcast
> keepalive = 30
> printcap name = /etc/qconfig
> os level = 0
> lm announce = False
> preferred master = False
> local master = No
> domain master = False
> wins server = 172.16.xxx.yyy ? I have obfuscated the last two
> octets.
> guest account = guest
> admin users = sh, root, cgr
> read only = No
> create mask = 0770
> directory mask = 0770
> map archive = No
> follow symlinks = No
> dont descend = /dev,/proc,/root,/stand
> load printers = no
> passdb backend = tdbsam
> smb passwd file = /etc/samba/private/tdbsam
> unix extensions = no
> winbind use default domain = yes
> idmap uid = 10000-200000
> idmap gid = 10000-200000
> auth methods = winbind
> winbind enum users = yes
> winbind enum groups = yes
>
> --- smb.conf [globa] section - end ---
>
> I can join the AIX server to the AD domain using
>
> $> net ads join -U[AD username]
> Enter [AD username]'s password:
> Using short domain name -- TESTREAM
> Joined 'AIXSERVER' to realm 'testrealm.com.au'
> $>
>
> I can then start nmbd, smbd and winbindd as daemons.
>
> I can then do a query to the Ad server like this $> wbinfo -u or $>
> wbinfo -g and I get back a complete list of the users and groups in
> the domain. I can also use wbinfo -a username I get prompted for the
> password and when I enter the relevant AD password and it says it can
> authenticate.
>
> So at this point, it appears that the server is authenticating with
> AD, so to make it available when logging into the box I have changed
> the default user stanza and the login methods. That is I edited the
> /etc/security/user file and changed the SYSTEM and registry variables
> to:
>
> SYSTEM = "WINBIND or compat"
> registry = WINBIND
>
> I also edited the /usr/lib/security/methods.cfg and added at the end:
>
> WINBIND:
> program = /usr/lib/security/WINBIND
> options = authonly
>
> Hopefully I am telling AIX, that from now on it should use winbind as
> the authentication method for users (default users). Users that are
> already defined on the system and are not on AD will be able to log
> in. I also left the compat method on the default stanza so if winbind
> fails it will check locally.
>
> At this point I have tried telnet from another AIX server and also
> from a PC to see if I can log in using the AD account and password. I
> understand that I should be able to log in. I have manually created
> the relevant home directory that samba expects to find.
>
> I hope the above will help someone understand what I have done and
> hopefully what I need to do to resolve my issue(s).
>
>
Hi Craig,
Not sure how much I'll be able to help, but we are using Samba/Winbind on an AIX machine in an Active Directory 2003 environment, so I figured I would at least pass along our setup and maybe it will trigger something that will help you solve your problem.
A couple of differences in our environment... We are running AIX 6.1.2 and Samba 3.4.5, which was the latest available from the hvcc.edu site when I upgraded a few months back. We are only using Samba/Winbind for files sharing with Windows clients; not for user log-in authentication. We also use DOMAIN level security mode in smb.conf, as opposed to ADS mode.
I guess my first question is do you really need ADS security mode? We have integrated both Linux and AIX servers into our Active Directory environment for several years now (upgrading from NT environment) and have always stuck with DOMAIN mode. I tried ADS mode a few times and ran into some issues. I think this might be easier now, but have not had the time nor inclination to mess with a something that has been working fine.
I know one issue I ran into when I recently upgraded Samba on the AIX box was that the WINBIND file in /usr/lib/security was a symbolic link that was not linked to the correct version of Samba. Have you looked at this file and verified that it is correct?
Hope this helps a little.
John
More information about the samba
mailing list