[Samba] AIX 5.3 Active Directory Synchronisation using Winbind
cgreen at ultradata.com.au
Mon Apr 5 20:10:35 MDT 2010
Thank you for your reply. I really appreciate your input.
I have been using Samba on our AIX servers for last few years. Up unto recently I have always used "security = DOMAIN", (with versions 3.0.28 and 3.3.9). I have had no issues with that type of setup. It is only now that I have been testing integration into MS AD and using "security = ADS" that I am having problems. The Samba versions I have tried with ADS are 3.3.9 and 3.5.0. Version 3.3.9 was compiled from scratch. I get the same issues with both versions. Originally I thought the issues must be with my compiled version. However it seems it be some sort of AIX config issue since I get the same issues with version 3.5.0 which is the pre-compiled version from the hvcc.edu site.
I am stumped as to what the issue is. Everything I can find on the net re using samba and winbind implies I have the correct setup but this cannot be the case since I cannot get it to work. I must have something wrong but for the life of me I cannot figure it out.
Re the question of "do you really need ADS security mode". Well, most likely not, we could integrate using ldap but my understanding is that using winbind is a less complicated method or it is supposed to be. In regards to the correct version of WINBIND, I have checked this previously and the correct version is being used.
In the past I have been able to connect a Linux server to an MS-AD but the Linux server uses NSS. AIX does not have NSS but I believe the changes to the "/etc/security/user" file are supposed to replace this. I am guessing the issue has something to do with this. However I have found info on the www that says other users of AIX have been able to Samba and WINBIND to join and ADS and to authenticate back to the AD without issues once they have made the alterations to the /etc/security/user and methods.cfg files.
If I perform a test to verify that communications between Samba-3 winbind and the Active Directory server is using Kerberos protocols I get the correct data back.
$ net ads info
LDAP server: 172.16.xxx.xxx
LDAP server name: blue.testrealm.com.au
Bind Path: dc=TESTREALM,dc=COM,dc=AU
LDAP port: 389
Server time: Tue, 06 Apr 2010 11:27:22 EET
KDC server: 172.16.xxx.xxx
Server time offset: 0
The "net ads status" command also returns the correct data.
So everything I do implies I am communicating correctly with the AD. However authentication does not work.
I also agree with you that the hvcc.edu site it is an awesome project. Without it my life would certainly be more difficult.
Support Consultant - Unix
Ultradata - Vision to Reality
+61 3 9291 1742
From: John Welch [mailto:jwelch at brosco.com]
Sent: Saturday, 3 April 2010 1:10 AM
To: William Jojo
Cc: samba at lists.samba.org; Craig Green
Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind
----- "William Jojo" <w.jojo at hvcc.edu> wrote:
> ---- Original message ----
> >Date: Fri, 2 Apr 2010 08:15:38 -0400 (EDT)
> >From: John Welch <jwelch at brosco.com>
> >Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using
> >To: cgreen at ultradata.com.au
> >Cc: samba at lists.samba.org
> >I know one issue I ran into when I recently upgraded Samba on the AIX
> box was that the WINBIND file in /usr/lib/security was a symbolic link
> that was not linked to the correct version of Samba. Have you looked
> at this file and verified that it is correct?
> Can you provide a little more on the problem you had? I'm not able to
> find the broken link in my development servers (32 or 64 bit), and I
> *really* want to improve our quality control.
> Glad to hear the project is working out for you otherwise. :-)
Prior to the recent upgrade to 3.4.5 we had been using an "old" 3.0 version (3.0.28) from your pware project. At that level of Samba at least the directory structure was "/opt/pware/samba/<version>". I did the upgrade a few months ago, so I'm trying to recall from memory the exact issue, but I believe after upgrading the WINBIND symbolic link was still pointing to the 3.0.28 binary. Not sure if the upgrade should have fixed this automatically or not. Really a minor thing, but something I overlooked initially.
Your project is awesome... Keep up the good work!
This message contains privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that you must not disseminate, copy or take any action or place any reliance on it. If you have received this message in error please notify Ultradata immediately on +61 3 9291 1600. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Ultradata Australia Pty. Ltd.
To unsubscribe from receiving commercial electronic messages from Ultradata Australia please email unsubscribe at ultradata.com.au with the subject heading "Unsubscribe".
More information about the samba