[Samba] AIX 5.3 Active Directory Synchronisation using Winbind

William Jojo w.jojo at hvcc.edu
Thu Apr 8 06:08:31 MDT 2010


Craig Green wrote:
> Hi John,
>
> Thank you for your reply. I really appreciate your input.
>
> I have been using Samba on our AIX servers for the last few years.  Up until recently I have always used "security = DOMAIN" (with versions 3.0.28 and 3.3.9).  I have had no issues with that type of setup.  It is only now that I have been testing integration into MS AD and using "security = ADS" that I am having problems.  The Samba versions I have tried with ADS are 3.3.9 and 3.5.0.  Version 3.3.9 was compiled from scratch.  I get the same issues with both versions.  Originally I thought the issues must be with my compiled version.  However it seems to be some sort of AIX config issue since I get the same issues with version 3.5.0 which is the pre-compiled version from the hvcc.edu site.
>
> I am stumped as to what the issue is.  Everything I can find on the net re using samba and winbind implies I have the correct setup but this cannot be the case since I cannot get it to work.  I must have something wrong but for the life of me I cannot figure it out.
>
> Re the question of "do you really need ADS security mode". Well, most likely not, we could integrate using ldap but my understanding is that using winbind is a less complicated method or it is supposed to be.  In regards to the correct version of WINBIND, I have checked this previously and the correct version is being used.
>
> In the past I have been able to connect a Linux server to an MS-AD but the Linux server uses NSS.  AIX does not have NSS but I believe the changes to the "/etc/security/user" file are supposed to replace this.  I am guessing the issue has something to do with this.  However I have found info on the www that says other users of AIX have been able to use Samba and WINBIND to join an ADS and to authenticate back to the AD without issues once they have made the alterations to the /etc/security/user and methods.cfg files.
>
> If I perform a test to verify that communications between Samba-3 winbind and the Active Directory server is using Kerberos protocols I get the correct data back.
>
> $ net ads info
> LDAP server: 172.16.xxx.xxx
> LDAP server name: blue.testrealm.com.au
> Realm: TESTREALM.COM.AU
> Bind Path: dc=TESTREALM,dc=COM,dc=AU
> LDAP port: 389
> Server time: Tue, 06 Apr 2010 11:27:22 EET
> KDC server: 172.16.xxx.xxx
> Server time offset: 0
>
> The "net ads status" command also returns the correct data.
>
> So everything I do implies I am communicating correctly with the AD. However authentication does not work.
>
> I also agree with you that the hvcc.edu site is an awesome project.  Without it my life would certainly be more difficult.
>
>
> Regards,
>
> Craig Green
> Support Consultant - Unix
>
> Ultradata - Vision to Reality
> +61 3 9291 1742
> www.ultradata.com.au
>
> -----Original Message-----
> From: John Welch [mailto:jwelch at brosco.com]
> Sent: Saturday, 3 April 2010 1:10 AM
> To: William Jojo
> Cc: samba at lists.samba.org; Craig Green
> Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind
>
>
> ----- "William Jojo" <w.jojo at hvcc.edu> wrote:
>
>
>> ---- Original message ----
>>> Date: Fri, 2 Apr 2010 08:15:38 -0400 (EDT)
>>> From: John Welch <jwelch at brosco.com>
>>> Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind
>>> To: cgreen at ultradata.com.au
>>> Cc: samba at lists.samba.org
>>>
>>> I know one issue I ran into when I recently upgraded Samba on the AIX box was that the WINBIND file in /usr/lib/security was a symbolic link that was not linked to the correct version of Samba.  Have you looked at this file and verified that it is correct?
>>
>> John,
>>
>> Can you provide a little more on the problem you had? I'm not able to
>> find the broken link in my development servers (32 or 64 bit), and I
>> *really* want to improve our quality control.
>>
>> Glad to hear the project is working out for you otherwise. :-)
>>
>>
>> Cheers,
>> Bill
>>     
>
> Hi Bill,
>
> Prior to the recent upgrade to 3.4.5 we had been using an "old" 3.0 version (3.0.28) from your pware project.  At that level of Samba at least the directory structure was "/opt/pware/samba/<version>".  I did the upgrade a few months ago, so I'm trying to recall from memory the exact issue, but I believe after upgrading the WINBIND symbolic link was still pointing to the 3.0.28 binary.  Not sure if the upgrade should have fixed this automatically or not.  Really a minor thing, but something I overlooked initially.
>
> Your project is awesome... Keep up the good work!
>
>   

Thanks!

I just posted 3.5.2 yesterday. I was able to join AIX to ADS (w2k8r2) 
and I can telnet into AIX without issue.

Can you tell me what lsuser returns for the shell? I bet it is 
/bin/false. If so, you may want to set:

template shell = /opt/pware/bin/bash

or

template shell = /bin/ksh


Depending on the shell you wish users to use.

If this is not it, I'm happy to help figure out what is going on.


Cheers,
Bill


> Thanks,
> John
>
>   
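
The two checks raised in this thread (the WINBIND symbolic link under /usr/lib/security and the "template shell" setting in smb.conf) as POSIX sh functions. This is an added example, not code from the thread or from the pware project; the function names and the fixture layout are hypothetical, and the sample tree is constructed.

```shell
# Added example: checks for the two misconfigurations raised in this thread.
# Print the effective "template shell" of smb.conf $1. Names are matched
# ignoring case and spaces; when unset, Samba's default is /bin/false.
template_shell() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment lines
        index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)
            if (key != "templateshell") next
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            found = val                         # last setting wins
        }
        END { print (found != "" ? found : "/bin/false") }
    ' "$1"
}

# Succeed only if shell $1 permits an interactive login on this host.
shell_allows_login() {
    case "$1" in
        ""|*/false|*/nologin) return 1 ;;
        *) [ -x "$1" ] ;;
    esac
}

# Succeed only if $1 is a symlink to an existing file under prefix $2.
# Assumes the link target is an absolute path.
winbind_link_ok() {
    [ -h "$1" ] || return 1
    target=$(ls -l "$1" | sed 's/.* -> //')
    [ -f "$target" ] || return 1
    case "$target" in "$2"/*) return 0 ;; *) return 1 ;; esac
}

# Constructed fixture under $1: an old and a new Samba tree, a WINBIND link
# still pointing at the old one, and an smb.conf without "template shell".
make_fixture() {
    mkdir -p "$1/samba/3.0.28" "$1/samba/3.4.5" "$1/security"
    : > "$1/samba/3.0.28/WINBIND"; : > "$1/samba/3.4.5/WINBIND"
    ln -s "$1/samba/3.0.28/WINBIND" "$1/security/WINBIND"
    printf '[global]\n  security = ADS\n; template shell = /bin/ksh\n' > "$1/smb.conf"
}

d=${TMPDIR:-/tmp}/wbcheck.$$; make_fixture "$d"
echo "template shell: $(template_shell "$d/smb.conf")"
winbind_link_ok "$d/security/WINBIND" "$d/samba/3.4.5" || echo "WINBIND link is stale"
rm -rf "$d"
```

On a real host, pass /usr/lib/security/WINBIND together with the install prefix of the Samba version in use, and compare the reported shell with what lsuser returns for a domain user.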


