[Samba] Samba ADS on AIX 6.1 TL04

William Jojo w.jojo at hvcc.edu
Tue Apr 27 06:02:33 MDT 2010

Yashpal Nagar wrote:
> Hi All
> I'm trying to intergrate samba server with ADS on AIX 6.1 TL04, for last one
> week, with idmap / winbind but no satisfactory results. I have gone through
> various links at samba.org relating to winbind, idmapper and followed
> http://pware.hvcc.edu/  for precompiled binaries and
> http://pware.hvcc.edu/AIX-Samba.pdf which is for AIX 6.1 TL03 though.

It shouldn't matter. The TL's are just IBM's way of drawing lines for 
patch sets. The documentation was updated when TL-03 was released. The 
code compiled on 5.3 should run just fine under 6.1.

> I have found the samba which is provided by IBM with expansion pack doesn't
> have support for ADS. The binaries I have tried with is both 32 bit and
> 64bit of samba, neither of them has worked for me. ADS join is ok, I am able
> to see all good ouput for wbinfo -t/-m/-p etc.
> I have copied the WINBIND module under /usr/lib/security and changed
> /usr/lib/security/methods.cfg
> as
>         program = /usr/lib/security/WINBIND
>         options = authonly

Please remove the authonly, it's not necessary.

> the /etc/security/user the default stanza with
> SYSTEM = "WINBIND OR compat"
> The errors I have repeatedly encountered is --
> Could not trigger lookup sid
> sid2gid returned an error
> Could not lookup name for user MYDOMAIN\USER1
> Some other errors are
> Error GID range is full!!

This is an indication that the winbind configuration may be incorrect. 
In general, the AD configurations work as expected on AIX.

Could you post your smb.conf for review? Also, are you using the LDAP 
backend or TDB? The IDMAP piece has been significantly modified from 
3.3.x through 3.5.x, so some docs (including my own) may need some 
revision and depending on how yours is written may be getting 

I am posting info from one of my (old - 5.3-TL6-SP4) AIX machines 
running 3.5.2 joined to w2k8R2:

[aixdev:/] # oslevel -s

[aixdev:/] # lslpp -l pware*
  Fileset                      Level  State      Description        
Path: /usr/lib/objrepos
  pware53.base.rte   COMMITTED  pWare base for 5.3
  pware53.bash.rte  COMMITTED  GNU bash 4.0
  pware53.bdb.rte   COMMITTED  Berkeley DB 4.7.25
  pware53.cyrus-sasl.rte  COMMITTED  cyrus-sasl 2.1.23
  pware53.gettext.rte  COMMITTED  GNU gettext 0.17
  pware53.krb5.rte   COMMITTED  MIT Kerberos 1.7.1
  pware53.libiconv.rte  COMMITTED  GNU libiconv 1.13.1
  pware53.ncurses.rte  COMMITTED  ncurses
  pware53.openldap.rte  COMMITTED  OpenLDAP 2.4.21
  pware53.openssl.rte  COMMITTED  OpenSSL 0.9.8m
  pware53.popt.rte  COMMITTED  popt 1.10.4
  pware53.readline.rte  COMMITTED  GNU readline 6.1
  pware53.samba.rte  COMMITTED  Samba 3.5.2
  pware53.tar.rte   COMMITTED  GNU tar 1.22
  pware53.zlib.rte   COMMITTED  zlib 1.2.4

[aixdev:/] # cat /opt/pware/lib/smb.conf
        security = ads
        realm = DEV35.LOCAL
        password server =
        workgroup = DEV35
        winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        log level = 3
        template homedir = /home/%D/%U
        template shell = /opt/pware/bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2
        path = /netlogon

[aixdev:/] # net ads testjoin
Join is OK

[aixdev:/] # wbinfo -u

[aixdev:/] # wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
[aixdev:/] # lsuser w.jojo
w.jojo id=10000 pgrp=domain users home=/home/DEV35/w.jojo 
shell=/opt/pware/bin/bash gecos=William Jojo login=true su=true 
rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak 
ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND 
SYSTEM=compat or WINBIND logintimes= loginretries=0 pwdwarntime=0 
account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 
minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 
pwdchecks= dictionlist= fsize=-1 cpu=-1 data=-1 stack=-1 core=2097151 
rss=-1 nofiles=-1 roles= id=10000 pgrp=domain users 
home=/home/DEV35/w.jojo shell=/opt/pware/bin/bash pgid=10000 
gecos=William Jojo shell=/opt/pware/bin/bash pgrp=domain users 

[aixdev:/] # cat /usr/lib/security/methods.cfg
* @(#)78        1.5  src/bos/usr/lib/security/methods.cfg.S, cmdsadm, 
bos530 6/11/03 17:06:16
* Authentication methods:
* auth_method:
*       program = /any/program
*       program_64 = /any/program64
* auth_method corresponds to a custom authentication method specified in
* the SYSTEM attribute in /etc/security/user, and /any/program is the
* program to run in order to do the authentication.  The program_64 
* should be used for process running in 64 bit mode, /any/program64 is
* a 64 bit program.
* Two optional attributes may be defined for load modules.  They are:    

* The "domain" attribute is used by methods which support multiple       
* domains.                                                               

* The "options" attribute provides a means of communicating             
* run-time configuration options to the load module.  Please refer       
* to the documentation for the load module for appropriate values.       
* If you are using Common Desktop Environment (CDE), you must restart the
* desktop login manager (dtlogin) for any changes to take effect.
* Restarting dtlogin will prevent CDE login failure using the updated 
* mechanisms. Please read the /usr/dt/README file for more related
* information.

        program = /usr/lib/security/WINBIND

Here is an example of logging into AIX with telnet:

AIX Version 5
Copyright IBM Corporation, 1982, 2007.
login: w.jojo
w.jojo's Password:
*                                                                        *
* Use of this system is restricted to authorized personnel only and must *
* comply with federal, state and local laws in addition to campus        *
* regulations.                                                           *
*                                                                        *
*              UNAUTHORIZED USE IS STRICTLY PROHIBITED!                  *
*                                                                        *
* dev35 p505 5.3                                                         *
*                                                                        *

w.jojo      pts/1       Apr 27 07:07     (somwhere.hvcc.edu)

[aixdev] $ cat /etc/passwd
snapp:*:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
nuucp:*:7:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
sbnet:*:22501:1:Remote Services:/usr/lpp/sysback:/usr/bin/ksh
[aixdev] $

As you can see the user w.jojo is an AD user.

/etc/security/user has in the default stanza:

        SYSTEM = "compat or WINBIND"

Hope this helps!


> No matter I removed *.tdb files, specified new ranges etc, this GID error
> persistenly appears. I have reached to the point where user autentication is
> successful but sid to gig mapping doesn't work, or lookup for that AD user
> fails. The AD seems to be OK , as another server AIX 5.2 is already working
> with samba compiled with ADS support.
> What I would like to know.
> 1. How do we compile samba from scratch, I tried 3.5.2 , ./configure was OK,
> but this didn;t created any makefile! , I understand I need to
> compile kerbros , db, openldap before compiling samba, which version of the
> dependent software (kerbros, db, openldap) be used?
> 2. How can I resolve this GID range full error.
> 3. what shall be done to have sid to gid mapping.
> Best Regards,
> Yash

More information about the samba mailing list