[Samba] AIX 5.3 Active Directory Synchronisation using Winbind
Craig Green
cgreen at ultradata.com.au
Wed Mar 31 23:28:11 MDT 2010
I have been trying to get AIX 5.3 ML-11 integrated with MS AD (MS-2003 with SP2 and SFU 3.5). It has given me a few y hairs. I have not been able to get it to function correctly.
I have followed various tech articles and installation notes that I have found on the web. They are all basically the same in that they suggest to either compile the required components from scratch or to use the precompiled packages from the pware.hvcc.edu site.
I originally tried compiling from scratch/source which I have always done in the past when using samba as a NT4 domain member. This is the first time I have tried integrating into MS AD.
My latest attempt is with using the pre compiled packages from the hvcc site.
I run into the same issues with both types of setup (i.e.: compiling samba from scratch or using the pware53 packages).
When I have samba installed and joined to the AD the following commands work as expected.
wbinfo -u
wbinfo -g
wbinfo -a username
However if I try and telnet to the AIX server or connect to a share the AD is not using for authenticating the password. When trying a telnet login I get back “3004-007 You entered an invalid login name or password.”
Following is a list of what I have installed etc.
AIX: 5.3 ML-11-03-1013
pware53.base.rte 5.3.0.0 COMMITTED pWare base for 5.3
pware53.bdb.rte 4.6.21.4 COMMITTED Berkeley DB 4.6.21
pware53.cyrus-sasl.rte 2.1.22.2 COMMITTED cyrus-sasl 2.1.22
pware53.gettext.rte 0.17.0.0 COMMITTED GNU gettext 0.17
pware53.krb5.rte 1.7.1.0 COMMITTED MIT Kerberos 1.7.1
pware53.libiconv.rte 1.13.1.0 COMMITTED GNU libiconv 1.13.1
pware53.ncurses.rte 5.7.0.1 COMMITTED ncurses 5.7.0.1
pware53.openldap.rte 2.4.19.0 COMMITTED OpenLDAP 2.4.19
pware53.openssl.rte 0.9.8.13 COMMITTED OpenSSL 0.9.8m
pware53.popt.rte 1.10.4.0 COMMITTED popt 1.10.4
pware53.readline.rte 6.1.0.0 COMMITTED GNU readline 6.1
pware53.samba.rte 3.5.0.0 COMMITTED Samba 3.5.0
pware53.zlib.rte 1.2.3.0 COMMITTED zlib 1.2.3
The kerberos krb5.conf. Below is the one I'm using in my environment
--- krb5.conf - start ---
[libdefaults]
default_realm = TESTREALM.COM.AU
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
TESTREALM.COM.AU = {
kdc = ad01.testrealm.com.au:88
default_domain = testrealm.com.au
admin_server = ad01.testrealm.com.au:749
}
[domain_realm]
.kerberos.server = TESTREALM.COM.AU
.domain.com = TESTREALM.COM.AU
domain.com = TESTREALM.COM.AU
.testrealm.com.au = TESTREALM.COM.AU
testrealm.com.au = TESTREALM.COM.AU
[logging]
default = FILE:/var/log/krb5/krb5libs.log
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
--- krb5.conf - ends ---
I can execute $> kinit [AD username] and this asks me for a password, I fill that in and if everything goes well.
Here is the global section of my smb.conf file.
--- smb.conf [global] section - start ---
comment = AIX Internal Services - Samba %v
workgroup = TESTREALM
netbios name = %h
security = ADS
realm = TESTREALM.COM.AU
encrypt passwords = Yes
password server = ab01
username map = /etc/samba/lib/smbusers.map
log file = /etc/samba/var/%m.log
log level = 2
interfaces = en0 lo0
bind interfaces only = yes
name resolve order = host wins bcast
keepalive = 30
printcap name = /etc/qconfig
os level = 0
lm announce = False
preferred master = False
local master = No
domain master = False
wins server = 172.16.xxx.yyy ← I have obfuscated the last two octets.
guest account = guest
admin users = sh, root, cgr
read only = No
create mask = 0770
directory mask = 0770
map archive = No
follow symlinks = No
dont descend = /dev,/proc,/root,/stand
load printers = no
passdb backend = tdbsam
smb passwd file = /etc/samba/private/tdbsam
unix extensions = no
winbind use default domain = yes
idmap uid = 10000-200000
idmap gid = 10000-200000
auth methods = winbind
winbind enum users = yes
winbind enum groups = yes
--- smb.conf [globa] section - end ---
I can join the AIX server to the AD domain using
$> net ads join -U[AD username]
Enter [AD username]'s password:
Using short domain name -- TESTREAM
Joined 'AIXSERVER' to realm 'testrealm.com.au'
$>
I can then start nmbd, smbd and winbindd as daemons.
I can then do a query to the Ad server like this $> wbinfo -u or $> wbinfo -g and I get back a complete list of the users and groups in the domain. I can also use wbinfo -a username I get prompted for the password and when I enter the relevant AD password and it says it can authenticate.
So at this point, it appears that the server is authenticating with AD, so to make it available when logging into the box I have changed the default user stanza and the login methods. That is I edited the /etc/security/user file and changed the SYSTEM and registry variables to:
SYSTEM = "WINBIND or compat"
registry = WINBIND
I also edited the /usr/lib/security/methods.cfg and added at the end:
WINBIND:
program = /usr/lib/security/WINBIND
options = authonly
Hopefully I am telling AIX, that from now on it should use winbind as the authentication method for users (default users). Users that are already defined on the system and are not on AD will be able to log in. I also left the compat method on the default stanza so if winbind fails it will check locally.
At this point I have tried telnet from another AIX server and also from a PC to see if I can log in using the AD account and password. I understand that I should be able to log in. I have manually created the relevant home directory that samba expects to find.
I hope the above will help someone understand what I have done and hopefully what I need to do to resolve my issue(s).
Disclaimer Notice
This message contains privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that you must not disseminate, copy or take any action or place any reliance on it. If you have received this message in error please notify Ultradata immediately on +61 3 9291 1600. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Ultradata Australia Pty. Ltd.
To unsubscribe from receiving commercial electronic messages from Ultradata Australia please email unsubscribe at ultradata.com.au with the subject heading "Unsubscribe".
More information about the samba
mailing list