[Samba] AIX 5.3 Active Directory Synchronisation using Winbind

Craig Green cgreen at ultradata.com.au
Wed Mar 31 23:28:11 MDT 2010 

I have been trying to get AIX 5.3 ML-11 integrated with MS AD (MS-2003 with SP2 and SFU 3.5). It has given me a few y hairs. I have not been able to get it to function correctly.

I have followed various tech articles and installation notes that I have found on the web.  They are all basically the same in that they suggest to either compile the required components from scratch or to use the precompiled packages from the pware.hvcc.edu site.

I originally tried compiling from scratch/source which I have always done in the past when using samba as a NT4 domain member.  This is the first time I have tried integrating into MS AD.

My latest attempt is with using the pre compiled packages from the hvcc site.

I run into the same issues with both types of setup (i.e.: compiling samba from scratch or using the pware53 packages).

When I have samba installed and joined to the AD the following commands work as expected.
wbinfo -u
wbinfo -g
wbinfo -a username

However if I try and telnet to the AIX server or connect to a share the AD is not using for authenticating the password.   When trying a telnet login I get back “3004-007 You entered an invalid login name or password.”

Following is a list of what I have installed etc.

AIX:  5.3 ML-11-03-1013

  pware53.base.rte           5.3.0.0  COMMITTED  pWare base for 5.3
  pware53.bdb.rte           4.6.21.4  COMMITTED  Berkeley DB 4.6.21
  pware53.cyrus-sasl.rte    2.1.22.2  COMMITTED  cyrus-sasl 2.1.22
  pware53.gettext.rte       0.17.0.0  COMMITTED  GNU gettext 0.17
  pware53.krb5.rte           1.7.1.0  COMMITTED  MIT Kerberos 1.7.1
  pware53.libiconv.rte      1.13.1.0  COMMITTED  GNU libiconv 1.13.1
  pware53.ncurses.rte        5.7.0.1  COMMITTED  ncurses 5.7.0.1
  pware53.openldap.rte      2.4.19.0  COMMITTED  OpenLDAP 2.4.19
  pware53.openssl.rte       0.9.8.13  COMMITTED  OpenSSL 0.9.8m
  pware53.popt.rte          1.10.4.0  COMMITTED  popt 1.10.4
  pware53.readline.rte       6.1.0.0  COMMITTED  GNU readline 6.1
  pware53.samba.rte          3.5.0.0  COMMITTED  Samba 3.5.0
  pware53.zlib.rte           1.2.3.0  COMMITTED  zlib 1.2.3

The kerberos krb5.conf. Below is the one I'm using in my environment

--- krb5.conf - start ---

[libdefaults]
        default_realm = TESTREALM.COM.AU
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        forwardable = yes

[realms]
        TESTREALM.COM.AU = {
                kdc = ad01.testrealm.com.au:88
                default_domain = testrealm.com.au
                admin_server = ad01.testrealm.com.au:749
        }

[domain_realm]
        .kerberos.server = TESTREALM.COM.AU
        .domain.com = TESTREALM.COM.AU
        domain.com = TESTREALM.COM.AU
        .testrealm.com.au = TESTREALM.COM.AU
        testrealm.com.au = TESTREALM.COM.AU

[logging]
        default = FILE:/var/log/krb5/krb5libs.log
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log

[appdefaults]
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
        }
--- krb5.conf - ends ---

I can execute $> kinit [AD username] and this asks me for a password, I fill that in and if everything goes well.

Here is the global section of my smb.conf file.

--- smb.conf [global] section - start ---

        comment = AIX Internal Services - Samba %v
        workgroup = TESTREALM
        netbios name = %h
        security = ADS
        realm = TESTREALM.COM.AU
        encrypt passwords = Yes
        password server = ab01
        username map = /etc/samba/lib/smbusers.map
        log file = /etc/samba/var/%m.log
        log level = 2
        interfaces = en0 lo0
        bind interfaces only = yes
        name resolve order = host wins bcast
        keepalive = 30
        printcap name = /etc/qconfig
        os level = 0
        lm announce = False
        preferred master = False
        local master = No
        domain master = False
        wins server = 172.16.xxx.yyy  ← I have obfuscated the last two octets.
        guest account = guest
        admin users = sh, root, cgr
        read only = No
        create mask = 0770
        directory mask = 0770
        map archive = No
        follow symlinks = No
        dont descend = /dev,/proc,/root,/stand
        load printers = no
        passdb backend = tdbsam
        smb passwd file = /etc/samba/private/tdbsam
        unix extensions = no
        winbind use default domain = yes
        idmap uid = 10000-200000
        idmap gid = 10000-200000
        auth methods = winbind
        winbind enum users = yes
        winbind enum groups = yes

--- smb.conf [globa] section - end ---

I can join the AIX server to the AD domain using

$> net ads join -U[AD username]
Enter [AD username]'s password:
Using short domain name -- TESTREAM
Joined 'AIXSERVER' to realm 'testrealm.com.au'
$>

I can then start nmbd, smbd and winbindd as daemons.

I can then do a query to the Ad server like this $> wbinfo -u or $> wbinfo -g and I get back a complete list of the users and groups in the domain.  I can also use wbinfo -a username I get prompted for the password and when I enter the relevant AD password and it says it can authenticate.

So at this point, it appears that the server is authenticating with AD, so to make it available when logging into the box I have changed the default user stanza and the login methods. That is I edited the /etc/security/user file and changed the SYSTEM and registry variables to:

SYSTEM = "WINBIND or compat"
registry = WINBIND

I also edited the /usr/lib/security/methods.cfg and added at the end:

WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly

Hopefully I am telling AIX, that from now on it should use winbind as the authentication method for users (default users). Users that are already defined on the system and are not on AD will be able to log in. I also left the compat method on the default stanza so if winbind fails it will check locally.

At this point I have tried telnet from another AIX server and also from a PC to see if I can log in using the AD account and password. I understand that I should be able to log in. I have manually created the relevant home directory that samba expects to find.

I hope the above will help someone understand what I have done and hopefully what I need to do to resolve my issue(s).


Disclaimer Notice

This message contains privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that you must not disseminate, copy or take any action or place any reliance on it. If you have received this message in error please notify Ultradata immediately on +61 3 9291 1600. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Ultradata Australia Pty. Ltd.

To unsubscribe from receiving commercial electronic messages from Ultradata Australia please email unsubscribe at ultradata.com.au with the subject heading "Unsubscribe".

More information about the samba mailing list