[Samba] AIX, Samba and ADS issue

Jim Thompson jgt157 at gmail.com
Mon Jul 22 08:06:30 MDT 2013


I’m trying to get an AIX + samba + ADS system working properly.  The samba
server is a domain member and I can use the wbinfo –u and wbinfo –g
commands with no problem. We’re running pware64 version 3.5.11 on AIX 6.1.
 I need to know whether, as a domain member of the ADS domain, I still need to
run net groupmap to map ADS groups to AIX groups, or whether this happens
automatically with this version of Samba.  The users can log in, but can’t
access their shares.  The only way they’ve been able to access their shares
is if I change the directory permissions to 777. Here’s our configuration:

Smb.conf

#======================= Global Settings =====================================
# Domain-member (security = ADS) configuration for CINSD20 in CINTAS.FIT.
# Keys regrouped by purpose; no values changed.
[global]
# Identity and domain membership
netbios name = CINSD20
server string = CINSD20 Samba Server
workgroup = CINTASFIT
realm = CINTAS.FIT
security = ADS
# "*" lets winbind locate domain controllers itself instead of a fixed list
password server = *
# Both are already the defaults in Samba 3.x; kept for explicitness
encrypt passwords = yes
client use spnego = yes
# NOTE(review): every connection by a listed user performs all file operations
# as root. Keep this list minimal and prefer per-share grants.
admin users = root
# Logons that name an unknown domain are resolved against the primary domain
# rather than the local passdb; trusted domains are honoured.
allow trusted domains = yes
map untrusted to domain = yes
map to guest = Never
# Browsing / name service: neither a browse master nor a WINS server
local master = no
domain master = no
wins support = no
dns proxy = no
nmbd bind explicit broadcast = no
load printers = no
# Logging: one file per client machine. Level 3 is a troubleshooting level
# (per-request detail, client names and paths); lower it once the share
# problem below is solved.
log file = /var/log/samba/%m.log
max log size = 1000
log level = 3
# winbind: enumeration off (large AD), names written as DOMAIN+user, and the
# primary domain's prefix dropped (CINTASFIT+user is exposed as user).
# NOTE(review): the share stanzas prefix groups with CINTAS+, which is not the
# workgroup joined here (CINTASFIT). With "winbind use default domain = yes",
# groups of this domain are @groupname (or @CINTASFIT+groupname); compare with
# what `wbinfo -g` prints before trusting the valid users / write list entries.
winbind separator = +
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
# ACL and permission handling. inherit permissions = yes overrides the
# create mask / directory mask values set in the share stanzas.
nt acl support = yes
inherit acls = yes
map acl inherit = yes
inherit permissions = yes
store dos attributes = yes
# Legacy idmap range (no "idmap config" backend is set, so the tdb default
# applies). NOTE(review): the tdb backend hands out the next free ID when a
# SID is first seen, so the SID->gid mapping lives only in this server's
# idmap database; on-disk ownership by domain groups is not reproducible on
# another host or after the tdb is lost. Back it up, or move to a deterministic
# backend (idmap config with rid/ad) before relying on domain-group ownership.
idmap uid = 200000 - 500000
idmap gid = 200000 - 500000

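#============================ Share Definitions ==============================
[don]
# Sample share left over from the stock smb.conf. It exports the system /tmp
# directory read/write: /tmp is world-writable and shared by every local user
# and daemon, so anything staged there becomes readable over SMB and remote
# users can drop files that local programs may pick up. Disabled here with
# "available = no"; delete the stanza or point it at a dedicated directory.
available = no
comment = Sample share
path = /tmp
writeable = yes
guest ok = no
# NOTE(review): this user is written CINTASFIT+aixuser while every other share
# uses CINTAS+...; with "winbind use default domain = yes" the primary domain's
# prefix is dropped, so check `wbinfo -u` for the spelling Samba expects.
# "root" only matters if a root account can authenticate against the domain.
valid users = CINTASFIT+aixuser, root
admin users = root
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775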

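[BISHAREDDEV]
# Share for /BI_SHARED: read-only by default, change access for the write list.
path = /BI_SHARED
# The valid users and write list values were each split across two lines in the
# listing. smb.conf has no implicit continuation: if the file really contains
# the break (not just mail wrapping), the second line has no "=" and is dropped
# as a badly formed line, silently shortening the group list. Kept on one line.
# NOTE(review): group prefix CINTAS+ does not match the joined workgroup
# CINTASFIT; verify the exact names with `wbinfo -g`.
valid users = @CINTAS+c_acct_cptr_app_g, @CINTAS+sap_cintas_pp, @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G, @CINTAS+C_Payroll_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G, @CINTAS+C_Payroll_G
# "public" is a synonym of "guest ok"; one copy is enough
writeable = no
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root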

[FIFTHTHDEV]
# Share for /interface_secure/FifthThird: read-only except for the write list.
path = /interface_secure/FifthThird
# NOTE(review): group prefix CINTAS+ does not match the joined workgroup
# CINTASFIT; verify the exact names with `wbinfo -g`.
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
# "read only = yes" is the same parameter as "writeable = no";
# "public = no" duplicated "guest ok = no" and is folded into it.
read only = yes
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root

[NOVASCOTDEV]
# Share for /interface_secure/NovaScotia: read-only except for the write list.
path = /interface_secure/NovaScotia
# NOTE(review): group prefix CINTAS+ does not match the joined workgroup
# CINTASFIT; verify the exact names with `wbinfo -g`.
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
# "read only = yes" is the same parameter as "writeable = no";
# "public = no" duplicated "guest ok = no" and is folded into it.
read only = yes
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root

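[HEWITTDEV]
# Share for /interface_secure/Hewitt: read-only except for the write list.
path = /interface_secure/Hewitt
# The listing had "directory mask = 0c = yes", a garbled line that is not a
# valid mode and would leave the directory mask at its default. Restored to
# the 0775 used by every other share.
# The valid users / write list values were split across two lines; smb.conf
# has no implicit continuation, so a real line break would drop the second
# line as badly formed. Kept on one line.
# NOTE(review): group prefix CINTAS+ does not match the joined workgroup
# CINTASFIT; verify the exact names with `wbinfo -g`.
valid users = @CINTAS+c_sap_hewitt_u, @CINTAS+C_MIS_Finance_G, @CINTAS+C_Payroll_G
write list = @CINTAS+c_sap_hewitt_u, @CINTAS+C_MIS_Finance_G, @CINTAS+C_Payroll_G
# "public" is a synonym of "guest ok"; one copy is enough
writeable = no
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root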

[INTSECUREDEV]
# Read-only share of the whole /interface_secure tree.
# NOTE(review): this is the parent of FifthThird, NovaScotia, Hewitt, Concur,
# PitneyBowes, IRSAUDITDEV, PNCDEV, Projections and Ryan, which are also
# exported individually with their own valid users lists. Through this share
# C_MIS_Finance_G can read every one of those directories regardless of the
# per-share lists (e.g. Projections/.../Archive, whose own share allows only
# C_Acct_Alchemy_AP); only on-disk permissions still apply.
# Group prefix CINTAS+ does not match the joined workgroup CINTASFIT; verify
# the exact names with `wbinfo -g`.
path = /interface_secure
valid users = @CINTAS+C_MIS_Finance_G
# "read only = yes" is the same parameter as "writeable = no"
read only = yes
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root

[INOVISDEV]
# Share for /interface/Inovis: read-only except for the write list.
path = /interface/Inovis
# NOTE(review): group prefix CINTAS+ does not match the joined workgroup
# CINTASFIT; verify the exact names with `wbinfo -g`.
valid users = @CINTAS+C_MIS_EDI
write list = @CINTAS+C_MIS_EDI
# "read only = yes" is the same parameter as "writeable = no";
# "public = no" duplicated "guest ok = no" and is folded into it.
read only = yes
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root

[OPTIPLANDEV]
# Share for /interface/Optiplan: read-only except for the write list.
path = /interface/Optiplan
# NOTE(review): group prefix CINTAS+ does not match the joined workgroup
# CINTASFIT; verify the exact names with `wbinfo -g`.
valid users = @CINTAS+SAPITTech, @CINTAS+SAP_Cintas_PP
write list = @CINTAS+SAPITTech, @CINTAS+SAP_Cintas_PP
# "read only = yes" is the same parameter as "writeable = no";
# "public = no" duplicated "guest ok = no" and is folded into it.
read only = yes
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root

[CONCURDEV]
# Share for /interface_secure/Concur: read-only except for the write list.
path = /interface_secure/Concur
# NOTE(review): group prefix CINTAS+ does not match the joined workgroup
# CINTASFIT; verify the exact names with `wbinfo -g`.
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
# "read only = yes" is the same parameter as "writeable = no";
# "public = no" duplicated "guest ok = no" and is folded into it.
read only = yes
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root

[INTERFACEDEV]
# Share of the whole /interface tree, writable for C_MIS_Finance_G.
# NOTE(review): this is the parent of /interface/Inovis and /interface/Optiplan,
# which are exported separately with different group lists (C_MIS_EDI, and
# SAPITTech / SAP_Cintas_PP). Through this share C_MIS_Finance_G gets write
# access to both subdirectories without appearing in their lists; only on-disk
# permissions still apply.
# Group prefix CINTAS+ does not match the joined workgroup CINTASFIT; verify
# the exact names with `wbinfo -g`.
path = /interface
valid users = @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_MIS_Finance_G
# "read only = yes" is the same parameter as "writeable = no";
# "public = no" duplicated "guest ok = no" and is folded into it.
read only = yes
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root

[PITNEYBOWDEV]
# Share for /interface_secure/PitneyBowes: read-only except for the write list.
path = /interface_secure/PitneyBowes
# NOTE(review): group prefix CINTAS+ does not match the joined workgroup
# CINTASFIT; verify the exact names with `wbinfo -g`.
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
# "read only = yes" is the same parameter as "writeable = no";
# "public = no" duplicated "guest ok = no" and is folded into it.
read only = yes
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root

[IRSAUDITDEV]
# Share for /interface_secure/IRSAUDITDEV: read-only except for the write list.
path = /interface_secure/IRSAUDITDEV
# NOTE(review): group prefix CINTAS+ does not match the joined workgroup
# CINTASFIT; verify the exact names with `wbinfo -g`.
valid users = @CINTAS+C_Acct_Cptr_App_G, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Cptr_App_G, @CINTAS+C_MIS_Finance_G
# "read only = yes" is the same parameter as "writeable = no";
# "public = no" duplicated "guest ok = no" and is folded into it.
read only = yes
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root

[PNCDEV]
# Share for /interface_secure/PNCDEV: read-only except for the write list.
path = /interface_secure/PNCDEV
# NOTE(review): group prefix CINTAS+ does not match the joined workgroup
# CINTASFIT; verify the exact names with `wbinfo -g`.
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
# "read only = yes" is the same parameter as "writeable = no";
# "public = no" duplicated "guest ok = no" and is folded into it.
read only = yes
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root

[PROJDEVARCH]
# Share for the Projections archive subtree, restricted to C_Acct_Alchemy_AP.
# NOTE(review): the same directory is reachable through [PROJECTNDEV]
# (/interface_secure/Projections, writable for C_MIS_Finance_G and
# C_Acct_Cptr_App_G) and read-only through [INTSECUREDEV], so the narrower
# list here is only enforced if on-disk permissions enforce it too.
# Group prefix CINTAS+ does not match the joined workgroup CINTASFIT; verify
# the exact names with `wbinfo -g`.
path = /interface_secure/Projections/I-780683-1-ECC/Archive
valid users = @CINTAS+C_Acct_Alchemy_AP
write list = @CINTAS+C_Acct_Alchemy_AP
# "read only = yes" is the same parameter as "writeable = no";
# "public = no" duplicated "guest ok = no" and is folded into it.
read only = yes
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root

[PROJECTNDEV]
# Share for /interface_secure/Projections: read-only except for the write list.
# NOTE(review): this tree contains I-780683-1-ECC/Archive, which [PROJDEVARCH]
# exports to C_Acct_Alchemy_AP only. Both groups listed here get change access
# to that subtree through this share; only on-disk permissions still apply.
# Group prefix CINTAS+ does not match the joined workgroup CINTASFIT; verify
# the exact names with `wbinfo -g`.
path = /interface_secure/Projections
valid users = @CINTAS+C_MIS_Finance_G, @CINTAS+C_Acct_Cptr_App_G
write list = @CINTAS+C_MIS_Finance_G, @CINTAS+C_Acct_Cptr_App_G
# "read only = yes" is the same parameter as "writeable = no";
# "public = no" duplicated "guest ok = no" and is folded into it.
read only = yes
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root

[RYANDEV]
# Share for /interface_secure/Ryan: read-only except for the write list.
path = /interface_secure/Ryan
# NOTE(review): group prefix CINTAS+ does not match the joined workgroup
# CINTASFIT; verify the exact names with `wbinfo -g`.
valid users = @CINTAS+C_MIS_Finance_G, @CINTAS+C_Acct_Cptr_App_G
write list = @CINTAS+C_MIS_Finance_G, @CINTAS+C_Acct_Cptr_App_G
# "read only = yes" is the same parameter as "writeable = no";
# "public = no" duplicated "guest ok = no" and is folded into it.
read only = yes
guest ok = no
# Masks are overridden by inherit permissions = yes in [global]
create mask = 0644
directory mask = 0775
admin users = root

krb5.conf

[logging]
# Kerberos library logging. The kdc entries (including kdc_rotate) configure
# a KDC process and are not used on a Samba member server; harmless here.
default = /var/log/samba/krb5.log
kdc = /var/log/samba/krb5.log
kdc_rotate = {
        period = 1d
        version = 5
}

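[libdefaults]
        # Realm names are case-sensitive; must match [realms] and smb.conf "realm"
        default_realm = CINTAS.FIT
        ticket_lifetime = 1d
        # Locate KDCs via DNS SRV records (complements "password server = *")
        dns_lookup_kdc = true
        # Consulted by applications that verify initial credentials against the
        # host keytab (e.g. pam_krb5). With it false, a login can be accepted
        # without that check, which is what a KDC-spoofing attack relies on. The
        # PAM stack shown uses pam_winbind, so it is inert as posted; set it to
        # true if pam_krb5 is ever added.
        verify_ap_req_nofail = false
        # The profile format has no line continuation: in the listing the
        # trailing des3-hmac-sha1 sat on its own line and would not be part of
        # the list. Each value restored to a single line.
        # NOTE(review): des-cbc-crc and des-cbc-md5 are single DES. MIT krb5
        # 1.8+ refuses them unless allow_weak_crypto = true, and Windows Server
        # 2008 R2 and later DCs disable DES by default, so they most likely do
        # nothing here. Drop them, and add aes256-cts-hmac-sha1-96
        # aes128-cts-hmac-sha1-96 once the DCs and this Samba build are
        # confirmed to support AES.
        default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
        default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
        # Seconds; MIT's default is 300. 1000 s widens the replay window for
        # captured authenticators; fix clock sync (NTP) instead of widening it.
        clockskew = 1000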

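[realms]
  # Realm names are case-sensitive. The stanza was keyed "cintas.fit", which
  # never matches default_realm CINTAS.FIT or the [domain_realm] mapping, so
  # the explicit KDC list was ignored and KDC selection silently depended on
  # dns_lookup_kdc alone.
  CINTAS.FIT = {
    kdc = cinw08v100.cintas.fit
    kdc = cinw09v101.cintas.fit
    default_domain = cintas.fit
  }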

[domain_realm]
  # Hosts under the DNS domain, and the bare domain itself, belong to the realm
  .cintas.fit = CINTAS.FIT
  cintas.fit = CINTAS.FIT

[appdefaults]
  # Defaults for pam_krb5. The /etc/pam.conf excerpt in this post only adds
  # pam_winbind lines, so this stanza is not exercised by the stack as posted.
  pam = {
    # UIDs below this are never sent to Kerberos (keeps root/system users local)
    minimum_uid = 500
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    try_first_pass = true
    debug = false
}

/etc/pam.conf

#Added for Samba
# NOTE(review): AIX /etc/pam.conf lines have the form
#   service_name  module_type  control_flag  module_path  options
# The lines below carry no service_name column. If that is how the file really
# reads (and not a trim in the paste), AIX will not attach them to any service;
# they need a service name (OTHER, or the specific services that must accept
# domain logons) in the first column. Also confirm the module path: AIX
# entries normally give the full path of the module.
# "sufficient" returns success without running later modules in the same
# stack. On the account stack that means local account checks (expiry, login
# restrictions) are skipped for any user winbind accepts; confirm that is
# intended.
# use_first_pass makes the module fail if no earlier module collected a
# password. If pam_winbind is the first auth module for the service, use
# try_first_pass or drop the option on the auth line.
auth        sufficient    pam_winbind.so use_first_pass
account     sufficient    pam_winbind.so use_first_pass
password    sufficient    pam_winbind.so use_first_pass
session     optional      pam_winbind.so use_first_pass

/etc/security/user
Changed SYSTEM from "compat" to SYSTEM = "DCE OR DCE[UNAVAIL] AND compat".
(Note: the load module named here, DCE, does not match the WINDBIND stanza shown
in /usr/lib/security/methods.cfg below. The SYSTEM grammar must name the stanza
that defines the winbind module, so unless a DCE stanza exists elsewhere in
methods.cfg the winbind module is never tried; use one consistent name in both
places, e.g. a WINBIND stanza and SYSTEM = "WINBIND OR WINBIND[UNAVAIL] AND compat".)

/usr/lib/security/methods.cfg
WINDBIND:
* NOTE(review): this stanza is named WINDBIND, while /etc/security/user sets
* SYSTEM to "DCE OR DCE[UNAVAIL] AND compat". AIX resolves the names in the
* SYSTEM grammar against stanza names in this file, so unless a DCE stanza
* exists elsewhere the winbind module is never invoked for login. Use one
* consistent name in both places (e.g. WINBIND).
* program and program_64 point at the same object. A 32-bit caller cannot
* load a 64-bit module; confirm the pware64 library is usable from both, or
* supply a 32-bit build for "program".
        program = /opt/pware64/lib/security/WINBIND
        program_64 = /opt/pware64/lib/security/WINBIND
* authonly: the module is used for authentication only, not for user/group
* identification. Domain users and groups therefore need another resolution
* path on this host before directories can be owned by domain groups; this is
* likely related to the shares only working with mode 777.
        options = authonly

* Stock AIX LDAP load module; unrelated to the winbind setup.
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP_64

I’ve been combing the documentation to try and figure this out, but my head
is spinning right now and I just haven’t been able to put things together
to get this to work.

Thanks for any help…

-- 
Jim Thompson
needgod.com

