[Samba] Samba 4.10.6-1 Configuration on AIX

Bob Wyatt bwyatt_sub at comcast.net
Fri Feb 7 04:08:31 UTC 2020


Sorry... A couple more questions...

I've installed krb5-libs and krb-workstation... this is all I need?
I ask because the krb5 config file was not created on the system...
One was "installed" to /opt/freeware/etc/krb5.conf, which could be copied over...

Do I need to install samba-winbind-krb5-locator?

Thank you for everything!

Regards,

Bob Wyatt
-----Original Message-----
From: Bob Wyatt <bwyatt_sub at comcast.net> 
Sent: Thursday, February 6, 2020 9:27 PM
To: 'Rowland penny' <rpenny at samba.org>; 'sambalist' <samba at lists.samba.org>
Subject: RE: [Samba] Samba 4.10.6-1 Configuration on AIX

Thanks again for the continued help...

Current thinking is using rid for the backend does not place any new administrative functions on the staff - agree?
Begs questions of what is being written in smbpasswd, and do we have administrative work on AIX?
Such as adding users and a group or two in the range specified for idmap? A mapping "table"?

If rid is hands-off administration, that's likely the way they want to go.

Going with rid - security is still ads?

Thanks again!

Bob Wyatt

-----Original Message-----
From: Rowland penny <rpenny at samba.org> 
Sent: Wednesday, February 5, 2020 4:11 PM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] Samba 4.10.6-1 Configuration on AIX

On 05/02/2020 20:00, Bob Wyatt wrote:
> Thanks to you and Louis for your guidance.
> I really apologize for my lack of knowledge of AD and Samba; and I appreciate your patience and willingness to help.
> And I apologize for not trimming the reply - don't know how much to retain...
>
> The referenced document seems to be leveraging domain services that we're not using.
> We are only using AD user authentication to access shares on AIX.
> No single sign-on, no user administration/manipulation anywhere, no printer sharing.
>
> Kerberos shouldn’t be required, which one might think also means the imap settings shouldn’t be required.

Perhaps you should tell Microsoft that ;-)

> Although they may eventually embrace NTP, it is not configured today; without Kerberos, it isn’t required.
> We're not wanting to save any user credentials necessary in AIX to acquire access to the shares in AIX.

No, sorry, but your client needs to have the same time as the DC (+/- 5 mins), so if you haven't installed an NTP client, I suggest you do.

>
> Testing DNS, everything is good until the "set type=SRV" _ldap_... test; it fails.
> Kerberos is not installed on AIX.

Then install the AIX versions of the kerberos client packages, but do not install a kerberos server (kdc), that is on your DC.

>
> The server name (hostname) was changed from the old FQDN to the new FQDN, and the /etc/hosts file was updated.
> The security was changed from domain to ADS.
>
> Testparm still reports the imap errors (see below).

That is because you still haven't got the correct 'idmap config' lines.

Do you have, or want to have, rfc2307 attributes in AD? If so, read this:

https://wiki.samba.org/index.php/Idmap_config_ad

If you haven't any rfc2307 attributes and do not want to add them, see here:

https://wiki.samba.org/index.php/Idmap_config_rid
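
Added example (not part of the original thread and not Samba's own code): a small Python check for the 'idmap config' lines that testparm complains about above, together with the algorithmic mapping the rid backend applies, ID = RID - BASE_RID + LOW_RANGE_ID, as given in the idmap_rid manual page. The domain name SAMDOM, the realm, both ranges and the function names are assumptions made for illustration.

```python
import re

# Constructed sample [global] section; SAMDOM and both ranges are placeholders.
SAMPLE_CONF = """
[global]
    security = ads
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def check_idmap(conf):
    """List problems: no default domain, missing backend/range, overlapping ranges."""
    domains, problems, ranges = parse_idmap(conf), [], []
    if "*" not in domains:
        problems.append("no default 'idmap config * :' domain")
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: backend not set")
        if "range" not in opts:
            problems.append(f"{dom}: range not set")
            continue
        low, high = (int(x) for x in opts["range"].split("-"))
        ranges.append((low, high, dom))
    ranges.sort()
    for (_, h1, d1), (l2, _, d2) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            problems.append(f"ranges of {d1} and {d2} overlap")
    return problems

def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None
```

With the sample ranges, a domain account whose RID is 1104 always maps to Unix ID 11104 on every member that uses the same range, so the rid backend keeps no per-user mapping table.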







