[Samba] Samba on AIX with security = ads - does it actually work?

Ben Huntsman ben at huntsmans.net
Sun May 23 19:19:22 UTC 2021


Does anyone on here actually use Samba on AIX, with security = ads?

Apologies for the long post, but I wanted to be thorough.

With Windows 10 1709 and higher, they disabled any of the "guest" features.  So basically, in a Windows domain environment, if we don't want to make any changes to the Windows clients, we have to set up Samba as a domain member server and Samba has to be able to accept and validate all the domain users.  There are a few ramifications:

1. All users should be able to browse to \\<aix server hostname> and see all the shares Samba is presenting.

2. Samba should be able to fully authenticate and authorize users via Active Directory entirely even if there is not a local user account set up for that user.  If every AD user might access a share on the AIX Samba server, it would be impractical to add an AIX account to the server for every AD user.

3. So long as we are talking about only one or few AIX servers, the rid backend should be sufficient for mapping users, and we should not require schema extensions to AD or the additional administrative overhead of populating the gid field in AD for every user that might connect to our AIX system.

Do all of those seem reasonable?

I have this set up on AIX 7.1 with Samba 4.12.10.  As you'll see in the configuration below, we have a less-than-ideal security configuration in that all the shares basically have read/write permissions as root.  Unfortunately that is by design, but it is beside the point. The goal here is that any AD user can connect to the AIX system's Samba shares without having to change any default security settings on Windows.

Joining to the AD domain was successful, wbinfo works in pretty much every way I can think of.  But, I can browse the shares only if an AIX account exists that matches the name of the AD user.  If the AIX user doesn't exist, Samba logs show that it successfully authenticates the user, but we get an NT_STATUS_UNSUCCESSFUL and Windows gets an error message.

Here is the smb.conf, with appropriate sanitization:

[global]
lock dir = /var/locks
pid directory = /var/locks
force user = root
read only = no
#log level = 1
log file = /var/log/samba/log.smbd
max log size = 5000k
disable netbios = yes
workgroup = MY
security = ADS
realm = MY.LOCAL.DOMAIN
vfs objects = acl_xattr
map acl inherit = yes
winbind use default domain = yes
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
#map to guest = bad uid
guest account = root
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config NSI : backend = rid
idmap config NSI : range = 10000-999999
template shell = /bin/ksh
template homedir = /home/%U
local master = no
username map = /etc/samba/user.map
### Debug settings ###
max log size = 0
log level = 3
debug pid = yes
debug uid = yes
debug class = yes

[share1]
path = /export/share1


Here is the krb5.conf:

[libdefaults]
        default_realm = MY.LOCAL.DOMAIN
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 aes256-cts aes128-cts arcfour-hmac des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des3-cbc-sha1 aes256-cts aes128-cts arcfour-hmac des-cbc-md5 des-cbc-crc
        dns_lookup_realm = true
        dns_lookup_kdc = true

[realms]
        MY.LOCAL.DOMAIN = {
                kdc = my.local.domain:88
                admin_server = my.local.domain:749
                default_domain = my.local.domain
        }

[domain_realm]
        .my.local.domain = MY.LOCAL.DOMAIN
        my.local.domain = MY.LOCAL.DOMAIN

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log


Here is my stanza from /etc/methods.cfg:

WINBIND:
        program = /opt/freeware/lib/WINBIND.so
        options = debug


And here is an excerpt from the modification to /etc/security/user:

default:
        ...
        SYSTEM = "compat OR WINBIND"
        ...



As I said, share access works fine when the user has a local AIX account.  Here is a log excerpt from when a user doesn't:

[2021/05/23 12:01:25.934788,  3, pid=15007794, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:201(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [MY]\[testuser]@[TESTSERVER] with the new password interface
[2021/05/23 12:01:25.934898,  3, pid=15007794, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:204(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [MY]\[testuser]@[TESTSERVER]
[2021/05/23 12:01:25.935334,  3, pid=15728798, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version)
  winbindd_interface_version: [<unknown> (15007794)]: request interface version (version = 31)
[2021/05/23 12:01:25.935593,  3, pid=15728798, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_misc.c:470(winbindd_priv_pipe_dir)
  winbindd_priv_pipe_dir: [<unknown> (15007794)]: request location of privileged pipe
[2021/05/23 12:01:25.935744,  3, pid=15728798, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_misc.c:483(winbindd_priv_pipe_dir)
  winbindd_priv_pipe_dir: [<unknown> (15007794)]: response location of privileged pipe: (NULL)
[2021/05/23 12:01:25.936158,  3, pid=15728798, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_pam_auth_crap.c:113(winbindd_pam_auth_crap_send)
  [15007794]: pam auth crap domain: [MY] user: testuser
[2021/05/23 12:01:25.941600,  3, pid=15728798, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getpwnam.c:62(winbindd_getpwnam_send)
  winbindd_getpwnam_send: [<unknown> (15007794)] getpwnam my\testuser
[2021/05/23 12:01:25.942593,  3, pid=15007794, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:268(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [testuser] succeeded
[2021/05/23 12:01:25.942859,  3, pid=15007794, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(NULL)] user [MY]\[testuser] at [Sun, 23 May 2021 12:01:25.942750 PDT] with [NTLMv2] status [NT_STATUS_OK] workstation [TESTSERVER] remote host [ipv4:192.168.1.20:62441] became [MY]\[testuser] [S-1-5-21-4249303916-4241796776-1217518425-1681]. local host [ipv4:192.168.1.20:445]
[2021/05/23 12:01:25.943065,  3, pid=15007794, effective(0, 0), real(0, 0)] ../../auth/auth_log.c:485(log_no_json)
  log_no_json: JSON auth logs not available unless compiled with jansson
[2021/05/23 12:01:25.943156,  2, pid=15007794, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:329(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [testuser] -> [testuser] -> [MY\testuser] succeeded
[2021/05/23 12:01:25.943386,  3, pid=15007794, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2021/05/23 12:01:25.943472,  3, pid=15007794, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088215
[2021/05/23 12:01:25.943655,  3, pid=15007794, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2021/05/23 12:01:25.943756,  3, pid=15007794, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088215
[2021/05/23 12:01:25.944042,  3, pid=15728798, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
  winbindd_ping: [<unknown> (15007794)]: ping
[2021/05/23 12:01:25.945318,  3, pid=15728798, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getpwuid.c:52(winbindd_getpwuid_send)
  winbindd_getpwuid_send: [<unknown> (15007794)] getpwuid 11681
[2021/05/23 12:01:25.949845,  0, pid=15007794, effective(0, 0), real(0, 0)] ../../source3/lib/system_smbd.c:226(getgroups_unix_user)
  get_user_groups: failed to get the unix group list
[2021/05/23 12:01:25.950012,  1, pid=15007794, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:601(add_local_groups)
  getgroups_unix_user for user testuser failed
[2021/05/23 12:01:25.950103,  3, pid=15007794, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
  Failed to add local groups
[2021/05/23 12:01:25.950218,  3, pid=15007794, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3280(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_UNSUCCESSFUL] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/05/23 12:01:25.962375,  3, pid=15007794, effective(0, 0), real(0, 0)] ../../source3/smbd/server_exit.c:250(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)


And here is the debug output from WINBIND.so (via the /etc/methods.cfg and AIX LAM system):

open name='WINBIND' mode=0 domain='' options='debug'
getpwnam 'my\testuser'
getpwnam gave ptr 300b37d8
open name='WINBIND' mode=0 domain='' options='debug'
getpwuid '11681'
getpwuid gave ptr 300b8288
open name='WINBIND' mode=0 domain='' options='debug'
getgrset 'testuser'
open name='WINBIND' mode=0 domain='' options='debug'
getgrset 'testuser'
open name='WINBIND' mode=0 domain='' options='debug'
getpwnam 'my\testuser'
getpwnam gave ptr 300b37d8
open name='WINBIND' mode=0 domain='' options='debug'
getpwuid '11681'
getpwuid gave ptr 300b9aa8
open name='WINBIND' mode=0 domain='' options='debug'
getgrset 'testuser'
open name='WINBIND' mode=0 domain='' options='debug'
getgrset 'testuser'


My suspicion here is that this is a problem with the AIX NSS LAM stuff and WINBIND.so.  It appears that Samba and winbind aren't coming up with a proper list of groups or gids when a user doesn't have any AIX groups.  But clearly, it is able to know that the user is a valid and authenticated AD user.

As I don't care who writes the files on AIX, I'd even be fine with an override to force users to appear to belong to the AIX group 'staff'.  Either way, this is a showstopper for letting AD users who don't have a local AIX account access the AIX system.

But regardless, has anyone seen this behavior?  Does this correspond exactly to bug #14230: https://bugzilla.samba.org/show_bug.cgi?id=14230


This is a huge issue for us, and I can't thank you enough for any assistance!

-Ben
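A small log checker, added here as an example and not part of Ben's post or of Samba itself, that groups the level-3 smbd records above by pid and flags sessions where winbind authentication succeeded but the Unix group lookup (getgroups_unix_user) failed before session setup. The sample text is constructed from the excerpt in the message.

```python
import re
from collections import defaultdict

# Samba debug record header: [timestamp, level, pid=N, ...] file:line(function)
HEADER = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+)[^\]]*\]\s*\S+\((?P<func>\w+)\)")
AUTH_OK = re.compile(r"winbind authentication for user \[(?P<user>[^\]]+)\] succeeded")
GROUPS_FAIL = re.compile(r"getgroups_unix_user for user \S+ failed")
SESSION_STATUS = re.compile(r"status\[(?P<status>NT_STATUS_\w+)\].*smb2_sesssetup")

def parse_records(text):
    """Join each header line with its indented continuation lines -> (pid, func, msg)."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group("pid"), m.group("func"), ""])
        elif records and line.startswith(" "):
            records[-1][2] += line.strip() + " "
    return [tuple(r) for r in records]

def diagnose(text):
    """Per smbd pid: flag sessions that authenticated but failed the Unix group lookup."""
    state = defaultdict(lambda: {"user": None, "auth_ok": False,
                                 "groups_failed": False, "status": None})
    for pid, _func, msg in parse_records(text):
        s = state[pid]
        if m := AUTH_OK.search(msg):
            s["user"], s["auth_ok"] = m.group("user"), True
        elif GROUPS_FAIL.search(msg):
            s["groups_failed"] = True
        elif m := SESSION_STATUS.search(msg):
            s["status"] = m.group("status")
    return [f"pid {pid}: {s['user']} authenticated via winbind but getgroups_unix_user "
            f"failed; session setup returned {s['status']}"
            for pid, s in state.items() if s["auth_ok"] and s["groups_failed"]]

# Constructed sample, reduced from the log excerpt in the message above.
SAMPLE = """\
[2021/05/23 12:01:25.942593,  3, pid=15007794, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:268(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [testuser] succeeded
[2021/05/23 12:01:25.949845,  0, pid=15007794, effective(0, 0), real(0, 0)] ../../source3/lib/system_smbd.c:226(getgroups_unix_user)
  get_user_groups: failed to get the unix group list
[2021/05/23 12:01:25.950012,  1, pid=15007794, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:601(add_local_groups)
  getgroups_unix_user for user testuser failed
[2021/05/23 12:01:25.950218,  3, pid=15007794, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3280(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_UNSUCCESSFUL] || at ../../source3/smbd/smb2_sesssetup.c:146
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

Run it against a full log.smbd captured at log level 3 to separate a winbind authentication failure from the post-authentication group enumeration failure seen here.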
