[Samba] Samba on AIX with security = ads - does it actually work?

Rowland penny rpenny at samba.org
Sun May 23 19:54:27 UTC 2021


On 23/05/2021 20:19, Ben Huntsman via samba wrote:
> Does anyone on here actually use Samba on AIX, with security = ads?


Probably, but the OS shouldn't matter, it should work.

>
> Apologies for the long post, but I wanted to be thorough.
>
> With Windows 10 1709 and higher, they disabled any of the "guest" features.  So basically, in a Windows domain environment, if we don't want to make any changes to the Windows clients, we have to set up Samba as a domain member server and Samba has to be able to accept and validate all the domain users.  There are a few ramifications:
>
> 1. All users should be able to browse to \\<aix server hostname> and see all the shares Samba is presenting.


This is correct.

>
> 2. Samba should be able to fully authenticate and authorize users via Active Directory entirely even if there is not a local user account set up for that user.  If every AD user might access a share on the AIX Samba server, it would be impractical to add an AIX account to the server for every AD user.


Ah, I begin to see the light, you want to use the users in /etc/passwd 
and AD, well, if so, then stop there, you cannot have the same user in 
/etc/passwd and in AD. Further to this, Samba will not know who the 
users in /etc/passwd are.

>
> 3. So long as we are talking about only one or few AIX servers, the rid backend should be sufficient for mapping users, and we should not require schema extensions to AD or the additional administrative overhead of populating the gid field in AD for every user that might connect to our AIX system.


You don't actually have to extend the schema, all the rfc2307 attributes 
are in the AD schema as standard. If all your users and groups are in 
AD, then the rid backend will make them Unix users and groups.

>
> Do all of those seem reasonable?
>
> I have this set up on AIX 7.1 with Samba 4.12.10.  As you'll see in the configuration below, we have a less-than-ideal security configuration in that all the shares basically have read/write permissions as root.  Unfortunately that is by design, but it is beside the point. The goal here is that any AD user can connect to the AIX system's Samba shares without having to change any default security settings on Windows.


You might use root by design, but can I introduce you to the concept of 
security? Also this isn't how AD works.

Can I suggest you read this: 
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

It might also help if you read this: 
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member


>
> Joining to the AD domain was successful, wbinfo works in pretty much every way I can think of.  But, I can browse the shares only if an AIX account exists that matches the name of the AD user.  If the AIX user doesn't exist, Samba logs show that it successfully authenticates the user, but we get an NT_STATUS_UNSUCCESSFUL and Windows gets an error message.
>
> Here is the smb.conf, with appropriate sanitization:
>
> [global]
> lock dir = /var/locks
> pid directory = /var/locks
> force user = root
> read only = no
> #log level = 1
> log file = /var/log/samba/log.smbd
> max log size = 5000k
> disable netbios = yes
> workgroup = MY
> security = ADS
> realm = MY.LOCAL.DOMAIN
> vfs objects = acl_xattr
> map acl inherit = yes
> winbind use default domain = yes
> winbind nested groups = yes
> winbind enum users = yes
> winbind enum groups = yes
> #map to guest = bad uid
> guest account = root
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config NSI : backend = rid
> idmap config NSI : range = 10000-999999
> template shell = /bin/ksh
> template homedir = /home/%U
> local master = no
> username map = /etc/samba/user.map
> ### Debug settings ###
> max log size = 0
> log level = 3
> debug pid = yes
> debug uid = yes
> debug class = yes
>
> [share1]
> path = /export/share1
>
>

Is the workgroup 'MY' or 'NSI'? They should match.

Are you aware that the share shown is read only?

If you have any further questions, please feel free to ask.

Rowland
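As an added example, not part of this thread or of Samba's own tooling: a short Python lint that checks a domain-member smb.conf for the points raised above (workgroup versus idmap domain name, overlapping idmap ranges, and root used as force user or guest account). The sample smb.conf is constructed to resemble the one posted, not copied from it.

```python
import re
from configparser import ConfigParser
# Constructed sample modelled on the thread's smb.conf (not the poster's file).
SAMPLE_CONF = """\
[global]
force user = root
guest account = root
workgroup = MY
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config NSI : backend = rid
idmap config NSI : range = 10000-999999
"""
IDMAP_RE = re.compile(r"^idmap config (\S+) : (backend|range)$")

def parse_smb_conf(text):
    # Keys are lower-cased with whitespace collapsed, as testparm normalises them.
    cp = ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def idmap_domains(global_sec):
    # -> {"NSI": {"backend": "rid", "range": (10000, 999999)}, "*": {...}}
    doms = {}
    for key, value in global_sec.items():
        m = IDMAP_RE.match(key)
        if m:
            dom, what = m.group(1).upper(), m.group(2)
            if what == "range":
                value = tuple(int(x) for x in value.split("-"))
            doms.setdefault(dom, {})[what] = value
    return doms

def lint(conf):
    # Returns a list of findings; an empty list means every check passed.
    g, findings = conf.get("global", {}), []
    if g.get("force user") == "root":
        findings.append("force user = root: all clients write as root; use Windows ACLs instead")
    if g.get("guest account") == "root":
        findings.append("guest account = root: any guest mapping would run as root")
    doms = idmap_domains(g)
    wg = g.get("workgroup", "").upper()
    if wg and wg not in doms:
        findings.append(f"workgroup {wg} has no idmap config block (found {sorted(doms)})")
    ranges = [(d, r["range"]) for d, r in doms.items() if "range" in r]
    for i, (d1, (lo1, hi1)) in enumerate(ranges):
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"idmap ranges for {d1} and {d2} overlap")
    return findings
```

Run `lint(parse_smb_conf(SAMPLE_CONF))` to see the three findings for the sample; a config whose rid block is named after the workgroup and that does not force root returns an empty list.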
