[Samba] Samba on AIX with security = ads - does it actually work?

Ben Huntsman ben at huntsmans.net
Sun May 23 21:17:09 UTC 2021


Hi there, and thank you for the reply!  Very much appreciated!

>Ah, I begin to see the light, you want to use the users in /etc/passwd
>and AD, well, if so, then stop there, you cannot have the same user in
>/etc/passwd and in AD. Further to this, Samba will not know who the
>users in /etc/passwd are.

Right, I want the AD users to *not* be in /etc/passwd.  What I'm saying is that if I don't put them in there, then they can't connect to the server via \\<aix host name> at all.


>You might use root by design, but can I introduce you to the concept of
>security ? Also this isn't how AD works.

Agreed, but this isn't part of the actual issue at hand.  I will tighten up security but I want to get basic connectivity working first.


>Is the workgroup 'MY' or 'NSI' ? They should match.

Apparently I missed one, but I was trying to sanitize the logs so it didn't contain specifics of my environment.  They should have all said 'MY' in the examples I posted.  The configuration provided works perfectly for users who are in AD and also have a matching AIX account.


>Are you aware that the share shown is read only ?

Yes, but I also have "read only = no" in the [global] section.  Regardless, the individual shares are beside the point.  Right now AD users not in /etc/passwd can't even get to \\<aix host name> whereas users in /etc/passwd (with matching AD accounts) can.

I followed those two links you sent as closely as I was able given that they are written for Linux and not AIX.  AIX has no nsswitch.conf and uses the stanza in /etc/methods.cfg I provided for the same purpose.  But, I didn't see in those articles an answer to why Samba realizes that the user is valid but we still get an NT_STATUS_UNSUCCESSFUL when the user doesn't have an AIX account.  Security ramifications aside, my read of the documentation suggests that my configs as provided should work.  I feel like I'm missing something very AIX-specific here, or that this is a bug...

Thanks again, and I look forward to getting to the bottom of this!

-Ben




________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny via samba <samba at lists.samba.org>
Sent: Sunday, May 23, 2021 12:54 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Samba on AIX with security = ads - does it actually work?

On 23/05/2021 20:19, Ben Huntsman via samba wrote:
> Does anyone on here actually use Samba on AIX, with security = ads?


Probably, but the OS shouldn't matter, it should work.

>
> Apologies for the long post, but I wanted to be thorough.
>
> With Windows 10 1709 and higher, they disabled any of the "guest" features.  So basically, in a Windows domain environment, if we don't want to make any changes to the Windows clients, we have to set up Samba as a domain member server and Samba has to be able to accept and validate all the domain users.  There are a few ramifications:
>
> 1. All users should be able to browse to \\<aix server hostname> and see all the shares Samba is presenting.


this is correct.

>
> 2. Samba should be able to fully authenticate and authorize users via Active Directory entirely even if there is not a local user account set up for that user.  If every AD user might access a share on the AIX Samba server, it would be impractical to add an AIX account to the server for every AD user.


Ah, I begin to see the light, you want to use the users in /etc/passwd
and AD, well, if so, then stop there, you cannot have the same user in
/etc/passwd and in AD. Further to this, Samba will not know who the
users in /etc/passwd are.

>
> 3. So long as we are talking about only one or few AIX servers, the rid backend should be sufficient for mapping users, and we should not require schema extensions to AD or the additional administrative overhead of populating the gid field in AD for every user that might connect to our AIX system.


You don't actually have to extend the schema, all the rfc2307 attributes
are in the AD schema as standard. If all your users and groups are in
AD, then the rid backend will make them Unix users and groups.

>
> Do all of those seem reasonable?
>
> I have this set up on AIX 7.1 with Samba 4.12.10.  As you'll see in the configuration below, we have a less-than-ideal security configuration in that all the shares basically have read/write permissions as root.  Unfortunately that is by design, but it is beside the point. The goal here is that any AD user can connect to the AIX system's Samba shares without having to change any default security settings on Windows.


You might use root by design, but can I introduce you to the concept of
security ? Also this isn't how AD works.

Can I suggest you read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

It might also help if you read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member


>
> Joining to the AD domain was successful, wbinfo works in pretty much every way I can think of.  But, I can browse the shares only if an AIX account exists that matches the name of the AD user.  If the AIX user doesn't exist, Samba logs show that it successfully authenticates the user, but we get an NT_STATUS_UNSUCCESSFUL and Windows gets an error message.
>
> Here is the smb.conf, with appropriate sanitization:
>
> [global]
> lock dir = /var/locks
> pid directory = /var/locks
> force user = root
> read only = no
> #log level = 1
> log file = /var/log/samba/log.smbd
> max log size = 5000k
> disable netbios = yes
> workgroup = MY
> security = ADS
> realm = MY.LOCAL.DOMAIN
> vfs objects = acl_xattr
> map acl inherit = yes
> winbind use default domain = yes
> winbind nested groups = yes
> winbind enum users = yes
> winbind enum groups = yes
> #map to guest = bad uid
> guest account = root
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config NSI : backend = rid
> idmap config NSI : range = 10000-999999
> template shell = /bin/ksh
> template homedir = /home/%U
> local master = no
> username map = /etc/samba/user.map
> ### Debug settings ###
> max log size = 0
> log level = 3
> debug pid = yes
> debug uid = yes
> debug class = yes
>
> [share1]
> path = /export/share1
>
>

Is the workgroup 'MY' or 'NSI' ? They should match.

Are you aware that the share shown is read only ?

If you have any further questions, please feel free to ask.

Rowland
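The two configuration problems Rowland points at above (an `idmap config` block named after a domain that is not the configured workgroup, and shares that run as root) are easy to miss by eye in a long smb.conf. The script below is an added example, not code from the Samba project or from either poster: it parses an smb.conf of the shape quoted in the thread and reports the consistency checks a domain-member configuration should pass. The embedded sample is a constructed, shortened copy of the quoted config; the parser, the `check_domain_member` function and its finding texts are this example's own, not a Samba API.

```python
"""
Consistency checks for the smb.conf of a Samba AD domain member.
Added example; assumes only the standard smb.conf INI-like syntax.
"""
import re

# Constructed sample, shortened from the config quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
force user = root
read only = no
workgroup = MY
security = ADS
realm = MY.LOCAL.DOMAIN
winbind use default domain = yes
guest account = root
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config NSI : backend = rid
idmap config NSI : range = 10000-999999
template shell = /bin/ksh
template homedir = /home/%U

[share1]
path = /export/share1
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {parameter: value}}.

    Parameter names are lowercased and internal whitespace collapsed, since
    Samba treats them case-insensitively; a repeated parameter keeps the
    last value, as smbd does.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", " ", key.strip().lower())
            sections[current][key] = value.strip()
    return sections


def idmap_domains(global_section):
    """Collect 'idmap config DOMAIN : backend/range' into {DOMAIN: {...}}."""
    domains = {}
    for key, value in global_section.items():
        m = re.match(r"idmap config (\S+) : (backend|range)$", key)
        if not m:
            continue
        dom, param = m.group(1).upper(), m.group(2)
        entry = domains.setdefault(dom, {"backend": None, "range": None})
        if param == "backend":
            entry["backend"] = value.lower()
        else:
            lo, hi = (int(x) for x in value.split("-"))
            entry["range"] = (lo, hi)
    return domains


def check_domain_member(conf):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    g = conf.get("global", {})
    workgroup = g.get("workgroup", "").upper()
    domains = idmap_domains(g)

    # The per-domain idmap block must carry the workgroup's name; any other
    # name is never consulted for the domain's users.
    if workgroup and workgroup not in domains:
        findings.append(f"no 'idmap config {workgroup}' block for the workgroup")
    for dom in domains:
        if dom not in ("*", workgroup):
            findings.append(f"'idmap config {dom}' does not match workgroup '{workgroup}'")

    # The '*' default domain needs both a backend and a range.
    star = domains.get("*")
    if not star or star["backend"] is None or star["range"] is None:
        findings.append("'idmap config *' needs both a backend and a range")

    # ID ranges of different domains must not overlap.
    ranges = [(d, e["range"]) for d, e in domains.items() if e["range"]]
    for i, (d1, (a1, b1)) in enumerate(ranges):
        for d2, (a2, b2) in ranges[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                findings.append(f"idmap ranges of {d1} and {d2} overlap")

    # Running shares (or guests) as root hands every client root on the filesystem.
    for key in ("force user", "guest account"):
        if g.get(key, "").lower() == "root":
            findings.append(f"'{key} = root' gives every connecting user root privileges")
    return findings


if __name__ == "__main__":
    for finding in check_domain_member(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("-", finding)
```

Run against the sample, the script reports the missing `idmap config MY` block, the stray `idmap config NSI` block, and the two root settings; renaming the `NSI` block to `MY` leaves only the root findings, which is the state the thread's configuration should reach before the security clean-up Rowland suggests.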


