[Samba] Samba on AIX with security = ads - does it actually work?
Rowland penny
rpenny at samba.org
Sun May 23 21:57:21 UTC 2021
On 23/05/2021 22:17, Ben Huntsman wrote:
> Hi there, and thank you for the reply! Very much appreciated!
>
> >Ah, I begin to see the light, you want to use the users in /etc/passwd
> >and AD, well, if so, then stop there, you cannot have the same user in
> >/etc/passwd and in AD. Further to this, Samba will not know who the
> >users in /etc/passwd are.
>
> Right, I want the AD users to *not* be in /etc/passwd. What I'm
> saying is that if I don't put them in there, then they can't connect
> to the server via \\<aix host name> at all.
I have never used AIX, but it sounds like you are missing the AIX
versions of the Debian packages libnss-winbind and libpam-winbind and/or
winbind isn't running. By using the 'rid' backend it should just work,
the other thing is, does AIX have /etc/nsswitch.conf and is it set
correctly ?
>
>
> >You might use root by design, but can I introduce you to the concept of
> >security ? Also this isn't how AD works.
>
> Agreed, but this isn't part of the actual issue at hand. I will
> tighten up security but I want to get basic connectivity working first.
Understood
>
>
> >Is the workgroup 'MY' or 'NSI' ? They should match.
>
> Apparently I missed one, but I was trying to sanitize the logs so it
> didn't contain specifics of my environment. They should have all said
> 'MY' in the examples I posted. The configuration provided works
> perfectly for users who are in AD and also have a matching AIX account.
Then it isn't working, the AIX users will be used before the AD users if
they are the same username, you do not need the users in /etc/passwd.
>
>
> >Are you aware that the share shown is read only ?
>
> Yes, but I also have "read only = no" in the [global] section.
Not a good idea, that sets it for all shares, just set it in the shares.
> Regardless, the individual shares are beside the point. Right now AD
> users not in /etc/passwd can't even get to \\<aix host name> whereas
> users in /etc/passwd (with matching AD accounts) can.
Going round in circles here, you need to fix the links, try reading this:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC#Libnss_winbind_Links
>
> I followed those two links you sent as closely as I was able given
> that they are written for Linux and not AIX. AIX has no nsswitch.conf
> and uses the stanza in /etc/methods.cfg I provided for the same
> purpose. But, I didn't see in those articles an answer to why Samba
> realizes that the user is valid but we still get an
> NT_STATUS_UNSUCCESSFUL when the user doesn't have an AIX account.
> Security ramifications aside, my read of the documentation suggests
> that my configs as provided should work. I feel like I'm missing
> something very AIX-specific here, or that this is a bug...
>
> Thanks again, and I look forward to getting to the bottom of this!
>
Ah, we need someone who does use AIX, I can only tell you how to use
Samba on Debian etc.
Rowland
More information about the samba
mailing list