[Samba] Samba on AIX with security = ads - does it actually work?
rpenny at samba.org
Sun May 23 21:57:21 UTC 2021
On 23/05/2021 22:17, Ben Huntsman wrote:
> Hi there, and thank you for the reply! Very much appreciated!
> >Ah, I begin to see the light, you want to use the users in /etc/passwd
> >and AD, well, if so, then stop there, you cannot have the same user in
> >/etc/passwd and in AD. Further to this, Samba will not know who the
> >users in /etc/passwd are.
> Right, I want the AD users to *not* be in /etc/passwd. What I'm
> saying is that if I don't put them in there, then they can't connect
> to the server via \\<aix host name> at all.
I have never used AIX, but it sounds like you are missing the AIX
versions of the Debian packages libnss-winbind and libpam-winbind and/or
winbind isn't running. By using the 'rid' backend it should just work,
the other thing is, does AIX have /etc/nsswitch.conf and is it set
> >You might use root by design, but can I introduce you to the concept of
> >security? Also this isn't how AD works.
> Agreed, but this isn't part of the actual issue at hand. I will
> tighten up security but I want to get basic connectivity working first.
> >Is the workgroup 'MY' or 'NSI'? They should match.
> Apparently I missed one, but I was trying to sanitize the logs so it
> didn't contain specifics of my environment. They should have all said
> 'MY' in the examples I posted. The configuration provided works
> perfectly for users who are in AD and also have a matching AIX account.
Then it isn't working; the AIX users will be used before the AD users if
they are the same username. You do not need the users in /etc/passwd.
> >Are you aware that the share shown is read only?
> Yes, but I also have "read only = no" in the [global] section.
Not a good idea; that sets it for all shares. Just set it in the shares.
> Regardless, the individual shares are beside the point. Right now AD
> users not in /etc/passwd can't even get to \\<aix host name> whereas
> users in /etc/passwd (with matching AD accounts) can.
Going round in circles here, you need to fix the links, try reading this:
> I followed those two links you sent as closely as I was able given
> that they are written for Linux and not AIX. AIX has no nsswitch.conf
> and uses the stanza in /etc/methods.cfg I provided for the same
> purpose. But, I didn't see in those articles an answer to why Samba
> realizes that the user is valid but we still get an
> NT_STATUS_UNSUCCESSFUL when the user doesn't have an AIX account.
> Security ramifications aside, my read of the documentation suggests
> that my configs as provided should work. I feel like I'm missing
> something very AIX-specific here, or that this is a bug...
> Thanks again, and I look forward to getting to the bottom of this!
Ah, we need someone who does use AIX, I can only tell you how to use
Samba on Debian etc.
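
An added example, not part of the original message or of Samba itself: a small lint for the two smb.conf points raised above, write access enabled in [global] and a workgroup name that does not match. It assumes the name that should match the workgroup is the domain in the 'idmap config <DOMAIN> : backend' line; the sample file, paths and ranges are constructed.

```python
import configparser
import re

# Constructed sample for illustration, not the poster's real smb.conf.
SAMPLE = """\
[global]
    security = ads
    workgroup = MY
    read only = no
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config NSI : backend = rid
    idmap config NSI : range = 10000-999999
[data]
    path = /srv/data
[archive]
    path = /srv/archive
    read only = yes
"""

# (parameter, value that enables writing); writeable/writable invert 'read only'.
WRITE_ENABLING = {("read only", False), ("writeable", True), ("writable", True)}
TRUE_WORDS = {"yes", "true", "1"}


def lint_smb_conf(text):
    """Return (code, detail) findings for the two points raised in the reply."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = lambda key: " ".join(key.lower().split())
    # Strip indentation so configparser does not treat lines as continuations.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    if not cp.has_section("global"):
        return [("no-global", "")]
    glob, findings = cp["global"], []

    # 1. Write access switched on in [global] is inherited by every share
    #    that does not set the parameter itself; list those shares.
    for key, enabling in WRITE_ENABLING:
        if key in glob and (glob[key].lower() in TRUE_WORDS) == enabling:
            inherits = [s for s in cp.sections() if s != "global"
                        and not any(k in cp[s] for k, _ in WRITE_ENABLING)]
            findings.append(("global-writable", ",".join(inherits)))

    # 2. Assumption: the workgroup should have its own idmap config domain.
    workgroup = glob.get("workgroup", "").upper()
    domains = {m.group(1).upper() for k in glob
               if (m := re.fullmatch(r"idmap config (\S+) ?: ?backend", k))}
    if workgroup and workgroup not in domains:
        findings.append(("idmap-domain-mismatch", ",".join(sorted(domains - {"*"}))))
    return findings
```

On the constructed sample it reports that [data] inherits the global write setting and that the only per-domain idmap entry is for NSI rather than MY.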