[Samba] Samba on AIX with security = ads - does it actually work?

John P Janosik jpjanosi at us.ibm.com
Mon May 24 13:14:08 UTC 2021


> On 23/05/2021 22:57, Rowland penny via samba wrote:
> > On 23/05/2021 22:17, Ben Huntsman wrote:
> >> Hi there, and thank you for the reply!  Very much appreciated!
> >>
> >> >Ah, I begin to see the light, you want to use the users in /etc/passwd
> >> >and AD, well, if so, then stop there, you cannot have the same user in
> >> >/etc/passwd and in AD. Further to this, Samba will not know who the
> >> >users in /etc/passwd are.
> >>
> >> Right, I want the AD users to *not* be in /etc/passwd.  What I'm 
> >> saying is that if I don't put them in there, then they can't connect 
> >> to the server via \\<aix host name> at all.
> >
> >
> > I have never used AIX, but it sounds like you are missing the AIX 
> > versions of the Debian packages libnss-winbind and libpam-winbind 
> > and/or winbind isn't running. By using the 'rid' backend it should 
> > just work, the other thing is, does AIX have /etc/nsswitch.conf and is 
> > it set correctly ?
> >
> >>
> >>
> >> >You might use root by design, but can I introduce you to the concept of
> >> >security ? Also this isn't how AD works.
> >>
> >> Agreed, but this isn't part of the actual issue at hand.  I will 
> >> tighten up security but I want to get basic connectivity working first.
> >
> >
> > Understood
> >
> >
> >>
> >>
> >> >Is the workgroup 'MY' or 'NSI' ? They should match.
> >>
> >> Apparently I missed one, but I was trying to sanitize the logs so it 
> >> didn't contain specifics of my environment.  They should have all 
> >> said 'MY' in the examples I posted.  The configuration provided works 
> >> perfectly for users who are in AD and also have a matching AIX account.
> >
> >
> > Then it isn't working, the AIX users will be used before the AD users 
> > if they are the same username, you do not need the users in /etc/passwd.
> >
> >>
> >>
> >> >Are you aware that the share shown is read only ?
> >>
> >> Yes, but I also have "read only = no" in the [global] section.
> >
> >
> > Not a good idea, that sets it for all shares, just set it in the shares.
> >
> >>  Regardless, the individual shares are beside the point.  Right now 
> >> AD users not in /etc/passwd can't even get to \\<aix host name> 
> >> whereas users in /etc/passwd (with matching AD accounts) can.
> >
> >
> > Going round in circles here, you need to fix the links, try reading this:
> >
> > https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC#Libnss_winbind_Links
> >
> >
> >>
> >> I followed those two links you sent as closely as I was able given 
> >> that they are written for Linux and not AIX.  AIX has no 
> >> nsswitch.conf and uses the stanza in /etc/methods.cfg I provided for 
> >> the same purpose.  But, I didn't see in those articles an answer to 
> >> why Samba realizes that the user is valid but we still get an 
> >> NT_STATUS_UNSUCCESSFUL when the user doesn't have an AIX account. 
> >>  Security ramifications aside, my read of the documentation suggests 
> >> that my configs as provided should work.  I feel like I'm missing 
> >> something very AIX-specific here, or that this is a bug...
> >>
> >> Thanks again, and I look forward to getting to the bottom of this!
> >>
> > Ah, we need someone who does use AIX, I can only tell you how to use 
> > Samba on Debian etc.
> >

Look at the default value of "registry" in /etc/security/user, that 
specifies which method from /etc/methods.cfg will be used for user lookup. 
Watch out if you change the default to WINBIND to make sure you override 
that back to the old setting on a per-user stanza basis for non-AD users 
on the system.

> >
> > Rowland
> >
> >
> >
> 
> And that someone seems to be Bjorn Jacke, try looking at this: 
> https://www.youtube.com/watch?v=FwQpcnb-jTs
> 
> Rowland
> 
> 
> 

John Janosik
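A check for the per-user override John describes above, added here as an example and not part of the thread or of Samba's own tooling: it parses a file in the /etc/security/user stanza layout (assumed: a `name:` line opens a stanza, attributes are indented `attr = value` lines, lines beginning with `*` are comments), resolves each account's effective `registry` (own stanza, else the `default` stanza), and lists the local accounts from a passwd-style file that would be looked up through WINBIND once the default has been switched. The two sample files are constructed inline and do not come from any real host.

```shell
#!/bin/sh
# Added example: report local accounts whose effective "registry" is not
# "files" after the default stanza in /etc/security/user has been switched
# to WINBIND. Assumed stanza-file layout: "name:" opens a stanza, attributes
# are indented "attr = value" lines, lines starting with "*" are comments.

# Effective registry for one user: the user's own stanza wins, otherwise the
# default stanza, otherwise "unset". Usage: registry_for_user FILE USER
registry_for_user() {
    awk -v user="$2" '
        /^\*/ || /^[ \t]*$/ { next }                 # comments and blank lines
        /^[^ \t].*:[ \t]*$/ {                        # "name:" opens a stanza
            stanza = $0; sub(/:[ \t]*$/, "", stanza); next
        }
        /^[ \t]+registry[ \t]*=/ {                   # registry attribute line
            v = $0
            sub(/^[ \t]+registry[ \t]*=[ \t]*/, "", v)
            sub(/[ \t]*$/, "", v)
            if (stanza == "default") def = v
            else if (stanza == user) own = v
        }
        END { print (own != "" ? own : (def != "" ? def : "unset")) }
    ' "$1"
}

# Print "user registry" for every account in a passwd-style file whose
# effective registry is not "files".
# Usage: local_users_not_on_files USERFILE PASSWDFILE
local_users_not_on_files() {
    cut -d: -f1 "$2" | while read -r u; do
        r=$(registry_for_user "$1" "$u")
        [ "$r" = "files" ] || printf '%s %s\n' "$u" "$r"
    done
}

# Constructed sample of /etc/security/user: default switched to WINBIND,
# root overridden back to files, the local service account forgotten.
SAMPLE_USER=$(mktemp)
cat > "$SAMPLE_USER" <<'EOF'
* constructed sample, not a real host's /etc/security/user
default:
        admin = false
        login = true
        registry = WINBIND

root:
        admin = true
        registry = files

svcbackup:
        login = false
EOF

# Constructed sample of local accounts (passwd format).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
svcbackup:!:205:1::/home/svcbackup:/usr/bin/ksh
EOF

# Accounts listed here exist only locally but will now be resolved via WINBIND,
# so they need their own "registry = files" stanza.
local_users_not_on_files "$SAMPLE_USER" "$SAMPLE_PASSWD"
```

Run it against a copy of the real /etc/security/user and /etc/passwd to see which local accounts still need a per-user `registry` line; the awk only reads the `registry` attribute, so other attributes in the stanzas are left untouched.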

