[Samba] Samba on AIX with security = ads - does it actually work?
John P Janosik
jpjanosi at us.ibm.com
Mon May 24 18:52:03 UTC 2021
Ben Huntsman <ben at huntsmans.net> wrote on 05/24/2021 11:38:29 AM:
Hi Ben,
> Hi there! Thank you for the reply, John!
>
> >Look at the default value of "registry" in /etc/security/user, that
> >specifies which method from /etc/methods.cfg will be used for user lookup.
> >Watch out if you change the default to WINBIND to make sure you override
> >that back to the old setting on a per user stanza basis for non AD users
> >on the system.
>
> I have the following set in /etc/security/user:
>
> default:
> ...
> SYSTEM = "compat OR WINBIND"
> ...
>
> Earlier I had tried adding "registry = WINBIND" to that as well, but
> it did not change the behavior.
>
> Do you have Samba working on any of your AIX systems with "security
> = ads"? Would you be willing to share your smb.cfg's [global]
> section, krb5.conf, methods.cfg, and /etc/security/user's default:
> section (appropriately sanitized, of course)?
>
I haven't used Samba on AIX with AD for many years so can't help with
Samba specifics. The "SYSTEM" setting in /etc/security/user sets which
modules are used to authenticate users via the AIX LAM. Since Samba isn't
using AIX LAM for authentication I would not think you would need WINBIND
there unless you want to allow AD users to log into the system for shell
or access to applications that use the AIX authenticate API.
If "lsuser ALL" or "lsuser SOMEADUSER" doesn't show user information for
AD users then it seems there is some issue with the configuration of the
WINBIND module. I can't provide any more help than that; perhaps a case
with AIX support could help with how to debug communication between AIX
and the modules in methods.cfg.
> I can't thank you enough!
>
> -Ben
John
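
The per-user override caveat quoted in this thread can be checked mechanically. The following is an added example, not code from either poster or from Samba or AIX: it parses stanza-file text in the /etc/security/user layout and lists local accounts that would inherit a WINBIND registry from the default: stanza. The sample file contents, the user list and the function names are constructed for illustration.

```python
import re

def parse_stanzas(text):
    """Parse AIX stanza-file text into {stanza_name: {attr: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # blank line or '*' comment
            continue
        header = re.fullmatch(r"([^\s:=]+):", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return stanzas

def effective(stanzas, user, attr):
    """Per-user value if set, otherwise the value from the default: stanza."""
    fallback = stanzas.get("default", {}).get(attr)
    return stanzas.get(user, {}).get(attr, fallback)

def inherits_module(stanzas, local_users, module="WINBIND"):
    """Local accounts whose effective registry is the AD lookup module."""
    return [u for u in local_users if effective(stanzas, u, "registry") == module]

# Constructed sample in /etc/security/user layout, not from a real system.
SAMPLE_USER_FILE = '''
default:
        registry = WINBIND
        SYSTEM = "compat OR WINBIND"

root:
        registry = files
        SYSTEM = "compat"

daemon:
        rlogin = false
'''

# Constructed list; on a real host this would come from /etc/passwd.
LOCAL_USERS = ["root", "daemon", "oracle"]

if __name__ == "__main__":
    parsed = parse_stanzas(SAMPLE_USER_FILE)
    for user in inherits_module(parsed, LOCAL_USERS):
        print(f"{user}: no registry override, inherits WINBIND from default")
```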