[Samba] Samba on AIX with security = ads - does it actually work?

John P Janosik jpjanosi at us.ibm.com
Mon May 24 18:52:03 UTC 2021

Ben Huntsman <ben at huntsmans.net> wrote on 05/24/2021 11:38:29 AM:

Hi Ben,

> Hi there! Thank you for the reply, John! 
> >Look at the default value of "registry" in /etc/security/user, that
> >specifies which method from /etc/methods.cfg will be used for user 
>  >Watch out if you change the default to WINBIND to make sure you 
> >that back to the old setting on a per user stanza basis for non AD 
> >on the system. 
> I have the following set in /etc/security/user:
> default:
>   ...
>   SYSTEM = "compat OR WINBIND"
>   ...
> Earlier I had tried adding "registry = WINBIND" to that as well, but
> it did not change the behavior.
> Do you have Samba working on any of your AIX systems with "security 
> = ads"? Would you be willing to share your smb.cfg's [global] 
> section, krb5.conf, methods.cfg, and /etc/security/user's default: 
> section (appropriately sanitized, of course)?

I haven't used Samba on AIX with AD for many years so can't help with 
Samba specifics.  The "SYSTEM" setting in /etc/security/user sets which 
modules are used to authenticate users via the AIX LAM.  Since Samba isn't 
using AIX LAM for authentication I would not think you would need WINBIND 
there unless you want to allow AD users to log into the system for shell 
or access to applications that use the AIX authenticate API.

If "lsuser ALL" or "lsuser SOMEADUSER" doesn't show user information for 
AD users then seems there is some issue with the configuration of the 
WINBIND module.  I can't provide any more help than that, perhaps a case 
with AIX support could help with how to debug communication between AIX 
and and the modules in methods.cfg.

> I can't thank you enough!
> -Ben


More information about the samba mailing list