[Samba] Samba on AIX with security = ads - does it actually work?

Rowland Penny rpenny at samba.org
Mon May 24 19:07:26 UTC 2021


On 24/05/2021 19:52, John P Janosik via samba wrote:
> Ben Huntsman <ben at huntsmans.net> wrote on 05/24/2021 11:38:29 AM:
>
> Hi Ben,
>
>> Hi there! Thank you for the reply, John!
>>
>>> Look at the default value of "registry" in /etc/security/user, that
>>> specifies which method from /etc/methods.cfg will be used for user
>>> lookup. Watch out if you change the default to WINBIND to make sure you
>>> override that back to the old setting on a per user stanza basis for
>>> non AD users on the system.
>> I have the following set in /etc/security/user:
>>
>> default:
>>    ...
>>    SYSTEM = "compat OR WINBIND"
>>    ...
>>
>> Earlier I had tried adding "registry = WINBIND" to that as well, but
>> it did not change the behavior.
>>
>> Do you have Samba working on any of your AIX systems with "security
>> = ads"? Would you be willing to share your smb.cfg's [global]
>> section, krb5.conf, methods.cfg, and /etc/security/user's default:
>> section (appropriately sanitized, of course)?
>>
> I haven't used Samba on AIX with AD for many years so can't help with
> Samba specifics.  The "SYSTEM" setting in /etc/security/user sets which
> modules are used to authenticate users via the AIX LAM.  Since Samba isn't
> using AIX LAM for authentication I would not think you would need WINBIND
> there unless you want to allow AD users to log into the system for shell
> or access to applications that use the AIX authenticate API.


Problem is, from Samba 4.8.0, with 'security = ADS', you must run winbind.

>
> If "lsuser ALL" or "lsuser SOMEADUSER" doesn't show user information for
> AD users then seems there is some issue with the configuration of the
> WINBIND module.  I can't provide any more help than that, perhaps a case
> with AIX support could help with how to debug communication between AIX
> and the modules in methods.cfg.


Until the AIX tools show the AD users & groups, you cannot use them on 
the AIX machine.

On Linux machines, Samba is connected via PAM and nsswitch with the 
winbind links, you need to find out if AIX can use these links and, if 
so, how.

Sorry, but I cannot help any further than this.

Rowland




