[Samba] Samba on AIX with security = ads - does it actually work?
Ben Huntsman
ben at huntsmans.net
Wed May 26 00:11:36 UTC 2021
I take it there are not many AIX users here. I have continued to dig on this and I discovered this:
https://www.ibm.com/support/pages/apar/IJ29552
That APAR from IBM covers a bug that prevents some LAM modules from working. And indeed, installing it improved the situation for winbind on AIX. With that ifix (or with upgrading to AIX 7100-05-08), I can now log into the AIX system via ssh or telnet using AD username/passwords that aren't defined on the system! That's a huge step in the right direction! And also an indicator that Samba on AIX may be broken due to AIX bugs.
Unfortunately, there is still the problem that if a user isn't defined on AIX, it can't connect to \\<aix host name>, despite the fact that the log clearly shows that it successfully authenticates the user, but then the session bombs out:
# smbclient //testhost/share1 -U MY\\testuser
Enter MY\testuser's password: <correct password>
session setup failed: NT_STATUS_UNSUCCESSFUL
# smbclient //testhost/share1 -U MY\\testuser
Enter MY\testuser's password: <purposefully-typed incorrect password>
session setup failed: NT_STATUS_LOGON_FAILURE
I'm pretty sure it all comes down to this:
May 25 17:05:55 testhost daemon:err|error smbd[5308666]: [2021/05/25 17:05:55.001540, 0] ../../source3/lib/system_smbd.c:226(getgroups_unix_user)
May 25 17:05:55 testhost daemon:err|error smbd[5308666]: get_user_groups: failed to get the unix group list
Somehow, even though winbind can clearly get information about the groups via lsgroup, wbinfo -g, etc, when a user browses to \\<aix host name>, it fails to return the list of groups and then our SMB session fails to get established.
Has anyone seen this, or know more about it, or if it's resolved in newer Samba builds?
Thank you very much to all who have replied so far! Your help is greatly appreciated!
-Ben
More information about the samba
mailing list