Craig Green wrote:
Hi John,
Thank you for your reply. I really appreciate your input.
I have been using Samba on our AIX servers for the last few years. Up until recently I have always used
"security = DOMAIN", (with versions 3.0.28 and 3.3.9). I have had no issues with that
type of setup. It is only now that I have been testing integration into MS AD and using
"security = ADS" that I am having problems. The Samba versions I have tried with ADS are
3.3.9 and 3.5.0. Version 3.3.9 was compiled from scratch. I get the same issues with both
versions. Originally I thought the issues must be with my compiled version. However it seems to
be some sort of AIX config issue since I get the same issues with version 3.5.0 which is the
pre-compiled version from the hvcc.edu site.
I am stumped as to what the issue is. Everything I can find on the net re
using samba and winbind implies I have the correct setup but this cannot be the
case since I cannot get it to work. I must have something wrong but for the
life of me I cannot figure it out.
Re the question of "do you really need ADS security mode". Well, most likely
not, we could integrate using ldap but my understanding is that using winbind is a less
complicated method or it is supposed to be. In regards to the correct version of
WINBIND, I have checked this previously and the correct version is being used.
In the past I have been able to connect a Linux server to an MS-AD but the Linux server
uses NSS. AIX does not have NSS but I believe the changes to the
"/etc/security/user" file are supposed to replace this. I am guessing the
issue has something to do with this. However I have found info on the www that says
other users of AIX have been able to use Samba and WINBIND to join an ADS and to
authenticate back to the AD without issues once they have made the alterations to the
/etc/security/user and methods.cfg files.
If I perform a test to verify that communications between Samba-3 winbind and
the Active Directory server is using Kerberos protocols I get the correct data
back.
$ net ads info
LDAP server: 172.16.xxx.xxx
LDAP server name: blue.testrealm.com.au
Realm: TESTREALM.COM.AU
Bind Path: dc=TESTREALM,dc=COM,dc=AU
LDAP port: 389
Server time: Tue, 06 Apr 2010 11:27:22 EET
KDC server: 172.16.xxx.xxx
Server time offset: 0
The "net ads status" command also returns the correct data.
So everything I do implies I am communicating correctly with the AD. However
authentication does not work.
I also agree with you that the hvcc.edu site is an awesome project. Without
it my life would certainly be more difficult.
Regards,
Craig Green
Support Consultant - Unix
Ultradata - Vision to Reality
+61 3 9291 1742
www.ultradata.com.au
-----Original Message-----
From: John Welch [mailto:[email protected]]
Sent: Saturday, 3 April 2010 1:10 AM
To: William Jojo
Cc: [email protected]; Craig Green
Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind
----- "William Jojo" <[email protected]> wrote:
---- Original message ----
Date: Fri, 2 Apr 2010 08:15:38 -0400 (EDT)
From: John Welch <[email protected]>
Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using
Winbind
To: [email protected]
Cc: [email protected]
I know one issue I ran into when I recently upgraded Samba on the AIX
box was that the WINBIND file in /usr/lib/security was a symbolic link
that was not linked to the correct version of Samba. Have you looked
at this file and verified that it is correct?
John,
Can you provide a little more on the problem you had? I'm not able to
find the broken link in my development servers (32 or 64 bit), and I
*really* want to improve our quality control.
Glad to hear the project is working out for you otherwise. :-)
Cheers,
Bill
Hi Bill,
Prior to the recent upgrade to 3.4.5 we had been using an "old" 3.0 version (3.0.28) from your
pware project. At that level of Samba at least the directory structure was
"/opt/pware/samba/<version>". I did the upgrade a few months ago, so I'm trying to
recall from memory the exact issue, but I believe after upgrading the WINBIND symbolic link was still
pointing to the 3.0.28 binary. Not sure if the upgrade should have fixed this automatically or not.
Really a minor thing, but something I overlooked initially.
Your project is awesome... Keep up the good work!
Thanks!
I just posted 3.5.2 yesterday. I was able to join AIX to ADS (w2k8r2)
and I can telnet into AIX without issue.
Can you tell me what lsuser returns for the shell? I bet it is
/bin/false. If so, you may want to set:
template shell = /opt/pware/bin/bash
or
template shell = /bin/ksh
Depending on the shell you wish users to use.
If this is not it, I'm happy to help figure out what is going on.
Cheers,
Bill
Thanks,
John
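
Added example, not part of the original thread and not code from Samba or the pware project: a small shell check for the two things raised above, a WINBIND load-module symlink still pointing at an old Samba version directory, and an unset "template shell" leaving AD users with /bin/false. The lib/WINBIND location inside the version directory and the function names are assumptions; the demo tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The sample layout below is constructed.

# Classify the WINBIND load-module link: ok | stale | dangling | not-a-symlink | missing
winbind_link_status() {
    link=$1 want=$2
    if [ ! -L "$link" ]; then
        if [ -e "$link" ]; then echo not-a-symlink; else echo missing; fi
        return 0
    fi
    # ls + sed rather than readlink, which a stock AIX may not ship (assumption)
    target=$(ls -ld "$link" | sed 's/.* -> //')
    if [ ! -e "$link" ]; then echo dangling; return 0; fi
    case $target in
        */samba/"$want"/*) echo ok ;;      # resolves into the expected version dir
        *) echo stale ;;                   # resolves, but into some other install
    esac
}

# Effective "template shell" from smb.conf; Samba falls back to /bin/false when unset
template_shell() {
    val=$(sed -n 's/^[[:space:]]*template shell[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -1)
    echo "${val:-/bin/false}"
}

# Constructed tree standing in for /opt/pware/samba/<version> and /usr/lib/security
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/opt/pware/samba/3.0.28/lib" "$d/opt/pware/samba/3.4.5/lib" "$d/sec"
    : > "$d/opt/pware/samba/3.0.28/lib/WINBIND"   # lib/WINBIND path is an assumption
    : > "$d/opt/pware/samba/3.4.5/lib/WINBIND"
    ln -s "$d/opt/pware/samba/3.0.28/lib/WINBIND" "$d/sec/WINBIND"  # left by old install
    printf '[global]\n  security = ADS\n' > "$d/smb.conf"
    echo "link:  $(winbind_link_status "$d/sec/WINBIND" 3.4.5)"
    echo "shell: $(template_shell "$d/smb.conf")"
    rm -rf "$d"
}
demo
```

On a real host the calls would be winbind_link_status /usr/lib/security/WINBIND <version> and template_shell on the smb.conf in use.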