PB with SAMBA 3 on AIX4.3.3 to AD W2K3
Michael (Administrator)
« Reply #3 on: January 16, 2007, 06:56:14 PM »

Great!

Could you summarize what line/lines you changed from the first setup to get it to work?

Not being that familiar with samba and kerberos setups, I am reading over your changes I think.
OdO
« Reply #2 on: January 16, 2007, 04:59:14 PM »

Hello Michael

That works!!! ^^
I use the telnetd provided by MIT Kerberos 5 in /etc/inetd.conf, or
in the sshd_config file I enable Kerberos 5 authentication.
I can log on to AIX with a W2K3 domain user.

MY CONFIGURATION
###############################
# /etc/krb5.conf
[libdefaults]
        default_realm = PSL.LOCAL
        ticket_lifetime = 24000
        forwardable = true
        dns_lookup_realm = false
        dns_lookup_kdc = false

[realms]
        PSL.LOCAL = {
        kdc = psl2k3.psl.local:88
        admin_server = psl2k3.psl.local:749
        default_domain = PSL.LOCAL
        }

[domain_realm]
        .psl.local= PSL.LOCAL
        psl.local = PSL.LOCAL
###############################
# /usr/local/samba/lib/smb.conf
        [global]
        workgroup = PSL
        realm = PSL.LOCAL
        netbios name = B50
        server string = AIX-4.3.3
        security = ADS
        ;encrypt passwords = yes
        show add printer wizard = No
        winbind use default domain = yes
        winbind cache time = 10
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        winbind enum users = yes
        winbind enum groups = yes
        client use spnego = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        browseable = yes
        obey pam restrictions = yes
        auth methods = winbind

        [tmp]
        comment = Temporary file space
        path = /tmp
        read only = No
        public = yes

        [homes]
        comment = Home Directories
        path = /home/%D/%U
        browseable = no
        writable = yes
###############################
#/usr/local/etc/openldap/ldap.conf
HOST    psl2k3.psl.local
BASE    dc=PSL,dc=LOCAL
ldap_version 3
port 389
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
###############################
grep telnetd /etc/inetd.conf
telnet  stream  tcp6    nowait  root    /usr/local/sbin/telnetd      telnetd
###############################
Make the changes for WINBIND in /usr/lib/security, etc.;
see my first post.
###############################
show user "aa" information:
#wbinfo -i aa
aa:*:15012:15000:aa:/home/PSL/aa:/bin/bash
#mkdir -p /home/PSL/aa
#chown 15012:15000 /home/PSL/aa
###############################
telnet or ssh with user aa on the AIX server: ok

bye
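Michael asks above which lines changed between the first smb.conf and the working one. As an added example (not code from this thread or from Samba), this Python script parses both files the way Samba reads them (lines starting with ';' or '#' are comments, parameter names are case- and whitespace-insensitive) and lists every [global] setting that differs; the two excerpts are abridged from the configs posted in this thread.

```python
import re

def _norm(name):
    # Samba ignores case and whitespace in parameter names: "Template HomeDir" == "templatehomedir"
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}; lines starting with '#' or ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip()
    return sections

def diff_smb_conf(old_text, new_text):
    """Return {section: {param: (old, new)}} for every setting that differs; None means absent."""
    old, new = parse_smb_conf(old_text), parse_smb_conf(new_text)
    changes = {}
    for section in sorted(set(old) | set(new)):
        o, n = old.get(section, {}), new.get(section, {})
        for key in sorted(set(o) | set(n)):
            if o.get(key) != n.get(key):
                changes.setdefault(section, {})[key] = (o.get(key), n.get(key))
    return changes

# [global] excerpts abridged from the failing and the working smb.conf posted in this thread
FAILING = """[global]
        security = ADS
        realm = PSL.LOCAL
        password server = PSL2K3
        encrypt passwords = yes
        template homedir = /home/%U
        winbind cache time = 0
        log level = 8
"""
WORKING = """[global]
        security = ADS
        realm = PSL.LOCAL
        ;encrypt passwords = yes
        template homedir = /home/%D/%U
        winbind cache time = 10
"""
if __name__ == "__main__":
    for param, (old, new) in diff_smb_conf(FAILING, WORKING)["global"].items():
        print(f"{param}: {old!r} -> {new!r}")
```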
Michael (Administrator)
« Reply #1 on: December 31, 2006, 01:18:35 PM »

I have always tried to avoid kerb5 if I could; it might be there.

As you have been very complete, not sure how much wisdom I can add. However, I would start by adding a 'FAILED' block to the SYSTEM setting, and I don't see the registry setting anywhere.

From memory, it is the combination of registry + SYSTEM that determines where login looks for the authentication files. WINDBIND is probably looking by default where it should, but AIX might still be confused (a bit).

Also check a *.debug output to syslog files, just in case something useful shows up there.

And when you get this working, please let me know ;) as I have never taken the time to get samba to work - although it would be nice now that my kids all have comps in their rooms.

And then I guess the last part - is samba file/print sharing working or not?
OdO
« on: December 29, 2006, 11:43:45 AM »

Hello world,
I am trying to add Samba 3 on AIX 4.3.3-ML11 to a Windows 2003 AD (DNS, WINS), but I can't connect with a Windows AD user on the AIX telnet console. The su command works but telnet and ftp fail.

My installation:

#install bos.adt.*

#installp rpm.rte
 
#rpm -ivh --nodeps *.rpm
    autoconf-2.53-1.aix4.3.noarch.rpm
    automake-1.5-1.aix4.3.noarch.rpm
    bash-2.05a-1.aix4.3.ppc.rpm
    bison-1.34-2.aix4.3.ppc.rpm
    db-3.3.11-3.aix4.3.ppc.rpm
    flex-2.5.4a-6.aix4.3.ppc.rpm
    gawk-3.1.0-2.aix4.3.ppc.rpm
    gettext-0.10.39-2.aix4.3.ppc.rpm
    glib-1.2.10-2.aix4.3.ppc.rpm
    glib-devel-1.2.10-2.aix4.3.ppc.rpm
    glib2-2.2.1-3.aix4.3.ppc.rpm
    glib2-devel-2.2.1-3.aix4.3.ppc.rpm
    gzip-1.2.4a-7.aix4.3.ppc.rpm
    libtool-1.4.2-1.aix4.3.ppc.rpm
    m4-1.4-14.aix4.3.ppc.rpm
    make-3.79.1-3.aix4.3.ppc.rpm
    pkgconfig-0.15.0-1.aix4.3.ppc.rpm
    rpm-3.0.5-30.aix4.3.ppc.rpm
    sed-3.02-8.aix4.3.ppc.rpm
    tar-1.13-4.aix4.3.ppc.rpm

#Install binutils.2.9.1

#Install gcc.3.3.4

#Update PATH and LD_LIBRARY_PATH
PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/local/bin:/usr/local/sbin:/usr/local/samba/bin:/usr/local/samba/sbin:/usr/local/rs6000-ibm-aix4.2/bin:/usr/linux/bin
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/lib:/usr/local/rs6000-ibm-aix4.2/lib

KERBEROS krb5-1.3.5
#./configure --enable-dns --enable-dns-for-kdc --enable-dns-for-realm --disable-thread-support ac_cv_func_setutent=no
make
make install

OPENLDAP openldap-2.2.18
#./configure --disable-slurpd --disable-bdb --disable-slapd --without-threads
make depend
make
make install

SAMBA samba-3.0.23d
#./configure --with-winbind --with-ldap --with-ads --with-krb5=/usr/local
make
make install

--------------------------------------------------------------------------------

/etc/resolv.conf

domain  psl.local
nameserver 10.98.176.181

#nslookup
Default Server:  psl2k3
Address:  10.98.176.181

> 10.98.176.181
Server:  psl2k3
Address:  10.98.176.181

> b50
Server:  psl2k3
Address:  10.98.176.181

Name:    b50.psl.local
Address:  10.98.176.156

--------------------------------------------------------------------------------

/etc/krb5.conf

[logging]
        default = FILE:/var/log/krb5/libs.log
        kdc = FILE:/var/log/krb5/kdc.log
        admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
        default_realm = PSL.LOCAL
        ticket_lifetime = 24000
        forwardable = true
        proxiable = true
        dns_lookup_realm = false
        dns_lookup_kdc = false

[realms]
        PSL.LOCAL = {
        kdc = PSL2K3
        admin_server = PSL2K3
        }

[domain_realm]
        .psl.local= PSL.LOCAL
        psl.local = PSL.LOCAL

[kdc]
        profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false

--------------------------------------------------------------------------------

/usr/local/samba/lib/smb.conf

[global]
        workgroup = PSL
        netbios name = B50
        server string = AIX-4.3.3
        security = ADS
        realm = PSL.LOCAL
        password server = PSL2K3
        wins server = PSL2K3
        client use spnego = yes
        client signing = yes
        encrypt passwords = yes
        show add printer wizard = No
        winbind use default domain = yes
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/bash
        use sendfile = Yes
        ldap suffix = "dc=PSL,dc=LOCAL"
        winbind cache time = 0
        log level = 8
        log file = /var/log/samba.log
        max log size = 5000000
        debug timestamp = yes
        browseable = yes
        obey pam restrictions = yes
        auth methods = winbind

        [homes]
        comment = User Home
        path = /home/%U
        force group = %U
        read only = No
        browseable = yes

        [tmp]
        comment = tmp
        path = /tmp
        read only = No
        browseable = yes
        public = yes

--------------------------------------------------------------------------------

#kinit administrator
Password for administrator@PSL.LOCAL:
b50.psl.local / #klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@PSL.LOCAL

Valid starting     Expires            Service principal
12/29/06 10:20:53  12/29/06 20:20:57  krbtgt/PSL.LOCAL@PSL.LOCAL
        renew until 12/30/06 10:20:53


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

--------------------------------------------------------------------------------

#net ads join -U administrator
administrator's password:
Using short domain name -- PSL
Joined 'B50' to realm 'PSL.LOCAL'

--------------------------------------------------------------------------------

/usr/local/etc/openldap/ldap.conf

HOST    10.98.176.181
BASE    cn=Users,dc=PSL,dc=LOCAL
binddn cn=ldapuser,cn=Users, dc=PSL,dc=LOCAL
bindpw $Azert*
scope sub
ssl no

--------------------------------------------------------------------------------

#cp /path/to/samba-source/nsswitch/WINBIND /usr/lib/security

--------------------------------------------------------------------------------

/usr/security/method.cfg

WINBIND:
                program = /usr/lib/security/WINBIND
                options = authonly

--------------------------------------------------------------------------------

/etc/security/user

default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 =
        tpath = nosak
        umask = 022
        expires = 0
        SYSTEM = "WINDBIND"
        logintimes =
        pwdwarntime = 0
        account_locked = false
        loginretries = 0
        histexpire = 0
        histsize = 0
        minage = 0
        maxage = 0
        maxexpired = -1
        minalpha = 0
        minother = 0
        minlen = 0
        mindiff = 0
        maxrepeats = 8
        dictionlist =
        pwdchecks =

--------------------------------------------------------------------------------

Start SAMBA services

/usr/local/samba/sbin/smbd -D
/usr/local/samba/sbin/nmbd -D
/usr/local/samba/sbin/winbindd

--------------------------------------------------------------------------------

#wbinfo -u
administrator
guest
krbtgt
aa
ldapuser

#wbinfo -g
BUILTIN\administrators
BUILTIN\users
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy

#wbinfo -i aa
aa:*:15012:15000:aa:/home/aa:/bin/bash

#wbinfo -a aa%passw0rd
plaintext password authentication succeeded
challenge/response password authentication succeeded

#mkdir /home/aa ; chown 15012:15000 /home/aa ; ls -l /home/aa
drwxr-xr-x   2 aa       domain u     512 Dec 29 12:01 aa

#ls -l /bin/bash
lrwxrwxrwx   1 root     system        27 Dec 18 15:33 /bin/bash -> ../../opt/freeware/bin/bash

#lsuser aa
aa id=15012 pgrp=domain users groups=15000,15003 home=/home/aa shell=/bin/bash gecos=aa login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2= umask=22 registry=WINBIND SYSTEM=WINDBIND logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=

#su - aa
bash-2.05a$ id
uid=15012(aa) gid=15000(domain users)

--------------------------------------------------------------------------------

su command or telnet connection failed with user aa:
login: aa
aa's Password:
3004-007 You entered an invalid login name or password.

#syslog.out
Dec 29 12:05:16 b50 su: BAD SU from aa to aa at /dev/pts/0
Dec 29 12:06:52 b50 syslog: pts/1: failed login attempt for aa from b50

If there is some little light in the black Unix universe to help me understand this problem, thanks.
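Michael's reply above points at the registry and SYSTEM attributes, and the stanzas in this post define a method named WINBIND in method.cfg while /etc/security/user sets SYSTEM = "WINDBIND". As an added example (not code from this thread or from AIX), this Python check parses both stanza files and reports any method named in SYSTEM or registry that is neither a built-in (files, compat, NONE) nor defined in method.cfg; USER_FIXED is a hypothetical corrected stanza, and the [SUCCESS] / OR syntax it uses is assumed to follow the AIX SYSTEM grammar.

```python
import re
BUILTIN_METHODS = {"files", "compat", "NONE"}  # methods AIX provides without a method.cfg stanza
KEYWORDS = {"AND", "OR"}                       # SYSTEM grammar operators, not method names

def parse_stanzas(text):
    """Parse an AIX stanza file (method.cfg, /etc/security/user): 'name:' then 'attr = value' lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # '*' starts a comment
            continue
        if line.endswith(":") and "=" not in line:
            current = line[:-1].strip()
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip().strip('"')
    return stanzas

def method_names(expr):
    """List the method names in a SYSTEM grammar string, e.g. 'WINBIND[SUCCESS] OR compat'."""
    expr = re.sub(r"\[[^\]]*\]", " ", expr)  # drop [SUCCESS]/[FAILURE]/[UNAVAIL] qualifiers
    return [t for t in re.findall(r"[A-Za-z_]\w*", expr) if t not in KEYWORDS]

def unknown_methods(user_text, methods_text):
    """Return {stanza: [names used by SYSTEM/registry that no built-in or method.cfg stanza defines]}."""
    defined = BUILTIN_METHODS | set(parse_stanzas(methods_text))
    problems = {}
    for stanza, attrs in parse_stanzas(user_text).items():
        used = method_names(attrs.get("SYSTEM", "") + " " + attrs.get("registry", ""))
        bad = sorted({m for m in used if m not in defined})
        if bad:
            problems[stanza] = bad
    return problems

# METHODS_CFG and USER_BROKEN are copied from the first post; USER_FIXED is a hypothetical corrected stanza
METHODS_CFG = """WINBIND:
                program = /usr/lib/security/WINBIND
                options = authonly
"""
USER_BROKEN = """default:
        auth1 = SYSTEM
        SYSTEM = "WINDBIND"
"""
USER_FIXED = """default:
        SYSTEM = "WINBIND[SUCCESS] OR compat"
        registry = WINBIND
"""
if __name__ == "__main__":
    print(unknown_methods(USER_BROKEN, METHODS_CFG))  # {'default': ['WINDBIND']}
```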
Copyright 2001-2008 Michael Felt and ROOTVG.NET