Prev: [Samba] Samba permission through Windows security tab
Next: [Samba] windows 7 on samba 3.4.2 slow
From: Andrew Masterson on 13 Nov 2009 13:30

> -----Original Message-----
> From: samba-bounces(a)lists.samba.org [mailto:samba-bounces(a)lists.samba.org]
> On Behalf Of Kevin Newman
> Sent: Thursday, November 12, 2009 3:55 PM
> To: samba(a)lists.samba.org
> Subject: [Samba] Looking for AIX Users of Winbind -- Authorization and SSHProblems
>
> Hi all,
>
> I've got Samba with Winbind working on AIX 5.3 and 6.1 fairly well with
> Active Directory 2003. In fact, I'd say short of 2 very important services,
> it's working almost perfectly. Unfortunately, these 2 services are quite
> critical, and without them I'm afraid we'll have to resort to some sort of
> proprietary identity solution like Novell, which I'm not crazy about.
> Assume that these examples are all from Samba 3.3.4, though I have tried a
> few versions back to 3.0.0 and forward to 3.3.9, with no different results.
> These are also from pWare's compiled versions (linked here:
> http://pware.hvcc.edu/download/).
>
> The two things I can't get working with Winbind on AIX:
>
> 1. SSH. Doesn't seem to work on AIX 5.3 with Winbind. I get a "setgroups:
> Not owner" and "initgroups: Not owner" error in the sshd debug and the
> session is closed after authentication succeeds. I *can*, however, get this
> working on AIX 6.1 with pWare's compiled SSH 5.2.1.0.
>
> 2. Authorization (e.g., who can log into the box ... NOT just all of AD).
> I'm pretty good at configuring Winbind on Linux, and on Linux there's a
> pam_winbind.conf file that I usually use to lock down the box to specific AD
> users or groups -- I use the require_membership_of line and it works just
> fine. Unfortunately, I don't see any pam_winbind.conf file in AIX by
> default. I've tried placing it in /etc/security/ or in other locations, but
> it doesn't seem to be used. I've also tried adding pam_winbind lines to the
> /etc/pam.conf and manually adding the "require_membership_of" after the
> stanza, like so:
>
> telnet account required /usr/lib/security/pam_winbind.so require_membership_of=someGroup
>
> ... also with no success. To me, it's simply unacceptable to implement this
> Winbind configuration without being able to choose who logs onto the box.
> Without implementing some form of authorization, I might as well just set
> everyone's password blank.
>
> So, my question to everyone is: is there anyone out there using Winbind with
> AIX? If so, have you overcome those 2 issues I'm describing?
>
> Thanks,
>
> Kevin
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

We are using winbind on AIX, and this is my documentation on how I got it to work:

To use WINBIND:

    cp -p /opt/pware/samba/3.0.28/lib/security/WINBIND /usr/lib/security

-------------
edit /usr/lib/security/methods.cfg and add
-------------

    WINBIND:
            program = /usr/lib/security/WINBIND
            options = authonly

-------------
edit the default stanza in /etc/security/user to have
-------------

    SYSTEM = "WINBIND OR compat"

-=Andrew
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Kevin Newman on 14 Nov 2009 11:10

Andrew: I have the same setup, but is it working with SSH and do you have a way to restrict *which* AD users can log into the box? That is what I'm interested in here. Any AD user can log on with telnet, ftp, or su right now.

Matt: I don't think pam_access exists for AIX. Searching for it literally brought me back to this very thread.

-Kevin

-----Original Message-----
From: Andrew Masterson [mailto:Andrew.Masterson(a)nuvistaenergy.com]
Sent: Friday, November 13, 2009 12:24 PM
To: Kevin Newman; samba(a)lists.samba.org
Subject: RE: [Samba] Looking for AIX Users of Winbind -- Authorization and SSHProblems

> So, my question to everyone is: is there anyone out there using Winbind with
> AIX? If so, have you overcome those 2 issues I'm describing?
>
> Thanks,
>
> Kevin
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

We are using winbind on AIX, and this is my documentation on how I got it to work:

To use WINBIND:

    cp -p /opt/pware/samba/3.0.28/lib/security/WINBIND /usr/lib/security

-------------
edit /usr/lib/security/methods.cfg and add
-------------

    WINBIND:
            program = /usr/lib/security/WINBIND
            options = authonly

-------------
edit the default stanza in /etc/security/user to have
-------------

    SYSTEM = "WINBIND OR compat"

-=Andrew
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
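
An added example, not part of either post and not code from the Samba project: a POSIX sh/awk audit that lists which stanzas of an /etc/security/user-format file end up with a SYSTEM rule naming WINBIND, either set directly or inherited from the default stanza that Andrew's notes edit. The sample file contents, the account name svcbackup and the function names are constructed for illustration; only the default SYSTEM line comes from the thread.

```shell
# Added example (not from the thread): effective SYSTEM rule per stanza.
# Prints "stanza<TAB>SYSTEM rule<TAB>own|inherited" for every stanza in $1.
effective_system() {
    awk '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }        # comment or blank line
        /^[^ \t=]+:[ \t]*$/ {                      # stanza header "name:"
            name = $1; sub(/:$/, "", name)
            if (!(name in seen)) { seen[name] = 1; order[++n] = name }
            next
        }
        name != "" && /^[ \t]+SYSTEM[ \t]*=/ {     # SYSTEM attribute line
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)
            rule[name] = val
        }
        END {
            dflt = ("default" in rule) ? rule["default"] : "(unset)"
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (s in rule) printf "%s\t%s\town\n", s, rule[s]
                else printf "%s\t%s\tinherited\n", s, dflt
            }
        }
    ' "$1"
}

# Prints the stanzas whose effective rule names the WINBIND module.
winbind_stanzas() {
    effective_system "$1" |
        awk -F '\t' '(" " $2 " ") ~ /[ (]WINBIND[ )]/ { print $1 " (" $3 ")" }'
}

# Constructed sample data; only the default SYSTEM line comes from the thread.
write_sample() {
    cat > "$1" <<'EOF'
* constructed sample
default:
        SYSTEM = "WINBIND OR compat"
root:
        SYSTEM = "compat"
svcbackup:
        rlogin = false
EOF
}

f=${1:-}
if [ -z "$f" ]; then f=$(mktemp); write_sample "$f"; fi
winbind_stanzas "$f"
```

Run with a file path as the first argument to audit a copy of a real file; with no argument it runs against the constructed sample.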