From: Kevin Newman on 12 Nov 2009 18:00

Hi all,

I've got Samba with Winbind working on AIX 5.3 and 6.1 fairly well with Active Directory 2003. In fact, I'd say short of 2 very important services, it's working almost perfectly. Unfortunately, these 2 services are quite critical, and without them I'm afraid we'll have to resort to some sort of proprietary identity solution like Novell, which I'm not crazy about.

Assume that these examples are all from Samba 3.3.4, though I have tried a few versions back to 3.0.0 and forward to 3.3.9, with no different results. These are also from pWare's compiled versions (linked here: http://pware.hvcc.edu/download/).

The two things I can't get working with Winbind on AIX:

1. SSH. Doesn't seem to work on AIX 5.3 with Winbind. I get a "setgroups: Not owner" and "initgroups: Not owner" error in the sshd debug and the session is closed after authentication succeeds. I *can*, however, get this working on AIX 6.1 with pWare's compiled SSH 5.2.1.0.

2. Authorization (e.g., who can log into the box ... NOT just all of AD). I'm pretty good at configuring Winbind on Linux, and on Linux there's a pam_winbind.conf file that I usually use to lock down the box to specific AD users or groups -- I use the require_membership_of line and it works just fine. Unfortunately, I don't see any pam_winbind.conf file in AIX by default. I've tried placing it in /etc/security/ or in other locations, but it doesn't seem to be used. I've also tried adding pam_winbind lines to the /etc/pam.conf and manually adding the "require_membership_of" after the stanza, like so:

    telnet account required /usr/lib/security/pam_winbind.so require_membership_of=someGroup

.... also with no success. To me, it's simply unacceptable to implement this Winbind configuration without being able to choose who logs onto the box. Without implementing some form of authorization, I might as well just set everyone's password blank.

So, my question to everyone is: is there anyone out there using Winbind with AIX? If so, have you overcome those 2 issues I'm describing?

Thanks,
Kevin