Hello,
We're using samba 3.6 on our AIX server and are looking to upgrade it.
So I installed samba 4.12.10 (using yum) on a AIX 7.2 server. All good.
But I run into a problem when using winbind...

AIX-server is joined in the Windows AD Domain.
Share is defined on AIX and I want to mount it on my Windows Client (so with AD credentials without supplying username/password).
I have a separate user on AIX, it is the same username but completely separate from AD.
When I startup only smbd, it is working. I can mount the share and access the files on it.
But when I start winbind, it asks me for a password.
I get the following error in log.smbd:
[2021/03/22 15:47:36.599054, 0] ../../source3/auth/token_util.c:567(add_local_groups)
add_local_groups: SID S-1-5-21-275554308-2290508350-2432341797-3882 -> getpwuid(13882) failed, is nsswitch configured?
[2021/03/22 15:47:36.599288, 3] ../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
Failed to add local groups
[2021/03/22 15:47:36.599402, 1] ../../source3/auth/auth_generic.c:174(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)

When I create /etc/nsswitch.conf with entries for winbind, the error is still there.
Is nsswitch used in AIX? I have seen referrals to /etc/netsvc.conf on internet, bu that seems to me for hostname resolution only.
Plus: I can't seem to locate the libnss_winbindd.so library.

wbinfo is working properly (i can get all kind of information out of AD), so I must be missing something here.

All the above is working under Samba 3.6 (without /etc/nsswitch.conf).

Can anyone point me in the right direction?

smb.conf:
[global]
workgroup = MYDOMAIN
interfaces = en0
hosts allow = 127.0.0.1, <somesubnets>
hosts deny = ALL
max log size = 10000
log level = 3
security = ads
realm = MYDOMAIN.LOCAL
wins server = <some_ip>
winbind separator = +
winbind nested groups = Yes
idmap config * : range = 5000-8999
idmap config * : backend = tdb
idmap config MYDOMAIN : range = 10000-99999
idmap config MYDOMAIN : backend = rid
template shell = /usr/bin/ksh
template homedir = /home/%U

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
path = "/home/%S"
read only = no
create mask = 0750


------------------------------
Jeroen Verbeiren
------------------------------

There is no /etc/nsswitch.conf in AIX . 
I hope you have configured /etc/methods.cfg like below.

WINBIND:
program = /usr/lib/security/WINBIND

And in /etc/security/user
SYSTEM = "WINBIND OR compat"

And "/usr/lib/security/WINBIND" symbolic linked to "/opt/freeware/lib/WINBIND.so" 

You can also use testparm command to test your smb.conf.

------------------------------
Ayappan P
------------------------------

Original Message:
Sent: Tue March 23, 2021 01:26 PM
From: Jeroen Verbeiren
Subject: samba winbind on AIX

Hello,
We're using samba 3.6 on our AIX server and are looking to upgrade it.
So I installed samba 4.12.10 (using yum) on a AIX 7.2 server. All good.
But I run into a problem when using winbind...

AIX-server is joined in the Windows AD Domain.
Share is defined on AIX and I want to mount it on my Windows Client (so with AD credentials without supplying username/password).
I have a separate user on AIX, it is the same username but completely separate from AD.
When I startup only smbd, it is working. I can mount the share and access the files on it.
But when I start winbind, it asks me for a password.
I get the following error in log.smbd:
[2021/03/22 15:47:36.599054, 0] ../../source3/auth/token_util.c:567(add_local_groups)
add_local_groups: SID S-1-5-21-275554308-2290508350-2432341797-3882 -> getpwuid(13882) failed, is nsswitch configured?
[2021/03/22 15:47:36.599288, 3] ../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
Failed to add local groups
[2021/03/22 15:47:36.599402, 1] ../../source3/auth/auth_generic.c:174(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)

When I create /etc/nsswitch.conf with entries for winbind, the error is still there.
Is nsswitch used in AIX? I have seen referrals to /etc/netsvc.conf on internet, bu that seems to me for hostname resolution only.
Plus: I can't seem to locate the libnss_winbindd.so library.

wbinfo is working properly (i can get all kind of information out of AD), so I must be missing something here.

All the above is working under Samba 3.6 (without /etc/nsswitch.conf).

Can anyone point me in the right direction?

smb.conf:
[global]
workgroup = MYDOMAIN
interfaces = en0
hosts allow = 127.0.0.1, <somesubnets>
hosts deny = ALL
max log size = 10000
log level = 3
security = ads
realm = MYDOMAIN.LOCAL
wins server = <some_ip>
winbind separator = +
winbind nested groups = Yes
idmap config * : range = 5000-8999
idmap config * : backend = tdb
idmap config MYDOMAIN : range = 10000-99999
idmap config MYDOMAIN : backend = rid
template shell = /usr/bin/ksh
template homedir = /home/%U

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
path = "/home/%S"
read only = no
create mask = 0750

2.13.0.0

------------------------------
Jeroen Verbeiren
------------------------------