feel free to contact us directly to see what we can actually do here for you, see signature for contact details.
Original Message:
Sent: Mon March 04, 2024 12:32 AM
From: David Little
Subject: AIX Winbind LDAP Group Authorization Restrictions
Hi Björn, I checked out Samba+, the project looks good but unfortunately the cost is simply too high. Even at the listed 3 year discount, the ~$650(+tax)/year/LPAR will put our operating costs into the stratosphere. We have hundreds of LPARs, simply won't work.
------------------------------
David Little
Original Message:
Sent: Tue January 02, 2024 04:52 AM
From: Samba Support SerNet
Subject: AIX Winbind LDAP Group Authorization Restrictions
Hi David,
the pam_winbind module has the require_membership_of option to do what you want, but the corresponding AIX LAM module of Winbind does not have that feature. If you're interested in getting that implemented for AIX, feel free to contact us.
Björn
------------------------------
--
Samba Support: https://samba.plus
SAMBA+ for AIX: https://samba.plus/samba-aix
Samba Webinars: https://samba.plus/samba-webinars
phone: +1 415 248-7818
mailto:samba@sernet.de
Original Message:
Sent: Mon January 01, 2024 07:40 PM
From: David Little
Subject: AIX Winbind LDAP Group Authorization Restrictions
> Please explain. What is your specific goal?
The usual authentication+authorisation.
We have 10,000 something users that connect to various CHUIs across the environment, with many onboarding/offboarding daily. A sister site has set up the LDAP integration using Ansible and workflows to manage 'fiddliness'. I'd rather avoid that.
Winbind has filled the gaps in all of my testing, so I figured I'd use it. The only gap remaining is this group restriction, which I've 'filled' using SSHD group restrictions. But, group policy might be the way to go to make it global.
------------------------------
David Little
Original Message:
Sent: Mon January 01, 2024 06:42 PM
From: Russell Adams
Subject: AIX Winbind LDAP Group Authorization Restrictions
On Mon, Jan 01, 2024 at 11:30:59PM +0000, David Little via IBM TechXchange Community wrote:
> I wanted to use Winbind because I wanted to avoid the fiddly setup
> on the AD side, especially as every user needs that fiddling! The
> Winbind setup avoids a lot of work, both short and long-term.
Please explain. What is your specific goal? I've integrated many AIX
systems with AD and never considered Winbind.
> You mentioned that using LDAP integration doesn't force the AIX
> server to become part of the AD domain. True, but why is that a
> positive? Is it better to fiddle with every user account instead of
> the AD joining?
LDAP integration for AIX can be at a number of levels. At no point
does it "become part" of an AD domain. It just uses LDAP as a
directory service. There is no AD GPO integration or other controls
from AD. You're integrating LDAP services, not AD services.
Most of the complications I've seen have been related to the RFC2307
integration at the AD layer. That's where you have to update users on
AD with POSIX attributes. Whether that's a problem or not depends on
your use case.
Filtering users by membership in an AD group can be done by setting a
filter in /etc/security/ldap/ldap.cfg. It's not supported on the
command line by mksecldap.
------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
https://adamssystems.nl/
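The ldap.cfg filter Russell refers to, written out as an added example (this is not code from the thread or from IBM). It builds the userbasedn line in the base?scope?filter form that ldap.cfg accepts, OR-ing one memberOf clause per allowed AD group (non-exclusive, as the original question asks) and escaping the group DNs per RFC 4515 so a CN containing ( ) * or \ cannot break the filter. The domain, OUs and group CNs are assumptions; confirm the userbasedn syntax against the comments in your own /etc/security/ldap/ldap.cfg.

```shell
#!/bin/sh
# Added example: restrict AIX LDAP logins to members of given AD groups by
# writing a memberOf filter into the userbasedn line of ldap.cfg.
# All names (example.com, OUs, group CNs) are assumptions.

ldap_escape() {
    # RFC 4515 escaping of the characters that are special in a filter value.
    # Backslash must be handled first so the other escapes are not re-escaped.
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/(/\\28/g' -e 's/)/\\29/g' -e 's/\*/\\2a/g'
}

memberof_filter() {
    # One (memberOf=<group DN>) clause per argument; more than one is OR-ed.
    n=0
    f=''
    for dn in "$@"; do
        f="${f}(memberOf=$(ldap_escape "$dn"))"
        n=$((n + 1))
    done
    if [ "$n" -gt 1 ]; then
        printf '(|%s)' "$f"
    else
        printf '%s' "$f"
    fi
}

userbasedn_line() {
    # ldap.cfg form: userbasedn:<base>?<scope>?<filter>
    base=$1
    shift
    printf 'userbasedn:%s?sub?%s\n' "$base" "$(memberof_filter "$@")"
}

set_userbasedn() {
    # Replace any existing userbasedn line in the given ldap.cfg copy.
    # Idempotent: running it twice leaves exactly one userbasedn line.
    cfg=$1
    shift
    new=$(userbasedn_line "$@")
    tmp="${cfg}.tmp.$$"
    grep -v '^userbasedn:' "$cfg" > "$tmp" || true
    printf '%s\n' "$new" >> "$tmp"
    mv "$tmp" "$cfg"
}

# Usage (run against a copy first, then the real file):
#   set_userbasedn /etc/security/ldap/ldap.cfg 'OU=Users,DC=example,DC=com' \
#       'CN=group1,OU=Groups,DC=example,DC=com' \
#       'CN=group3,OU=Groups,DC=example,DC=com'
```

After changing ldap.cfg, restart the client daemon (restart-secldapclntd) and check that a member resolves and a non-member does not, for example with lsuser -R LDAP for each. Note that the filter only limits which accounts the LDAP load module will resolve; accounts that are local (the compat side of SYSTEM=LDAP or compat) are not affected by it.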
Original Message:
Sent: 1/1/2024 6:31:00 PM
From: David Little
Subject: RE: AIX Winbind LDAP Group Authorization Restrictions
Thanks Phill.
I wanted to use Winbind because I wanted to avoid the fiddly setup on the AD side, especially as every user needs that fiddling! The Winbind setup avoids a lot of work, both short and long-term.
You mentioned that using LDAP integration doesn't force the AIX server to become part of the AD domain. True, but why is that a positive? Is it better to fiddle with every user account instead of the AD joining?
Thank you for the links, I've seen the AIX LDAP ones, but not the last Spiceworks link. I had been approaching this as though I'd be limiting the groups on the AIX servers themselves, didn't even cross my mind to use group policy. I'll look into it, thanks!
------------------------------
David Little
Original Message:
Sent: Fri December 29, 2023 05:09 AM
From: Phill Rowbottom
Subject: AIX Winbind LDAP Group Authorization Restrictions
Hi David,
Have you looked at AIX's LDAP integration with AD? It can restrict by groups (I don't know about individual users, that's not been a requirement for me). It does take some fiddly setup on the AD side and some mucking around with the LDAP group filters. When using this method, the AIX machine doesn't become a part of the AD domain like I take it does with winbind (which I haven't used, I have used realm on Linux for AD integration which binds the linux machine to AD)?
https://www.ibm.com/support/pages/active-directory-ad-aix-step-step-instructions-integrate-active-directory-2016-aix-ldap-protocol
https://thornelabs.net/posts/aix-restrict-server-login-via-ldap-groups/
With winbind, as the AIX machine becomes part of AD you might be able to do something with AD policy to restrict who can login, it might be something to have your AD admins look at. I did find this - https://community.spiceworks.com/how_to/2797-restrict-computer-logons-to-a-group-of-users
------------------------------
Phill Rowbottom
Original Message:
Sent: Thu December 28, 2023 06:52 PM
From: David Little
Subject: AIX Winbind LDAP Group Authorization Restrictions
Hi All,
I have Winbind hooked up to AD to allow LDAP users in on one of my AIX 7.2 LPARs.
How do I configure the host to only allow users to log in if they are members of specific groups in LDAP? I assume this is something in PAM, but it's a weakness of mine. I've done some reading but just cannot easily wrap my head around what is required.
When the user logs into AIX, they do inherit the AD groups, for example:
domain\user@SERVER:/home/domain/user $ groups
domain\user domain\domain_users domain\group1 domain\group2 domain\group3
I would like to limit logins to users who are members of domain\group1 or domain\group3 (non-exclusive). Additionally it might be good to know how to exclude certain groups from logging in, or even allow/deny access to individual users.
In case it matters, my /etc/methods.cfg:
NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64

DCE:
        program = /usr/lib/security/DCE

WINBIND:
        program = /opt/freeware/lib/WINBIND.so
        program_64 = /opt/freeware/lib/WINBIND.so
and my /etc/security/user default stanza has SYSTEM=WINBIND or compat:
chsec -f /etc/security/user -s default -a "SYSTEM=WINBIND or compat"
------------------------------
David Little
------------------------------