Originally posted by: sanket

Originally posted by: Mike_AIX

This installs easily as long as you include all of the RPMs including those marked development and libsamba*.  However, I am seeing an issue setting up authentication.  We currently have 45+ AIX servers running Samba 3.  Because of configuration decisions when AD 2003 was installed, we lost our ability to authenticate our Samba users against AD (NT4 authentication dropped) and set up a Samba 3 Domain Controller to centralize management of Samba user passwords.  Apparently, since Samba 4.3.X doesn't support RPC connections to Samba 3, we can't use this new version with our existing Samba PDC.  Since this release to the Toolbox was not compiled with ADS support, it can neither connect to an AD server or be used as a Samba PDC (which is Active Directory).  This should work well in a standalone environment with local authentication but if you need some kind of centralized authentication, this might not be it for you.

Originally posted by: rmeyer5

Are there plans to add Kerberos server support to Samba builds from Developerworks?

June 2016, a Security Update from Microsoft (3165191) affected our environment. Removing the patch restored connectivity.

After installing  the packages below and joining the Domain, access using AD is still available. The organizations objective is to stop using NT 4 authentication AD, which would affect us as well. The URLS referencing the connectivity issues are below.

https://access.redhat.com/discussions/2390751#comment-1066191

https://support.microsoft.com/en-us/help/3165191/ms16-077-security-update-for-wpad-june-14,-2016

=== aix test system===
samba-winbind-clients-4.3.11-1.ppc
samba-devel-4.3.11-1.ppc
samba-4.3.11-1.ppc
samba-winbind-4.3.11-1.ppc
samba-libs-4.3.11-1.ppc
samba-common-4.3.11-1.ppc

Originally posted by: MikeBCBST

Yes we were bit by the June 2016 security update as well.  We were already on a class C subnet structure,  so we thought we were "theoretically" all on 1 subnet even though the 2nd and 3rd octets were different.  That made no difference.  What we discovered was that using a fully qualified server name worked about 90% of the time.  Using the IP address worked just about always worked but that is impractical in production batch.  The patch was backed off on the servers (not desktops) but that is at best a temporary fix because the patch is part of future security patches, especially as Microsoft is starting to bundle their patches.  Our Windows server team is looking at applying the registry fix after applying the patch.  The desktop team has been doing that in those cases where fully qualified names don't fix the issue.

I did not try connecting against our Windows AD (we use LDAP on AIX) because, at least for the time being, we are wanting to keep Samba on a separate domain of its own while we were checking out Samba 4.  The main reason is that we have no control over changes made to the enterprise AD and have been surprised a few times.  However, the messages I received during testing said that ADS support had not been compiled in which may just mean it cannot serve as a PDC (one of the options I was testing).  Worth checking out.  Thanks.

Originally posted by: Manoj Suyal

Hi, I am using local authentication for a samba share, however I do have same user in AD, is ther a way to authenticate samba using AD credentials.

It will be helpful if someone can give me exact configuration that need to be placed in smb configuration.

Regards

Manoj Suyal

Originally posted by: AyappanP

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Steps are same like the above except for the below changes.

1) /etc/netsvc.conf instead of /etc/nsswitch.conf.

passwd: files compat winbind
group: files compat winbind

2) /usr/lib/security/methods.cfg should have this entry. 

WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly

/usr/lib/security/WINBIND should point to /opt/freeware/lib/WINBIND.so

# ls -l /usr/lib/security/WINBIND
lrwxrwxrwx 1 root system 28 Oct  9  2017 /usr/lib/security/WINBIND -> /opt/freeware/lib/WINBIND.so

3) Edit /etc/security/user to set the below things under "default"

SYSTEM = "WINBIND OR compat"
registry = WINBIND

Originally posted by: AyappanP

Attaching a sample smb conf file 

Attachment(s)

sample_smb_conf.txt   916 B 1 version

Originally posted by: maxinxavier

Where can I find WINBIND   LAM ( Loadable Authentication Module)  for AIX 6.1/7.1  ?

From SAMBA documentation the above executable should be placed in /usr/lib/security folder ,in order to get the winbind service functioning.

(ref: https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html )

It looks like compiled versions don't include this file , from  Samba version 3.x   on wards.

My client's  requirement is to integrate Samba server to Windows AD , ( Kerberos client is configured , but no plans to configure LDAP client on AIX ).  WINBIND is required to perfrom UID to SID mapping.

Thanks

Max

Originally posted by: AyappanP

Okay so it seems like the WINBIND module is not getting shipped with the package. We will make sure it get shipped in the future releases. 

BTW, i doubt you can integrate Samba server to Windows AD without ADS support. 

Originally posted by: AyappanP

Kerberos (or NAS as we call it ) in AIX is pretty old to support ADS feature in Samba. We are examining various ways to fix this (by updating NAS or by making use of separate standalone kerberos rpm).

Originally posted by: dieter_mosbach

Were you able to compile with AD support  successfully  ? 

Originally posted by: dhcolesj

I would LOVE for you to answer this question!!!!   Was the AD support able to get compiled into a newer version?  I have Samba 4.6.4-2 and there is NO Winbind "libnss_winbind" library. 

Originally posted by: AyappanP

Yes, the current version 4.6.4-2 has Active Directory support. In AIX, the libnss_winbind equivalent library is WINBIND.so. 

You can get more info from https://github.com/samba-team/samba/blob/master/nsswitch/winbind_nss_aix.c 

Originally posted by: LT_John

Am I missing something obvious here? Samba has always been the bane of my life and that's still the case. I need to upgrade to a version that uses SMB3 and I came across this thread. When you state that all the dependencies for Samba-4.3.11 are available, do you mean they're wrapped up within all the various Samba rpms? I've downloaded everything I can find with Samba-4.3.11 in the name and still have the dependencies from hell situation. I tried it with Samba-3.6.11 as well. I can only think that I'm doing something wrong if other people are installing it okay. Do you know if there's a bundle file available?
Cheers,
John

Originally posted by: AyappanP

Samba has lot of dependencies( like openldap, gnuTLS ., etc). Manually installing them is a painful process. So i suggest you to use Yum. You can get this script  yum.sh from https://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/ezinstall/ppc/yum.sh and just run it. This will setup the yum repository and you can start using yum to install packages.