Well, I have tried really hard to get any of the idmaps to work--in
that, idmap_ads, idmap_rid, and I have tried to use idmap storage in
ldap with padl (nss_ldap) too, but I have had no luck. If I enable pam
in /usr/lib/security/methods.cfg or nss_ldap, I cannot log into the
system anymore. If I enable pam in /etc/pam.conf and use in
/etc/security/users SYSTEM = "WINBIND or WINBIND[UNAVAIL] AND COMPAT", I
cannot log into the system anymore. If I enable idmap_ads or idmap_rid
in smb.conf, winbindd core dumps. I think, and I have not verified this
yet, that if I start up samba without idmap_ad or idmap_rid so that
winbindd starts and then add idmap_rid or idmap_ad once it has started,
winbindd does not core, but I cannot 100% tell if idmapping is
happening. (After messing with all this, I was wondering why I even
need idmap, pam, or ldap capability anyway.) Still, it bugs me that I
cannot get any of this to work.

Here are my notes:

I changed the separator to + from / and now when I use
users=DOMAIN+mylogin, I get access to a share finally. However, when I
run chown DOMAIN+mylogin testdir, testdir is not set to DOMAIN+mylogin,
it is set to tempfn (temporary id is what the gecos/description says).

In aix land, what do I need to do to get it to use WINBIND to set the
directory ownership now? My /usr/lib/security/methods.cfg has authonly
for WINBIND. I take it that is not enough? I saw something where they
wanted me to change SYSTEM=compat to

SYSTEM = "WINBIND OR WINBIND[UNAVAIL] AND compat", but when I do that,
nobody can log in to the system anymore.

My smb.conf now looks like the following:

[global]

workgroup = DOMAIN
realm = DOMAIN.COM
server string = User management Server
security = ADS
password server = ad.domain.com
log level = 10
log file = /usr/local/samba/var/log.%m
max log size = 50
name resolve order = hosts wins lmhosts bcast
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
preferred master = No
local master = No
dns proxy = No
wins server = svcmc02, svcmc03
idmap uid = 100000-200000
idmap gid = 100000-200000
winbind separator = +
winbind use default domain = Yes
winbind nested groups = Yes
aio read size = 1
aio write size = 1

[home]

path = /home/%D/%u
valid users = %S
read only = No
browseable = No

[samba]

path = /usr/local/samba
username = DOMAIN+mylogin
valid users = DOMAIN+mylogin
My /usr/lib/security/methods.cfg:

NIS:

program = /usr/lib/security/NIS
program_64 = /usr/lib/security/NIS_64

DCE:

program = /usr/lib/security/DCE

* PAM:
* program = /usr/lib/security/PAM

WINBIND:

program = /usr/lib/security/WINBIND
options = authonly
* options = auth=PAM,db=BUILTIN

* LDAP:
* program = /usr/lib/security/NSS_LDAP

(haven't had luck with pam either. It will not let me log in if I use
it too)

PAM:

Added to pam.conf:

sshd auth required /usr/lib/security/pam_aix
OTHER auth required /usr/lib/security/pam_aix

# Account management
sshd account required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_aix

# Password management
sshd password required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_aix

# Session management
sshd session required /usr/lib/security/pam_aix
OTHER session required /usr/lib/security/pam_aix

OTHER auth required /usr/lib/security/pam_winbind.so debug
use_first_pass unknown_ok DOMAIN
OTHER account required /usr/lib/security/pam_winbind.so debug
use_first_pass unknown_ok DOMAIN
OTHER session required /usr/lib/security/pam_winbind.so debug
use_first_pass unknown_ok DOMAIN
OTHER password required /usr/lib/security/pam_winbind.so debug
use_first_pass unknown_ok DOMAIN


During build I had to add in Makefile's CFLAG line to get pam to
compile:

-DPAM_AUTHTOK_RECOVER_ERR=PAM_AUTHTOK_RECOVERY_ERR -DPAM_EXTERN=extern
or load with env CC=gcc as CFLAGs.


LDAP:
copied samba/source/example/LDAP/samba.schema to
/usr/local/openldap/etc/openldap/schema folder
Added to /usr/local/openldap/etc/slapd.conf:

# Samba required schemas
include /usr/local/openldap/etc/openldap/cosine.schema
include /usr/local/openldap/etc/openldap/inetorgperson.schema
include /usr/local/openldap/etc/openldap/nis.schema
include /usr/local/openldap/etc/openldap/samba.schema

#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=DOMAIN,dc=COM"
rootdn "cn=Manager,dc=DOMAIN,dc=COM"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw mypassword
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/openldap/var/openldap-data
#######################################################################
# Cache
#######################################################################
# dbcachesize if database is ldbm instead of bdb
cachesize 40000
# dbcachesize 60000000
checkpoint 512 720
#######################################################################
# Samba Indexes
#######################################################################
index objectClass eq
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index objectClass pres,eq
index sambaDomainName eq
index rid,primaryGroupID eq
index default sub

access to *
by self write
by * read

Made directory /usr/local/openldap/var/openldap-data and set chmod 700
Ran /usr/local/openldap/sbin/slapindex -f slapd.conf after loading
samba.ldif with slapadd -f slapd.conf.


AIO:
AIO support is installed in this package. If you have problems starting
Samba, try the following:

$ lsdev -Cc posix_aio
posix_aio0 Available Posix Asynchronous I/O

If the above says "Defined" instead of "Available":

$ mkdev -l posix_aio0
posix_aio0 Available

$ chdev -l posix_aio0 -a autoconfig=available -P
posix_aio0 changed

David Shapiro
Unix Team Lead
919-765-2011
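Added example, not from the post above and not Samba's own code: a small Python check of the idmap_rid arithmetic against the idmap range in the smb.conf shown, using constructed SIDs. It assumes the idmap_rid formula ID = low + RID - base_rid with base_rid = 0 (the default in current releases; older releases may differ), and the `idmap backend = rid` line in the sample is hypothetical, since the post never got that far.

```python
import re

# Constructed sample: the [global] idmap lines from the post plus a
# hypothetical "idmap backend = rid" line that is NOT in the original.
SMB_CONF = """
[global]
    idmap uid = 100000-200000
    idmap gid = 100000-200000
    winbind separator = +
    idmap backend = rid
"""

def parse_idmap_range(conf, key="idmap uid"):
    """Return (low, high) from an 'idmap uid = LOW-HIGH' style line."""
    m = re.search(r"^\s*" + re.escape(key) + r"\s*=\s*(\d+)\s*-\s*(\d+)",
                  conf, re.M)
    if not m:
        raise ValueError("no '%s' range in smb.conf" % key)
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError("idmap range has low > high")
    return low, high

def sid_rid(sid):
    """The RID is the last sub-authority of a SID like S-1-5-21-...-1105."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("malformed SID: %s" % sid)
    return int(parts[-1])

def rid_to_id(sid, low, high, base_rid=0):
    """idmap_rid arithmetic (assumed): ID = low + RID - base_rid.

    Returns None when the result lands outside the configured range.
    An unmapped SID is exactly the case where a chown to a domain user
    cannot resolve to a uid and ownership ends up on some local account.
    """
    uid = low + sid_rid(sid) - base_rid
    if uid < low or uid > high:
        return None
    return uid

def domain_user(name, separator="+"):
    """Split 'DOMAIN+user' on the configured winbind separator."""
    domain, sep, user = name.partition(separator)
    if not sep:
        return None, name  # bare name: 'winbind use default domain' case
    return domain, user
```

With the 100000-200000 range only RIDs up to 100000 map; a RID above that silently gets no mapping, so checking a real user's RID against the range is a quick first step before suspecting PAM or methods.cfg.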