Samba for AIX 5.3 & 6.1
(by William Jojo)
(2009-06-24)

1. Introduction
2. Installing the binaries
3. Tuning AIX
4. Configuring a basic domain controller
   (a) Password database options
       i. smbpasswd
       ii. tdbsam
       iii. ldapsam
   (b) Group Mappings
   (c) Machine Accounts
   (d) User/Group Manipulation
5. Integration with Active Directory
   (a) Setting up Kerberos
   (b) What time is it?
   (c) IDMAP Overview
   (d) WINBIND
   (e) IDMAP_TDB
   (f) IDMAP_LDAP
   (g) Testing IDMAP
   (h) What does this error mean?
6. Backups and Upgrades
   (a) OpenLDAP
   (b) Samba

AIX, POWER and pSeries are registered trademarks of the IBM Corporation.
EMC is a registered trademark of the EMC Corporation.
Samba is copyright Andrew Tridgell and the Samba Team and is licensed under the GPLv3 licensing model (GPLv2 up to 3.0.25b).

Samba for AIX 5.3 & 6.1 (2009-06-24) 1 of 37

1. Introduction
This document assumes a few things:
1. You are the administrator of AIX or have some direct access to the operating systems as a privileged user and you've kept it fairly well up to date. Most problems can be avoided by keeping AIX at recent levels. Use the link provided to get the updates you need before you get started. It is recommended that you stick to TL's (Technology Levels) or SP's (Service Packs to a TL) and only install specific APARs when you need a specific fix.
http://www14.software.ibm.com/webapp/set2/sas/f/genunix3/aixfixes.html
2. You are using the AIX binary packaging at the pWare site.
3. You've planned your disk space, have a rough count of the number of users and machines that will be participating and have some basic system administration experience in AIX. That said, you should already be thinking about the infrastructure you want to either build or enhance. There will be some points along the way where you will pause, reflect and begin to change your perspective about how you're going to roll out Samba. It is advised that you go with that feeling (at least on paper).
4. You've consulted your users, other system administrators and department heads as needed to be certain your plans achieve the goals of all involved. There is no cookie cutter solution, nor is this a black art. Simply put, if you fail to plan, you plan to fail.
Several options will be presented based on the capabilities of the author, the software and the operating system (but mostly the capabilities of the author). All of which may show deficiencies at some level. This is natural and expected with both humans and software. When this happens in software there will often be a workaround offered to assist you.
This content was tested with AIX 5.2 up to TL1000, AIX 5.3 up to TL0902 and AIX 6.1 up to TL0301.
The following files will be modified or created so you should consider making a backup of each of them before getting started:
/usr/lib/security/methods.cfg
/etc/security/user
/etc/security/ldap/ldap.cfg
/etc/slapd.conf
/opt/pware/lib/smb.conf

Special thanks to all those who have been testing the AIX binaries against Active Directory, especially Selwyn Marock. Some very interesting error messages have been collected in the "What does this error mean?" section with specific fixes noted when these errors occur.
Conventions:
mono                filenames, commands and options to configuration.
mono bold           command line text typed by the user.
mono bold italic    notable details.


2. Installing the Binaries
By this time you've downloaded or are about to download the binaries from the Samba site. If you've downloaded these before and are performing an upgrade, you may not need the opt samba base again. Check the README file for details.
You will need the following from the pWare site http://pware.hvcc.edu:
pware53-AIX53-Samba-3.3.4.tar.gz

This package can be found in the download section under aix53 or aix53-64. In addition, you will need the following IBM filesets available from the AIX installation media:
For AIX 5.3, they are:
ldap.client.rte
ldap.client.adt

For AIX 6.1 they are:
idsldap.clt32bit61.rte
idsldap.clt_max_crypto32bit61.rte
idsldap.cltbase61.adt
idsldap.cltbase61.rte

On AIX 6.1 you will also need to run the following script from IBM (which comes with idsldap.cltbase61.rte) to make sure the symlinks are correct for the secldapclntd daemon to resolve LDAP lookups:
/opt/IBM/ldap/V6.1/bin/idslink

If you are upgrading a version of the base software or Samba, you are advised to back up all of your configuration and TDB files prior to upgrading. Simply place all of the files in a directory in /tmp, uncompress and extract the tarballs and take a moment to ponder what you are about to do. Then follow the installation instructions in the README file. That file is the source of up to the minute installation instructions, known issues and workarounds and will not be repeated here.
Once installed, you should see the following with lslpp:
[tstsmb:/] # lslpp -l pware*
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  pware53.base.rte           5.3.0.0  COMMITTED  pWare base for 5.3
  pware53.bdb.rte           4.6.21.4  COMMITTED  Berkeley DB 4.6.21
  pware53.cyrus-sasl.rte    2.1.22.2  COMMITTED  cyrus-sasl 2.1.22
  pware53.gettext.rte       0.17.0.0  COMMITTED  GNU gettext 0.17
  pware53.krb5.rte           1.6.3.1  COMMITTED  MIT Kerberos 1.6.3
  pware53.libiconv.rte      1.12.0.0  COMMITTED  GNU libiconv 1.12
  pware53.ncurses.rte        5.7.0.1  COMMITTED  ncurses 5.7.0.1
  pware53.openldap.rte      2.4.16.0  COMMITTED  OpenLDAP 2.4.16
  pware53.openssh.rte        5.2.1.0  COMMITTED  OpenSSH 5.2p1
  pware53.openssl.rte       0.9.8.10  COMMITTED  OpenSSL 0.9.8j
  pware53.popt.rte          1.10.4.0  COMMITTED  popt 1.10.4
  pware53.rsync.rte          3.0.5.0  COMMITTED  rsync 3.0.5
  pware53.samba.rte          3.3.5.0  COMMITTED  Samba 3.3.5
  pware53.zlib.rte           1.2.3.0  COMMITTED  zlib 1.2.3


This software can also be installed through the SMIT utility using:
smitty install

If you received errors during the installation process be sure that you have all of the filesets in the same directory so that dependencies can be resolved. Be certain too that you've agreed to the licensing terms. The licensing terms, simply put, are that these packages are provided without warranty and they are governed by several licensing models. If something breaks, neither I nor my employer are responsible. I have made every effort to make this as painless and expeditious as possible and hope you enjoy using these fine products.


3. Tuning AIX
There are two basic means by which to tune AIX: the command line and at the next boot. Some tunable values are dynamic and others require a reboot to take effect. The three basic categories of tunable values (there are others, but these matter the most) are:
1. Virtual Memory (vmo)
2. I/O (ioo)
3. Network (no)
The parenthetic value is the command that directly controls these tunable values. The format of these commands is very simple and is explained in detail in their respective manual pages.
What follows is a set of values used at our site for optimal throughput of SAN connected disk, Gigabit network connectivity and a fairly good amount of system memory. With roaming profiles and about 1000 student workstations, the server is currently a pSeries p650 6M2 6-way 1.2GHz POWER4+ LPAR (although 4-way is enough), 14GB of memory and dual attached redundant pathway 2Gb Fiber Channel back to an EMC CX700 SAN. You should build your system to the specifications necessary for your environment.
The values are as follows and are taken from the /etc/tunables/nextboot file:
ioo:
        numclust = "1024"
        numfsbufs = "6144"
        j2_nPagesPerWriteBehindCluster = "8192"
        minpgahead = "0"
        j2_minPageReadAhead = "0"
vmo:
        maxperm% = "80"
        maxclient% = "70"
        minfree = "4096"
        maxfree = "4608"
        strict_maxperm = "0"
        strict_maxclient = "1"
        lru_file_repage = "0"
no:
        arptab_nb = "311"
        arptab_bsiz = "23"
        ipqmaxlen = "2000"
        nbc_limit = "0"
        tcp_ttl = "128"
        udp_ttl = "128"
        extendednetstats = "1"
        rfc1323 = "1"
        tcp_sendspace = "262144"
        tcp_recvspace = "262144"
        udp_sendspace = "65536"
        udp_recvspace = "655360"
        sb_max = "1048576"
        use_isno = "0"
        clean_partial_conns = "1"


Just some quick comments. The values for ioo reflect the fact that under heavy load, the use of sequential read ahead can actually be a penalty during a high degree of multiprogramming when processes are waiting around for large chunks of data to fulfill the upper bound on read ahead, whilst hundreds of other processes do the same. Liberal use of write behind is used due to the fact that we have good caching on the SAN.
The values for vmo reflect the level of multiprogramming and the amount of I/O. We do not want AIX swapping processes out to disk for the sake of better I/O, so maxperm% and maxclient% were lowered. The minfree and maxfree values are tuned higher due to the amount of data being moved which makes more pages available for I/O so that lrud (the least recently used daemon in charge of finding/stealing pages) is more efficient in many but certainly not all cases.
The values for no represent the use of excellent networking equipment, beefy server hardware and an excellent attachment to our disk subsystem. Your mileage may vary!
One other place to make some changes if you haven't since the installation of AIX from CDROM is the /etc/security/limits file which usually contains these defaults:
default:
        fsize = 2097151
        core = 2097151
        cpu = -1
        data = 262144
        rss = 65536
        stack = 65536
        nofiles = 2000

These numbers need to be increased at least for the root user. The default stanza below shows a good starting point to be certain that all of your services will have sufficient memory and file handles.
default:
        fsize = 2097151
        core = 2097151
        cpu = -1
        data = 524288
        rss = 524288
        stack = 524288
        nofiles = -1

The bulk of this is left to the reader to assess their own tuning needs as the values presented may be too high for your particular site, so read the manual pages and collect some metric data to determine a baseline first before making any changes. It is your responsibility to make bootable backups of your system in case these values render your system non-bootable.
If you wish to share some experiences with tunable values on your hardware, feel free to drop me a line and I'll see about getting them into a future version of this document.


4. Configuring a Basic Domain Controller
The domain controller (DC) is a basic unit of measure when setting up Samba. Security is set to user level security and the DC is configured to accept authentication from machines that have trusts established with Samba. What follows is a series of basic configurations depending on your needs as far as where the user authentication database is kept and whether you need to run winbindd. The nmbd and smbd daemons are minimally required to run Samba.
Here is a basic smb.conf file to get started with. All subsequent examples play off of this example showing the specific differences. Some of the highlighted portions are related to some upcoming discussions and the administrator should research others for a clear understanding of their meanings.
[global]
        workgroup = DOMNAME
        map to guest = Bad User
        passdb backend = smbpasswd
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_SNDBUF=262144 SO_RCVBUF=262144
        logon script = current.bat
        logon drive = h:
        domain logons = Yes
        encrypt passwords = yes
        os level = 60
        preferred master = Yes
        domain master = Yes
        short preserve case = No
        csc policy = disable
        oplocks = No
        level2 oplocks = No
        strict locking = No
        log level = 0
        # sync unix side password in /etc/security/passwd
        unix password sync = yes
        passwd program = /opt/pware/sbin/passwd.ksh %u
        passwd chat = "*password*\n*password:" %n\n "*password:" %n\n "*"
        # passwd chat debug = yes
        hosts allow = 127., 192.168.
[homes]
        comment = Home Directories
        path = %H
        read only = No
        create mask = 0644
        force create mode = 0644
        force directory mode = 0755
        use sendfile = Yes
        browseable = No
[netlogon]
        comment = Network Logon Service
        path = /netlogon
        browseable = No

The [homes] and [netlogon] stanzas are standard fare and this is a typical configuration to get you started. See the many HowTo's and manual pages at the Samba site for specific details of these options.
Note: The smbpasswd command is used in all three sections for password database options. This is due to the fact that the smbpasswd command is backend neutral and the configuration file for Samba dictates where and how user attributes should be handled.
4a. Password Database Options
i. smbpasswd
The default and simplest choice for a small amount of users that requires the least amount of knowledge and can be administered by a single individual is the use of smbpasswd(5). This file is a flat text file that is similar in format to /etc/passwd, that is, there are colon separated fields that represent specific data values that are Samba sensitive.
Users must first be created in AIX using the mkuser command, and then added to the smbpasswd file using the smbpasswd(8) command. The smbpasswd file is located in the private directory of the Samba install path (for this example it is in /opt/pware/private/smbpasswd). All users and machine accounts will have entries in both files. Some may say that this method is antiquated and irrelevant. Fine, believe what you will, but the setup of LDAP for less than 300 users may not be worth the effort and disaster recovery planning necessary, especially if this Samba server is the only one and not going to be trusting or be trusted by other servers.
Some items to note in the configuration is the passdb backend which is explicitly set to the default of smbpasswd. (NOTE: in Samba 3.4.0 the default backend will be tdbsam.)
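As an added example that is not part of the original document, the following POSIX shell functions audit a smbpasswd(5) flat file for the account states an administrator usually wants to see at a glance: machine accounts, disabled accounts, accounts that need no password, and accounts that still store a LAN Manager hash. The sample file, its usernames and its hash values are constructed for the example (they are placeholders, not real credentials), the function names are this example's own, and the field layout assumed is the standard one (username:uid:LM hash:NT hash:[flags]:LCT-hex:).

```shell
#!/bin/sh
# Added example: audit functions for a smbpasswd(5) flat file.
# Record layout assumed (one account per line, ':' separated):
#   username:uid:LM hash:NT hash:[flags]:LCT-<hex seconds>:
# Flags: U user, W workstation (machine) account, D disabled, N no password
# required, X password never expires.  A field of 32 X's means "no hash stored".

NO_HASH=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# Write a constructed sample file (hashes are placeholders, not real
# credentials) to the path given as $1.
smbpasswd_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real smbpasswd file
newid:203:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-46BE3A15:
guest:204:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
olduser:205:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[DU         ]:LCT-46BE3A15:
legacy:206:FEDCBA9876543210FEDCBA9876543210:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-46BE3A15:
COMP001$:300:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[W          ]:LCT-46BE3A15:
EOF
}

# Print the usernames whose flags field contains the letter given as $2.
smbpasswd_with_flag() {
    awk -F: -v flag="$2" '
        /^#/ || NF < 5 { next }
        index($5, flag) > 0 { print $1 }
    ' "$1"
}

# Print accounts usable without a password: the N flag is set, or no NT hash
# is stored at all.
smbpasswd_no_password() {
    awk -F: -v nohash="$NO_HASH" '
        /^#/ || NF < 5 { next }
        index($5, "N") > 0 || $4 == nohash { print $1 }
    ' "$1"
}

# Print accounts that still store a LAN Manager hash.  LM is a weak DES-based
# hash that modern clients do not need, so its presence is worth removing.
smbpasswd_with_lm_hash() {
    awk -F: -v nohash="$NO_HASH" '
        /^#/ || NF < 5 { next }
        $3 != nohash && length($3) == 32 && $3 ~ /^[0-9A-Fa-f]+$/ { print $1 }
    ' "$1"
}

# Demonstration over the constructed sample.
f=$(mktemp)
smbpasswd_sample "$f"
printf 'machine accounts: %s\n'  "$(smbpasswd_with_flag "$f" W)"
printf 'disabled accounts: %s\n' "$(smbpasswd_with_flag "$f" D)"
printf 'no password: %s\n'       "$(smbpasswd_no_password "$f")"
printf 'LM hash present: %s\n'   "$(smbpasswd_with_lm_hash "$f")"
rm -f "$f"
```

Run it against /opt/pware/private/smbpasswd by passing that path instead of the sample file; the functions only read, never modify, the file.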
Synchronizing the AIX password with the Samba password is desirable when users may be logging into AIX with telnet, ftp, ssh or scp. Users may then gain alternate access to their data. This next script (save it as passwd.ksh) is used for the passwd program option. That option with passwd chat allows Samba to change the AIX user password as well when requesting the Samba password be changed. This is not always necessary, but if you want to log into AIX with the same username and password as Samba, then you'll need this.
#!/bin/ksh
# Script to change the user's AIX password because of unix password sync.
# Samba invokes it as "passwd program" with the username as the first argument.
# The second command removes the ADMCHG flag from /etc/security/passwd
# put there by passwd running as root.
/usr/bin/passwd "$1"
/usr/bin/pwdadm -c "$1"

Note: If you are intending to synchronize passwords with AIX, you need the script above to be saved with the execute bit on, and Samba must be started for this to work. Setting the password as root accesses the smbpasswd file directly, but for the passwd program to be invoked, you have to become the user which then makes the call through a connected smbd. Check the /etc/security/passwd file to be certain your user's AIX password was set. If it wasn't, check your smb.conf for correctness and check permissions on scripts to make sure they have been made executable. This sounds blatantly obvious, but is so easy to overlook.
You can start Samba with the following commands:
/opt/pware/sbin/nmbd -D
/opt/pware/sbin/smbd -D

Verify that the daemons are running before proceeding. Check the logs in the /opt/pware/var directory for hints on what might be wrong.
The winbindd daemon is only necessary if you need security identifier (SID) translation of foreign SID's to local AIX UID or GID mappings. This is necessary when you are a domain member server or using trusts between Samba servers, between Samba and NT or between Samba and AD. Another reason to use winbindd is if you intend to use an option like ldapsam:editposix (q.v.). If you are not using any of the aforementioned configurations or are running a single domain controller, you do not need winbindd.
Using the mkuser command and the following script (save it as smbpass.ksh), we can quickly assemble a list of users and even automate the process into another script that could run daily based on user data acquired from another source. (In other words, if you're an educational institution and the administrative computing system can give you the needed information about students who've registered since yesterday, you can automate the process of account creation.)
#!/bin/ksh
# Usage: smbpass.ksh user pass   (run as root)
[[ $# -ne 2 ]] && echo "Usage: smbpass.ksh user pass\n" && exit 1
# Add the user to the Samba password database with a temporary password
# of xxx; -s reads old/new passwords from stdin instead of the terminal.
/opt/pware/bin/smbpasswd -s -a "$1" <<EOF
xxx
xxx
EOF
# Become the user and set the real password, so that the passwd program
# configured in smb.conf runs and the AIX password is set too.
su "$1" "-c /opt/pware/bin/smbpasswd -s" <<EOF
xxx
$2
$2
EOF

So using the above script saved into a file called setpass.ksh (with the execute bit on), you would do the following as the root user:

# mkuser newid gecos="New User Name"
# setpass.ksh newid newpassword

If you need more AIX user attributes, simply string along more options for the mkuser command.
There are two simple tests you can now perform to make sure this user is working. The first is the AIX login test: try to log into AIX with something simple like telnet or ftp. The next test is to try to view your share using smbclient(8):
[root]# smbclient //127.0.0.1/newid --user=newid
Password:
Domain=[DOMNAME] OS=[Unix] Server=[Samba 3.0.25b]
smb: \> dir
  .                                   D        0  Thu Jul 12 07:53:25 2007
  ..                                  D        0  Thu Jul 12 08:00:59 2007
  .profile                           AH      254  Thu Jul 12 07:53:25 2007

                32768 blocks of size 4096. 31570 blocks available
smb: \> quit

That's it! smbpasswd user authentication is now configured for Samba with password synchronization in AIX.
ii. tdbsam
Using the smbpasswd section as a guide, we will change one line in our [global] section to the following:
passdb backend = tdbsam

After starting Samba this creates a passdb.tdb file in the /opt/pware/private directory of the Samba install path.
You can use the exact same tools described in the smbpasswd section above for adding your users to AIX and Samba. Password synchronization with AIX will be maintainable as well.
The Samba documentation has indicated that some sites have had as many as 3000+ users in this particular backend with no noticeable latency issues. Since the tdb files are binary in nature and not flat files like the smbpasswd file, you may want to consider looking into tdbbackup(8) for disaster recovery.
iii. ldapsam
When faced with possibly 10000+ usernames that need to be created for authentication, it's hard to beat LDAP for its ability to store and retrieve data rapidly. Add some database indexes and some decent caching and you will have a splendid authentication subsystem.
One should plan ahead and set up a filesystem dedicated to the storage of LDAP data. This can get pretty big and you want to have plenty of headroom so that there is space for the log files (used for recovery if needed). A few gigabytes is good to start. AIX allows you to grow filesystems, so you can start small and monitor your usage and increase as needed.
This discussion is limited to RFC 2307 style attributes and only discusses the use of OpenLDAP as it is packaged with the other Samba AIX binaries. We will, however, discuss the integration of LDAP users into AIX so that it reflects the same level of ability as previously stated in the smbpasswd and tdbsam sections. Keep in mind that the intention is to have Samba store additional attributes of users that have been defined in LDAP using AIX commands. This is a commitment of user accounts in LDAP that are known to AIX and could be used to log into AIX. These user accounts will be further enhanced by Samba attributes.
First, we will start without Samba running and a new [global] stanza for smb.conf:
[global]
        workgroup = DOMNAME
        map to guest = Bad User
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_SNDBUF=262144 SO_RCVBUF=262144
        logon script = current.bat
        logon drive = h:
        domain logons = Yes
        encrypt passwords = yes
        os level = 60
        preferred master = Yes
        domain master = Yes
        short preserve case = No
        csc policy = disable
        oplocks = No
        level2 oplocks = No
        strict locking = No
        log level = 0
        passdb backend = ldapsam:"ldap://127.0.0.1"
        ldap admin dn = cn=Manager,dc=domname,dc=local
        ldap group suffix = ou=groups
        ldap user suffix = ou=people
        ldap machine suffix = ou=people
        ldap idmap suffix = ou=idmap
        ldap suffix = dc=domname,dc=local
        ldap passwd sync = yes
[homes]
        comment = Home Directories
        path = %H
        read only = No
        create mask = 0644
        force create mode = 0644
        force directory mode = 0755
        use sendfile = Yes
        browseable = No
[netlogon]
        comment = Network Logon Service
        path = /netlogon
        browseable = No


Now we will step away from Samba for a bit and configure LDAP. This will use the filesystem /ldap for the examples and will have a directory under that for this database and will use /ldap/db/domname.local for the database path. In that directory we will place a file called DB_CONFIG with the following contents:
set_cachesize 0 134217728 1
set_lg_regionmax 262144
set_lg_bsize 2097152


This DB_CONFIG is a good place to start and provides 128MB of solid caching that rarely needs increasing unless you've a great deal of data. Now let us create a slapd configuration file, /etc/slapd.conf, which will lay out the LDAP database in detail including schema files, attributes to be indexed and access rights. It will look much like this:
include         /opt/pware/etc/openldap/schema/core.schema
include         /opt/pware/etc/openldap/schema/cosine.schema
include         /opt/pware/etc/openldap/schema/inetorgperson.schema
include         /opt/pware/etc/openldap/schema/nis.schema
include         /opt/pware/etc/openldap/schema/misc.schema
include         /opt/pware/etc/openldap/schema/samba.schema
include         /opt/pware/etc/openldap/schema/aixadmin.schema
pidfile         /opt/pware/var/slapd.pid
argsfile        /opt/pware/var/slapd.args
loglevel        0
reverse-lookup  on
allow           bind_v2
password-hash   {crypt}
conn_max_pending        1024
conn_max_pending_auth   1024
threads         16
database        bdb
suffix          "dc=domname,dc=local"
sizelimit       50000
directory       /ldap/db/domname.local
cachesize       500000
checkpoint      1024 15
rootdn          "cn=Manager,dc=domname,dc=local"
rootpw          secret
index   objectClass             eq
index   cn                      pres,eq,sub
index   sn                      pres,eq,sub
index   mail                    pres,eq,sub
index   uid                     pres,eq,sub
index   memberUid               eq
index   uidNumber               eq
index   gidNumber               eq
index   sambaSID                eq,sub
index   sambaDomainName         eq
index   sambaPrimaryGroupSID    eq
index   default                 sub,eq
access to dn.subtree="ou=people,dc=domname,dc=local" attrs=userPassword
        by peername.ip=127.0.0.1 read
        by peername.ip=151.103.16.50 read
        by self write
        by * auth
access to dn.subtree="ou=people,dc=domname,dc=local"
        attrs=sambaLMPassword,sambaNTPassword
        by peername.ip=127.0.0.1 write
        by * none
access to dn.subtree="ou=people,dc=domname,dc=local"
        by peername.ip=127.0.0.1 write
        by * none
access to dn.subtree="ou=groups,dc=domname,dc=local"
        by peername.ip=127.0.0.1 write
        by * none
access to dn.subtree="ou=idmap,dc=domname,dc=local"
        by peername.ip=127.0.0.1 write
        by * none
access to dn.subtree="dc=domname,dc=local"
        by peername.ip=127.0.0.1 write
        by * none


There is a great deal being said in this configuration file and you should consult the OpenLDAP documentation for details. This is basically broken down as the following:
- which schema files to include
- some basic local configuration
- the database definition including indexes to be created
- the access control list (ACL's).

This will help define a tree in LDAP whose root or suffix is dc=domname,dc=local. Beneath the root we will have several containers, in the form of organizational units (ou), which are called ou=people for the usernames, ou=groups for the Unix groups and ou=idmap for winbindd information (this container along with winbindd is only used if Samba will be trusting another Samba server or will be a Domain Member Server of an AD tree). Ordinarily we would put our machine accounts in ou=computers, but since we will be using AIX to create the accounts, it cannot discern the difference. This will result in distinguished names (dn) that will look like the following:
uid=newid,ou=people,dc=domname,dc=local

This dn is the LDAP entry for the AIX username newid and is also shown in Illustration 1. Since we want to include Samba attributes, we will also need to copy a file from the Samba installation into the schema as follows:
cp /opt/pware/examples/LDAP/samba.schema \
   /opt/pware/etc/openldap/schema

Illustration 1: LDAP Tree hierarchy.
And since AIX is providing the means to get our users into LDAP, create a file /opt/pware/etc/openldap/schema/aixadmin.schema with the following lines:
attributetype ( 1.3.18.0.2.4.756 NAME 'AIXAdminGroupId'
        DESC 'AIX new admin group id storage'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.18.0.2.4.776 NAME 'AIXAdminUserId'
        DESC 'AIX new admin user id storage'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.18.0.2.4.782 NAME 'AIXGroupID'
        DESC 'AIX new group id storage'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.18.0.2.4.770 NAME 'AIXUserID'
        DESC 'AIX new user id storage'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
objectclass ( 1.3.18.0.2.6.169 NAME 'AIXAdmin'
        DESC 'AIX class to store user/group administration attributes'
        SUP top STRUCTURAL
        MUST cn
        MAY ( AIXAdminGroupId $ AIXAdminUserId $ AIXGroupID $ AIXUserID ) )


Now that the files are in place, we need a baseline LDIF (lightweight directory interchange format) file to create the tree in LDAP. This will create our empty containers. So create a file domname.ldif with the following (entries are separated by a blank line, and each container's ou attribute must carry the same value as its RDN or slapadd will reject it):
dn: dc=domname,dc=local
dc: domname
objectClass: top
objectClass: dcObject
objectClass: organization
o: My Organization Name

# remove this container if using sectoldif
dn: ou=people,dc=domname,dc=local
ou: people
objectClass: organizationalUnit

# remove this container if using sectoldif
dn: ou=groups,dc=domname,dc=local
ou: groups
objectClass: organizationalUnit

dn: ou=idmap,dc=domname,dc=local
ou: idmap
objectClass: organizationalUnit


We will now load this data into the LDAP database with the following command:
/opt/pware/sbin/slapadd -f /etc/slapd.conf -l domname.ldif
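
The baseline LDIF above is written for one suffix. As an added example that is not part of the original document, the shell functions below generate the same root and container entries for any dc-style suffix, and check a finished LDIF for the naming-attribute mistake that slapadd rejects: an entry whose RDN value (such as ou=people) is not also carried as an attribute of the entry. The function names and the container list (people, groups, idmap) are this example's assumptions; the sample LDIF in the demonstration is constructed here.

```shell
#!/bin/sh
# Added example: build the baseline LDIF for a dc-style suffix and verify
# that each LDIF entry carries its RDN attribute and value.  slapadd refuses
# an entry such as "dn: ou=people,..." whose attributes say "ou: users".

# Print the root entry plus the people/groups/idmap containers.
# $1 = suffix (e.g. dc=domname,dc=local), $2 = organization name.
base_ldif() {
    suffix=$1
    first_rdn=${suffix%%,*}      # dc=domname
    dc_value=${first_rdn#*=}     # domname
    printf 'dn: %s\ndc: %s\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\no: %s\n\n' \
        "$suffix" "$dc_value" "$2"
    for ou in people groups idmap; do
        printf 'dn: ou=%s,%s\nou: %s\nobjectClass: organizationalUnit\n\n' \
            "$ou" "$suffix" "$ou"
    done
}

# Read LDIF on stdin.  For every entry whose first RDN (attr=value) is not
# present among its attributes, print a diagnostic.  Exit 0 when all entries
# are consistent, 1 otherwise.  Names and values are compared
# case-insensitively, as LDAP does for ou, dc and cn.
ldif_check_naming() {
    awk '
        function check(   rdn, attr, val, k) {
            if (dn != "") {
                rdn = dn; sub(/,.*/, "", rdn)          # first RDN: ou=people
                attr = rdn; sub(/=.*/, "", attr)       # ou
                val = rdn; sub(/^[^=]*=/, "", val)     # people
                if (!((tolower(attr) SUBSEP tolower(val)) in seen)) {
                    print "naming attribute " attr "=" val " missing in: " dn
                    bad++
                }
            }
            dn = ""
            for (k in seen) delete seen[k]
        }
        BEGIN      { bad = 0 }
        /^dn: /    { check(); dn = substr($0, 5); next }
        /^$/       { check(); next }
        /^[^:]+: / {
            a = $0; sub(/:.*/, "", a)
            v = $0; sub(/^[^:]*: /, "", v)
            seen[tolower(a) SUBSEP tolower(v)] = 1
        }
        END { check(); exit (bad > 0) }
    '
}

# Demonstration: the generated tree passes, a mistyped container does not.
base_ldif dc=domname,dc=local 'My Organization Name' | ldif_check_naming \
    && echo 'generated LDIF: naming attributes consistent'
printf 'dn: ou=people,dc=domname,dc=local\nou: users\nobjectClass: organizationalUnit\n' \
    | ldif_check_naming || echo 'mistyped container rejected as expected'
```

To check a hand-written file before loading it, run ldif_check_naming < domname.ldif; a non-zero exit status means slapadd would stop on at least one entry.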

If all has gone well, and it should have, you should now see more files including the DB_CONFIG file within the /ldap/db/domname.local directory.
NOTE: This next bit of instruction only works for AIX 5.3 TL03 or later.
If we are migrating users from /etc/passwd to LDAP, you can perform the following two commands to create the LDIF file and load it into LDAP:
sectoldif -d dc=domname,dc=local -S RFC2307 > /tmp/migrate.ldif
/opt/pware/sbin/slapadd -f /etc/slapd.conf -l /tmp/migrate.ldif


If you are not migrating anything from AIX into LDAP, you will still need the ou=System container for the AIX uid/gid information to be used for the creation of subsequent users and groups via mkuser and mkgroup. The container can be obtained from the last three stanzas of sectoldif output even if you're not migrating the existing users. The container is based on the information contained in /etc/security/.ids and looks like this:
dn: ou=System,dc=domname,dc=local
ou: System
objectClass: organizationalUnit

dn: cn=aixid,ou=System,dc=domname,dc=local
cn: aixid
objectClass: aixadmin
aixadminuserid: 8
aixuserid: 203
aixadmingroupid: 14
aixgroupid: 202

dn: cn=aixbaseid,ou=System,dc=domname,dc=local
cn: aixbaseid
objectClass: aixadmin
aixadmingroupid: 1
aixadminuserid: 1
aixuserid: 200
aixgroupid: 200

You can put this LDIF data into a file /tmp/aixid.ldif and import it using the slapadd command similar to the one above, substituting /tmp/aixid.ldif for /tmp/migrate.ldif.
The database is loaded so let's get slapd started with the following command:
/opt/pware/libexec/slapd -f /etc/slapd.conf

Querying the database will reveal that we have successfully loaded the database and that the slapd daemon is running.
/opt/pware/bin/ldapsearch -LLL -x -D cn=Manager,dc=domname,dc=local \
   -w secret -b dc=domname,dc=local


Now we have to get AIX ready to do some work for us. This stanza indicates where AIX can find information about users that could log into the AIX system (not what Samba can do). Samba needs to ask AIX what the uid/gid values are for users and the groups for which they are members. The /etc/security/user file will be altered to arrange for such knowledge.
If we do not want anyone defined in /etc/passwd (with the exception of the root user) to be able to log into AIX and only allow LDAP users, then we could set the default stanza's SYSTEM value to LDAP. AIX users in /etc/passwd cannot log in unless they were migrated using sectoldif or have a user specific stanza that has SYSTEM=compat in the body (or whatever is appropriate for your site). However, we can allow both as is demonstrated in the following example.
The file /etc/security/user needs the default stanza attribute of SYSTEM set to "LDAP or compat", like so (the ellipses are showing lines removed to reduce clutter):
default:
        admin = false
        login = true
        su = true
        ...
        umask = 022
        expires = 0
        SYSTEM = "LDAP or compat"
        logintimes =
        ...

NOTE: Never change the root stanza to point to LDAP! If you have filesystem or data corruption in the LDAP database or if LDAP fails to start, you will not be able to log in.
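/etc/security/user, /etc/security/limits and /etc/tunables/nextboot all share the AIX stanza layout (a name followed by a colon, then indented attribute = value lines), and the NOTE above is the kind of rule worth checking automatically rather than by eye. The shell functions below are an added example that is not part of the original document: they read one attribute from any such file, apply the rule that a user stanza without its own SYSTEM attribute inherits the default stanza's value, and from that decide whether root can still log in when LDAP is unavailable. The sample files are constructed here from the values used in this document, and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example: read attributes from AIX stanza files such as
# /etc/security/user, /etc/security/limits and /etc/tunables/nextboot.
# Layout assumed:   stanza:           (name, colon, nothing else)
#                       attr = value  (indented; value may be double quoted)
# Comment lines in these files start with '*'.

# Print the value of attribute $3 in stanza $2 of file $1 (surrounding
# quotes removed).  Exit 1 if the stanza or the attribute is absent.
stanza_get() {
    awk -v stanza="$2" -v key="$3" '
        BEGIN { found = 0 }
        /^[ \t]*[A-Za-z0-9_.-]+:[ \t]*$/ {
            cur = $0; gsub(/[ \t]/, "", cur); sub(/:$/, "", cur); next
        }
        cur == stanza && /=/ {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /^[#*]/) next
            eq = index(line, "=")
            k = substr(line, 1, eq - 1); sub(/[ \t]+$/, "", k)
            if (k != key) next
            v = substr(line, eq + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (substr(v, 1, 1) == "\"") v = substr(v, 2)
            if (substr(v, length(v), 1) == "\"") v = substr(v, 1, length(v) - 1)
            print v; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# AIX resolves a user's SYSTEM attribute from the user's own stanza first
# and from the default stanza otherwise.
effective_system() {
    stanza_get "$1" "$2" SYSTEM || stanza_get "$1" default SYSTEM
}

# Exit 0 when root's login path does not depend on LDAP, i.e. its effective
# SYSTEM value names no LDAP method.
root_login_independent_of_ldap() {
    case "$(effective_system "$1" root)" in
        *LDAP*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Constructed sample files written into directory $1: a correct
# /etc/security/user, one where root silently inherits LDAP, a limits file
# and a nextboot file.
write_samples() {
    cat > "$1/user" <<'EOF'
default:
        admin = false
        login = true
        su = true
        umask = 022
        expires = 0
        SYSTEM = "LDAP or compat"
        logintimes =

root:
        admin = true
        SYSTEM = compat
        loginretries = 0
EOF
    cat > "$1/user.bad" <<'EOF'
default:
        SYSTEM = "LDAP or compat"

root:
        admin = true
EOF
    cat > "$1/limits" <<'EOF'
default:
        fsize = 2097151
        core = 2097151
        cpu = -1
        data = 524288
        rss = 524288
        stack = 524288
        nofiles = -1
EOF
    cat > "$1/nextboot" <<'EOF'
no:
        tcp_sendspace = "262144"
        rfc1323 =  "1"
vmo:
        maxperm% = "80"
EOF
}

# Demonstration.
d=$(mktemp -d)
write_samples "$d"
printf 'default SYSTEM: %s\n' "$(stanza_get "$d/user" default SYSTEM)"
printf 'root effective SYSTEM: %s\n' "$(effective_system "$d/user" root)"
root_login_independent_of_ldap "$d/user" && echo 'user: root does not depend on LDAP'
root_login_independent_of_ldap "$d/user.bad" || echo 'user.bad: root would be locked out if LDAP is down'
printf 'nofiles: %s  tcp_sendspace: %s\n' \
    "$(stanza_get "$d/limits" default nofiles)" "$(stanza_get "$d/nextboot" no tcp_sendspace)"
rm -rf "$d"
```

On a real system, root_login_independent_of_ldap /etc/security/user is a one-line check to add to whatever script edits that file, and stanza_get /etc/tunables/nextboot no tcp_sendspace reads the value that will apply after the next boot.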
The next section simply tells AIX about another means to find users and groups. The LDAP program being placed in this file is known as a loadable authentication module (LAM) and will assist AIX in finding our LDAP users. Now edit /usr/lib/security/methods.cfg and add the following:
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

And finally we'll configure the secldapclntd daemon to report our users using our LDAP database. The file /etc/security/ldap/ldap.cfg should be backed up and the contents replaced with:
ldapservers:127.0.0.1
binddn:cn=Manager,dc=domname,dc=local
bindpwd:secret
authtype:ldap_auth
useSSL:no
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
idattrmappath:/etc/security/ldap/aixid.map
userbasedn:ou=people,dc=domname,dc=local
groupbasedn:ou=groups,dc=domname,dc=local
idbasedn:cn=aixid,ou=system,dc=domname,dc=local
userclasses:posixaccount,shadowaccount,account
groupclasses:posixgroup
ldapport:389
followaliase:NEVER
usercachesize:1000
groupcachesize:100
cachetimeout:300
heartbeatinterval:300
numberofthread:10
connectionsperserver:10
searchmode:ALL
defaultentrylocation:local
ldaptimeout:60


Now AIX needs a little help in understanding our tree and its attributes. The map files in /etc/security/ldap help AIX to understand. The 2307user.map file needs a line added for the password attribute which indicates if the account is allowed to log in.
username        SEC_CHAR        uid                     s
id              SEC_INT         uidnumber               s
pgrp            SEC_CHAR        gidnumber               s
home            SEC_CHAR        homedirectory           s
shell           SEC_CHAR        loginshell              s
gecos           SEC_CHAR        gecos                   s
spassword       SEC_CHAR        userpassword            s
lastupdate      SEC_INT         shadowlastchange        s
password        SEC_CHAR        description             s

The description attribute is selected because we already have user information in the gecos attribute and description is an acceptable attribute in the account structural object class listed in the userclasses line of the ldap.cfg file.
The secldapclntd daemon provides AIX with user information by way of the LDAP LAM described above. Now we can start the secldapclntd program to provide this user information using the following command:
start-secldapclntd

Once started you should be able to list all of your LDAP users with:
lsuser -R LDAP ALL

And we can create a user with:
mkuser -R LDAP gecos="My New User ID" newid

And check it with:
lsuser -R LDAP newid

Now back to Samba. We'll need to start Samba at this point and then we can add our user newid to Samba.
/opt/pware/sbin/nmbd -D
/opt/pware/sbin/smbd -D
# /opt/pware/bin/smbpasswd -a newid
New SMB password:
Retype new SMB password:
Added user newid.


An ldapsearch of the newid user reveals the following:
dn: uid=newid,ou=people,dc=domname,dc=local
gidNumber: 1
uidNumber: 203
homeDirectory: /home/newid
loginShell: /usr/bin/ksh
gecos: My New User ID
description: *
uid: newid
cn: newid
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: sambaSamAccount
sambaSID: S-1-5-21-959677704-806820969-3419776215-1406
displayName: My New User ID
sambaLMPassword: 78BCCAEE08C90E29AAD3B435B51404EE
sambaNTPassword: F9E37E83B83C47A93C2F09F66408631B
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1186884501
sambaAcctFlags: [U          ]
userPassword:: e2NyeXB0fU9ELm1jNlRFNDdrS2M=
shadowLastChange: 0


The attributes added by Samba have been highlighted. AIX created the other attributes for this dn. One thing to note is there had not previously been a userPassword nor shadowLastChange attribute. These were created as a result of the fact that we have ldap passwd sync enabled in smb.conf. This is splendid since we can set the Samba password for the user and the Unix password will be updated automatically. Even if this is not necessary for AIX access, many products use the userPassword attribute by way of the ldap_bind() function which is a part of the OpenLDAP API.
Sidebar: This will lead the reader to the logical conclusion that it is possible to have single sign-on across multiple products such as Samba, AIX, Apache, Mirapoint, FreeRADIUS and others. Do not confuse single sign-on with pass-through authentication. That is not what has been described here. Rather, a means for a single user to gain access to multiple authenticated resources by way of a single set of credentials. This method can only be achieved by all other authenticated resources using this same LDAP server. I leave the details of such a setup to the reader and perhaps I will draft a separate document if time allows.
At this point these users cannot log into AIX since their password field (the description attribute) is still an asterisk (*) and needs to be an exclamation point (!) for logins to be allowed. To change this simply use:
pwdadm -c newid

Now we can test our account to see how we've done.
[root]# smbclient //127.0.0.1/newid --user=newid
Password:
Domain=[DOMNAME] OS=[Unix] Server=[Samba 3.0.25b]
smb: \> dir
  .                                   D        0  Sat Aug 11 12:35:58 2007
  ..                                  D        0  Sat Aug 11 12:35:58 2007
  .profile                           AH      254  Sat Aug 11 12:35:58 2007

                32768 blocks of size 4096. 32672 blocks available
smb: \> quit
[root]#


Excellent! You are now ready to begin your journey of how to further integrate the Samba server into your environment. This is not an easily prescribed solution as much of this has been. You must take great care in your decision making since a bad choice now may result in great pain and possibly a wet cleanup in aisle 4.
In conclusion, when you reboot your system the services we've started above will not be automatically restarted. You can add some lines to /etc/inittab to autostart these services, or you can write a script to do so after the system is up and running and the root user has been granted access. Be certain all of your filesystems have been mounted and you should be able to get under way with the following set of commands:
/opt/pware/libexec/slapd -f /etc/slapd.conf
start-secldapclntd
/opt/pware/sbin/nmbd -D
/opt/pware/sbin/smbd -D



4b. Group Mappings
Mapping AIX groups to Samba group relative identifier (RID) values is essential for at least the basic set of well known group security identifiers (SID). These group/RID pairs are shown in the following table:
Domain Admins       512
Domain Users        513
Domain Guests       514
Domain Computers    515

If this is a new AIX installation, you can simply match the gid to the SID's RID for ease of use, otherwise you'll have to create the AIX groups with different gid values and map those to the well known RID values.
Here is a SID:
S-1-5-21-959677704-806820969-3419776215-1406

This SID is actually the one created for newid from our previous section. The S-1-5-21 prefix will be common to nearly all of the SID's in this domain. The next three values, 959677704-806820969-3419776215, are relative to this domain controller (DC) and the last value, 1406, represents the RID for the object in question.
If we don't map our groups, the SID values will default to S-1-22-2-gid. To have our AIX groups possess Samba SID values, make the AIX groups with the following commands:
mkgroup -R LDAP id=512 domadmin
mkgroup -R LDAP id=513 domuser
mkgroup -R LDAP id=514 domguest
mkgroup -R LDAP id=515 domcomp

Thencreatethegroupmappingswith:
netgroupmapaddrid=512unixgroup=domadmintype=domain\
ntgroup="DomainAdmins"
netgroupmapaddrid=513unixgroup=domusertype=domain\
ntgroup="DomainUsers"
netgroupmapaddrid=514unixgroup=domguesttype=domain\
ntgroup="DomainGuests"
netgroupmapaddrid=515unixgroup=domcomptype=domain\
ntgroup="DomainComputers"

Verifyyourmappingswith:


[root]# net groupmap list
Domain Admins (S-1-5-21-959677704-806820969-3419776215-512) -> domadmin
Domain Users (S-1-5-21-959677704-806820969-3419776215-513) -> domuser
Domain Guests (S-1-5-21-959677704-806820969-3419776215-514) -> domguest
Domain Computers (S-1-5-21-959677704-806820969-3419776215-515) -> domcomp

An ldapsearch of the domadmin group reveals the following:
dn: cn=domadmin,ou=groups,dc=domname,dc=local
gidNumber: 512
cn: domadmin
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-959677704-806820969-3419776215-512
sambaGroupType: 2
displayName: Domain Admins
description: Domain Unix group

The attributes added by Samba have been highlighted: the sambaGroupMapping object class, sambaSID,
sambaGroupType, displayName and description. AIX created the Unix group with the remaining
attributes.
Why do we want these group mappings? Well, the Windows view of the share will show these groups
and any others you wish to map when looking at the security tab for an object on that Samba share. For
example, perhaps you would like to map the AIX staff (gid: 1) group to Site Staff Users. Simply use net
groupmap add to do so, then on the Windows side when viewing the security information, instead of
seeing the object's group mapped to staff (Domain Unix Group) you would see it mapped to Site Staff
Users.
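The output of net groupmap list can be checked mechanically against the well-known RID table above. The following Python script is an added example and not part of the original document or of Samba; the sample listing it parses is constructed from the DOMNAME values used in this section, with two deliberately bad entries.

```python
"""Verify Samba group mappings against the well-known RID table of section 4b.

Added example, not part of the original document: it parses `net groupmap list`
output (a constructed sample below, built on the document's DOMNAME values) and
reports well-known RIDs that are missing or misnamed, mappings whose SID belongs
to another domain, and mappings still on the S-1-22-2 (unmapped Unix group) authority."""
import re

# Well-known domain group RIDs from the table in section 4b.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}

# Constructed sample of `net groupmap list` output: RID 515 is missing, one
# entry carries a SID from another domain and one was never given a domain SID.
SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-959677704-806820969-3419776215-512) -> domadmin
Domain Users (S-1-5-21-959677704-806820969-3419776215-513) -> domuser
Domain Guests (S-1-5-21-959677704-806820969-3419776215-514) -> domguest
Old Admins (S-1-5-21-111111111-222222222-333333333-512) -> oldadmin
Site Staff Users (S-1-22-2-1) -> staff
"""

_LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>\S+)$")


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into its domain prefix and integer RID."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def parse_groupmap(text):
    """Return (nt_group, sid, unix_group) tuples from `net groupmap list` output."""
    rows = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            rows.append((m["nt"], m["sid"], m["unix"]))
    return rows


def check_groupmap(text, domain_sid):
    """Return a sorted list of problems; an empty list means the mappings look right."""
    problems, seen = [], {}
    for nt, sid, unix in parse_groupmap(text):
        prefix, rid = split_sid(sid)
        if prefix == "S-1-22-2":  # Samba's fallback authority for unmapped groups
            problems.append(f"{unix}: still uses the unmapped S-1-22-2 SID")
        elif prefix != domain_sid:  # stale entry from a previous domain SID
            problems.append(f"{unix}: SID {sid} is not in domain {domain_sid}")
        else:
            seen[rid] = nt
    for rid, expected in WELL_KNOWN_RIDS.items():
        if rid not in seen:
            problems.append(f"RID {rid} ({expected}) has no mapping")
        elif seen[rid] != expected:
            problems.append(f"RID {rid} is mapped as {seen[rid]!r}, expected {expected!r}")
    return sorted(problems)
```

Feed it the real listing (for example the output of net groupmap list saved to a file) together with the S-1-5-21 prefix reported by net getlocalsid, and an empty result means the four well-known groups are mapped as the table requires.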

4c. Machine Accounts
This is actually an easy topic to discuss. Machine accounts are just like regular user accounts with the
exceptions that they are all in upper case, end with a dollar sign ($) and represent actual equipment on
the network. So a typical machine account will look like COMP001$ as a basic user account. Create
machine accounts just like you would a regular user account. Remember that since AIX does not
differentiate between users and machines, they will all be in the same ou=people container. Create a
machine account using the following commands:
[root]# mkuser -R LDAP gecos=Computer1 pgrp=domcomp COMP001$
[root]# smbpasswd -a -m COMP001$
Added user COMP001$.

Note that smbpasswd was not fully qualified with the installation path. The use of the -m option on
smbpasswd indicates that this is a machine account and therefore doesn't prompt you for a password
since the real password will be established when the computer with that name joins this domain.

An ldapsearch of the COMP001$ machine account reveals the following:
dn: uid=COMP001$,ou=people,dc=domname,dc=local
uidNumber: 204
homeDirectory: /home/COMP001$
loginShell: /usr/bin/ksh
gecos: Computer1
gidNumber: 515
description: *
uid: COMP001$
cn: COMP001$
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: sambaSamAccount
sambaSID: S-1-5-21-959677704-806820969-3419776215-1408
displayName: Computer1
sambaLMPassword: 37BC2047D596FB57AAD3B435B51404EE
sambaNTPassword: 755D4E81FE5D7FA9C10B559481C255E5
sambaPwdLastSet: 1186932416
sambaAcctFlags: [W          ]

The attributes added by Samba have been highlighted: the sambaSamAccount object class, sambaSID,
displayName, sambaLMPassword, sambaNTPassword, sambaPwdLastSet and sambaAcctFlags. The default
Samba password hashes are those of the machine account name converted to lower case with the dollar
sign removed (comp001).

4d. User/Group Manipulation
There comes a time when a user needs to belong to more than one group, should be removed from a
group or the user's access needs to be disabled.
To add the user newid to the domuser group using the AIX chgrpmem command:
chgrpmem -R LDAP -m + newid domuser

Inversely, you can remove newid from the domadmin group using:
chgrpmem -R LDAP -m - newid domadmin

Note the use of plus (+) and minus (-) to add and remove membership (-m). You can also check
membership as follows:
[root]# lsuser -R LDAP -a groups newid


newid groups=staff,domuser
[root]#

Disable and enable a Samba account with the following:
[root]# /opt/pware/bin/smbpasswd -d newid
Disabled user newid.
[root]#
[root]# /opt/pware/bin/smbpasswd -e newid
Enabled user newid.
[root]#


5. Integration With Active Directory
Integrating Samba with Active Directory (AD) is a real snap. If you've done your AD homework, have
configured the AD controller correctly and set up DNS, then you are well on your way. All that is
needed now is to configure Kerberos so we can get an initial ticket granting ticket, configure Samba to
utilize Kerberos and then attempt to join the tree.
Setting up Kerberos
The first step is to configure Kerberos and to run kinit to verify we can talk to AD. The file
/etc/krb5.conf will look something like this:
[logging]
    default = FILE:/var/log/krb5/libs.log
    kdc = FILE:/var/log/krb5/kdc.log
    admin_server = FILE:/var/log/krb5/admin.log
[libdefaults]
    default_realm = DOMNAME.LOCAL
[realms]
    DOMNAME.LOCAL = {
        kdc = 192.168.100.100
    }

You should create the directory /var/log/krb5 for the logging section of the configuration.
What time is it?
Kerberos is time sensitive. Clock skew can be the cause of many Samba AD integration issues. It is
recommended that all of your servers run ntpd or a similar daemon that will keep the clocks up to date.
AIX provides the xntpd daemon whose configuration file is /etc/ntp.conf. Unfortunately it is not
configured for you. You may use the following configuration which includes some standard pool
servers in the United States:
broadcastclient
driftfile /etc/ntp.drift
tracefile /etc/ntp.trace
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org

Details about the pool servers for your region can be found at http://www.pool.ntp.org/.



You can start the ntp service with the following command:
[root]# startsrc -s xntpd
0513-059 The xntpd Subsystem has been started. Subsystem PID is 471286.
[root]#

This service can be automatically started at boot time by uncommenting the line in /etc/rc.tcpip that
starts this service.
Now we can perform the kinit as follows:
[root]# kinit administrator
Password for administrator@DOMNAME.LOCAL:
[root]#

IDMAP Overview
The IDMAP subsystem is a method by which users and groups from a remote domain (whether AD,
NT or another Samba domain) can be mapped to local accounts on a Unix server and thereby gain
access to resources or have their access restricted to only certain resources. In other words, Unix needs
to know how to identify these foreign users and groups since neither AIX nor Samba is actually
administering them. This also means that foreign SIDs are mapped to local uid/gid values. These
values must not collide with uid/gid values in use on this system and therefore must have their own
separate range specified.
This also provides a means by which this data is long lived. We must have a mapping from a SID <-> uid
or SID <-> gid that lasts (presumably) forever. Otherwise, if the underlying uid/gid changes, it no longer
represents the user it once did.
Ok, so we don't really know anything about the foreign users, but why is this really necessary? One
word: permissions. Unix stores permissions (rwx), ownership and group information per object in a
file system. Without IDMAP, how would you make an object owned by a user in a foreign domain? How
would you allow the members of groups from three different domains access to one of your shares?
Face it, you need IDMAP. Which also means you need winbindd. The winbindd daemon is the
universal translator for all things foreign. As we will see, winbindd will provide a great deal for us as
will the WINBIND loadable authentication module for AIX.
WINBIND
The WINBIND loadable authentication module was created as a means to directly link Windows users
into AIX and subsequently enable all the commands that have the -R option to display and work with
these user accounts. One need only add another stanza to /usr/lib/security/methods.cfg like was
previously done with the LDAP module. A symbolic link for WINBIND is already set up.



Add the following lines to /usr/lib/security/methods.cfg:
WINBIND:
    program = /usr/lib/security/WINBIND

AIX is now prepared to deal with users in other domains and use them as if they were local accounts.
The next few sections deal with connecting Samba to those domains and contain commands that work
with WINBIND.
IDMAP_TDB
The smb.conf presented here is for Samba to be a simple domain member server which is the extent of
the AD role for Samba 3. We will start with idmap_tdb, move to idmap_ldap and conclude with
idmap_ad. The smb.conf for idmap_tdb looks similar to the following:
[global]
    workgroup = DOMNAME
    security = ADS
    encrypt passwords = yes
    realm = DOMNAME.LOCAL
    client use spnego = yes
    winbind separator = +
    idmap domains = DOMNAME
    idmap config DOMNAME:default = yes
    idmap config DOMNAME:backend = tdb
    idmap config DOMNAME:range = 200000 - 500000
    idmap alloc backend = tdb
    idmap alloc config:range = 200000 - 500000

We have instructed Samba to store our idmap data in a tdb (trivial database) file. This means we cannot
share this information with another Samba server. You can now jump ahead to Testing IDMAP.



IDMAP_LDAP
Following in the tradition of the previous section, we will now introduce the smb.conf for using LDAP
as the IDMAP backend. You will notice that the information is similar, but tailored to the additional
configuration complexity of LDAP. Also, Samba is down at the moment.
[global]
    workgroup = DOMNAME
    security = ADS
    encrypt passwords = yes
    realm = DOMNAME.LOCAL
    client use spnego = yes
    winbind separator = +
    log level = 2
    interfaces = 192.168.100.60/24
    wins server = 192.168.100.100
    ldap admin dn = cn=Manager,dc=domname,dc=local
    idmap domains = DOMNAME
    idmap config DOMNAME:default = yes
    idmap config DOMNAME:backend = ldap
    idmap config DOMNAME:ldap_base_dn = ou=idmap,dc=domname,dc=local
    idmap config DOMNAME:ldap_user_dn = cn=Manager,dc=domname,dc=local
    idmap config DOMNAME:ldap_url = ldap://127.0.0.1/
    idmap config DOMNAME:range = 200000 - 500000
    idmap alloc backend = ldap
    idmap alloc config:ldap_base_dn = ou=idmap,dc=domname,dc=local
    idmap alloc config:ldap_user_dn = cn=Manager,dc=domname,dc=local
    idmap alloc config:ldap_url = ldap://127.0.0.1/
    idmap alloc config:range = 200000 - 500000
[netlogon]
    path = /netlogon

For information on setting up the ou=idmap container, refer to the ldapsam part of section 4a.
The configuration once again shows we are a domain member server in ADS. It also defines a domain,
DOMNAME, along with the range used for mapping foreign SIDs and the alloc configuration specifying
what dn has the rights to map a SID to a uid/gid and what container in LDAP will hold this
information.
Store the set of secrets for DOMNAME and alloc using the following commands:
[root]# net idmap secret DOMNAME secret
Secret stored
[root]# net idmap secret alloc secret
Secret stored

The secrets are necessary since we do not have the complete authentication credentials for the
ldap_user_dn specified in the configuration. It is also possible that we could have additional domains
specified in the configuration for which we are not responsible for allocating, but could access with a
different set of credentials. This is why we set the ldap_user_dn and store a secret for each section.

Testing IDMAP
With Samba shut down and the kinit already done, we will now join the Active Directory tree:
[root]# net ads join -U administrator@DOMNAME.LOCAL
administrator@HVCC.LOCAL's password:
Using short domain name -- HVCC
Joined 'DEV53' to realm 'HVCC.LOCAL'
[root]#

Once joined, start Samba:
/opt/pware/sbin/nmbd -D
/opt/pware/sbin/smbd -D
/opt/pware/sbin/winbindd -D

Now the users from the other domain should be visible to us. The wbinfo command will help us to
determine what we can see. In the following output SUBDOM is a subdomain of DOMNAME.LOCAL
so it appears in the output. The commands for listing users and groups are as follows:
[root]# wbinfo -u
SUBDOM+administrator
SUBDOM+guest
SUBDOM+krbtgt
SUBDOM+domname$
SUBDOM+jojowil
DOMNAME+administrator
DOMNAME+guest
DOMNAME+support_388945a0
DOMNAME+krbtgt
DOMNAME+subdom$
[root]# wbinfo -g
SUBDOM+domain computers
SUBDOM+domain controllers
SUBDOM+domain admins
SUBDOM+domain users
SUBDOM+domain guests
SUBDOM+group policy creator owners
SUBDOM+dnsupdateproxy
BUILTIN+administrators
BUILTIN+users
DOMNAME+helpservicesgroup
DOMNAME+telnetclients
DOMNAME+dhcp users
DOMNAME+dhcp administrators
DOMNAME+domain computers
DOMNAME+domain controllers
DOMNAME+schema admins
DOMNAME+enterprise admins


DOMNAME+cert publishers
DOMNAME+domain admins
DOMNAME+domain users
DOMNAME+domain guests
DOMNAME+group policy creator owners
DOMNAME+ras and ias servers
DOMNAME+dnsadmins
DOMNAME+dnsupdateproxy

You may receive the error, Error looking up domain users or Error looking up domain
groups. This can happen when first starting Samba and trying the wbinfo command. It may take as
long as 15 minutes to display users; otherwise, start looking at the logs and verify your configurations
to be certain they are correct. You should also verify that you set the correct idmap secrets when using
IDMAP_LDAP.
If you've added WINBIND, you can use the lsuser command to view more information about a user in
the SUBDOM domain.
[root]# lsuser -R WINBIND subdom+jojowil
subdom+jojowil id=200000 pgrp=SUBDOM+domain users home=/home/SUBDOM/jojowil
shell=/bin/false gecos=William Jojo login=true su=true rlogin=true
daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL
expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND SYSTEM=LDAP
logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0
maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0
histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=524288
stack=524288 core=2097151 rss=524288 nofiles=-1 roles= id=200000
pgrp=SUBDOM+domain users home=/home/SUBDOM/jojowil shell=/bin/false
gecos=William Jojo shell=/bin/false pgrp=SUBDOM+domain users SID=S-1-5-21-
2077368256-2853265561-1504360347-1104

A few notable items in the output have been highlighted. The id value is the first value in the range we
previously specified in the idmap config and idmap alloc options of smb.conf. The foreign user's
SID is also listed.
If you are using IDMAP_TDB, then in the /opt/pware/var/locks directory, you should notice a file
called winbindd_idmap.tdb. This file contains the foreign SID to uid/gid mappings that will remain
permanent throughout this trust between the Samba server and the Active Directory server. The
contents of the file can be viewed with the following command:
[root]# tdbdump /opt/pware/var/locks/winbindd_idmap.tdb
{
key(11) = "GID 200002\00"
data(8) = "S-1-0-0\00"
}
{
key(47) = "S-1-5-21-2077368256-2853265561-1504360347-1104\00"
data(11) = "UID 200000\00"
}


{
key(46) = "S-1-5-21-2077368256-2853265561-1504360347-513\00"
data(11) = "GID 200003\00"
}
{
key(11) = "UID 200000\00"
data(47) = "S-1-5-21-2077368256-2853265561-1504360347-1104\00"
}
{
key(9) = "USER HWM\00"
data(4) = "A\0D\03\00"
}
{
key(11) = "GID 200003\00"
data(46) = "S-1-5-21-2077368256-2853265561-1504360347-513\00"
}
{
key(8) = "S-1-0-0\00"
data(11) = "GID 200002\00"
}
{
key(10) = "GROUP HWM\00"
data(4) = "D\0D\03\00"
}
{
key(14) = "IDMAP_VERSION\00"
data(4) = "\02\00\00\00"
}
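The dump above can be checked rather than read by eye. The following Python script is an added example, not the document's or Samba's own code: it parses tdbdump output (a constructed excerpt built from the SIDs shown above), decodes the USER HWM and GROUP HWM counters, which are little-endian 32-bit integers, and flags any mapping that lacks its reverse record or whose id falls outside the idmap range configured in smb.conf, which is exactly the collision the IDMAP overview warns about.

```python
"""Consistency check for a winbindd_idmap.tdb dump (added example, not from
the document): parse `tdbdump` output, decode the high-water marks and verify
that every SID <-> UID/GID mapping is stored in both directions and that the
allocated ids lie inside the configured idmap range."""
import re
import struct

# Constructed excerpt of `tdbdump winbindd_idmap.tdb` output using the
# document's SIDs; the "GID 200003" reverse record is deliberately missing.
SAMPLE_DUMP = r'''
{
key(47) = "S-1-5-21-2077368256-2853265561-1504360347-1104\00"
data(11) = "UID 200000\00"
}
{
key(11) = "UID 200000\00"
data(47) = "S-1-5-21-2077368256-2853265561-1504360347-1104\00"
}
{
key(46) = "S-1-5-21-2077368256-2853265561-1504360347-513\00"
data(11) = "GID 200003\00"
}
{
key(9) = "USER HWM\00"
data(4) = "A\0D\03\00"
}
{
key(10) = "GROUP HWM\00"
data(4) = "D\0D\03\00"
}
'''
_REC_RE = re.compile(r'key\(\d+\) = "(.*?)"\s*data\(\d+\) = "(.*?)"')

def unescape(s):
    """Turn tdbdump's \\XX hex escapes back into raw bytes."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m[1], 16)), s).encode("latin-1")

def parse_dump(text):
    """Return {key: raw data bytes}; keys have their trailing NUL removed."""
    return {unescape(k).rstrip(b"\0").decode(): unescape(v) for k, v in _REC_RE.findall(text)}

def hwm(records, name):
    """Decode a little-endian 32-bit high-water mark ('USER HWM' or 'GROUP HWM')."""
    return struct.unpack("<I", records[name])[0]

def check_idmap(text, low, high):
    """Return sorted problem strings; an empty list means the dump is consistent."""
    recs = parse_dump(text)
    problems = set()
    for key, data in recs.items():
        if key.endswith("HWM") or key == "IDMAP_VERSION":
            continue
        val = data.rstrip(b"\0").decode()
        if recs.get(val, b"").rstrip(b"\0").decode() != key:
            problems.add(f"{key} -> {val} has no matching reverse entry")
        kind, num = (key if key[:3] in ("UID", "GID") else val).split()
        if not low <= int(num) <= high:  # collision with local ids is likely
            problems.add(f"{kind} {num} lies outside the idmap range {low}-{high}")
    return sorted(problems)
```

Run it over the real output of tdbdump with the low and high values from the idmap config range line; a USER HWM of 200001 after one user has been mapped confirms that the counter is the next id to be handed out, not the last one used.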

Otherwise, if you are using IDMAP_LDAP, we can discover the same information using the following
command:
{FIXME}
At this point, we can see the users and groups and use them to assign permissions and ownership as
demonstrated here:
[root]# mkdir /tmp/billdir
[root]# chown domname+administrator /tmp/billdir
[root]# aclget /tmp/billdir
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(DOMNAME+administrator):  rwx
    group(system):  r-x
    others:  r-x
extended permissions
    disabled
[root]# chown subdom+jojowil /tmp/billdir
[root]# chgrp "domname+domain users" /tmp/billdir


[root]# aclget /tmp/billdir
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(SUBDOM+jojowil):  rwx
    group(DOMNAME+domain users):  r-x
    others:  r-x
extended permissions
    disabled

Now the only thing left to discuss is the fact that WINBIND users cannot log in to AIX directly. But, of
course, we can fix that. Simply change the SYSTEM value for the default user stanza in
/etc/security/user:
default:
    admin = false
    login = true
    su = true
    ...
    umask = 022
    expires = 0
    SYSTEM = "WINBIND"
    logintimes =
    ...

Keep in mind that any users previously defined in /etc/passwd will have trouble when committing to
this configuration. Without a stanza for those particular users, they will be locked out. A way to resolve
this would be to list all the possible values appropriate for the SYSTEM value such as:
SYSTEM = "WINBIND or LDAP or compat"



What does this error mean?
Q:
[dev53:/opt/pware/lib]# kinit adminitrator@HVCC.LOCAL
kinit(v5): Client not found in Kerberos database while getting initial
credentials

A:
The user name is misspelled.

Q:
[svc2:/opt/pware/bin]# kinit administrator
Password for administrator@HVNET.HVCC.local:
kinit(v5): Preauthentication failed while getting initial credentials

<or>
Q:
[svc2:/opt/pware/bin]# kinit administrator
Password for administrator@HVNET.HVCC.local:
kinit(v5): KDC reply did not match expectations while getting initial
credentials

A: The REALM information in /etc/krb5.conf is not in all upper case.

Q:
[2007/06/27 18:20:51, 0] utils/net_ads.c:ads_startup_int(286)
  ads_connect: No logon servers
Failed to join domain: No logon servers

A: No WINS for the DC. Either find a WINS server or add to lmhosts. Also check that DNS resolves
the DC correctly.

Q:
[svc2:/opt/pware/bin]# net ads join -U administrator
administrator's password:
Failed to join domain: Operations error

A: No available DNS data for the DC. Either point to a favorable DNS server or add the DC to
/etc/hosts (which should have been done already). Unless your REALM does not follow the DNS tree
for your site. In which case see "Failed to set servicePrincipalNames" in the next Q:.

Q:
[svc2:/opt/pware/bin]# net ads join -U administrator
administrator's password:
Using short domain name -- SUBDOM
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Deleted account for 'SVC2' in realm 'SUBDOM.DOM.LOCAL'
Failed to join domain: Type or value exists

<or>
Q:
[svc2:/opt/pware/bin]# net ads join -U administrator
administrator's password:
Failed to join domain: Invalid parameter

A: First, the former error was generated joining W2k3 in mixed mode and the latter was generated
joining W2k3 in 2003 mode.
There may also be a slight variation in the former error where it claims "Disabled account" and not
"Deleted account".
When using a .LOCAL domain configuration that doesn't match your current DNS tree, an entry in
/etc/resolv.conf is not enough to finish the communication. You need to add an entry for the Samba
server (using its real IP and real FQDN as known to the DNS) to /etc/hosts (or fix DNS so it knows
about your Samba server's fully qualified and unqualified name):
10.1.1.10   svc2.realdom.com   svc2

One site in the U.K. (thank you Selwyn for discovering this!) needed to split this data across two lines
for reasons unknown to us. So it read like:
10.1.1.10   svc2.realdom.com
10.1.1.10   svc2


6. Backups and Upgrades

{FIXME}

