While cleaning up one of my other websites, I stumbled upon this guide I wrote five years ago. Although the content is already five years old, I don’t want to remove it from the net. I suppose it should also work with a Windows 2008 Active Directory domain. But please do not ask me questions about AIX 5L, as I no longer have access to any of those machines.
Preparations
First install the packages the setup requires: the Kerberos client and the Samba 3.x server. On AIX 5L they are called pware.samba-3.0.23d, krb5.client and krb5.lic.
Now make sure your system uses the same time server as your domain controller; Kerberos rejects tickets when the clocks drift apart by more than a few minutes. On most systems this is done in the xntp server’s configuration file /etc/ntp.conf. Afterwards set up your Active Directory domain controller as your system’s name server in /etc/resolv.conf, so that the domain’s DNS records resolve.
Kerberos 5 setup
Edit your Kerberos client configuration in /etc/krb5/krb5.conf so that it looks similar to this one. Note that the DES encryption types shown here are what a 2006-era domain offered; domain controllers from Windows Server 2008 R2 onward disable DES by default, so on a newer domain leave the enctype lines out and let the client negotiate stronger types.
    # /etc/krb5/krb5.conf
    [libdefaults]
    default_realm = MYCOMPANY.LOCAL
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc

    [realms]
    MYCOMPANY.LOCAL = {
        kdc = dc.mycompany.local:88
        admin_server = dc.mycompany.local:749
        default_domain = mycompany.local
    }

    [domain_realm]
    .mycompany.local = MYCOMPANY.LOCAL
    dc.mycompany.local = MYCOMPANY.LOCAL

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmind.log
Add the KRB5 authentication methods to /usr/lib/security/methods.cfg:
    [..]
    KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly

    KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A
    [..]
Now it is time to test your Kerberos 5 configuration by running kinit with an existing domain user as the parameter, e.g.
    kinit Administrator
Samba 3.x server setup
Now that Kerberos is working for the underlying AIX system, you can start to configure your Samba server. To make things easier, create the smb.conf in /etc and link it to the directory where Samba expects it to be:
    touch /etc/smb.conf
    ln -s /etc/smb.conf /opt/pware/samba/3.0.23d/lib/smb.conf
Here is the beginning of a working /etc/smb.conf file. Keep in mind that log level = 5 and winbind cache time = 0 are debugging settings: they are helpful while getting the join to work, but the first fills the log quickly and the second sends every lookup to the domain controller, so lower both once everything works.
    # /etc/smb.conf
    [global]
    workgroup = MYCOMPANY
    netbios name = AIXHOSTNAME
    security = ADS
    realm = MYCOMPANY.LOCAL
    password server = dc.mycompany.local
    client use spnego = yes
    client signing = yes
    encrypt passwords = yes
    printcap name = cups
    disable spoolss = Yes
    show add printer wizard = No
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = +
    winbind use default domain = Yes
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/bash
    use sendfile = Yes
    printing = cups
    ldap suffix = "dc=mycompany,dc=local"
    winbind cache time = 0
    #Uncomment to allow these options
    log level = 5
    log file = /var/log/samba3/log.%m
    #max log size = 5000000
    #debug timestamp = yes
    browseable = yes
    obey pam restrictions = yes
    auth methods = winbind
    [..]
If testparm does not complain about any errors, try joining your domain:
    net join -S dc -UAdministrator
Putting it all together with winbind
In order to make winbind available to your AIX system, copy the WINBIND security module to /usr/lib/security,
    cp /opt/pware/samba/3.0.23d/lib/WINBIND /usr/lib/security/
and add the WINBIND stanza to /usr/lib/security/methods.cfg:
    [..]
    WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly
    [..]
To make winbind the default user database, change the SYSTEM value to WINBIND in the default stanza of /etc/security/user. Keep a local fallback for root (for example SYSTEM = "WINBIND OR compat" in the root stanza) so that an outage of winbind or the domain controller cannot lock you out of the machine. You can check whether winbind is working with wbinfo: wbinfo -t verifies the machine trust account and wbinfo -u lists the domain users.
After you have successfully joined your domain and set up winbind, make sure that smbd, nmbd and winbindd get started at system startup. The easiest way for me was to add the SysV init scripts to /etc/rc.tcpip.
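Most failed joins in this setup come down to the two configuration files disagreeing, so here is a small pre-join sanity check, added as an example and not part of the original guide. It cross-checks the realm, the security mode and the domain_realm mapping for the password server, and flags the DES enctypes; the two config texts embedded in it are constructed samples that mirror the values used in this guide, and the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the guide: cross-check krb5.conf and smb.conf before
# the domain join. Both texts are constructed samples mirroring the guide's values.
KRB5_CONF='[libdefaults]
default_realm = MYCOMPANY.LOCAL
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
[domain_realm]
.mycompany.local = MYCOMPANY.LOCAL'
SMB_CONF='[global]
workgroup = MYCOMPANY
security = ADS
realm = MYCOMPANY.LOCAL
password server = dc.mycompany.local'
# conf_get TEXT SECTION KEY: print the first value of KEY inside [SECTION].
conf_get() {
  printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" '
    $0 == sec { insec = 1; next }
    /^\[/ { insec = 0 }
    insec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    }'
}
# check_ad_config: returns 0 when the settings the ADS join relies on agree.
check_ad_config() {
  rc=0
  krb_realm=$(conf_get "$KRB5_CONF" libdefaults default_realm)
  smb_realm=$(conf_get "$SMB_CONF" global realm)
  # the realm must match in both files and (Kerberos is case sensitive) be upper case
  [ "$krb_realm" = "$smb_realm" ] || { echo "realm mismatch: $krb_realm vs $smb_realm"; rc=1; }
  [ "$krb_realm" = "$(printf '%s' "$krb_realm" | tr '[:lower:]' '[:upper:]')" ] \
    || { echo "realm $krb_realm is not upper case"; rc=1; }
  [ "$(conf_get "$SMB_CONF" global security)" = ADS ] || { echo "security must be ADS"; rc=1; }
  # the DNS domain of the password server must map onto the realm in [domain_realm]
  pw=$(conf_get "$SMB_CONF" global "password server")
  [ "$(conf_get "$KRB5_CONF" domain_realm ".${pw#*.}")" = "$krb_realm" ] \
    || { echo "no [domain_realm] mapping covers $pw"; rc=1; }
  return $rc
}
# weak_enctypes: true when DES enctypes are configured; DCs from Windows Server
# 2008 R2 on disable DES by default, so kinit would fail against them.
weak_enctypes() {
  case "$(conf_get "$KRB5_CONF" libdefaults default_tkt_enctypes)" in
    *des-cbc*) return 0 ;;
  esac
  return 1
}
check_ad_config && echo "krb5.conf and smb.conf agree"
weak_enctypes && echo "warning: DES enctypes configured; newer DCs reject them"
```

Point KRB5_CONF and SMB_CONF at the real files (for example with `$(cat /etc/krb5/krb5.conf)`) to run it against a live system.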