AIX5L with Samba 3.x and Kerberos 5 as a Windows 2003 ActiveDirctory Member Server


While cleaning up one of my other websites, I stumbled upon this guide I wrote  five years ago. Although the content of this guide is already five years old, I don’t want to remove it from the net. I suppose it should work also with a Windows 2008 Active Directory domain as well. But please do not ask me questions about AIX5L as I do not have access to any of those machines any more.


First install some packages which are required for the setup. This includes the Kerberos Client as well as the Samba 3.x Server. They are called pware.samba-3.0.23d, krb5.client and strong>krb5.lic

Now make sure your system uses the same timeserver as your domain controller. On most systems this is done by making changes to the xntp server’s configuration file /etc/ntp.conf. Afterwards set up your active directory controller as your system’s nameserver in /etc/resolv.conf.

Kerberos 5 setup

Edit your Kerberos client configuration in /etc/krb5/krb5.conf, that it look similar to this one:

# /etc/krb5/krb5.conf
        default_realm = MYCOMPANY.LOCAL
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc

                kdc = dc.mycompany.local:88
                admin_server = dc.mycompany.local:749
                default_domain = mycompany.local

        .mycompany.local = MYCOMPANY.LOCAL
        dc.mycompany.local = MYCOMPANY.LOCAL

        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/kdc.log
        admin_server = FILE:/var/log/kadmind.log

Add the KRB5 authentication methods to /usr/lib/security/methods.cfg.

        program = /usr/lib/security/KRB5A
        options = authonly

        options = db=BUILTIN,auth=KRB5A

Now it is time to test your Kerberos 5 configuration by running kinit with an existing domain user as parameter e.g.

kinit Administrator

Samba 3.x server setup

Now that Kerberos is working for the underlying AIX System you can start to configure your Samba server. To make things easier, create the smb.conf in /etc and link it to the directory where samba expects it to be:

touch /etc/smb.conf
ln -s /etc/smb.conf /opt/pware/samba/3.0.23d/lib/smb.conf

Here is the beginning of a working /etc/smb.conf file.

# /etc/smb.conf
        workgroup = MYCOMPANY
        netbios name = AIXHOSTNAME
        security = ADS
        realm = MYCOMPANY.LOCAL
        password server = dc.mycompany.local
        client use spnego = yes
        client signing = yes
        encrypt passwords = yes
        printcap name = cups
        disable spoolss = Yes
        show add printer wizard = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +
        winbind use default domain = Yes
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/bash
        use sendfile = Yes
        printing = cups
        ldap suffix = "dc=mycompany,dc=local"
        winbind cache time = 0
        #Uncomment to allow these options
        log level = 5
        log file = /var/log/samba3/log.%m
        #max log size = 5000000
        #debug timestamp = yes
        browseable = yes
        obey pam restrictions = yes
        auth methods = winbind

If testparm is not complaining about any errors try joining your domain.

net join -S dc -UAdministrator

Putting it all together with winbind

In order to make WINBIND available to your AIX system copy the winbind security module to /usr/lib/security,

cp /opt/pware/samba/3.0.23d/lib/WINBIND /usr/lib/security/

and add WINBIND config to /usr/lib/security/methods.cfg

        program = /usr/lib/security/WINBIND
        options = authonly

To make winbind the default user database change the SYSTEM value to WINBIND in the default section of /etc/security/user. You can check wether winbind is working with wbinfo.

After you successfully joined your domain and set up windbind, make sure that the smbd, nmbd and windbind gets started at system startup. The easiest way for me was to add the SysV init scripts to /etc/rc.tcpip.

Howto: Ubuntu 10.04 LTS Client mit Kerberos und LDAP


Ich habe in den letzten Tagen mal in meinem LAN das Kerberos-Zeitalter ausgerufen. LDAP habe ich schon lange im Einsatz, aber bisher nicht zu Authentifizierung. Folgende Anforderungen habe ich für mich definiert:

  1. Sichere Anmeldung am System mittels Kerberos
  2. Benutzer und Gruppeninformationen sollen aus dem zentralen LDAP-Verzeichnis kommen
  3. LDAP-Benutzer sollen automatisch Mitglieder lokaler Systemgruppen werden, um z.B. Zugriff auf Geräte zu habe
  4. Nicht existierende Home-Directories sollen beim ersten Anmelden erstellt werden
  5. Mobile Geräte müssen auch ohne Netzwerkverbindung eine Authentifizierung ermöglichen

Auf Serverseite habe ich ebenfalls ein Ubuntu 10.04 LTS laufen (mein Mediacenter System). Dort habe ich bereits Kerberos und LDAP nach der Anleitung aus dem Ubuntu Serverguide eingerichtet.

Die anderen Anleitungen des Serverguides sind leider nun dann hilfreich, wenn man nur Kerberos oder nur LDAP-Authentifizierung machen möchte. Abgesehen davon schießen sich die Tools pam-auth-update und auth-client-config gegenseitig in’s Knie, weshalb man schon genau wissen sollte was man tut. Andernfalls hat man sich schneller aus dem eigenen System ausgesperrt als man Kerberos rückwärts buchstabieren kann. Ich verwende daher ein eigenes auth-client-config Profil für die Anpassungen an der nsswitch.conf und alle Änderungen an PAM nehme ich mittels pam-auth-update vor.
Continue reading