AIX 7.1 - Samba 4 File Shares and Integration with Active Directory Issues

Hi. I've recently upgraded Samba on an AIX server to Samba 4. The aim is to allow a specific group of Windows AD users to access some AIX file shares (with no requirement to enter passwords), using AD to authenticate.

Currently I have:

  • Samba 4 installed (and 3 daemons running)
  • Installed Kerberos with winbind in config

Joined the domain using kinit and net join with a regular domain username.

wbinfo -u          - lists all users in Windows AD
wbinfo -g          - lists all groups in Windows AD
wbinfo -n "ad group" - gives me an AIX uid

I had initial problems when trying to access my AIX shares with SID mapping errors in the samba logs.

To resolve this I created a user mapping file called users.map as follows:

root = *

Then added this line to smb.conf

username map = /etc/users.map

Now any AD Windows user can access my AIX file shares without needing to enter a password. I can change this map file to a single domain user or a list of specific users to lock it down, but this isn't what I need. I want to only allow one specific AD group to access this file share.

If people join or leave the company I'd have to keep editing this file.

How do I go about getting this working with access by one AD group only? If I remove the username map entry I can't access the file shares at all and am prompted for login/pass. I saw references to valid users = @"DOMAIN\AD Group" but this won't allow access. It's as if Samba is looking for a local user called this on the AIX box rather than checking AD for it as I expected.

Is this linked to config changes in /etc/security/user for WINBIND, or are these only needed for ssh access to AIX with AD logins?

Or could this be down to not using a domain admin account when I joined the AD domain using kinit and net join?

I'm thinking of installing LDAP if I can't get this working with winbind, but surely that's overkill. Any help is appreciated with this final hurdle.
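As an added illustration (not from the poster or this thread), the two settings side by side: the username map above maps every authenticated AD user onto root, so each connecting user gets root's file permissions on the share, while the hardened share keeps winbind's per-user identities and restricts access to one group. EXAMPLE.COM, EXAMPLE, the idmap ranges and /export/share are placeholders, and the idmap settings plus the AIX winbind NSS hook are assumptions about what lets `valid users` resolve the AD group.

```ini
# /etc/users.map as described in the question: "*" matches every incoming
# Windows user, so every AD user is treated as root on the AIX shares.
root = *

# smb.conf, hardened alternative (placeholders: EXAMPLE.COM, EXAMPLE, /export/share)
[global]
    security = ads
    realm = EXAMPLE.COM
    workgroup = EXAMPLE
    # No "username map" line: AD users keep the uid/gid winbind hands out.
    # The idmap ranges below are assumptions; winbind needs some range to
    # allocate uids/gids before a Windows group can map to a Unix group.
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 20000-99999
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

[aixshare]
    path = /export/share
    # "@" makes Samba look the group up through the OS name service, so this
    # only works once winbind is wired into AIX name resolution (assumption:
    # the WINBIND method in /usr/lib/security/methods.cfg and the matching
    # stanza in /etc/security/user). If lsgroup cannot show the AD group,
    # "valid users" will deny everyone, which matches the symptom described.
    valid users = @"EXAMPLE\AD Group"
    read only = no
```

A quick sanity check before testing the share is to confirm the group resolves on the AIX side and that wbinfo returns the same group with the mapped gid.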

Is this a near duplicate post of this one?

Samba 3.6 on AIX 7.1 - Windows 10 Access to AIX file shares using Active Directory authentication

I assume so, and so I am closing this discussion. Please continue in the discussion above.

Thanks.