I have next configuration :
- AIX 5.3 (5300-11-03-1013)
- pWare.SAMBA 3.5.8.1
- OpenSSH 5.2.0
- OpenSSL 0.9.8
Now, to be more clearly I'll explain what I need indeed.
My task is set up integration AIX server to Active Directory 2008 with Samba (Winbind) for chrooted SSH connections.
It means our developers should login into AIX server by own AD acounts with SFTP and upload/download files on it.
Chroot environment is recommended for it.
Ok, lets look at my krb5.conf
[root@wb53tst /]$ cat /etc/krb5/krb5.conf
[libdefaults]
default_realm = TST.TST
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
[realms]
TST.TST = {
kdc = dc1.tst.com:88
admin_server = dc1.tst.com:749
default_domain = tst.com
}
[domain_realm]
.tst.com = TST.COM
dc1.tst.com = TST.COM
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
kadmin_local = FILE:/var/krb5/log/kadmin_local.log
default = FILE:/var/krb5/log/krb5lib.log
and smb.conf
[root@wb53tst /]$ cat /opt/pware/lib/smb.conf
[global]
workgroup = TST
netbios name = wb53tst
security = ads
passdb backend = tdbsam
realm = TST.COM
password server = dc1.tst.com
load printers = yes
cups options = raw
winbind uid = 10000-65534
winbind gid = 10000-65534
winbind use default domain = yes
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 60
winbind uid = 10000-65534
winbind gid = 10000-65534
winbind use default domain = yes
winbind separator = +
template homedir = /home/FILEBASE/TST/%U
template shell = /bin/bash
winbind offline logon = no
[homes]
comment = Home Directories
browseable = no
writable = yes
Then create dirs ...
[root@wb53tst /]$ mkdir -p /home/FILEBASE/TST
After that we set option for create home dirs automaticaly
[root@wb53tst /]$ vi /etc/security/login.cfg
...
mkhomeatlogin = true
Now we should edit /etc/security/user config file for authentificate new users in our system with Winbind
default:
...
SYSTEM = "WINBIND OR compat"
registry = WINBIND
...
Eventually we join our server in AD and trying to login on it with ssh from other station (PC, or server)
[root@wb53tst /]$ net ads join -U aixadmin
Password:
[root@wb53tst /]$ wbinfo -u | grep a.fox
a.fox
[root@wb53tst /]$ lsuser -r WINBIND a.fox
a.fox id=10000 pgrp=domain users home=/home/FILEBASE/TST/a.fox shell=/bin/bash gecos= login=true su=true rlogin=true daemon=true admin=false sugroups=ALL
admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND SYSTEM=WINBIND OR compat logintimes= loginretries=0
pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0
pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=524288 stack=524288 core=2097151 rss=524288 nofiles=-1 time_last_login=1352112067
time_last_unsuccessful_login=1352111337 tty_last_login=ssh tty_last_unsuccessful_login=ssh host_last_login=iosx.tst.com host_last_unsuccessful_login=iosx.tst.com
unsuccessful_login_count=0 roles= pgid=10000 SID=S-1-5-21-1451182435-1389936362-2546935155-38411
$ ssh -l a.fox wb53tst.tst.com
Password:
[a.fox@wb53tst ~]$ pwd
/home/FILEBASE/TST/a.fox
Well. It works. But what should I do for chroot AD users ?
In /etc/ssh/sshd_config option:
ChrootDirectory /home/FILEBASE/TST/%u
Doesn't work. Any idea ?
Because it's test for realization, and my boss just want to know is it possible and how hard it would be.