[Samba] login into AIX using winbind
kleber povoação
okleber at gmail.com
Thu Apr 7 08:05:22 MDT 2011
I'm trying to log in using just the username brab10_dbr, without the domain
CEABR, at login.
**********
ceaulab1:/opt/pware64/var>lslpp -l | grep pware
pware53-64.base.rte 5.3.0.0 COMMITTED 64-bit pWare base for 5.3
pware53-64.bdb.rte 4.7.25.4 COMMITTED Berkeley DB 4.7.25 (64-bit)
pware53-64.cyrus-sasl.rte
pware53-64.gettext.rte 0.17.0.0 COMMITTED GNU gettext 0.17 (64-bit)
pware53-64.krb5.rte 1.8.3.0 COMMITTED MIT Kerberos 1.8.3 (64-bit)
pware53-64.libiconv.rte 1.13.1.0 COMMITTED GNU libiconv 1.13.1 (64-bit)
pware53-64.ncurses.rte 5.7.0.1 COMMITTED ncurses 5.7.0.1 (64-bit)
pware53-64.openldap.rte 2.4.23.0 COMMITTED OpenLDAP 2.4.23 (64-bit)
pware53-64.openssl.rte 0.9.8.15 COMMITTED OpenSSL 0.9.8o (64-bit)
pware53-64.popt.rte 1.10.4.0 COMMITTED popt 1.10.4 (64-bit)
pware53-64.readline.rte 6.1.0.0 COMMITTED GNU readline 6.1 (64-bit)
pware53-64.samba.rte 3.5.6.0 COMMITTED Samba 3.5.6 (64-bit)
pware53-64.zlib.rte 1.2.4.0 COMMITTED zlib 1.2.4 (64-bit)
********
AIX 6100-06
********************
ceaulab1:/>lsuser -R WINBIND brab10_dbr
3004-687 User "brab10_dbr" does not exist.
I don't need to do a mkuser, OK? Because the user is in AD.
***************************
ceaulab1:/tmp>touch file
ceaulab1:/tmp>chown brab10_dbr file
chown: 3002-131 brab10_dbr is an unknown username.
***********************
ceaulab1:/opt/pware64/var>telnet localhost
Trying...
Connected to localhost.
Escape character is '^]'.
telnet (ceaulab1)
Login: brab10_dbr
brab10_dbr's Password:
3004-007 You entered an invalid login name or password.
login:
******************
file /opt/pware64/var/log.winbind
In the following file I noted one line, "connection_ok: Connection to
for domain CEABR is not connected" -> CEABR is the Windows workgroup that
user brab10_db belongs to.
ceaulab1:/opt/pware64/var>cat log.winbindd
[2011/04/07 10:48:01, 0] winbindd/winbindd.c:1105(main)
winbindd version 3.5.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
[2011/04/07 10:48:01.968181, 2] lib/tallocmsg.c:106(register_msg_pool_usage)
Registered MSG_REQ_POOL_USAGE
[2011/04/07 10:48:01.968302, 2] lib/dmallocmsg.c:77(register_dmalloc_msgs)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2011/04/07 10:48:01.968399, 3] param/loadparm.c:9158(lp_load_ex)
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: rlimit_max (2000) below minimum Windows limit (16384)
[2011/04/07 10:48:01.968567, 3] ../lib/util/params.c:550(pm_process)
params.c:pm_process() - Processing configuration file
"/opt/pware64/lib/smb.conf"
[2011/04/07 10:48:01.968641, 3] param/loadparm.c:7842(do_section)
Processing section "[global]"
[2011/04/07 10:48:01.969161, 3] param/loadparm.c:6313(lp_add_ipc)
adding IPC service
[2011/04/07 10:48:01.976518, 2] lib/interface.c:340(add_interface)
added interface en3 ip=10.x.x.x bcast=10.x.x.255 netmask=
[2011/04/07 10:48:01.976670, 2] lib/interface.c:340(add_interface)
added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=
[2011/04/07 10:48:01.976832, 2] lib/interface.c:340(add_interface)
added interface en3 ip=10.x.x.x bcast=10.x.x.255 netmask=
[2011/04/07 10:48:01.976912, 2] lib/interface.c:340(add_interface)
added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=
[2011/04/07 10:48:04.035216, 1] lib/tdb_validate.c:457(tdb_validate_and_backup)
tdb '/opt/pware64/var/locks/winbindd_cache.tdb' is valid
[2011/04/07 10:48:08.296102, 1] lib/tdb_validate.c:467(tdb_validate_and_backup)
Created backup '/opt/pware64/var/locks/winbindd_cache.tdb.bak' of
tdb '/opt/pware64/var/locks/winbindd_cache.tdb'
[2011/04/07 10:48:08.375298, 2]
winbindd/winbindd_util.c:221(add_trusted_domain)
Added domain BUILTIN S-1-5-32
[2011/04/07 10:48:08.375504, 2]
winbindd/winbindd_util.c:221(add_trusted_domain)
Added domain CEAULAB1 S-1-5-21-275589774-1111006802-1142404070
[2011/04/07 10:48:08.375700, 2]
winbindd/winbindd_util.c:221(add_trusted_domain)
Added domain WW S-1-5-21-477278139-4163948897-2641029873
[2011/04/07 10:48:09.095861, 2]
winbindd/winbindd_util.c:221(add_trusted_domain)
Added domain WWW S-1-5-21-4109860217-3884139575-1781413053
[2011/04/07 10:48:09.096544, 2]
winbindd/winbindd_util.c:221(add_trusted_domain)
Added domain CW S-1-5-21-3224037681-1998144755-3803369224
[2011/04/07 10:48:09.104932, 2]
winbindd/winbindd_util.c:221(add_trusted_domain)
Added domain xxx S-1-5-21-1125475667-1308779437-1236795852
[2011/04/07 10:48:09.105264, 2]
winbindd/winbindd_util.c:221(add_trusted_domain)
Added domain WWW S-1-5-21-858964348-3275466132-3667905073
[2011/04/07 10:48:13.512247, 3] winbindd/winbindd_cm.c:1633(connection_ok)
connection_ok: Connection to for domain CEABR is not connected
[2011/04/07 10:48:13.528483, 3]
libsmb/cliconnect.c:991(cli_session_setup_spnego)
Doing spnego session setup (blob length=115)
[2011/04/07 10:48:13.535011, 3]
libsmb/cliconnect.c:1020(cli_session_setup_spnego)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
[2011/04/07 10:48:13.535212, 3]
libsmb/cliconnect.c:1030(cli_session_setup_spnego)
got principal=ceaadbrp1$@XXX
[2011/04/07 10:48:13.567241, 2]
libsmb/cliconnect.c:795(cli_session_setup_kerberos)
Doing kerberos session setup
[2011/04/07 10:48:13.575172, 3] libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
expiration Thu, 07 Apr 2011 20:48:13 GMT-03:00
[2011/04/07 10:48:13.575364, 3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
**********************
ceaulab1:/opt/pware64/var>cat log.wb-CEABR
[2011/04/07 10:48:08.446242, 3] winbindd/winbindd_cm.c:1633(connection_ok)
connection_ok: Connection to for domain CEABR is not connected
[2011/04/07 10:48:08.495255, 3]
libsmb/cliconnect.c:991(cli_session_setup_spnego)
Doing spnego session setup (blob length=115)
[2011/04/07 10:48:08.495545, 3]
libsmb/cliconnect.c:1020(cli_session_setup_spnego)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
[2011/04/07 10:48:08.495666, 3]
libsmb/cliconnect.c:1030(cli_session_setup_spnego)
got principal=ceaadbrp1$@xxxx
[2011/04/07 10:48:08.529939, 2]
libsmb/cliconnect.c:795(cli_session_setup_kerberos)
Doing kerberos session setup
[2011/04/07 10:48:08.538272, 3] libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
expiration Thu, 07 Apr 2011 20:48:08 GMT-03:00
[2011/04/07 10:48:08.538440, 3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
[2011/04/07 10:48:08.871177, 3] winbindd/winbindd_ads.c:1206(sequence_number)
ads: fetch sequence_number for CEABR
[2011/04/07 10:48:08.871449, 3] libsmb/namequery.c:1880(get_dc_list)
get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
[2011/04/07 10:48:08.877761, 3] libads/ldap.c:634(ads_connect)
Successfully contacted LDAP server 10.16.1.203
[2011/04/07 10:48:08.877989, 3] libsmb/namequery.c:1880(get_dc_list)
get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
[2011/04/07 10:48:08.878252, 3] libsmb/namequery.c:1880(get_dc_list)
get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
[2011/04/07 10:48:08.943625, 3] libsmb/namequery.c:1880(get_dc_list)
get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
[2011/04/07 10:48:08.946330, 3] libads/ldap.c:634(ads_connect)
Successfully contacted LDAP server 10.x.x.x
[2011/04/07 10:48:08.946581, 3] libsmb/namequery.c:1880(get_dc_list)
get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
[2011/04/07 10:48:08.946852, 3] libsmb/namequery.c:1880(get_dc_list)
get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
[2011/04/07 10:48:09.004434, 3] libads/ldap.c:634(ads_connect)
Successfully contacted LDAP server 10.16.1.203
[2011/04/07 10:48:09.006830, 3] libads/ldap.c:688(ads_connect)
Connected to LDAP server ceaadbrp1.xxx
[2011/04/07 10:48:09.008109, 3] libads/sasl.c:782(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2011/04/07 10:48:09.008190, 3] libads/sasl.c:782(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2011/04/07 10:48:09.008267, 3] libads/sasl.c:782(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2011/04/07 10:48:09.008343, 3] libads/sasl.c:782(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2011/04/07 10:48:09.008418, 3] libads/sasl.c:791(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got server principal name = ceaadbrp1$@xxx
[2011/04/07 10:48:09.008672, 3] libsmb/clikrb5.c:787(ads_krb5_mk_req)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2011/04/07 10:48:09.054672, 3] libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
expiration Thu, 07 Apr 2011 20:48:09 GMT-03:00
[2011/04/07 10:48:09.054867, 3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
[2011/04/07 10:48:09.074603, 3] libsmb/ntlmssp.c:1101(ntlmssp_client_challenge)
Got challenge flags:
[2011/04/07 10:48:09.074743, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62898235
[2011/04/07 10:48:09.074819, 3] libsmb/ntlmssp.c:1123(ntlmssp_client_challenge)
NTLMSSP: Set final flags:
[2011/04/07 10:48:09.074888, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x60088235
[2011/04/07 10:48:09.075079, 3] libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
NTLMSSP Sign/Seal - Initialising with flags:
[2011/04/07 10:48:09.075167, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x60088235
[2011/04/07 10:48:09.081098, 3]
winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
[6553754]: list trusted domains
[2011/04/07 10:48:09.081206, 3] winbindd/winbindd_ads.c:1269(trusted_domains)
ads: trusted_domains
[2011/04/07 10:48:09.105515, 3]
winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
[6553754]: list trusted domains
[2011/04/07 10:48:09.105620, 3] winbindd/winbindd_ads.c:1269(trusted_domains)
ads: trusted_domains
[2011/04/07 10:53:08.428859, 3]
winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
[6553754]: list trusted domains
[2011/04/07 10:53:08.429039, 3] winbindd/winbindd_ads.c:1269(trusted_domains)
ads: trusted_domains
TKS
On 6 April 2011 22:08, William E Jojo <w.jojo at hvcc.edu> wrote:
>
> ----- Original Message -----
>> From: "kleber povoação" <okleber at gmail.com>
>> To: samba at lists.samba.org
>> Sent: Wednesday, April 6, 2011 6:33:10 PM
>> Subject: [Samba] login into AIX using winbind
>> Can someone help me ?
>>
>> I can't log in to the AIX machine using an Active Directory user.
>> ****************************
>> /etc/smb.conf
>>
>> [global]
>> security = ads
>> realm = XXXXXXXX
>> password server = *
>> workgroup = YYYYY
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> winbind use default domain = yes
>> log level = 3
>> template homedir = /home/%D/%U
>> template shell = /usr/bin/ksh
>> server string = %h server
>> winbind nested groups = Yes
>> winbind offline logon = true
>> interfaces = en3 lo0
>> bind interfaces only = yes
>> name resolve order = host wins bcast
>> lm announce = False
>> preferred master = False
>> keepalive = 30
>> auth methods = winbind
>> client use spnego = Yes
>> encrypt passwords = Yes
>> domain master = no
>> local master = no
>> preferred master = no
>> passdb backend = tdbsam
>> unix extensions = no
>> idmap config YYYYY : default = yes
>> idmap config YYYYY : backend = ad
>> idmap config YYYYY : range = 10000-20000
>> ********************************************
>> /usr/lib/security/methods.cfg
>>
>> WINBIND:
>> program = /usr/lib/security/WINBIND
>>
>> KRB5A:
>> program = /usr/lib/security/KRB5A
>> options = authonly
>> program_64 = /usr/lib/security/KRB5A_64
>>
>> KRB5Afiles:
>> options = db=BUILTIN,auth=KRB5A
>>
>> NIS:
>> program = /usr/lib/security/NIS
>> program_64 = /usr/lib/security/NIS_64
>>
>>
>> DCE:
>> program = /usr/lib/security/DCE
>>
>>
>> ***************************
>> /etc/security/user
>>
>> default:
>> admin = false
>> login = true
>> su = true
>> daemon = true
>> rlogin = true
>> sugroups = ALL
>> admgroups =
>> ttys = ALL
>> auth1 = SYSTEM
>> auth2 = NONE
>> tpath = nosak
>> umask = 22
>> expires = 0
>> SYSTEM = "WINBIND OR compat"
>> registry = WINBIND
>> logintimes =
>> pwdwarntime = 3
>> account_locked = false
>> loginretries = 5
>> histexpire = 48
>> histsize = 8
>> minage = 1
>> maxage = 0
>> maxexpired = -1
>> minalpha = 4
>> minother = 2
>> minlen = 8
>> mindiff = 3
>> maxrepeats = 8
>> dictionlist =
>> pwdchecks =
>> default_roles =
>> *************************
>> /etc/krb5.conf
>> [libdefaults]
>> default_realm = wwww
>> default_keytab_name = FILE:/etc/krb5/krb5.keytab
>> forwardable = true
>> clockskew = 300
>>
>> [realms]
>> BRASIL.LATAM.CEA = {
>> kdc = www:88
>> admin_server = www:749
>> default_domain = wwww
>> }
>>
>> [domain_realm]
>> .xxx.xx.xx = XXXX
>> xxx.xx.xx = XXXX
>>
>> [logging]
>> kdc = FILE:/var/krb5/log/krb5kdc.log
>> admin_server = FILE:/var/krb5/log/kadmin.log
>> kadmin_local = FILE:/var/krb5/log/kadmin_local.log
>> default = FILE:/var/krb5/log/krb5lib.log
>>
>> ******************
>> What works?
>>
>>
>> lab1:/>wbinfo -i brab10_dbr
>> brab10_dbr:*:10000:10000:Anderson:/home/XXX/brab10_dbr:/usr/bin/ksh
>>
>> wbinfo -g
>>
>> net ads info
>>
>> klist
>> ***********************
>> What does not work
>>
>> lab1:/>lsuser -R WINBIND ALL -> shows no error but does not return any user.
>> lab1:/>
>>
>
> ALL has never worked. There is a timeout issue within AIX that I was never able to track down.
>
>
>> login with AD user at telnet or ssh or locally at console
>
>
> How are you logging in? Is the user fully-qualified? (Should not be necessary with winbind use default domain). Is there a home dir ready to receive them?
>
> Does "lsuser -R WINBIND username" return what you expect?
>
> Does chown allow you to specify an AD user?
>
> Anything in your log level 3 that may help?
>
>
> Cheers,
> Bill
>
>
>>
>> *******************
>>
>> tks all
>
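For the "anything in your log level 3" question above, the following added example (not part of the thread and not Samba code) splits a winbindd debug log into records, including headers that the archive wrapped onto two lines, and lists the records worth reading first. The function names and the default search pattern are assumptions; the sample lines are copied from the log.wb-CEABR excerpt in this thread.

```python
import re

# Record header: "[date time(.usec), level] file.c:line(function)".
# In archived mail the "file.c:line(function)" part is sometimes wrapped to the next line.
STAMP = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?),\s+(\d+)\]\s*(.*)$")
ORIGIN = re.compile(r"^(\S+\.c):(\d+)\((\w+)\)$")

def parse_records(text):
    """Split a winbindd log into dicts: time, level, source, function, message."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = STAMP.match(line)
        if m:
            cur = {"time": m.group(1), "level": int(m.group(2)),
                   "source": None, "function": None, "message": []}
            records.append(cur)
            line = m.group(3)              # origin may follow on the same line
        if cur is None or not line:
            continue                       # preamble or blank remainder
        o = ORIGIN.match(line)
        if o and cur["source"] is None and not cur["message"]:
            cur["source"], cur["function"] = o.group(1), o.group(3)
        else:
            cur["message"].append(line)
    for r in records:
        r["message"] = " ".join(r["message"])
    return records

def triage(records, pattern=r"not connected|failed|No credentials cache"):
    """Return (time, function, message) for records whose message matches pattern."""
    rx = re.compile(pattern, re.I)
    return [(r["time"], r["function"], r["message"])
            for r in records if rx.search(r["message"])]

# Sample lines taken from the log.wb-CEABR excerpt above (one wrapped header included).
SAMPLE = """\
[2011/04/07 10:48:08.446242, 3] winbindd/winbindd_cm.c:1633(connection_ok)
connection_ok: Connection to for domain CEABR is not connected
[2011/04/07 10:48:08.495255, 3]
libsmb/cliconnect.c:991(cli_session_setup_spnego)
Doing spnego session setup (blob length=115)
[2011/04/07 10:48:09.006830, 3] libads/ldap.c:688(ads_connect)
Connected to LDAP server ceaadbrp1.xxx
[2011/04/07 10:48:09.008672, 3] libsmb/clikrb5.c:787(ads_krb5_mk_req)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
"""

if __name__ == "__main__":
    for when, func, msg in triage(parse_records(SAMPLE)):
        print(when, func, msg)
```

A match only marks a record for reading in context with the records that follow it; in the excerpt above, the "not connected" record is followed by a successful LDAP connection to the same server.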