[Samba] AIX 5.3 Active Directory Synchronisation using Winbind

Craig Green cgreen at ultradata.com.au
Thu Apr 8 21:31:21 MDT 2010


Hi William,

OK. I have installed samba 3.5.2 from your site along with its required dependencies.
I have been able to join the AIX server to the domain, etc, without any issues.

However I am still having some issues, though they are now slightly different from what I was originally having.

Here is the output from "wbinfo -i" and "lsuser -R WINBIND" with slightly different settings in smb.conf.

The first is with the following entries commented out

;        idmap config ULTRADATA : default  = yes
;        idmap config ULTRADATA : backend  = ad
;        idmap config ULTRADATA : range  = 1000-9999
;        winbind nss info = sfu

Without these implicit settings, the shell is definitely "/bin/false".

$ wbinfo -i jcitizen
jcitizen:*:1009:10000:John Citizen:/home/ULTRADATA/jcitizen:/bin/false

$ lsuser -R WINBIND jcitizen
jcitizen id=1009 pgrp=domain users home=/home/ULTRADATA/jcitizen shell=/bin/false gecos=John Citizen login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND SYSTEM=WINBIND or compat logintimes= loginretries=4 pwdwarntime=21 account_locked=false minage=0 maxage=0 maxexpired=1 minalpha=2 minother=2 mindiff=4 maxrepeats=2 minlen=8 histexpire=8 histsize=2 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=524288 stack=524288 core=2097151 rss=524288 nofiles=-1 time_last_login=1267768837 time_last_unsuccessful_login=1270702351 tty_last_login=ssh tty_last_unsuccessful_login=/dev/pts/2 host_last_login=jcitizen.ultradata.com.au host_last_unsuccessful_login=jcitizen.ultradata.com.au unsuccessful_login_count=0 roles= pgid=10000 SID=S-1-5-21-2908653425-2220236570-374614302-7401


If I activate these settings within smb.conf (uncomment them and stop/start samba), so as to get the relevant home dir, login shell, etc from the AD values set within SFU, then the shell is "/bin/ksh" and the home dir is correct.  These are the values set in the Unix Attributes tab of the properties settings of the user on the AD server.  If I change the shell or home directory settings then it is reflected by the "wbinfo -i" or lsuser commands.

$ wbinfo -i jcitizen
jcitizen:*:1009:10000::/home/support/jci:/bin/ksh

$ lsuser -R WINBIND jcitizen
jcitizen id=1009 pgrp=domain users home=/home/support/jci shell=/bin/ksh gecos= login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND SYSTEM=WINBIND or compat logintimes= loginretries=4 pwdwarntime=21 account_locked=false minage=0 maxage=0 maxexpired=1 minalpha=2 minother=2 mindiff=4 maxrepeats=2 minlen=8 histexpire=8 histsize=2 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=524288 stack=524288 core=2097151 rss=524288 nofiles=-1 time_last_login=1267768837 time_last_unsuccessful_login=1270767969 tty_last_login=ssh tty_last_unsuccessful_login=/dev/pts/2 host_last_login=jcitizen.ultradata.com.au host_last_unsuccessful_login=jcitizen.ultradata.com.au unsuccessful_login_count=1 roles= pgid=10000 SID=S-1-5-21-2908653425-2220236570-374614302-7401

With either of these settings I can telnet into the server using the login of "jcitizen" and the password as set in the AD.
Of course when the shell is set as "/bin/false" the session gets logged off.  Which is understandable.

When the settings for the shell etc are obtained from the AD I can login and get access to a shell prompt.

However if I try another account, one that is definitely defined within the AD, I get the following.

$ wbinfo -i shommey
Could not get info for user shommey

$ lsuser -R WINBIND shommey
User "shommey" does not exist.

Now this is strange: I am now getting a response for "wbinfo -i shommey" and "lsuser shommey".

$ wbinfo -i shommey
shommey:*:10000:10000::/home/support/sh:/bin/ksh

$ lsuser shommey
shommey id=10000 pgrp=domain users home=/home/support/sh shell=/bin/ksh gecos= login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND SYSTEM=WINBIND or compat logintimes= loginretries=4 pwdwarntime=21 account_locked=false minage=0 maxage=0 maxexpired=1 minalpha=2 minother=2 mindiff=4 maxrepeats=2 minlen=8 histexpire=8 histsize=2 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=524288 stack=524288 core=2097151 rss=524288 nofiles=-1 time_last_unsuccessful_login=1268790251 tty_last_unsuccessful_login=/dev/pts/2 host_last_unsuccessful_login=operations.ultradata.com.au unsuccessful_login_count=1 roles= pgid=10000 SID=S-1-5-21-2908653425-2220236570-374614302-1189

Another strange thing is that the uid for jcitizen is defined as 1009, which is correct and is what is defined in the AD.  However the uid for shommey is 10000 and it is defined in the AD as 1038.  Also the gids for both users are coming back as 10000 and not what is defined in the AD.

If I get user shommey to try and telnet into the server, they can, but their relevant userid is incorrect as well as their group id.

Also if I try and use still another login - "abloggs" - I get the following when using "wbinfo -i" and "lsuser abloggs".

$ wbinfo -i abloggs
Could not get info for user abloggs

$ lsuser abloggs
User "abloggs" does not exist.

However the "wbinfo -n" command returns the relevant SID.

$ wbinfo -n abloggs
S-1-5-21-2908653425-2220236570-374614302-7403 SID_USER (1)

If I check the "log.wb-ULTRADATA" file I can see the info for "abloggs" as held in the AD.

[2010/04/09 10:59:00.166520,  3] winbindd/winbindd_ads.c:572(query_user)
  ads query_user gave abloggs
[2010/04/09 10:59:00.167218, 10] winbindd/winbindd_cache.c:536(refresh_sequence_number)
  refresh_sequence_number: ULTRADATA time ok
[2010/04/09 10:59:00.167821, 10] winbindd/winbindd_cache.c:581(refresh_sequence_number)
  refresh_sequence_number: ULTRADATA seq number is now 25356801
[2010/04/09 10:59:00.169370, 10] winbindd/winbindd_cache.c:962(wcache_save_user)
  wcache_save_user: S-1-5-21-2908653425-2220236570-374614302-7403 (acct_name abloggs)
[2010/04/09 10:59:00.170043,  1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
       wbint_QueryUser: struct wbint_QueryUser
          out: struct wbint_QueryUser
              info                     : *
                  info: struct wbint_userinfo
                      acct_name                : *
                          acct_name                : 'abloggs'
                      full_name                : *
                          full_name                : 'Andrew Bloggs'
                      homedir                  : *
                          homedir                  : '/home/support/amu'
                      shell                    : *
                          shell                    : '/bin/ksh'
                      primary_gid              : 0x00000000000000d0 (208)
                      user_sid                 : S-1-5-21-2908653425-2220236570-374614302-7403
                      group_sid                : S-1-5-21-2908653425-2220236570-374614302-513
              result                   : NT_STATUS_OK


After waiting over two hours, to see if for some reason it was a timing issue, I still cannot get info on the account "abloggs".  It is definitely defined in the AD and has the relevant Unix Attributes set.

So in summary:

- installing 3.5.2 seems to have resolved the telnet login for accounts that wbinfo -i can return data for
- the uids and gids for given users are not being assigned as I would expect
- cannot access information for all AD logins in a consistent manner

Any assistance or any insights into what I must be doing incorrectly would be greatly appreciated.

Regards,

Craig Green
Support Consultant - Unix

Ultradata - Vision to Reality
+61 3 9291 1742
www.ultradata.com.au
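To make the uid/gid inconsistencies described above easier to spot across many accounts, here is a small diagnostic script (an example added here, not from the original post or from the Samba project) that parses passwd-style "wbinfo -i" output together with the wbint_QueryUser block from a level-10 winbind log, then flags three things: any uid or gid that lies outside the idmap range configured for the AD backend, any gid that disagrees with the primary_gid winbindd logged for that account, and any account that winbindd resolved from AD but that "wbinfo -i" returned nothing for. The sample lines and the log excerpt are copied from the post; AD_RANGE is the 1000-9999 range from the smb.conf excerpt. The script rests on one assumption, stated in the comments: an idmap backend only hands out ids inside its configured range, so an id outside that range did not come from the "ad" backend.

```python
import re

# Constructed sample input: 'wbinfo -i' lines as quoted in the post above.
WBINFO_LINES = [
    "jcitizen:*:1009:10000::/home/support/jci:/bin/ksh",
    "shommey:*:10000:10000::/home/support/sh:/bin/ksh",
]

# Constructed sample input: the wbint_QueryUser record for abloggs from log.wb-ULTRADATA.
LOG_EXCERPT = """\
[2010/04/09 10:59:00.170043,  1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
       wbint_QueryUser: struct wbint_QueryUser
          out: struct wbint_QueryUser
              info                     : *
                  info: struct wbint_userinfo
                      acct_name                : *
                          acct_name                : 'abloggs'
                      full_name                : *
                          full_name                : 'Andrew Bloggs'
                      homedir                  : *
                          homedir                  : '/home/support/amu'
                      shell                    : *
                          shell                    : '/bin/ksh'
                      primary_gid              : 0x00000000000000d0 (208)
                      user_sid                 : S-1-5-21-2908653425-2220236570-374614302-7403
                      group_sid                : S-1-5-21-2908653425-2220236570-374614302-513
              result                   : NT_STATUS_OK
"""

# idmap range from the smb.conf excerpt: "idmap config ULTRADATA : range = 1000-9999".
AD_RANGE = (1000, 9999)


def parse_wbinfo(line):
    """Split one passwd-style 'wbinfo -i' line into a dict of its seven fields."""
    name, _pw, uid, gid, gecos, home, shell = line.strip().split(":")
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def parse_query_user(log_text):
    """Extract every wbint_QueryUser record from a level-10 winbind log.

    Returns a dict keyed by account name holding acct_name, full_name, homedir,
    shell, primary_gid (decimal) and user_sid. Pointer lines ('acct_name : *')
    carry no value and are skipped by the regex.
    """
    records = {}
    for chunk in log_text.split("wbint_QueryUser: struct wbint_QueryUser")[1:]:
        rec = dict(re.findall(r"(acct_name|full_name|homedir|shell)\s+:\s+'([^']*)'", chunk))
        gid = re.search(r"primary_gid\s+:\s+0x[0-9a-fA-F]+\s+\((\d+)\)", chunk)
        sid = re.search(r"user_sid\s+:\s+(S-[\d-]+)", chunk)
        if "acct_name" in rec and gid:
            rec["primary_gid"] = int(gid.group(1))
            rec["user_sid"] = sid.group(1) if sid else None
            records[rec["acct_name"]] = rec
    return records


def check_user(entry, ad_range, ad_records):
    """Return a list of findings (strings) for one parsed 'wbinfo -i' entry."""
    lo, hi = ad_range
    findings = []
    for field in ("uid", "gid"):
        value = entry[field]
        if not lo <= value <= hi:
            # Assumption: an idmap backend only returns ids inside its configured
            # range, so this id was not supplied by the 'ad' backend at all.
            findings.append(f"{entry['name']}: {field} {value} is outside the AD idmap range {lo}-{hi}")
    ad = ad_records.get(entry["name"])
    if ad and ad["primary_gid"] != entry["gid"]:
        findings.append(f"{entry['name']}: gid {entry['gid']} differs from primary_gid "
                        f"{ad['primary_gid']} seen in the winbind log")
    return findings


def run_checks(wbinfo_lines, log_text, ad_range=AD_RANGE):
    """Cross-check 'wbinfo -i' output against the idmap range and the winbind log."""
    ad_records = parse_query_user(log_text)
    entries = [parse_wbinfo(line) for line in wbinfo_lines]
    findings = []
    for entry in entries:
        findings.extend(check_user(entry, ad_range, ad_records))
    # Accounts winbindd resolved from AD but for which 'wbinfo -i' gave no entry.
    seen = {e["name"] for e in entries}
    for name, rec in ad_records.items():
        if name not in seen:
            findings.append(f"{name}: winbindd resolved {rec['user_sid']} from AD "
                            f"but 'wbinfo -i' returned no entry")
    return findings


if __name__ == "__main__":
    for finding in run_checks(WBINFO_LINES, LOG_EXCERPT):
        print(finding)
```

On the post's own data the script reports jcitizen's gid and both of shommey's ids as outside the 1000-9999 AD range, and abloggs as resolved in the log but absent from wbinfo; feeding it the full log.wb-ULTRADATA and the output of "wbinfo -i" for each account turns the same comparison into a quick consistency report.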


> -----Original Message-----
> From: William Jojo [mailto:w.jojo at hvcc.edu]
> Sent: Thursday, 8 April 2010 10:09 PM
> To: Craig Green
> Cc: 'John Welch'; samba at lists.samba.org
> Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind
>
> Craig Green wrote:
> > Hi John,
> >
> > Thank you for your reply. I really appreciate your input.
> >
> > I have been using Samba on our AIX servers for the last few years.  Up until recently I have always used "security = DOMAIN" (with versions 3.0.28 and 3.3.9).  I have had no issues with that type of setup.  It is only now that I have been testing integration into MS AD and using "security = ADS" that I am having problems.  The Samba versions I have tried with ADS are 3.3.9 and 3.5.0.  Version 3.3.9 was compiled from scratch.  I get the same issues with both versions.  Originally I thought the issues must be with my compiled version.  However it seems to be some sort of AIX config issue, since I get the same issues with version 3.5.0, which is the pre-compiled version from the hvcc.edu site.
> >
> > I am stumped as to what the issue is.  Everything I can find on the net re using samba and winbind implies I have the correct setup, but this cannot be the case since I cannot get it to work.  I must have something wrong, but for the life of me I cannot figure it out.
> >
> > Re the question of "do you really need ADS security mode".  Well, most likely not; we could integrate using ldap, but my understanding is that using winbind is a less complicated method, or it is supposed to be.  In regards to the correct version of WINBIND, I have checked this previously and the correct version is being used.
> >
> > In the past I have been able to connect a Linux server to an MS-AD, but the Linux server uses NSS.  AIX does not have NSS, but I believe the changes to the "/etc/security/user" file are supposed to replace this.  I am guessing the issue has something to do with this.  However I have found info on the www that says other users of AIX have been able to use Samba and WINBIND to join an ADS and to authenticate back to the AD without issues once they have made the alterations to the /etc/security/user and methods.cfg files.
> >
> > If I perform a test to verify that communications between Samba-3 winbind and the Active Directory server are using Kerberos protocols, I get the correct data back.
> >
> > $ net ads info
> > LDAP server: 172.16.xxx.xxx
> > LDAP server name: blue.testrealm.com.au
> > Realm: TESTREALM.COM.AU
> > Bind Path: dc=TESTREALM,dc=COM,dc=AU
> > LDAP port: 389
> > Server time: Tue, 06 Apr 2010 11:27:22 EET
> > KDC server: 172.16.xxx.xxx
> > Server time offset: 0
> >
> > The "net ads status" command also returns the correct data.
> >
> > So everything I do implies I am communicating correctly with the AD.  However authentication does not work.
> >
> > I also agree with you that the hvcc.edu site is an awesome project.  Without it my life would certainly be more difficult.
> >
> >
> > Regards,
> >
> > Craig Green
> > Support Consultant - Unix
> >
> > Ultradata - Vision to Reality
> > +61 3 9291 1742
> > www.ultradata.com.au
> >
> > -----Original Message-----
> > From: John Welch [mailto:jwelch at brosco.com]
> > Sent: Saturday, 3 April 2010 1:10 AM
> > To: William Jojo
> > Cc: samba at lists.samba.org; Craig Green
> > Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind
> >
> >
> > ----- "William Jojo" <w.jojo at hvcc.edu> wrote:
> >
> >
> >> ---- Original message ----
> >>
> >>> Date: Fri, 2 Apr 2010 08:15:38 -0400 (EDT)
> >>> From: John Welch <jwelch at brosco.com>
> >>> Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind
> >>>
> >>> To: cgreen at ultradata.com.au
> >>> Cc: samba at lists.samba.org
> >>>
> >>> I know one issue I ran into when I recently upgraded Samba on the AIX box was that the WINBIND file in /usr/lib/security was a symbolic link that was not linked to the correct version of Samba.  Have you looked at this file and verified that it is correct?
> >>
> >> John,
> >>
> >> Can you provide a little more on the problem you had? I'm not able to find the broken link in my development servers (32 or 64 bit), and I *really* want to improve our quality control.
> >>
> >> Glad to hear the project is working out for you otherwise. :-)
> >>
> >>
> >> Cheers,
> >> Bill
> >>
> >
> > Hi Bill,
> >
> > Prior to the recent upgrade to 3.4.5 we had been using an "old" 3.0 version (3.0.28) from your pware project.  At that level of Samba at least the directory structure was "/opt/pware/samba/<version>".  I did the upgrade a few months ago, so I'm trying to recall from memory the exact issue, but I believe after upgrading the WINBIND symbolic link was still pointing to the 3.0.28 binary.  Not sure if the upgrade should have fixed this automatically or not.  Really a minor thing, but something I overlooked initially.
> >
> > Your project is awesome... Keep up the good work!
> >
> >
>
> Thanks!
>
> I just posted 3.5.2 yesterday. I was able to join AIX to ADS
> (w2k8r2) and I can telnet into AIX without issue.
>
> Can you tell me what lsuser returns for the shell? I bet it
> is /bin/false. If so, you may want to set:
>
> template shell = /opt/pware/bin/bash
>
> or
>
> template shell = /bin/ksh
>
>
> Depending on the shell you wish users to use.
>
> If this is not it, I'm happy to help figure out what is going on.
>
>
> Cheers,
> Bill
>
>
> > Thanks,
> > John
> >
>
>

Disclaimer Notice

This message contains privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that you must not disseminate, copy or take any action or place any reliance on it. If you have received this message in error please notify Ultradata immediately on +61 3 9291 1600. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Ultradata Australia Pty. Ltd.

To unsubscribe from receiving commercial electronic messages from Ultradata Australia please email unsubscribe at ultradata.com.au with the subject heading "Unsubscribe".

