[Samba] AIX 5.3 Active Directory Synchronisation using Winbind

Craig Green cgreen at ultradata.com.au
Sun Apr 11 23:08:26 MDT 2010


Hi William,

I appear to have resolved the main issue.
I have had to include both "idmap config ULTRADATA : schema_mode = sfu" and "winbind nss info = sfu" in the smb.conf file.
Without either of these settings "wbinfo -i" does not work correctly.
I found this fix listed in a posting labeled "Windows server 2003 SP2, SFU 3.5 and Samba 3.0.28".
When I have the entry in smb.conf I can readily resolve AD users and login via a telnet session using their AD password.

I now only have one issue left and that is the allocation of the primary group id from that specified in the SFU setup for a user account.
The user id as specified in the SFU setup is being used but the group id is not.

E.g. "wbinfo -i abloggs" returns
abloggs:*:1300:10000::/home/support/amu:/bin/ksh

The correct uid of 1300 is used but the group id of 208 that is set is not.
I have tried using the setting of "idmap config ULTRADATA : range  = 200-9999" in case this controls the uid and gid.
However the gid stays set to 10000.
Over the next few days I am going to try uninstalling and reinstalling samba, setting smb.conf to the required settings that I have discovered before I join the domain and/or start samba/winbind etc.


Regards,

Craig Green
Support Consultant - Unix

Ultradata - Vision to Reality
+61 3 9291 1742
www.ultradata.com.au
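
An added example, not code from this thread and not something Samba ships: a small POSIX shell audit that checks passwd-format entries of the kind "wbinfo -i" returns against the idmap range from smb.conf. The sample lines are constructed from the output quoted in this thread, and the range 200-9999 is taken from the "idmap config ULTRADATA : range" line above; both are assumptions, not live data. The reason to run such a check: a uid or gid that lands outside the configured range (the 10000 seen here) is a sign that winbind fell back to a default mapping instead of the SFU uidNumber/gidNumber held in AD, so the account would carry group permissions that do not match the directory.

```shell
#!/bin/sh
# Added example (not from the thread): audit winbind passwd entries against
# the idmap range configured in smb.conf.  Every uid/gid returned by
# "wbinfo -i" should fall inside "idmap config <DOMAIN> : range = LOW-HIGH";
# an id outside it means winbind did not use the SFU attributes from AD.

# Constructed sample lines modelled on the thread's output, not live data.
SAMPLE='abloggs:*:1300:10000::/home/support/amu:/bin/ksh
jcitizen:*:1009:10000:John Citizen:/home/ULTRADATA/jcitizen:/bin/false
shommey:*:10000:10000::/home/support/sh:/bin/ksh'

# check_entry LINE LOW HIGH: prints a verdict for one passwd-format line
# (name:pw:uid:gid:gecos:home:shell); returns 0 if uid and gid are both
# inside the range, 1 otherwise.
check_entry() {
  entry=$1; low=$2; high=$3
  name=$(printf '%s\n' "$entry" | cut -d: -f1)
  uid=$(printf '%s\n' "$entry" | cut -d: -f3)
  gid=$(printf '%s\n' "$entry" | cut -d: -f4)
  shell=$(printf '%s\n' "$entry" | cut -d: -f7)
  rc=0
  if [ "$uid" -lt "$low" ] || [ "$uid" -gt "$high" ]; then
    printf 'WARN %s: uid %s outside idmap range %s-%s\n' "$name" "$uid" "$low" "$high"
    rc=1
  fi
  if [ "$gid" -lt "$low" ] || [ "$gid" -gt "$high" ]; then
    printf 'WARN %s: gid %s outside idmap range %s-%s\n' "$name" "$gid" "$low" "$high"
    rc=1
  fi
  # A /bin/false shell is the symptom Bill describes in the thread:
  # "template shell" or "winbind nss info = sfu" not in effect.
  if [ "$shell" = "/bin/false" ]; then
    printf 'NOTE %s: shell is /bin/false\n' "$name"
  fi
  if [ "$rc" -eq 0 ]; then
    printf 'OK   %s: uid=%s gid=%s\n' "$name" "$uid" "$gid"
  fi
  return "$rc"
}

# count_out_of_range LOW HIGH: reads passwd lines on stdin and prints how
# many had a uid or gid outside the range (per-entry verdicts discarded).
count_out_of_range() {
  low=$1; high=$2; bad=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    check_entry "$line" "$low" "$high" >/dev/null || bad=$((bad + 1))
  done
  printf '%s\n' "$bad"
}

# Stand-alone run: audit the constructed sample against the thread's range.
# On a real server feed it "wbinfo -i <user>" or "getent passwd" output for
# each domain account instead of SAMPLE.
printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
  check_entry "$line" 200 9999 || true
done
printf '%s entries outside range 200-9999\n' \
  "$(printf '%s\n' "$SAMPLE" | count_out_of_range 200 9999)"
```

With the sample above all three entries are flagged: abloggs and jcitizen only on the gid, shommey on both ids. Widening the range to include 10000 silences the warnings, which is exactly why the range alone does not fix the problem reported here; the values should come from the SFU attributes, not from a fallback allocation that happens to sit inside the range.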


> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Craig Green
> Sent: Friday, 9 April 2010 1:31 PM
> To: 'William Jojo'
> Cc: samba at lists.samba.org; 'John Welch'
> Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation
> using Winbind
>
> Hi William,
>
> OK. I have installed samba 3.5.2 from your site along with
> its required dependencies.
> I have been able to join the AIX server to the domain, etc,
> without any issues.
>
> However I am still having some issues, though they are now
> slightly different from what I was originally having.
>
> Here is the output from "wbinfo -i" and "lsuser -R WINBIND"
> with slightly different settings in smb.conf.
>
> The first is with the following entries commented out
>
> ;        idmap config ULTRADATA : default  = yes
> ;        idmap config ULTRADATA : backend  = ad
> ;        idmap config ULTRADATA : range  = 1000-9999
> ;        winbind nss info = sfu
>
> Without these implicit settings the shell is definitely
> "/bin/false".
>
> $ wbinfo -i jcitizen
> jcitizen:*:1009:10000:John Citizen:/home/ULTRADATA/jcitizen:/bin/false
>
> $ lsuser -R WINBIND jcitizen
> jcitizen id=1009 pgrp=domain users
> home=/home/ULTRADATA/jcitizen shell=/bin/false gecos=John
> Citizen login=true su=true rlogin=true daemon=true
> admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL
> expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND
> SYSTEM=WINBIND or compat logintimes= loginretries=4
> pwdwarntime=21 account_locked=false minage=0 maxage=0
> maxexpired=1 minalpha=2 minother=2 mindiff=4 maxrepeats=2
> minlen=8 histexpire=8 histsize=2 pwdchecks= dictionlist=
> fsize=-1 cpu=-1 data=524288 stack=524288 core=2097151
> rss=524288 nofiles=-1 time_last_login=1267768837
> time_last_unsuccessful_login=1270702351 tty_last_login=ssh
> tty_last_unsuccessful_login=/dev/pts/2
> host_last_login=jcitizen.ultradata.com.au
> host_last_unsuccessful_login=jcitizen.ultradata.com.au
> unsuccessful_login_count=0 roles= pgid=10000
> SID=S-1-5-21-2908653425-2220236570-374614302-7401
>
>
> If I activate these settings within smb.conf (uncomment them
> and stop/start samba), so as to get the relevant home dir,
> login shell, etc from the AD values set within SFU, then the
> shell is "/bin/ksh" and the home dir is correct.  These are
> the values set in the Unix Attributes tab of the properties
> settings of the user on the AD server.  If I change the shell
> or home directory settings then it is reflected by the
> "wbinfo -i" or lsuser commands.
>
> $ wbinfo -i jcitizen
> jcitizen:*:1009:10000::/home/support/jci:/bin/ksh
>
> $ lsuser -R WINBIND jcitizen
> jcitizen id=1009 pgrp=domain users home=/home/support/jci
> shell=/bin/ksh gecos= login=true su=true rlogin=true
> daemon=true admin=false sugroups=ALL admgroups= tpath=nosak
> ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22
> registry=WINBIND SYSTEM=WINBIND or compat logintimes=
> loginretries=4 pwdwarntime=21 account_locked=false minage=0
> maxage=0 maxexpired=1 minalpha=2 minother=2 mindiff=4
> maxrepeats=2 minlen=8 histexpire=8 histsize=2 pwdchecks=
> dictionlist= fsize=-1 cpu=-1 data=524288 stack=524288
> core=2097151 rss=524288 nofiles=-1 time_last_login=1267768837
> time_last_unsuccessful_login=1270767969 tty_last_login=ssh
> tty_last_unsuccessful_login=/dev/pts/2
> host_last_login=jcitizen.ultradata.com.au
> host_last_unsuccessful_login=jcitizen.ultradata.com.au
> unsuccessful_login_count=1 roles= pgid=10000
> SID=S-1-5-21-2908653425-2220236570-374614302-7401
>
> With either of these settings I can telnet into the server
> using the login of "jcitizen" and the password as set in the AD.
> Of course when the shell is set as "/bin/false" the session
> gets logged off.  Which is understandable.
>
> When the settings for the shell etc are obtained from the AD
> I can login and get access to a shell prompt.
>
> However if I try another account, one that is definitely
> defined within the AD, I get the following.
>
> $ wbinfo -i shommey
> Could not get info for user shommey
>
> $ lsuser -R WINBIND shommey
> User "shommey" does not exist.
>
> Now this is strange: I am now getting a response for "wbinfo
> -i shommey" and "lsuser shommey"
> $ wbinfo - shommey
> shommey:*:10000:10000::/home/support/sh:/bin/ksh
>
> $ lsuser shommey
> shommey id=10000 pgrp=domain users home=/home/support/sh
> shell=/bin/ksh gecos= login=true su=true rlogin=true
> daemon=true admin=false sugroups=ALL admgroups= tpath=nosak
> ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22
> registry=WINBIND SYSTEM=WINBIND or compat logintimes=
> loginretries=4 pwdwarntime=21 account_locked=false minage=0
> maxage=0 maxexpired=1 minalpha=2 minother=2 mindiff=4
> maxrepeats=2 minlen=8 histexpire=8 histsize=2 pwdchecks=
> dictionlist= fsize=-1 cpu=-1 data=524288 stack=524288
> core=2097151 rss=524288 nofiles=-1
> time_last_unsuccessful_login=1268790251
> tty_last_unsuccessful_login=/dev/pts/2
> host_last_unsuccessful_login=operations.ultradata.com.au
> unsuccessful_login_count=1 roles= pgid=10000
> SID=S-1-5-21-2908653425-2220236570-374614302-1189
>
> Another strange thing is that the uid for jcitizen is defined
> as 1009 which is correct and is what is defined in the AD.
> However the uid for shommey is 10000 and it is defined in the
> AD as 1038.  Also the gids for both users are coming back as
> 10000 and not what is defined in the AD.
>
> If I get user shommey to try and telnet into the server, they
> can, but their relevant userid is incorrect as well as their group id.
>
> Also if I try and use still another login - "abloggs" I get
> the following when using "wbinfo -i" and "lsuser abloggs".
>
> $ wbinfo -i abloggs
> Could not get info for user abloggs
>
> $ lsuser abloggs
> User "abloggs" does not exist.
>
> However the "wbinfo -n" command returns the relevant SID.
>
> $ wbinfo -n abloggs
> S-1-5-21-2908653425-2220236570-374614302-7403 SID_USER (1)
>
> If I check the "log.wb-ULTRADATA" file I can see the info for
> "abloggs" as held in the AD.
>
> [2010/04/09 10:59:00.166520,  3]
> winbindd/winbindd_ads.c:572(query_user)
>   ads query_user gave abloggs
> [2010/04/09 10:59:00.167218, 10]
> winbindd/winbindd_cache.c:536(refresh_sequence_number)
>   refresh_sequence_number: ULTRADATA time ok
> [2010/04/09 10:59:00.167821, 10]
> winbindd/winbindd_cache.c:581(refresh_sequence_number)
>   refresh_sequence_number: ULTRADATA seq number is now 25356801
> [2010/04/09 10:59:00.169370, 10]
> winbindd/winbindd_cache.c:962(wcache_save_user)
>   wcache_save_user:
> S-1-5-21-2908653425-2220236570-374614302-7403 (acct_name abloggs)
> [2010/04/09 10:59:00.170043,  1]
> ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
>        wbint_QueryUser: struct wbint_QueryUser
>           out: struct wbint_QueryUser
>               info                     : *
>                   info: struct wbint_userinfo
>                       acct_name                : *
>                           acct_name                : 'abloggs'
>                       full_name                : *
>                           full_name                : 'Andrew Bloggs'
>                       homedir                  : *
>                           homedir                  :
> '/home/support/amu'
>                       shell                    : *
>                           shell                    : '/bin/ksh'
>                       primary_gid              :
> 0x00000000000000d0 (208)
>                       user_sid                 :
> S-1-5-21-2908653425-2220236570-374614302-7403
>                       group_sid                :
> S-1-5-21-2908653425-2220236570-374614302-513
>               result                   : NT_STATUS_OK
>
>
> After waiting over two hours, to see if for some reason it
> was a timing issue, I still cannot get info on the account
> "abloggs".  It is definitely defined in the AD and has the
> relevant Unix Attributes set.
>
> So in summary:
>
> - installing 3.5.2 seems to have resolved the telnet login
>   for accounts that wbinfo -i can return data for
> - the uids and gids for given users are not being assigned
>   as I would expect
> - cannot access information for all AD logins in a consistent manner
>
> Any assistance or any insights into what I must be doing
> incorrectly would be greatly appreciated.
>
> Regards,
>
> Craig Green
> Support Consultant - Unix
>
> Ultradata - Vision to Reality
> +61 3 9291 1742
> www.ultradata.com.au
>
>
> > -----Original Message-----
> > From: William Jojo [mailto:w.jojo at hvcc.edu]
> > Sent: Thursday, 8 April 2010 10:09 PM
> > To: Craig Green
> > Cc: 'John Welch'; samba at lists.samba.org
> > Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using
> > Winbind
> >
> > Craig Green wrote:
> > > Hi John,
> > >
> > > Thank you for your reply. I really appreciate your input.
> > >
> > > I have been using Samba on our AIX servers for the last few
> > > years.  Up until recently I have always used "security = DOMAIN", (with
> > > versions 3.0.28 and 3.3.9).  I have had no issues with that type of
> > > setup.  It is only now that I have been testing integration into MS AD
> > > and using "security = ADS" that I am having problems.  The Samba
> > > versions I have tried with ADS are 3.3.9 and 3.5.0.  Version 3.3.9 was
> > > compiled from scratch.  I get the same issues with both versions.
> > > Originally I thought the issues must be with my compiled version.
> > > However it seems to be some sort of AIX config issue since I get the
> > > same issues with version 3.5.0 which is the pre-compiled version from
> > > the hvcc.edu site.
> > >
> > > I am stumped as to what the issue is.  Everything I can
> > > find on the net re using samba and winbind implies I have the correct
> > > setup but this cannot be the case since I cannot get it to work.  I
> > > must have something wrong but for the life of me I cannot figure it
> > > out.
> > >
> > > Re the question of "do you really need ADS security mode".
> > > Well, most likely not, we could integrate using ldap but my
> > > understanding is that using winbind is a less complicated method, or it
> > > is supposed to be.  In regards to the correct version of WINBIND, I
> > > have checked this previously and the correct version is being used.
> > >
> > > In the past I have been able to connect a Linux server to
> > > an MS-AD but the Linux server uses NSS.  AIX does not have NSS but I
> > > believe the changes to the "/etc/security/user"
> > > file are supposed to replace this.  I am guessing the issue has
> > > something to do with this.  However I have found info on the www that
> > > says other users of AIX have been able to use Samba and WINBIND to join
> > > an ADS and to authenticate back to the AD without issues once they
> > > have made the alterations to the /etc/security/user and methods.cfg
> > > files.
> > >
> > > If I perform a test to verify that communications between
> > > Samba-3 winbind and the Active Directory server are using Kerberos
> > > protocols I get the correct data back.
> > >
> > > $ net ads info
> > > LDAP server: 172.16.xxx.xxx
> > > LDAP server name: blue.testrealm.com.au
> > > Realm: TESTREALM.COM.AU
> > > Bind Path: dc=TESTREALM,dc=COM,dc=AU
> > > LDAP port: 389
> > > Server time: Tue, 06 Apr 2010 11:27:22 EET
> > > KDC server: 172.16.xxx.xxx
> > > Server time offset: 0
> > >
> > > The "net ads status" command also returns the correct data.
> > >
> > > So everything I do implies I am communicating correctly
> > > with the AD. However authentication does not work.
> > >
> > > I also agree with you that the hvcc.edu site is an
> > > awesome project.  Without it my life would certainly be more
> > > difficult.
> > >
> > >
> > > Regards,
> > >
> > > Craig Green
> > > Support Consultant - Unix
> > >
> > > Ultradata - Vision to Reality
> > > +61 3 9291 1742
> > > www.ultradata.com.au
> > >
> > > -----Original Message-----
> > > From: John Welch [mailto:jwelch at brosco.com]
> > > Sent: Saturday, 3 April 2010 1:10 AM
> > > To: William Jojo
> > > Cc: samba at lists.samba.org; Craig Green
> > > Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using
> > > Winbind
> > >
> > >
> > > ----- "William Jojo" <w.jojo at hvcc.edu> wrote:
> > >
> > >
> > >> ---- Original message ----
> > >>
> > >>> Date: Fri, 2 Apr 2010 08:15:38 -0400 (EDT)
> > >>> From: John Welch <jwelch at brosco.com>
> > >>> Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using
> > >>> Winbind
> > >>> To: cgreen at ultradata.com.au
> > >>> Cc: samba at lists.samba.org
> > >>>
> > >>> I know one issue I ran into when I recently upgraded Samba on the
> > >>> AIX box was that the WINBIND file in /usr/lib/security was a
> > >>> symbolic link that was not linked to the correct version of Samba.
> > >>> Have you looked at this file and verified that it is correct?
> > >>
> > >> John,
> > >>
> > >> Can you provide a little more on the problem you had? I'm not able to
> > >> find the broken link in my development servers (32 or 64 bit), and I
> > >> *really* want to improve our quality control.
> > >>
> > >> Glad to hear the project is working out for you otherwise. :-)
> > >>
> > >>
> > >> Cheers,
> > >> Bill
> > >>
> > >
> > > Hi Bill,
> > >
> > > Prior to the recent upgrade to 3.4.5 we had been using an
> > > "old" 3.0 version (3.0.28) from your pware project.  At that level of
> > > Samba at least the directory structure was
> > > "/opt/pware/samba/<version>".  I did the upgrade a few months ago, so
> > > I'm trying to recall from memory the exact issue, but I believe after
> > > upgrading the WINBIND symbolic link was still pointing to the 3.0.28
> > > binary.  Not sure if the upgrade should have fixed this automatically
> > > or not.  Really a minor thing, but something I overlooked initially.
> > >
> > > Your project is awesome... Keep up the good work!
> > >
> > >
> >
> > Thanks!
> >
> > I just posted 3.5.2 yesterday. I was able to join AIX to ADS
> > (w2k8r2) and I can telnet into AIX without issue.
> >
> > Can you tell me what lsuser returns for the shell? I bet it is
> > /bin/false. If so, you may want to set:
> >
> > template shell = /opt/pware/bin/bash
> >
> > or
> >
> > template shell = /bin/ksh
> >
> >
> > Depending on the shell you wish users to use.
> >
> > If this is not it, I'm happy to help figure out what is going on.
> >
> >
> > Cheers,
> > Bill
> >
> >
> > > Thanks,
> > > John
> > >
> > > Disclaimer Notice
> > >
> > > This message contains privileged and confidential
> > information intended only for the use of the addressee
> named above. If
> > you are not the intended recipient of this message you are hereby
> > notified that you must not disseminate, copy or take any action or
> > place any reliance on it. If you have received this message
> in error
> > please notify Ultradata immediately on +61 3 9291 1600. Any views
> > expressed in this message are those of the individual
> sender, except
> > where the sender specifically states them to be the views
> of Ultradata
> > Australia Pty. Ltd.
> > >
> > > To unsubscribe from receiving commercial electronic
> > messages from Ultradata Australia please email
> > unsubscribe at ultradata.com.au with the subject heading "Unsubscribe".
> > >
> >
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


