[Samba] Samba ADS on AIX 6.1 TL04
William Jojo
w.jojo at hvcc.edu
Tue Apr 27 06:02:33 MDT 2010
Yashpal Nagar wrote:
> Hi All
>
> I'm trying to integrate samba server with ADS on AIX 6.1 TL04, for the last
> week, with idmap / winbind but no satisfactory results. I have gone through
> various links at samba.org relating to winbind, idmapper and followed
> http://pware.hvcc.edu/ for precompiled binaries and
> http://pware.hvcc.edu/AIX-Samba.pdf which is for AIX 6.1 TL03 though.
>
>
It shouldn't matter. The TLs are just IBM's way of drawing lines for
patch sets. The documentation was updated when TL-03 was released. The
code compiled on 5.3 should run just fine under 6.1.
> I have found the samba which is provided by IBM with expansion pack doesn't
> have support for ADS. The binaries I have tried with are both 32 bit and
> 64bit of samba, neither of them has worked for me. ADS join is ok, I am able
> to see all good output for wbinfo -t/-m/-p etc.
>
> I have copied the WINBIND module under /usr/lib/security and changed
> /usr/lib/security/methods.cfg
> as
> WINBIND:
> program = /usr/lib/security/WINBIND
> options = authonly
>
Please remove the authonly, it's not necessary.
> the /etc/security/user the default stanza with
>
> SYSTEM = "WINBIND OR compat"
>
> The errors I have repeatedly encountered are --
> Could not trigger lookup sid
> sid2gid returned an error
> Could not lookup name for user MYDOMAIN\USER1
>
> Some other errors are
> Error GID range is full!!
>
>
This is an indication that the winbind configuration may be incorrect.
In general, the AD configurations work as expected on AIX.
Could you post your smb.conf for review? Also, are you using the LDAP
backend or TDB? The IDMAP piece has been significantly modified from
3.3.x through 3.5.x, so some docs (including my own) may need some
revision and depending on how yours is written may be getting
misinterpreted.
I am posting info from one of my (old - 5.3-TL6-SP4) AIX machines
running 3.5.2 joined to w2k8R2:
[aixdev:/] # oslevel -s
5300-06-04-0748
[aixdev:/] # lslpp -l pware*
  Fileset                    Level      State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  pware53.base.rte           5.3.0.0    COMMITTED  pWare base for 5.3
  pware53.bash.rte           4.0.35.0   COMMITTED  GNU bash 4.0
  pware53.bdb.rte            4.7.25.4   COMMITTED  Berkeley DB 4.7.25
  pware53.cyrus-sasl.rte     2.1.23.1   COMMITTED  cyrus-sasl 2.1.23
  pware53.gettext.rte        0.17.0.0   COMMITTED  GNU gettext 0.17
  pware53.krb5.rte           1.7.1.1    COMMITTED  MIT Kerberos 1.7.1
  pware53.libiconv.rte       1.13.1.0   COMMITTED  GNU libiconv 1.13.1
  pware53.ncurses.rte        5.7.0.1    COMMITTED  ncurses 5.7.0.1
  pware53.openldap.rte       2.4.21.1   COMMITTED  OpenLDAP 2.4.21
  pware53.openssl.rte        0.9.8.13   COMMITTED  OpenSSL 0.9.8m
  pware53.popt.rte           1.10.4.0   COMMITTED  popt 1.10.4
  pware53.readline.rte       6.1.0.0    COMMITTED  GNU readline 6.1
  pware53.samba.rte          3.5.2.0    COMMITTED  Samba 3.5.2
  pware53.tar.rte            1.22.0.0   COMMITTED  GNU tar 1.22
  pware53.zlib.rte           1.2.4.0    COMMITTED  zlib 1.2.4
[aixdev:/] # cat /opt/pware/lib/smb.conf
[global]
security = ads
realm = DEV35.LOCAL
password server = 151.103.35.21
workgroup = DEV35
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
log level = 3
template homedir = /home/%D/%U
template shell = /opt/pware/bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
[netlogon]
path = /netlogon
[aixdev:/] # net ads testjoin
Join is OK
[aixdev:/] # wbinfo -u
administrator
guest
krbtgt
w.jojo
[aixdev:/] # wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
ctxpilot
[aixdev:/] # lsuser w.jojo
w.jojo id=10000 pgrp=domain users home=/home/DEV35/w.jojo
shell=/opt/pware/bin/bash gecos=William Jojo login=true su=true
rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak
ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND
SYSTEM=compat or WINBIND logintimes= loginretries=0 pwdwarntime=0
account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0
minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0
pwdchecks= dictionlist= fsize=-1 cpu=-1 data=-1 stack=-1 core=2097151
rss=-1 nofiles=-1 roles= id=10000 pgrp=domain users
home=/home/DEV35/w.jojo shell=/opt/pware/bin/bash pgid=10000
gecos=William Jojo shell=/opt/pware/bin/bash pgrp=domain users
SID=S-1-5-21-2261283086-3937381662-459627218-1113
[aixdev:/] # cat /usr/lib/security/methods.cfg
* @(#)78 1.5 src/bos/usr/lib/security/methods.cfg.S, cmdsadm, bos530 6/11/03 17:06:16
********************************************************************************
*
* Authentication methods:
*
* auth_method:
* program = /any/program
* program_64 = /any/program64
*
* auth_method corresponds to a custom authentication method specified in
* the SYSTEM attribute in /etc/security/user, and /any/program is the
* program to run in order to do the authentication. The program_64 attribute
* should be used for process running in 64 bit mode, /any/program64 is
* a 64 bit program.
*
* Two optional attributes may be defined for load modules. They are:
*
* The "domain" attribute is used by methods which support multiple
* domains.
*
* The "options" attribute provides a means of communicating
* run-time configuration options to the load module. Please refer
* to the documentation for the load module for appropriate values.
*
* If you are using Common Desktop Environment (CDE), you must restart the
* desktop login manager (dtlogin) for any changes to take effect.
* Restarting dtlogin will prevent CDE login failure using the updated security
* mechanisms. Please read the /usr/dt/README file for more related
* information.
*
********************************************************************************
WINBIND:
program = /usr/lib/security/WINBIND
Here is an example of logging into AIX with telnet:
AIX Version 5
Copyright IBM Corporation, 1982, 2007.
login: w.jojo
w.jojo's Password:
**************************************************************************
* *
* Use of this system is restricted to authorized personnel only and must *
* comply with federal, state and local laws in addition to campus *
* regulations. *
* *
* UNAUTHORIZED USE IS STRICTLY PROHIBITED! *
* *
* dev35 p505 5.3 *
* *
**************************************************************************
w.jojo pts/1 Apr 27 07:07 (somwhere.hvcc.edu)
[aixdev] $ cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh
snapp:*:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
ipsec:*:201:1::/etc/ipsec:/usr/bin/ksh
nuucp:*:7:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
ldap:*:202:1::/home/ldap:/usr/bin/ksh
sbnet:*:22501:1:Remote Services:/usr/lpp/sysback:/usr/bin/ksh
[aixdev] $
As you can see the user w.jojo is an AD user.
/etc/security/user has in the default stanza:
SYSTEM = "compat or WINBIND"
Hope this helps!
Cheers,
Bill
> No matter I removed *.tdb files, specified new ranges etc, this GID error
> persistently appears. I have reached the point where user authentication is
> successful but sid to gid mapping doesn't work, or lookup for that AD user
> fails. The AD seems to be OK, as another server AIX 5.2 is already working
> with samba compiled with ADS support.
>
> What I would like to know:
> 1. How do we compile samba from scratch? I tried 3.5.2, ./configure was OK,
> but this didn't create any makefile! I understand I need to
> compile kerberos, db, openldap before compiling samba; which version of the
> dependent software (kerberos, db, openldap) should be used?
> 2. How can I resolve this GID range full error?
> 3. What shall be done to have sid to gid mapping?
>
> Best Regards,
> Yash
>
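The two things Bill asks Yash to look at are the idmap ranges in smb.conf and the WINBIND stanza in methods.cfg. The following is an added example (not code from the mail, the pware packages or the Samba project) that reads both from constructed sample files: it parses the Samba 3.x "idmap uid"/"idmap gid" syntax used in the config above, reports how many ids each range can hand out (a range that has handed out all of its ids is exhausted), lists local accounts whose id already sits inside the range, and flags an "options = authonly" line in the WINBIND stanza. The smb.conf, passwd and methods.cfg content is constructed for the example; the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original mail): sanity-check the idmap ranges in an
# smb.conf (Samba 3.x "idmap uid"/"idmap gid" syntax) and the WINBIND stanza of
# an AIX methods.cfg. All sample content below is constructed.

SAMPLE_SMB_CONF='[global]
security = ads
realm = EXAMPLE.LOCAL
workgroup = EXAMPLE
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
'

# Constructed /etc/passwd lines; "svcacct" deliberately sits inside the idmap range.
SAMPLE_PASSWD='root:!:0:0::/:/usr/bin/ksh
guest:!:100:100::/home/guest:
sbnet:*:22501:1:Remote Services:/usr/lpp/sysback:/usr/bin/ksh
svcacct:*:10500:1:Local service:/home/svcacct:/usr/bin/ksh
'

# Constructed methods.cfg carrying the "options = authonly" line the reply says to drop.
SAMPLE_METHODS_CFG='WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly
'

# idmap_range CONF KEY: print "low high" for the given key ("idmap uid" or "idmap gid").
idmap_range() {
    printf '%s\n' "$1" | awk -F'=' -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); split(v, r, "-"); print r[1], r[2]; exit }'
}

# range_size LOW HIGH: print the number of ids the range can hand out, or fail
# when the range is malformed. Once that many ids have been allocated the range
# has nothing left to give.
range_size() {
    case "$1$2" in
        ''|*[!0-9]*) echo "range_size: non-numeric bounds '$1-$2'" >&2; return 1 ;;
    esac
    if [ "$1" -ge "$2" ]; then
        echo "range_size: low bound $1 must be below high bound $2" >&2
        return 1
    fi
    echo $(( $2 - $1 + 1 ))
}

# local_collisions CONF PASSWD KEY: print local account names whose uid (or gid,
# for "idmap gid") falls inside the idmap range; ids winbind allocates there
# would clash with them.
local_collisions() {
    _field=3
    if [ "$3" = "idmap gid" ]; then _field=4; fi
    set -- "$2" "$_field" $(idmap_range "$1" "$3")
    printf '%s\n' "$1" | awk -F: -v f="$2" -v lo="$3" -v hi="$4" \
        'NF >= 4 && $f + 0 >= lo + 0 && $f + 0 <= hi + 0 { print $1 }'
}

# stanza_options CFG STANZA: print the "options" value inside a methods.cfg
# stanza (empty when the stanza has none).
stanza_options() {
    printf '%s\n' "$1" | awk -v stanza="$2:" '
        /^[A-Za-z0-9_]+:[ \t]*$/ { cur = $1; next }
        cur == stanza && $1 == "options" { sub(/^[ \t]*options[ \t]*=[ \t]*/, ""); print; exit }'
}

# report: run the checks against the constructed samples and print findings.
report() {
    for key in "idmap uid" "idmap gid"; do
        set -- $(idmap_range "$SAMPLE_SMB_CONF" "$key")
        echo "$key = $1-$2 ($(range_size "$1" "$2") ids)"
        for name in $(local_collisions "$SAMPLE_SMB_CONF" "$SAMPLE_PASSWD" "$key"); do
            echo "  WARNING: local account '$name' lies inside the $key range"
        done
    done
    opts=$(stanza_options "$SAMPLE_METHODS_CFG" WINBIND)
    if [ -n "$opts" ]; then
        echo "WINBIND stanza has 'options = $opts'; remove it"
    fi
    return 0
}

report
```

On a real box the three sample variables would be replaced with `$(cat /opt/pware/lib/smb.conf)`, `$(cat /etc/passwd)` and `$(cat /usr/lib/security/methods.cfg)`; the parsing only uses POSIX sh and awk, so it runs under AIX ksh as well.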