[Samba] Samba ADS on AIX 6.1 TL04

Yashpal Nagar yashnagar at gmail.com
Tue Apr 27 07:36:00 MDT 2010


On Tue, Apr 27, 2010 at 5:32 PM, William Jojo <w.jojo at hvcc.edu> wrote:

> Yashpal Nagar wrote:
>
>> Hi All
>>
>> I'm trying to integrate samba server with ADS on AIX 6.1 TL04, for last
>> one
>> week, with idmap / winbind but no satisfactory results. I have gone
>> through
>> various links at samba.org relating to winbind, idmapper and followed
>> http://pware.hvcc.edu/  for precompiled binaries and
>> http://pware.hvcc.edu/AIX-Samba.pdf which is for AIX 6.1 TL03 though.
>>
>>
>>
>
> It shouldn't matter. The TLs are just IBM's way of drawing lines for patch
> sets. The documentation was updated when TL-03 was released. The code
> compiled on 5.3 should run just fine under 6.1.
>
>
>> I have found the samba which is provided by IBM with expansion pack doesn't
>> have support for ADS. The binaries I have tried with is both 32 bit and
>> 64bit of samba, neither of them has worked for me. ADS join is ok, I am
>> able
>> to see all good output for wbinfo -t/-m/-p etc.
>>
>> I have copied the WINBIND module under /usr/lib/security and changed
>> /usr/lib/security/methods.cfg
>> as
>> WINBIND:
>>        program = /usr/lib/security/WINBIND
>>        options = authonly
>>
>>
>
> Please remove the authonly, it's not necessary.
>
>
>> the /etc/security/user the default stanza with
>>
>> SYSTEM = "WINBIND OR compat"
>>
>> The errors I have repeatedly encountered is --
>> Could not trigger lookup sid
>> sid2gid returned an error
>> Could not lookup name for user MYDOMAIN\USER1
>>
>> Some other errors are
>> Error GID range is full!!
>>
>>
>>
>
> This is an indication that the winbind configuration may be incorrect. In
> general, the AD configurations work as expected on AIX.
>
> Could you post your smb.conf for review? Also, are you using the LDAP
> backend or TDB? The IDMAP piece has been significantly modified from 3.3.x
> through 3.5.x, so some docs (including my own) may need some revision and
> depending on how yours is written may be getting misinterpreted.
>
> I am posting info from one of my (old - 5.3-TL6-SP4) AIX machines running
> 3.5.2 joined to w2k8R2:
>
> [aixdev:/] # oslevel -s
> 5300-06-04-0748
>
> [aixdev:/] # lslpp -l pware*
>  Fileset                      Level  State      Description
> ----------------------------------------------------------------------------
> Path: /usr/lib/objrepos
>  pware53.base.rte           5.3.0.0  COMMITTED  pWare base for 5.3
>  pware53.bash.rte          4.0.35.0  COMMITTED  GNU bash 4.0
>  pware53.bdb.rte           4.7.25.4  COMMITTED  Berkeley DB 4.7.25
>  pware53.cyrus-sasl.rte    2.1.23.1  COMMITTED  cyrus-sasl 2.1.23
>  pware53.gettext.rte       0.17.0.0  COMMITTED  GNU gettext 0.17
>  pware53.krb5.rte           1.7.1.1  COMMITTED  MIT Kerberos 1.7.1
>  pware53.libiconv.rte      1.13.1.0  COMMITTED  GNU libiconv 1.13.1
>  pware53.ncurses.rte        5.7.0.1  COMMITTED  ncurses 5.7.0.1
>  pware53.openldap.rte      2.4.21.1  COMMITTED  OpenLDAP 2.4.21
>  pware53.openssl.rte       0.9.8.13  COMMITTED  OpenSSL 0.9.8m
>  pware53.popt.rte          1.10.4.0  COMMITTED  popt 1.10.4
>  pware53.readline.rte       6.1.0.0  COMMITTED  GNU readline 6.1
>  pware53.samba.rte          3.5.2.0  COMMITTED  Samba 3.5.2
>  pware53.tar.rte           1.22.0.0  COMMITTED  GNU tar 1.22
>  pware53.zlib.rte           1.2.4.0  COMMITTED  zlib 1.2.4
>
> [aixdev:/] # cat /opt/pware/lib/smb.conf
> [global]
>       security = ads
>       realm = DEV35.LOCAL
>       password server = 151.103.35.21
>       workgroup = DEV35
>       winbind separator = +
>       idmap uid = 10000-20000
>       idmap gid = 10000-20000
>       winbind enum users = yes
>       winbind enum groups = yes
>       log level = 3
>       template homedir = /home/%D/%U
>       template shell = /opt/pware/bin/bash
>       client use spnego = yes
>       client ntlmv2 auth = yes
>       encrypt passwords = yes
>       winbind use default domain = yes
>       restrict anonymous = 2
> [netlogon]
>       path = /netlogon
>
> [aixdev:/] # net ads testjoin
> Join is OK
>
> [aixdev:/] # wbinfo -u
> administrator
> guest
> krbtgt
> w.jojo
>
> [aixdev:/] # wbinfo -g
> domain computers
> domain controllers
> schema admins
> enterprise admins
> cert publishers
> domain admins
> domain users
> domain guests
> group policy creator owners
> ras and ias servers
> allowed rodc password replication group
> denied rodc password replication group
> read-only domain controllers
> enterprise read-only domain controllers
> dnsadmins
> dnsupdateproxy
> ctxpilot
> [aixdev:/] # lsuser w.jojo
> w.jojo id=10000 pgrp=domain users home=/home/DEV35/w.jojo
> shell=/opt/pware/bin/bash gecos=William Jojo login=true su=true rlogin=true
> daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL
> expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND SYSTEM=compat or
> WINBIND logintimes= loginretries=0 pwdwarntime=0 account_locked=false
> minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8
> minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1
> data=-1 stack=-1 core=2097151 rss=-1 nofiles=-1 roles= id=10000 pgrp=domain
> users home=/home/DEV35/w.jojo shell=/opt/pware/bin/bash pgid=10000
> gecos=William Jojo shell=/opt/pware/bin/bash pgrp=domain users
> SID=S-1-5-21-2261283086-3937381662-459627218-1113
>
> [aixdev:/] # cat /usr/lib/security/methods.cfg
> * @(#)78        1.5  src/bos/usr/lib/security/methods.cfg.S, cmdsadm, bos530 6/11/03 17:06:16
>
> ********************************************************************************
> *
> * Authentication methods:
> *
> * auth_method:
> *       program = /any/program
> *       program_64 = /any/program64
> *
> * auth_method corresponds to a custom authentication method specified in
> * the SYSTEM attribute in /etc/security/user, and /any/program is the
> * program to run in order to do the authentication.  The program_64 attribute
> * should be used for process running in 64 bit mode, /any/program64 is
> * a 64 bit program.
> *
> * Two optional attributes may be defined for load modules.  They are:
> *
> * The "domain" attribute is used by methods which support multiple domains.
> *
> * The "options" attribute provides a means of communicating run-time
> * configuration options to the load module.  Please refer to the
> * documentation for the load module for appropriate values.
> *
> * If you are using Common Desktop Environment (CDE), you must restart the
> * desktop login manager (dtlogin) for any changes to take effect.
> * Restarting dtlogin will prevent CDE login failure using the updated security
> * mechanisms. Please read the /usr/dt/README file for more related
> * information.
> *
> ********************************************************************************
>
>
>
> WINBIND:
>       program = /usr/lib/security/WINBIND
>
>
>
> Here is an example of logging into AIX with telnet:
>
> AIX Version 5
> Copyright IBM Corporation, 1982, 2007.
> login: w.jojo
> w.jojo's Password:
> **************************************************************************
> *                                                                        *
> * Use of this system is restricted to authorized personnel only and must *
> * comply with federal, state and local laws in addition to campus        *
> * regulations.                                                           *
> *                                                                        *
> *              UNAUTHORIZED USE IS STRICTLY PROHIBITED!                  *
> *                                                                        *
> * dev35 p505 5.3                                                         *
> *                                                                        *
> **************************************************************************
>
>
> w.jojo      pts/1       Apr 27 07:07     (somwhere.hvcc.edu)
>
> [aixdev] $ cat /etc/passwd
> root:!:0:0::/:/usr/bin/ksh
> daemon:!:1:1::/etc:
> bin:!:2:2::/bin:
> sys:!:3:3::/usr/sys:
> adm:!:4:4::/var/adm:
> uucp:!:5:5::/usr/lib/uucp:
> guest:!:100:100::/home/guest:
> nobody:!:4294967294:4294967294::/:
> lpd:!:9:4294967294::/:
> lp:*:11:11::/var/spool/lp:/bin/false
> invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh
> snapp:*:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
> ipsec:*:201:1::/etc/ipsec:/usr/bin/ksh
> nuucp:*:7:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
> ldap:*:202:1::/home/ldap:/usr/bin/ksh
> sbnet:*:22501:1:Remote Services:/usr/lpp/sysback:/usr/bin/ksh
> [aixdev] $
>
>
> As you can see the user w.jojo is an AD user.
>
>
> /etc/security/user has in the default stanza:
>
>       SYSTEM = "compat or WINBIND"
>
>
> Hope this helps!
>
>
> Cheers,
> Bill
>
>
>> No matter I removed *.tdb files, specified new ranges etc, this GID error
>> persistently appears. I have reached to the point where user authentication
>> is
>> successful but sid to gid mapping doesn't work, or lookup for that AD user
>> fails. The AD seems to be OK , as another server AIX 5.2 is already
>> working
>> with samba compiled with ADS support.
>>
>> What I would like to know.
>> 1. How do we compile samba from scratch, I tried 3.5.2 , ./configure was
>> OK,
>> but this didn't create any makefile! , I understand I need to
>> compile kerberos , db, openldap before compiling samba, which version of
>> the
>> dependent software (kerberos, db, openldap) be used?
>> 2. How can I resolve this GID range full error.
>> 3. what shall be done to have sid to gid mapping.
>>
>> Best Regards,
>> Yash
>>
>>
>
Thanks a lot Bill for your reply.

My smb.conf
-------------------------------------------------
[global]
  workgroup = MYGRP
  domain master = no
  local master = no
  server string = Test Samba Server
  netbios name = FOO
  realm = AA.DK
  allow trusted domains = no
  security = ADS
  encrypt passwords = yes
  password server = *
  dns proxy = no
  log level = 3
  max log size = 100
  log file = /var/log/samba/%m.log
  client use spnego = yes
  idmap domains = MYGRP
  idmap config MYGRP:default = yes
  idmap config MYGRP:backend = tdb
  idmap config MYGRP:range   = 200000  -  500000
  idmap alloc backend = tdb
  idmap alloc config:range  = 200000  -  500000
  restrict anonymous = yes
  wins server = namesrv04 namesrv03
  name resolve order = wins bcast
-----------------------------------------------------
When I run testparm, it says unrecognised " idmap domains = MYGRP". If I
comment that out this throws no error for 'net ads testjoin' etc. No matter
whichever samba ver I use it complains about this line, I may notice you
have mentioned same example in one of your examples in your pdf, under
IDMAP_TDB.

Other smb.conf, I have tried which works well on AIX 5.2, but didn't work
with precompiled binaries on AIX 6.1
-------------------------------------------------------
[global]
  workgroup = MYGRP
  domain master = no
  local master = no
  server string = Test Samba Server
  netbios name = foo
  realm = AA.DK
  allow trusted domains = no
  security = ADS
  encrypt passwords = yes
  password server = *
  dns proxy = no
  log level = 1
  max log size = 100
  log file = /var/log/samba/%m.log
  idmap uid = 100000-999999
  idmap gid = 1000000-1999999
  restrict anonymous = yes
  wins server = namesrv04 namesrv03
  name resolve order = wins bcast
  winbind enum groups = no
  winbind enum users = no
  winbind cache time = 300
  winbind use default domain = yes
--------------------------------------------------
Since the existing setup (AIX5.2) works well with tdb backend, though it is
not explicitly mentioned into the config above, But i can see a large
winbindd_idmap.tdb under $SAMBA/var. I would keep the same tdb (default?)
backend.


What I would like to know -

1. Which samba binaries you have installed, I believe it is 32 bit. Can I
use 64 bit binaries on a production server? You have mentioned
*The 64-bit code is to be treated as PRODUCTION. *
what does this mean? if this PRODUCTION means it shall be used for
production servers or it is for you/SAMBA development team currently using
for development/production of samba. Some more information here on your
website surely would help more.

3. After changing methods.cfg, user file, Is there any program need to be
restarted apart from samba or server reboot?

4. I understand AIX uses LAM, instead of PAM which is used on Linux. Is
there any setting related to LAM we got to do on AIX. There is no
nsswitch.conf file as well, I assume since these binaries are already
compiled for that platform, it should take care automatically?

Please let me know your comments I shall test this out tomorrow. Your
website is a big relief to many, keep up the good work.

Regards
Yash
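As an added illustration (not code from this thread, from Samba, or from the pWare project), the following Python script parses a [global] section in the style of the configs above and checks the idmap settings the thread turns on: it flags the `idmap domains` line that testparm rejects, parses the `range = low - high` values (including the spaced form used above), and warns when a local /etc/passwd account's uid or gid falls inside a winbind allocation range, since such an overlap would let an AD-mapped identity and a local account share file ownership. The sample config and passwd lines are copied from the messages above; the function names and the `UNRECOGNISED` set are the example's own.

```python
import re

# Sample input: the first smb.conf from Yash's reply above, trimmed to the
# idmap-related lines (copied from the message, not invented).
SAMPLE_SMB_CONF = """
[global]
  workgroup = MYGRP
  realm = AA.DK
  security = ADS
  idmap domains = MYGRP
  idmap config MYGRP:default = yes
  idmap config MYGRP:backend = tdb
  idmap config MYGRP:range   = 200000  -  500000
  idmap alloc backend = tdb
  idmap alloc config:range  = 200000  -  500000
  restrict anonymous = yes
"""

# Sample input: a few /etc/passwd lines from Bill's AIX listing above.
SAMPLE_PASSWD = """root:!:0:0::/:/usr/bin/ksh
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
sbnet:*:22501:1:Remote Services:/usr/lpp/sysback:/usr/bin/ksh
"""

# Parameters that testparm on the 3.5 builds in this thread reports as
# unrecognised (assumed set; 'idmap config DOMAIN:range' carries the same info).
UNRECOGNISED = {"idmap domains"}


def parse_smb_conf(text):
    """Return {section: {normalised key: value}}.  Keys are lower-cased with
    whitespace runs collapsed, so 'idmap  config X:range' and
    'idmap config X:range' compare equal; only whole-line ; or # comments
    are skipped, as in smb.conf itself."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def parse_range(value):
    """'200000  -  500000' -> (200000, 500000); ValueError if malformed."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        raise ValueError("bad idmap range: %r" % value)
    low, high = int(m.group(1)), int(m.group(2))
    if low >= high:
        raise ValueError("idmap range low >= high: %r" % value)
    return low, high


def local_ids(passwd_text):
    """Collect (name, uid, gid) from passwd-format lines."""
    out = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4:
            out.append((f[0], int(f[2]), int(f[3])))
    return out


def idmap_ranges(glob):
    """Every idmap range in a [global] dict, keyed by parameter name: the old
    'idmap uid'/'idmap gid' form and any 'idmap ... :range' form."""
    return {k: parse_range(v) for k, v in glob.items()
            if k in ("idmap uid", "idmap gid") or k.endswith(":range")}


def check_idmap(conf, accounts):
    """Return a list of human-readable findings for the idmap setup."""
    glob = conf.get("global", {})
    findings = ["parameter '%s' is not recognised by testparm" % k
                for k in sorted(UNRECOGNISED & set(glob))]
    ranges = idmap_ranges(glob)
    if not ranges:
        findings.append("no idmap range configured; winbind cannot allocate ids")
    for key, (low, high) in ranges.items():
        # A local account whose id sits inside the winbind range would share
        # that id with whatever AD object winbind later maps there.
        for name, uid, gid in accounts:
            hit_uid = key != "idmap gid" and low <= uid <= high
            hit_gid = key != "idmap uid" and low <= gid <= high
            if hit_uid or hit_gid:
                findings.append("local account %s (uid %d gid %d) lies inside %s %d-%d"
                                % (name, uid, gid, key, low, high))
        # Capacity: once more users/groups need mapping than ids exist here,
        # allocation fails, which is the kind of 'range is full' error above.
        findings.append("%s allows %d ids" % (key, high - low + 1))
    return findings


def lint(smb_conf_text, passwd_text):
    """Run every check over raw smb.conf and passwd text."""
    return check_idmap(parse_smb_conf(smb_conf_text), local_ids(passwd_text))


if __name__ == "__main__":
    for finding in lint(SAMPLE_SMB_CONF, SAMPLE_PASSWD):
        print(finding)
```

Run it against the real files (for instance `lint(open("/opt/pware/lib/smb.conf").read(), open("/etc/passwd").read())`) before restarting winbindd; the collision check is the one worth keeping in a change checklist, because nothing in Samba or AIX itself refuses a range that overlaps existing local uids.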

