[Samba] login into AIX using winbind

William E Jojo w.jojo at hvcc.edu
Thu Apr 7 09:02:37 MDT 2011



----- Original Message -----
> From: "kleber povoação" <okleber at gmail.com>
> To: "William E Jojo" <w.jojo at hvcc.edu>
> Cc: samba at lists.samba.org
> Sent: Thursday, April 7, 2011 10:05:22 AM
> Subject: Re: [Samba] login into AIX using winbind
> I'm trying to log in using just the username: brab10_dbr, without domain
> CEABR at login.
> **********
> ceaulab1:/opt/pware64/var>lslpp -l | grep pware
> pware53-64.base.rte 5.3.0.0 COMMITTED 64-bit pWare base for 5.3
> pware53-64.bdb.rte 4.7.25.4 COMMITTED Berkeley DB 4.7.25 (64-bit)
> pware53-64.cyrus-sasl.rte
> pware53-64.gettext.rte 0.17.0.0 COMMITTED GNU gettext 0.17 (64-bit)
> pware53-64.krb5.rte 1.8.3.0 COMMITTED MIT Kerberos 1.8.3 (64-bit)
> pware53-64.libiconv.rte 1.13.1.0 COMMITTED GNU libiconv 1.13.1
> (64-bit)
> pware53-64.ncurses.rte 5.7.0.1 COMMITTED ncurses 5.7.0.1 (64-bit)
> pware53-64.openldap.rte 2.4.23.0 COMMITTED OpenLDAP 2.4.23 (64-bit)
> pware53-64.openssl.rte 0.9.8.15 COMMITTED OpenSSL 0.9.8o (64-bit)
> pware53-64.popt.rte 1.10.4.0 COMMITTED popt 1.10.4 (64-bit)
> pware53-64.readline.rte 6.1.0.0 COMMITTED GNU readline 6.1 (64-bit)
> pware53-64.samba.rte 3.5.6.0 COMMITTED Samba 3.5.6 (64-bit)
> pware53-64.zlib.rte 1.2.4.0 COMMITTED zlib 1.2.4 (64-bit)

Thank you for using pWare. ;-)

I would have expected the pware61.* to be running on AIX 6.1

Now that I know you are running the 64-bit stuff, you will need to change the methods.cfg:

program_64 = /usr/lib/security/WINBIND_64


Only the 64-bit WINBIND is provided with pware53-64.


Let me know how you get on. :-)


Cheers,
Bill


> ********
> AIX 6100-06
> ********************
> ceaulab1:/>lsuser -R WINBIND brab10_dbr
> 3004-687 User "brab10_dbr" does not exist.
> 
> Do I need not to do a mkuser ok ? Because the user is at AD.
> ***************************
> ceaulab1:/tmp>touch file
> ceaulab1:/tmp>chown brab10_dbr file
> chown: 3002-131 brab10_dbr is an unknown username.
> ***********************
> ceaulab1:/opt/pware64/var>telnet localhost
> Trying...
> Connected to localhost.
> Escape character is '^]'.
> 
> 
> telnet (ceaulab1)
> 
> 
> 
> Login: brab10_dbr
> brab10_dbr's Password:
> 3004-007 You entered an invalid login name or password.
> login:
> 
> ******************
> file /opt/pware64/var/log.winbind
> 
> In the following file I noted one line "connection_ok: Connection to
> for domain CEABR is not connected" -> CEABR is the Windows workgroup that
> user brab10_db belongs to.
> 
> ceaulab1:/opt/pware64/var>cat log.winbindd
> [2011/04/07 10:48:01, 0] winbindd/winbindd.c:1105(main)
> winbindd version 3.5.6 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2010
> [2011/04/07 10:48:01.968181, 2]
> lib/tallocmsg.c:106(register_msg_pool_usage)
> Registered MSG_REQ_POOL_USAGE
> [2011/04/07 10:48:01.968302, 2]
> lib/dmallocmsg.c:77(register_dmalloc_msgs)
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> [2011/04/07 10:48:01.968399, 3] param/loadparm.c:9158(lp_load_ex)
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: rlimit_max (2000) below minimum Windows limit (16384)
> [2011/04/07 10:48:01.968567, 3] ../lib/util/params.c:550(pm_process)
> params.c:pm_process() - Processing configuration file
> "/opt/pware64/lib/smb.conf"
> [2011/04/07 10:48:01.968641, 3] param/loadparm.c:7842(do_section)
> Processing section "[global]"
> [2011/04/07 10:48:01.969161, 3] param/loadparm.c:6313(lp_add_ipc)
> adding IPC service
> [2011/04/07 10:48:01.976518, 2] lib/interface.c:340(add_interface)
> added interface en3 ip=10.x.x.x bcast=10.x.x.255 netmask=
> [2011/04/07 10:48:01.976670, 2] lib/interface.c:340(add_interface)
> added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=
> [2011/04/07 10:48:01.976832, 2] lib/interface.c:340(add_interface)
> added interface en3 ip=10.x.x.x bcast=10.x.x.255 netmask=
> [2011/04/07 10:48:01.976912, 2] lib/interface.c:340(add_interface)
> added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=
> [2011/04/07 10:48:04.035216, 1]
> lib/tdb_validate.c:457(tdb_validate_and_backup)
> tdb '/opt/pware64/var/locks/winbindd_cache.tdb' is valid
> [2011/04/07 10:48:08.296102, 1]
> lib/tdb_validate.c:467(tdb_validate_and_backup)
> Created backup '/opt/pware64/var/locks/winbindd_cache.tdb.bak' of
> tdb '/opt/pware64/var/locks/winbindd_cache.tdb'
> [2011/04/07 10:48:08.375298, 2]
> winbindd/winbindd_util.c:221(add_trusted_domain)
> Added domain BUILTIN S-1-5-32
> [2011/04/07 10:48:08.375504, 2]
> winbindd/winbindd_util.c:221(add_trusted_domain)
> Added domain CEAULAB1 S-1-5-21-275589774-1111006802-1142404070
> [2011/04/07 10:48:08.375700, 2]
> winbindd/winbindd_util.c:221(add_trusted_domain)
> Added domain WW S-1-5-21-477278139-4163948897-2641029873
> [2011/04/07 10:48:09.095861, 2]
> winbindd/winbindd_util.c:221(add_trusted_domain)
> Added domain WWW S-1-5-21-4109860217-3884139575-1781413053
> [2011/04/07 10:48:09.096544, 2]
> winbindd/winbindd_util.c:221(add_trusted_domain)
> Added domain CW S-1-5-21-3224037681-1998144755-3803369224
> [2011/04/07 10:48:09.104932, 2]
> winbindd/winbindd_util.c:221(add_trusted_domain)
> Added domain xxx S-1-5-21-1125475667-1308779437-1236795852
> [2011/04/07 10:48:09.105264, 2]
> winbindd/winbindd_util.c:221(add_trusted_domain)
> Added domain WWW S-1-5-21-858964348-3275466132-3667905073
> [2011/04/07 10:48:13.512247, 3]
> winbindd/winbindd_cm.c:1633(connection_ok)
> connection_ok: Connection to for domain CEABR is not connected
> [2011/04/07 10:48:13.528483, 3]
> libsmb/cliconnect.c:991(cli_session_setup_spnego)
> Doing spnego session setup (blob length=115)
> [2011/04/07 10:48:13.535011, 3]
> libsmb/cliconnect.c:1020(cli_session_setup_spnego)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.2.840.113554.1.2.2.3
> got OID=1.3.6.1.4.1.311.2.2.10
> [2011/04/07 10:48:13.535212, 3]
> libsmb/cliconnect.c:1030(cli_session_setup_spnego)
> got principal=ceaadbrp1$@XXX
> [2011/04/07 10:48:13.567241, 2]
> libsmb/cliconnect.c:795(cli_session_setup_kerberos)
> Doing kerberos session setup
> [2011/04/07 10:48:13.575172, 3]
> libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
> expiration Thu, 07 Apr 2011 20:48:13 GMT-03:00
> [2011/04/07 10:48:13.575364, 3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
> ads_krb5_mk_req: server marked as OK to delegate to, building
> forwardable TGT
> 
> **********************
> ceaulab1:/opt/pware64/var>cat log.wb-CEABR
> 
> [2011/04/07 10:48:08.446242, 3]
> winbindd/winbindd_cm.c:1633(connection_ok)
> connection_ok: Connection to for domain CEABR is not connected
> [2011/04/07 10:48:08.495255, 3]
> libsmb/cliconnect.c:991(cli_session_setup_spnego)
> Doing spnego session setup (blob length=115)
> [2011/04/07 10:48:08.495545, 3]
> libsmb/cliconnect.c:1020(cli_session_setup_spnego)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.2.840.113554.1.2.2.3
> got OID=1.3.6.1.4.1.311.2.2.10
> [2011/04/07 10:48:08.495666, 3]
> libsmb/cliconnect.c:1030(cli_session_setup_spnego)
> got principal=ceaadbrp1$@xxxx
> [2011/04/07 10:48:08.529939, 2]
> libsmb/cliconnect.c:795(cli_session_setup_kerberos)
> Doing kerberos session setup
> [2011/04/07 10:48:08.538272, 3]
> libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
> expiration Thu, 07 Apr 2011 20:48:08 GMT-03:00
> [2011/04/07 10:48:08.538440, 3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
> ads_krb5_mk_req: server marked as OK to delegate to, building
> forwardable TGT
> [2011/04/07 10:48:08.871177, 3]
> winbindd/winbindd_ads.c:1206(sequence_number)
> ads: fetch sequence_number for CEABR
> [2011/04/07 10:48:08.871449, 3] libsmb/namequery.c:1880(get_dc_list)
> get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
> [2011/04/07 10:48:08.877761, 3] libads/ldap.c:634(ads_connect)
> Successfully contacted LDAP server 10.16.1.203
> [2011/04/07 10:48:08.877989, 3] libsmb/namequery.c:1880(get_dc_list)
> get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
> [2011/04/07 10:48:08.878252, 3] libsmb/namequery.c:1880(get_dc_list)
> get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
> [2011/04/07 10:48:08.943625, 3] libsmb/namequery.c:1880(get_dc_list)
> get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
> [2011/04/07 10:48:08.946330, 3] libads/ldap.c:634(ads_connect)
> Successfully contacted LDAP server 10.x.x.x
> [2011/04/07 10:48:08.946581, 3] libsmb/namequery.c:1880(get_dc_list)
> get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
> [2011/04/07 10:48:08.946852, 3] libsmb/namequery.c:1880(get_dc_list)
> get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
> [2011/04/07 10:48:09.004434, 3] libads/ldap.c:634(ads_connect)
> Successfully contacted LDAP server 10.16.1.203
> [2011/04/07 10:48:09.006830, 3] libads/ldap.c:688(ads_connect)
> Connected to LDAP server ceaadbrp1.xxx
> [2011/04/07 10:48:09.008109, 3]
> libads/sasl.c:782(ads_sasl_spnego_bind)
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> [2011/04/07 10:48:09.008190, 3]
> libads/sasl.c:782(ads_sasl_spnego_bind)
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> [2011/04/07 10:48:09.008267, 3]
> libads/sasl.c:782(ads_sasl_spnego_bind)
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> [2011/04/07 10:48:09.008343, 3]
> libads/sasl.c:782(ads_sasl_spnego_bind)
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> [2011/04/07 10:48:09.008418, 3]
> libads/sasl.c:791(ads_sasl_spnego_bind)
> ads_sasl_spnego_bind: got server principal name = ceaadbrp1$@xxx
> [2011/04/07 10:48:09.008672, 3] libsmb/clikrb5.c:787(ads_krb5_mk_req)
> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found)
> [2011/04/07 10:48:09.054672, 3]
> libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
> expiration Thu, 07 Apr 2011 20:48:09 GMT-03:00
> [2011/04/07 10:48:09.054867, 3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
> ads_krb5_mk_req: server marked as OK to delegate to, building
> forwardable TGT
> [2011/04/07 10:48:09.074603, 3]
> libsmb/ntlmssp.c:1101(ntlmssp_client_challenge)
> Got challenge flags:
> [2011/04/07 10:48:09.074743, 3]
> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62898235
> [2011/04/07 10:48:09.074819, 3]
> libsmb/ntlmssp.c:1123(ntlmssp_client_challenge)
> NTLMSSP: Set final flags:
> [2011/04/07 10:48:09.074888, 3]
> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x60088235
> [2011/04/07 10:48:09.075079, 3]
> libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2011/04/07 10:48:09.075167, 3]
> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x60088235
> [2011/04/07 10:48:09.081098, 3]
> winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
> [6553754]: list trusted domains
> [2011/04/07 10:48:09.081206, 3]
> winbindd/winbindd_ads.c:1269(trusted_domains)
> ads: trusted_domains
> [2011/04/07 10:48:09.105515, 3]
> winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
> [6553754]: list trusted domains
> [2011/04/07 10:48:09.105620, 3]
> winbindd/winbindd_ads.c:1269(trusted_domains)
> ads: trusted_domains
> [2011/04/07 10:53:08.428859, 3]
> winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
> [6553754]: list trusted domains
> [2011/04/07 10:53:08.429039, 3]
> winbindd/winbindd_ads.c:1269(trusted_domains)
> ads: trusted_domains
> 
> 
> TKS
> 
> Em 6 de abril de 2011 22:08, William E Jojo <w.jojo at hvcc.edu>
> escreveu:
> >
> > ----- Original Message -----
> >> From: "kleber povoação" <okleber at gmail.com>
> >> To: samba at lists.samba.org
> >> Sent: Wednesday, April 6, 2011 6:33:10 PM
> >> Subject: [Samba] login into AIX using winbind
> >> Can someone help me ?
> >>
> >> I can't log in at the AIX machine using an Active Directory user.
> >> ****************************
> >> /etc/smb.conf
> >>
> >> [global]
> >> security = ads
> >> realm = XXXXXXXX
> >> password server = *
> >> workgroup = YYYYY
> >> idmap uid = 10000-20000
> >> idmap gid = 10000-20000
> >> winbind use default domain = yes
> >> log level = 3
> >> template homedir = /home/%D/%U
> >> template shell = /usr/bin/ksh
> >> server string = %h server
> >> winbind nested groups = Yes
> >> winbind offline logon = true
> >> interfaces = en3 lo0
> >> bind interfaces only = yes
> >> name resolve order = host wins bcast
> >> lm announce = False
> >> preferred master = False
> >> keepalive = 30
> >> auth methods = winbind
> >> client use spnego = Yes
> >> encrypt passwords = Yes
> >> domain master = no
> >> local master = no
> >> preferred master = no
> >> passdb backend = tdbsam
> >> unix extensions = no
> >> idmap config YYYYY : default = yes
> >> idmap config YYYYY : backend = ad
> >> idmap config YYYYY : range = 10000-20000
> >> ********************************************
> >> /usr/lib/security/methods.cfg
> >>
> >> WINBIND:
> >> program = /usr/lib/security/WINBIND
> >>
> >> KRB5A:
> >> program = /usr/lib/security/KRB5A
> >> options = authonly
> >> program_64 = /usr/lib/security/KRB5A_64
> >>
> >> KRB5Afiles:
> >> options = db=BUILTIN,auth=KRB5A
> >>
> >> NIS:
> >> program = /usr/lib/security/NIS
> >> program_64 = /usr/lib/security/NIS_64
> >>
> >>
> >> DCE:
> >> program = /usr/lib/security/DCE
> >>
> >>
> >> ***************************
> >> /etc/security/user
> >>
> >> default:
> >> admin = false
> >> login = true
> >> su = true
> >> daemon = true
> >> rlogin = true
> >> sugroups = ALL
> >> admgroups =
> >> ttys = ALL
> >> auth1 = SYSTEM
> >> auth2 = NONE
> >> tpath = nosak
> >> umask = 22
> >> expires = 0
> >> SYSTEM = "WINBIND OR compat"
> >> registry = WINBIND
> >> logintimes =
> >> pwdwarntime = 3
> >> account_locked = false
> >> loginretries = 5
> >> histexpire = 48
> >> histsize = 8
> >> minage = 1
> >> maxage = 0
> >> maxexpired = -1
> >> minalpha = 4
> >> minother = 2
> >> minlen = 8
> >> mindiff = 3
> >> maxrepeats = 8
> >> dictionlist =
> >> pwdchecks =
> >> default_roles =
> >> *************************
> >> /etc/krb5.conf
> >> [libdefaults]
> >> default_realm = wwww
> >> default_keytab_name = FILE:/etc/krb5/krb5.keytab
> >> forwardable = true
> >> clockskew = 300
> >>
> >> [realms]
> >> BRASIL.LATAM.CEA = {
> >> kdc = www:88
> >> admin_server = www:749
> >> default_domain = wwww
> >> }
> >>
> >> [domain_realm]
> >> .xxx.xx.xx = XXXX
> >> xxx.xx.xx = XXXX
> >>
> >> [logging]
> >> kdc = FILE:/var/krb5/log/krb5kdc.log
> >> admin_server = FILE:/var/krb5/log/kadmin.log
> >> kadmin_local = FILE:/var/krb5/log/kadmin_local.log
> >> default = FILE:/var/krb5/log/krb5lib.log
> >>
> >> ******************
> >> what works?
> >>
> >>
> >> lab1:/>wbinfo -i brab10_dbr
> >> brab10_dbr:*:10000:10000:Anderson:/home/XXX/brab10_dbr:/usr/bin/ksh
> >>
> >> wbinfo -g
> >>
> >> net ads info
> >>
> >> klist
> >> ***********************
> >> what does not work
> >>
> >> lab1:/>lsuser -R WINBIND ALL -> show no error but not return any
> >> user.
> >> lab1:/>
> >>
> >
> > ALL has never worked. There is a timeout issue within AIX that I was
> > never able to track down.
> >
> >
> >> login with AD user at telnet or ssh or locally at console
> >
> >
> > How are you logging in? Is the user fully-qualified? (Should not be
> > necessary with winbind use default domain). Is there a home dir
> > ready to receive them?
> >
> > Does "lsuser -R WINBIND username" return what you expect?
> >
> > Does chown allow you to specify an AD user?
> >
> > Anything in your log level 3 that may help?
> >
> >
> > Cheers,
> > Bill
> >
> >
> >>
> >> *******************
> >>
> >> tks all
> >
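
Added example, not part of the original messages and not pWare or Samba code: a small POSIX shell check for the methods.cfg change described in the reply, reading a stanza and reporting whether program_64 is set. The function names and the sample files are constructed for illustration, and the check assumes, as the reply states, that only the 64-bit WINBIND module is installed.

```shell
#!/bin/sh
# Added example: audit an AIX methods.cfg stanza for its load-module attributes.

# stanza_attr FILE STANZA ATTR -> prints the attribute value (nothing if unset)
stanza_attr() {
    awk -v want="$2" -v attr="$3" '
        /^[ \t]*\*/ { next }                  # "*" starts a comment line
        /^[^ \t=]+:[ \t]*$/ {                 # "NAME:" opens a stanza
            name = $1; sub(/:$/, "", name)
            inside = (name == want); next
        }
        inside && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == attr) print val
        }
    ' "$1"
}

# check_module FILE STANZA -> one-line verdict; returns 0 only if program_64 is set
check_module() {
    p32=$(stanza_attr "$1" "$2" program)
    p64=$(stanza_attr "$1" "$2" program_64)
    if [ -n "$p64" ]; then
        echo "OK: $2 program_64=$p64"
    elif [ -n "$p32" ]; then
        echo "MISSING: $2 has program=$p32 but no program_64"
        return 1
    else
        echo "ABSENT: no load module configured for $2"
        return 1
    fi
}

# Constructed sample files modelled on the methods.cfg quoted in the thread.
demo_dir="${TMPDIR:-/tmp}/methods_cfg_demo.$$"
mkdir -p "$demo_dir"
printf 'WINBIND:\n\tprogram = /usr/lib/security/WINBIND\n\nNIS:\n\tprogram = /usr/lib/security/NIS\n\tprogram_64 = /usr/lib/security/NIS_64\n' > "$demo_dir/before.cfg"
printf 'WINBIND:\n\tprogram_64 = /usr/lib/security/WINBIND_64\n' > "$demo_dir/after.cfg"

check_module "$demo_dir/before.cfg" WINBIND || true   # stanza as first posted
check_module "$demo_dir/after.cfg" WINBIND            # stanza with the 64-bit module
```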

