[Samba] login into AIX using winbind

kleber povoação okleber at gmail.com
Thu Apr 7 14:25:31 MDT 2011


I didn't find WINBIND_64, so I changed the versions:

  pware61.base.rte           6.1.0.0  COMMITTED  pWare base for 6.1
  pware61.bdb.rte           4.7.25.4  COMMITTED  Oracle Berkeley DB 4.7.25
  pware61.cyrus-sasl.rte    2.1.23.0  COMMITTED  Cyrus SASL 2.1.23
  pware61.gettext.rte       0.18.1.1  COMMITTED  GNU gettext 0.18.1.1
  pware61.krb5.rte           1.8.3.0  COMMITTED  MIT Kerberos 1.8.3
  pware61.libiconv.rte      1.13.1.0  COMMITTED  GNU libiconv 1.13.1
  pware61.ncurses.rte        5.7.0.0  COMMITTED  ncurses 5.7
  pware61.openldap.rte      2.4.23.0  COMMITTED  OpenLDAP 2.4.23
  pware61.openssl.rte       0.9.8.15  COMMITTED  OpenSSL 0.9.8o
  pware61.popt.rte          1.16.0.0  COMMITTED  popt 1.16
  pware61.readline.rte       6.1.2.0  COMMITTED  GNU readline 6.1
  pware61.samba.rte          3.5.6.0  COMMITTED  Samba 3.5.6
  pware61.zlib.rte           1.2.5.0  COMMITTED  zlib 1.2.5

Again, this file (WINBIND_64) does not exist.

ceaulab1:/opt/pware>find . -name *WINB*
./lib/security/WINBIND
ceaulab1:/opt/pware>

I just added one line to methods.cfg

WINBIND:
       program = /usr/lib/security/WINBIND
       program_64 = /usr/lib/security/WINBIND

and tried

WINBIND:
        program_64 = /usr/lib/security/WINBIND

I just copied it from /opt/pware/lib/security/WINBIND to /usr/lib/security

I'm in the same situation. Any ideas?


On 7 April 2011 at 12:02, William E Jojo <w.jojo at hvcc.edu> wrote:
>
>
> ----- Original Message -----
>> From: "kleber povoação" <okleber at gmail.com>
>> To: "William E Jojo" <w.jojo at hvcc.edu>
>> Cc: samba at lists.samba.org
>> Sent: Thursday, April 7, 2011 10:05:22 AM
>> Subject: Re: [Samba] login into AIX using winbind
>> I'm trying to log in using just the username: brab10_dbr, without domain
>> CEABR at login.
>> **********
>> ceaulab1:/opt/pware64/var>lslpp -l | grep pware
>> pware53-64.base.rte 5.3.0.0 COMMITTED 64-bit pWare base for 5.3
>> pware53-64.bdb.rte 4.7.25.4 COMMITTED Berkeley DB 4.7.25 (64-bit)
>> pware53-64.cyrus-sasl.rte
>> pware53-64.gettext.rte 0.17.0.0 COMMITTED GNU gettext 0.17 (64-bit)
>> pware53-64.krb5.rte 1.8.3.0 COMMITTED MIT Kerberos 1.8.3 (64-bit)
>> pware53-64.libiconv.rte 1.13.1.0 COMMITTED GNU libiconv 1.13.1
>> (64-bit)
>> pware53-64.ncurses.rte 5.7.0.1 COMMITTED ncurses 5.7.0.1 (64-bit)
>> pware53-64.openldap.rte 2.4.23.0 COMMITTED OpenLDAP 2.4.23 (64-bit)
>> pware53-64.openssl.rte 0.9.8.15 COMMITTED OpenSSL 0.9.8o (64-bit)
>> pware53-64.popt.rte 1.10.4.0 COMMITTED popt 1.10.4 (64-bit)
>> pware53-64.readline.rte 6.1.0.0 COMMITTED GNU readline 6.1 (64-bit)
>> pware53-64.samba.rte 3.5.6.0 COMMITTED Samba 3.5.6 (64-bit)
>> pware53-64.zlib.rte 1.2.4.0 COMMITTED zlib 1.2.4 (64-bit)
>
> Thank you for using pWare. ;-)
>
> I would have expected the pware61.* to be running on AIX 6.1
>
> Now that I know you are running the 64-bit stuff, you will need to change the methods.cfg:
>
> program_64 = /usr/lib/security/WINBIND_64
>
>
> Only the 64-bit WINBIND is provided with pware53-64.
>
>
> Let me know how you get on. :-)
>
>
> Cheers,
> Bill
>
>
>> ********
>> AIX 6100-06
>> ********************
>> ceaulab1:/>lsuser -R WINBIND brab10_dbr
>> 3004-687 User "brab10_dbr" does not exist.
>>
>> I do not need to do a mkuser, OK? Because the user is in AD.
>> ***************************
>> ceaulab1:/tmp>touch file
>> ceaulab1:/tmp>chown brab10_dbr file
>> chown: 3002-131 brab10_dbr is an unknown username.
>> ***********************
>> ceaulab1:/opt/pware64/var>telnet localhost
>> Trying...
>> Connected to localhost.
>> Escape character is '^]'.
>>
>>
>> telnet (ceaulab1)
>>
>>
>>
>> Login: brab10_dbr
>> brab10_dbr's Password:
>> 3004-007 You entered an invalid login name or password.
>> login:
>>
>> ******************
>> file /opt/pware64/var/log.winbind
>>
>> In the following file I noted one line "connection_ok: Connection to
>> for domain CEABR is not connected" -> CEABR is the Windows workgroup that
>> user brab10_db belongs to.
>>
>> ceaulab1:/opt/pware64/var>cat log.winbindd
>> [2011/04/07 10:48:01, 0] winbindd/winbindd.c:1105(main)
>> winbindd version 3.5.6 started.
>> Copyright Andrew Tridgell and the Samba Team 1992-2010
>> [2011/04/07 10:48:01.968181, 2]
>> lib/tallocmsg.c:106(register_msg_pool_usage)
>> Registered MSG_REQ_POOL_USAGE
>> [2011/04/07 10:48:01.968302, 2]
>> lib/dmallocmsg.c:77(register_dmalloc_msgs)
>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>> [2011/04/07 10:48:01.968399, 3] param/loadparm.c:9158(lp_load_ex)
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: rlimit_max (2000) below minimum Windows limit (16384)
>> [2011/04/07 10:48:01.968567, 3] ../lib/util/params.c:550(pm_process)
>> params.c:pm_process() - Processing configuration file
>> "/opt/pware64/lib/smb.conf"
>> [2011/04/07 10:48:01.968641, 3] param/loadparm.c:7842(do_section)
>> Processing section "[global]"
>> [2011/04/07 10:48:01.969161, 3] param/loadparm.c:6313(lp_add_ipc)
>> adding IPC service
>> [2011/04/07 10:48:01.976518, 2] lib/interface.c:340(add_interface)
>> added interface en3 ip=10.x.x.x bcast=10.x.x.255 netmask=
>> [2011/04/07 10:48:01.976670, 2] lib/interface.c:340(add_interface)
>> added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=
>> [2011/04/07 10:48:01.976832, 2] lib/interface.c:340(add_interface)
>> added interface en3 ip=10.x.x.x bcast=10.x.x.255 netmask=
>> [2011/04/07 10:48:01.976912, 2] lib/interface.c:340(add_interface)
>> added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=
>> [2011/04/07 10:48:04.035216, 1]
>> lib/tdb_validate.c:457(tdb_validate_and_backup)
>> tdb '/opt/pware64/var/locks/winbindd_cache.tdb' is valid
>> [2011/04/07 10:48:08.296102, 1]
>> lib/tdb_validate.c:467(tdb_validate_and_backup)
>> Created backup '/opt/pware64/var/locks/winbindd_cache.tdb.bak' of
>> tdb '/opt/pware64/var/locks/winbindd_cache.tdb'
>> [2011/04/07 10:48:08.375298, 2]
>> winbindd/winbindd_util.c:221(add_trusted_domain)
>> Added domain BUILTIN S-1-5-32
>> [2011/04/07 10:48:08.375504, 2]
>> winbindd/winbindd_util.c:221(add_trusted_domain)
>> Added domain CEAULAB1 S-1-5-21-275589774-1111006802-1142404070
>> [2011/04/07 10:48:08.375700, 2]
>> winbindd/winbindd_util.c:221(add_trusted_domain)
>> Added domain WW S-1-5-21-477278139-4163948897-2641029873
>> [2011/04/07 10:48:09.095861, 2]
>> winbindd/winbindd_util.c:221(add_trusted_domain)
>> Added domain WWW S-1-5-21-4109860217-3884139575-1781413053
>> [2011/04/07 10:48:09.096544, 2]
>> winbindd/winbindd_util.c:221(add_trusted_domain)
>> Added domain CW S-1-5-21-3224037681-1998144755-3803369224
>> [2011/04/07 10:48:09.104932, 2]
>> winbindd/winbindd_util.c:221(add_trusted_domain)
>> Added domain xxx S-1-5-21-1125475667-1308779437-1236795852
>> [2011/04/07 10:48:09.105264, 2]
>> winbindd/winbindd_util.c:221(add_trusted_domain)
>> Added domain WWW S-1-5-21-858964348-3275466132-3667905073
>> [2011/04/07 10:48:13.512247, 3]
>> winbindd/winbindd_cm.c:1633(connection_ok)
>> connection_ok: Connection to for domain CEABR is not connected
>> [2011/04/07 10:48:13.528483, 3]
>> libsmb/cliconnect.c:991(cli_session_setup_spnego)
>> Doing spnego session setup (blob length=115)
>> [2011/04/07 10:48:13.535011, 3]
>> libsmb/cliconnect.c:1020(cli_session_setup_spnego)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.2.840.113554.1.2.2.3
>> got OID=1.3.6.1.4.1.311.2.2.10
>> [2011/04/07 10:48:13.535212, 3]
>> libsmb/cliconnect.c:1030(cli_session_setup_spnego)
>> got principal=ceaadbrp1$@XXX
>> [2011/04/07 10:48:13.567241, 2]
>> libsmb/cliconnect.c:795(cli_session_setup_kerberos)
>> Doing kerberos session setup
>> [2011/04/07 10:48:13.575172, 3]
>> libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
>> expiration Thu, 07 Apr 2011 20:48:13 GMT-03:00
>> [2011/04/07 10:48:13.575364, 3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
>> ads_krb5_mk_req: server marked as OK to delegate to, building
>> forwardable TGT
>>
>> **********************
>> ceaulab1:/opt/pware64/var>cat log.wb-CEABR
>>
>> [2011/04/07 10:48:08.446242, 3]
>> winbindd/winbindd_cm.c:1633(connection_ok)
>> connection_ok: Connection to for domain CEABR is not connected
>> [2011/04/07 10:48:08.495255, 3]
>> libsmb/cliconnect.c:991(cli_session_setup_spnego)
>> Doing spnego session setup (blob length=115)
>> [2011/04/07 10:48:08.495545, 3]
>> libsmb/cliconnect.c:1020(cli_session_setup_spnego)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.2.840.113554.1.2.2.3
>> got OID=1.3.6.1.4.1.311.2.2.10
>> [2011/04/07 10:48:08.495666, 3]
>> libsmb/cliconnect.c:1030(cli_session_setup_spnego)
>> got principal=ceaadbrp1$@xxxx
>> [2011/04/07 10:48:08.529939, 2]
>> libsmb/cliconnect.c:795(cli_session_setup_kerberos)
>> Doing kerberos session setup
>> [2011/04/07 10:48:08.538272, 3]
>> libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
>> expiration Thu, 07 Apr 2011 20:48:08 GMT-03:00
>> [2011/04/07 10:48:08.538440, 3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
>> ads_krb5_mk_req: server marked as OK to delegate to, building
>> forwardable TGT
>> [2011/04/07 10:48:08.871177, 3]
>> winbindd/winbindd_ads.c:1206(sequence_number)
>> ads: fetch sequence_number for CEABR
>> [2011/04/07 10:48:08.871449, 3] libsmb/namequery.c:1880(get_dc_list)
>> get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
>> [2011/04/07 10:48:08.877761, 3] libads/ldap.c:634(ads_connect)
>> Successfully contacted LDAP server 10.16.1.203
>> [2011/04/07 10:48:08.877989, 3] libsmb/namequery.c:1880(get_dc_list)
>> get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
>> [2011/04/07 10:48:08.878252, 3] libsmb/namequery.c:1880(get_dc_list)
>> get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
>> [2011/04/07 10:48:08.943625, 3] libsmb/namequery.c:1880(get_dc_list)
>> get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
>> [2011/04/07 10:48:08.946330, 3] libads/ldap.c:634(ads_connect)
>> Successfully contacted LDAP server 10.x.x.x
>> [2011/04/07 10:48:08.946581, 3] libsmb/namequery.c:1880(get_dc_list)
>> get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
>> [2011/04/07 10:48:08.946852, 3] libsmb/namequery.c:1880(get_dc_list)
>> get_dc_list: preferred server list: "ceaadbrp1.xxx, *"
>> [2011/04/07 10:48:09.004434, 3] libads/ldap.c:634(ads_connect)
>> Successfully contacted LDAP server 10.16.1.203
>> [2011/04/07 10:48:09.006830, 3] libads/ldap.c:688(ads_connect)
>> Connected to LDAP server ceaadbrp1.xxx
>> [2011/04/07 10:48:09.008109, 3]
>> libads/sasl.c:782(ads_sasl_spnego_bind)
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> [2011/04/07 10:48:09.008190, 3]
>> libads/sasl.c:782(ads_sasl_spnego_bind)
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> [2011/04/07 10:48:09.008267, 3]
>> libads/sasl.c:782(ads_sasl_spnego_bind)
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
>> [2011/04/07 10:48:09.008343, 3]
>> libads/sasl.c:782(ads_sasl_spnego_bind)
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> [2011/04/07 10:48:09.008418, 3]
>> libads/sasl.c:791(ads_sasl_spnego_bind)
>> ads_sasl_spnego_bind: got server principal name = ceaadbrp1$@xxx
>> [2011/04/07 10:48:09.008672, 3] libsmb/clikrb5.c:787(ads_krb5_mk_req)
>> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
>> found)
>> [2011/04/07 10:48:09.054672, 3]
>> libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
>> expiration Thu, 07 Apr 2011 20:48:09 GMT-03:00
>> [2011/04/07 10:48:09.054867, 3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
>> ads_krb5_mk_req: server marked as OK to delegate to, building
>> forwardable TGT
>> [2011/04/07 10:48:09.074603, 3]
>> libsmb/ntlmssp.c:1101(ntlmssp_client_challenge)
>> Got challenge flags:
>> [2011/04/07 10:48:09.074743, 3]
>> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
>> Got NTLMSSP neg_flags=0x62898235
>> [2011/04/07 10:48:09.074819, 3]
>> libsmb/ntlmssp.c:1123(ntlmssp_client_challenge)
>> NTLMSSP: Set final flags:
>> [2011/04/07 10:48:09.074888, 3]
>> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
>> Got NTLMSSP neg_flags=0x60088235
>> [2011/04/07 10:48:09.075079, 3]
>> libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
>> NTLMSSP Sign/Seal - Initialising with flags:
>> [2011/04/07 10:48:09.075167, 3]
>> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
>> Got NTLMSSP neg_flags=0x60088235
>> [2011/04/07 10:48:09.081098, 3]
>> winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
>> [6553754]: list trusted domains
>> [2011/04/07 10:48:09.081206, 3]
>> winbindd/winbindd_ads.c:1269(trusted_domains)
>> ads: trusted_domains
>> [2011/04/07 10:48:09.105515, 3]
>> winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
>> [6553754]: list trusted domains
>> [2011/04/07 10:48:09.105620, 3]
>> winbindd/winbindd_ads.c:1269(trusted_domains)
>> ads: trusted_domains
>> [2011/04/07 10:53:08.428859, 3]
>> winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
>> [6553754]: list trusted domains
>> [2011/04/07 10:53:08.429039, 3]
>> winbindd/winbindd_ads.c:1269(trusted_domains)
>> ads: trusted_domains
>>
>>
>> TKS
>>
>> On 6 April 2011 at 22:08, William E Jojo <w.jojo at hvcc.edu>
>> wrote:
>> >
>> > ----- Original Message -----
>> >> From: "kleber povoação" <okleber at gmail.com>
>> >> To: samba at lists.samba.org
>> >> Sent: Wednesday, April 6, 2011 6:33:10 PM
>> >> Subject: [Samba] login into AIX using winbind
>> >> Can someone help me?
>> >>
>> >> I can't log in to the AIX machine using an Active Directory user.
>> >> ****************************
>> >> /etc/smb.conf
>> >>
>> >> [global]
>> >> security = ads
>> >> realm = XXXXXXXX
>> >> password server = *
>> >> workgroup = YYYYY
>> >> idmap uid = 10000-20000
>> >> idmap gid = 10000-20000
>> >> winbind use default domain = yes
>> >> log level = 3
>> >> template homedir = /home/%D/%U
>> >> template shell = /usr/bin/ksh
>> >> server string = %h server
>> >> winbind nested groups = Yes
>> >> winbind offline logon = true
>> >> interfaces = en3 lo0
>> >> bind interfaces only = yes
>> >> name resolve order = host wins bcast
>> >> lm announce = False
>> >> preferred master = False
>> >> keepalive = 30
>> >> auth methods = winbind
>> >> client use spnego = Yes
>> >> encrypt passwords = Yes
>> >> domain master = no
>> >> local master = no
>> >> preferred master = no
>> >> passdb backend = tdbsam
>> >> unix extensions = no
>> >> idmap config YYYYY : default = yes
>> >> idmap config YYYYY : backend = ad
>> >> idmap config YYYYY : range = 10000-20000
>> >> ********************************************
>> >> /usr/lib/security/methods.cfg
>> >>
>> >> WINBIND:
>> >> program = /usr/lib/security/WINBIND
>> >>
>> >> KRB5A:
>> >> program = /usr/lib/security/KRB5A
>> >> options = authonly
>> >> program_64 = /usr/lib/security/KRB5A_64
>> >>
>> >> KRB5Afiles:
>> >> options = db=BUILTIN,auth=KRB5A
>> >>
>> >> NIS:
>> >> program = /usr/lib/security/NIS
>> >> program_64 = /usr/lib/security/NIS_64
>> >>
>> >>
>> >> DCE:
>> >> program = /usr/lib/security/DCE
>> >>
>> >>
>> >> ***************************
>> >> /etc/security/user
>> >>
>> >> default:
>> >> admin = false
>> >> login = true
>> >> su = true
>> >> daemon = true
>> >> rlogin = true
>> >> sugroups = ALL
>> >> admgroups =
>> >> ttys = ALL
>> >> auth1 = SYSTEM
>> >> auth2 = NONE
>> >> tpath = nosak
>> >> umask = 22
>> >> expires = 0
>> >> SYSTEM = "WINBIND OR compat"
>> >> registry = WINBIND
>> >> logintimes =
>> >> pwdwarntime = 3
>> >> account_locked = false
>> >> loginretries = 5
>> >> histexpire = 48
>> >> histsize = 8
>> >> minage = 1
>> >> maxage = 0
>> >> maxexpired = -1
>> >> minalpha = 4
>> >> minother = 2
>> >> minlen = 8
>> >> mindiff = 3
>> >> maxrepeats = 8
>> >> dictionlist =
>> >> pwdchecks =
>> >> default_roles =
>> >> *************************
>> >> /etc/krb5.conf
>> >> [libdefaults]
>> >> default_realm = wwww
>> >> default_keytab_name = FILE:/etc/krb5/krb5.keytab
>> >> forwardable = true
>> >> clockskew = 300
>> >>
>> >> [realms]
>> >> BRASIL.LATAM.CEA = {
>> >> kdc = www:88
>> >> admin_server = www:749
>> >> default_domain = wwww
>> >> }
>> >>
>> >> [domain_realm]
>> >> .xxx.xx.xx = XXXX
>> >> xxx.xx.xx = XXXX
>> >>
>> >> [logging]
>> >> kdc = FILE:/var/krb5/log/krb5kdc.log
>> >> admin_server = FILE:/var/krb5/log/kadmin.log
>> >> kadmin_local = FILE:/var/krb5/log/kadmin_local.log
>> >> default = FILE:/var/krb5/log/krb5lib.log
>> >>
>> >> ******************
>> >> What works?
>> >>
>> >>
>> >> lab1:/>wbinfo -i brab10_dbr
>> >> brab10_dbr:*:10000:10000:Anderson:/home/XXX/brab10_dbr:/usr/bin/ksh
>> >>
>> >> wbinfo -g
>> >>
>> >> net ads info
>> >>
>> >> klist
>> >> ***********************
>> >> What does not work
>> >>
>> >> lab1:/>lsuser -R WINBIND ALL -> shows no error but does not return any
>> >> user.
>> >> lab1:/>
>> >>
>> >
>> > ALL has never worked. There is a timeout issue within AIX that I was
>> > never able to track down.
>> >
>> >
>> >> Login with an AD user via telnet or ssh or locally at the console
>> >
>> >
>> > How are you logging in? Is the user fully-qualified? (Should not be
>> > necessary with winbind use default domain). Is there a home dir
>> > ready to receive them?
>> >
>> > Does "lsuser -R WINBIND username" return what you expect?
>> >
>> > Does chown allow you to specify an AD user?
>> >
>> > Anything in your log level 3 that may help?
>> >
>> >
>> > Cheers,
>> > Bill
>> >
>> >
>> >>
>> >> *******************
>> >>
>> >> tks all
>> >> --
>> >> To unsubscribe from this list go to the following URL and read the
>> >> instructions: https://lists.samba.org/mailman/options/samba
>> >
>
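
The methods.cfg exchange in this thread turns on which file each program / program_64 attribute names and whether that file is actually present. As an added example (not part of the original messages and not pWare or Samba code), the shell function below lists every stanza's load-module paths and flags a missing file, an unset program_64, and one file named for both attributes; the names check_methods and demo, the status words, the optional root prefix and the sample tree are assumptions constructed for the illustration.

```sh
#!/bin/sh
# Added example: lint an AIX-style methods.cfg (stanza file) for load-module paths.
# check_methods <methods.cfg> [root]  -- "root" is a hypothetical prefix put in
# front of each path so the check can run against a copy of the tree.
check_methods() {
    cfg=$1; root=${2:-}
    awk '
        function flush() { if (name != "") print name "|" p32 "|" p64 }
        function val(s)  { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*\*/                 { next }    # comment line
        /^[^ \t=]+:[ \t]*$/         { flush(); name = $1; sub(/:$/, "", name); p32 = p64 = ""; next }
        /^[ \t]*program[ \t]*=/     { p32 = val($0) }
        /^[ \t]*program_64[ \t]*=/  { p64 = val($0) }
        END                         { flush() }
    ' "$cfg" | while IFS='|' read -r name p32 p64; do
        [ -z "$p32$p64" ] && continue   # stanza without a load module (options only)
        for pair in "program=$p32" "program_64=$p64"; do
            attr=${pair%%=*}; path=${pair#*=}
            if [ -z "$path" ]; then echo "$name $attr UNSET"
            elif [ -f "$root$path" ]; then echo "$name $attr OK $path"
            else echo "$name $attr MISSING $path"
            fi
        done
        # Same file for both attributes: check which bitness it was built for.
        if [ -n "$p32" ] && [ "$p32" = "$p64" ]; then echo "$name SAME_FILE $p32"; fi
    done
}

# Constructed sample tree and file, modelled on the stanzas quoted in the thread.
demo() {
    d=${TMPDIR:-/tmp}/methods-demo.$$
    mkdir -p "$d/usr/lib/security"
    : > "$d/usr/lib/security/WINBIND"
    : > "$d/usr/lib/security/KRB5A"
    cat > "$d/methods.cfg" <<'EOF'
* constructed sample, not a real system file
WINBIND:
        program = /usr/lib/security/WINBIND
        program_64 = /usr/lib/security/WINBIND

KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly
        program_64 = /usr/lib/security/KRB5A_64

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A
EOF
    check_methods "$d/methods.cfg" "$d"
    rm -rf "$d"
}
demo
```

On a live system the function would be called as check_methods /usr/lib/security/methods.cfg with no second argument.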

