Re: [Samba] chown DOMAIN+mylogin /dir fails (Please help)

2006-02-14 Thread Doug VanLeuven

David Shapiro wrote:

What is the KRB5A option going to provide?
 


The daemon winbindd resolves uid/gid to sids and vice versa

The AIX WINBIND provides authentication services by calling a PDC

The AIX KRB5A provides authentication services by Kerberos
and can use a windows AD server.  IBM has a writeup.  Only thing
I would add to it - it is possible to make it work with
samba managing the system keytab.

I looked back on your posts, and I'm unclear on what your
environment is.

Regards, Doug

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] chown DOMAIN+mylogin /dir fails (Please help)

2006-02-10 Thread David Shapiro
When I tried to run the commands you suggested, I got the following:
 
 lsuser -R WINBIND ALL
Invalid -R option WINBIND
 

Usage: lsuser [-R load_module] [ -c | -f ] [ -a attr attr ... ] { ALL
| user1,user2 ... }

The WINBIND entry that I copied from the nsswitch directory after the
make install is in /usr/lib/security.  Why does it not think this is a
valid module?
 
David
 
David Shapiro
Unix Team Lead
919-765-2011

 Doug VanLeuven [EMAIL PROTECTED] 2/9/2006 11:03:38 PM 

David Shapiro wrote:
 What can I look at to understand why chown keeps saying user does not
 exist.
  
 wbinfo -u/-g returns the user information
 klist -v shows kerberos is working
 net ads join works fine
 wbinfo -t shows secret is fine
  
  
 aix does not have getent so I can't run getent passwd -- is there
 something equivalent on aix?

Closest you're going to get is lsuser -R load_module
lsuser -R NIS ALL
lsuser -R LDAP ALL
lsuser -R WINBIND ALL

and of course lsgroup -R load_module

  
 /usr/lib/security/methods.cfg has:
  
 WINBIND:
 program = /usr/lib/security/WINBIND (set with chmod 444)
 options =authonly

Authonly means it's not capable of supplying any user information.
I don't know that's true anymore.

Look in source/nsswitch/winbind_nss_aix.c
Available methods are at the end of the file.
Not all methods are implemented, and not all methods implemented
return a valid answer.

Regards, Doug



Re: [Samba] chown DOMAIN+mylogin /dir fails (Please help)

2006-02-10 Thread Doug VanLeuven

David Shapiro wrote:
I only see winbind_nss_aix.po, but I do not see the .c file.  NIS ALL 
works, but LDAP and WINBIND both do not.


Hi Dave,
I'm having to work from memory as the work I did on AIX ended
last June.  In addition, when I formulated the phase transitions
from samba 2.x nt40 style member to samba 3.x AD member, it
was 2003 and at that time, winbindd on AIX wouldn't support
returning sufficient information to allow managing user and
group accounts using the -R option to chuser, chgroup, mkuser,
mkgroup, rmuser, rmgroup.  That's why the writeups say
/usr/lib/security/methods.cfg WINBIND: options=authonly
and KRB5A: options=authonly

So NIS and LDAP can be used to maintain the user and group
attributes but winbind and kerberos were only used to
authenticate an existing user defined locally or in NIS/LDAP,
where LDAP is the AIX native LDAP security model.

If NIS works and LDAP and WINBIND don't, it looks like you've
implemented NIS but not LDAP and WINBIND is configured to
authonly.  If winbind's capable of returning sufficient
information to satisfy lsuser, remove the authonly option.
I figured you'd look thru winbind_nss_aix.c and make a
determination whether or not that was possible with
your version of samba.

Regards, Doug

 
David Shapiro

Unix Team Lead
919-765-2011

  Doug VanLeuven [EMAIL PROTECTED] 2/9/2006 11:03:38 PM 
David Shapiro wrote:
  What can I look at to understand why chown keeps saying user does not
  exist. 
  
  wbinfo -u/-g returns the user information

  klist -v shows kerberos is working
  net ads join works fine
  wbinfo -t shows secret is fine
  
  
  aix does not have getent so I can't run getent passwd -- is there

  something equivalent on aix?

Closest you're going to get is lsuser -R load_module
lsuser -R NIS ALL
lsuser -R LDAP ALL
lsuser -R WINBIND ALL

and of course lsgroup -R load_module

  
  /usr/lib/security/methods.cfg has:
  
  WINBIND:

  program = /usr/lib/security/WINBIND (set with chmod 444)
  options =authonly

Authonly means it's not capable of supplying any user information.
I don't know that's true anymore.

Look in source/nsswitch/winbind_nss_aix.c
Available methods are at the end of the file.
Not all methods are implemented, and not all methods implemented
return a valid answer.

Regards, Doug



Re: [Samba] chown DOMAIN+mylogin /dir fails (Please help)

2006-02-10 Thread David Shapiro
Thanks for the info.  Should I expect su - DOMAIN+mylogin to work?  I
can now do chown/chgrp commands.  When I run su - DOMAIN+mylogin, I get
in messages:
 
Feb 10 17:39:59 svcanimp su: BAD SU from root to _010 at
/dev/pts/5
 
and the message: 3004-503 Cannot set process credentials. goes out to
stdout.
 
David
 
 
 
David Shapiro
Unix Team Lead
919-765-2011

 Doug VanLeuven [EMAIL PROTECTED] 2/10/2006 3:22:37 PM 

David Shapiro wrote:
 I only see winbind_nss_aix.po, but I do not see the .c file.  NIS ALL

 works, but LDAP and WINBIND both do not.

Hi Dave,
I'm having to work from memory as the work I did on AIX ended
last June.  In addition, when I formulated the phase transitions
from samba 2.x nt40 style member to samba 3.x AD member, it
was 2003 and at that time, winbindd on AIX wouldn't support
returning sufficient information to allow managing user and
group accounts using the -R option to chuser, chgroup, mkuser,
mkgroup, rmuser, rmgroup.  That's why the writeups say
/usr/lib/security/methods.cfg WINBIND: options=authonly
and KRB5A: options=authonly

So NIS and LDAP can be used to maintain the user and group
attributes but winbind and kerberos were only used to
authenticate an existing user defined locally or in NIS/LDAP,
where LDAP is the AIX native LDAP security model.

If NIS works and LDAP and WINBIND don't, it looks like you've
implemented NIS but not LDAP and WINBIND is configured to
authonly.  If winbind's capable of returning sufficient
information to satisfy lsuser, remove the authonly option.
I figured you'd look thru winbind_nss_aix.c and make a
determination whether or not that was possible with
your version of samba.

Regards, Doug

  
 David Shapiro
 Unix Team Lead
 919-765-2011
 
   Doug VanLeuven [EMAIL PROTECTED] 2/9/2006 11:03:38 PM 
 David Shapiro wrote:
   What can I look at to understand why chown keeps saying user does not
   exist.
   
   wbinfo -u/-g returns the user information
   klist -v shows kerberos is working
   net ads join works fine
   wbinfo -t shows secret is fine
   
   
   aix does not have getent so I can't run getent passwd -- is there
   something equivalent on aix?
 
 Closest you're going to get is lsuser -R load_module
 lsuser -R NIS ALL
 lsuser -R LDAP ALL
 lsuser -R WINBIND ALL
 
 and of course lsgroup -R load_module
 
   
   /usr/lib/security/methods.cfg has:
   
   WINBIND:
   program = /usr/lib/security/WINBIND (set with chmod 444)
   options =authonly
 
 Authonly means it's not capable of supplying any user information.
 I don't know that's true anymore.
 
 Look in source/nsswitch/winbind_nss_aix.c
 Available methods are at the end of the file.
 Not all methods are implemented, and not all methods implemented
 return a valid answer.
 
 Regards, Doug
 


Re: [Samba] chown DOMAIN+mylogin /dir fails (Please help)

2006-02-10 Thread David Shapiro
What is the KRB5A option going to provide?
 
David Shapiro
Unix Team Lead
919-765-2011

 Doug VanLeuven [EMAIL PROTECTED] 2/10/2006 3:22:37 PM 

David Shapiro wrote:
 I only see winbind_nss_aix.po, but I do not see the .c file.  NIS ALL

 works, but LDAP and WINBIND both do not.

Hi Dave,
I'm having to work from memory as the work I did on AIX ended
last June.  In addition, when I formulated the phase transitions
from samba 2.x nt40 style member to samba 3.x AD member, it
was 2003 and at that time, winbindd on AIX wouldn't support
returning sufficient information to allow managing user and
group accounts using the -R option to chuser, chgroup, mkuser,
mkgroup, rmuser, rmgroup.  That's why the writeups say
/usr/lib/security/methods.cfg WINBIND: options=authonly
and KRB5A: options=authonly

So NIS and LDAP can be used to maintain the user and group
attributes but winbind and kerberos were only used to
authenticate an existing user defined locally or in NIS/LDAP,
where LDAP is the AIX native LDAP security model.

If NIS works and LDAP and WINBIND don't, it looks like you've
implemented NIS but not LDAP and WINBIND is configured to
authonly.  If winbind's capable of returning sufficient
information to satisfy lsuser, remove the authonly option.
I figured you'd look thru winbind_nss_aix.c and make a
determination whether or not that was possible with
your version of samba.

Regards, Doug

  
 David Shapiro
 Unix Team Lead
 919-765-2011
 
   Doug VanLeuven [EMAIL PROTECTED] 2/9/2006 11:03:38 PM 
 David Shapiro wrote:
   What can I look at to understand why chown keeps saying user does not
   exist.
   
   wbinfo -u/-g returns the user information
   klist -v shows kerberos is working
   net ads join works fine
   wbinfo -t shows secret is fine
   
   
   aix does not have getent so I can't run getent passwd -- is there
   something equivalent on aix?
 
 Closest you're going to get is lsuser -R load_module
 lsuser -R NIS ALL
 lsuser -R LDAP ALL
 lsuser -R WINBIND ALL
 
 and of course lsgroup -R load_module
 
   
   /usr/lib/security/methods.cfg has:
   
   WINBIND:
   program = /usr/lib/security/WINBIND (set with chmod 444)
   options =authonly
 
 Authonly means it's not capable of supplying any user information.
 I don't know that's true anymore.
 
 Look in source/nsswitch/winbind_nss_aix.c
 Available methods are at the end of the file.
 Not all methods are implemented, and not all methods implemented
 return a valid answer.
 
 Regards, Doug
 


[Samba] chown DOMAIN+mylogin /dir fails (Please help)

2006-02-09 Thread David Shapiro
What can I look at to understand why chown keeps saying user does not
exist.  
 
wbinfo -u/-g returns the user information
klist -v shows kerberos is working
net ads join works fine
wbinfo -t shows secret is fine
 
 
aix does not have getent so I can't run getent passwd -- is there
something equivalent on aix?
 
/usr/lib/security/methods.cfg has:
 
WINBIND:
program = /usr/lib/security/WINBIND (set with chmod 444)
options =authonly
 
/etc/security/user has for SYSTEM = WINBIND OR WINBIND[FAILURE] AND
COMPAT
 
my clock syncs with same ntp as ad server and seems fine
 
I am so tired... been working on this for two days.  Please help me
figure out why this is not working now.
 
David
 
David Shapiro
Unix Team Lead
919-765-2011


Re: [Samba] chown DOMAIN+mylogin /dir fails (Please help)

2006-02-09 Thread Doug VanLeuven

David Shapiro wrote:

What can I look at to understand why chown keeps saying user does not
exist.  
 
wbinfo -u/-g returns the user information

klist -v shows kerberos is working
net ads join works fine
wbinfo -t shows secret is fine
 
 
aix does not have getent so I can't run getent passwd -- is there

something equivalent on aix?


Closest you're going to get is lsuser -R load_module
lsuser -R NIS ALL
lsuser -R LDAP ALL
lsuser -R WINBIND ALL

and of course lsgroup -R load_module

 
/usr/lib/security/methods.cfg has:
 
WINBIND:

program = /usr/lib/security/WINBIND (set with chmod 444)
options =authonly


Authonly means it's not capable of supplying any user information.
I don't know that's true anymore.

Look in source/nsswitch/winbind_nss_aix.c
Available methods are at the end of the file.
Not all methods are implemented, and not all methods implemented
return a valid answer.

Regards, Doug
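
The authonly check discussed in this thread, as an added example that is not part of the original posts or of Samba/AIX: a small parser that lists each load module in a methods.cfg-style stanza file and flags the ones limited to authentication by `options = authonly`. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the load modules of an AIX methods.cfg-style file.

# Print "<module> <mode>" per stanza; mode is "authonly" when the options
# attribute contains that keyword, otherwise "full".
methods_modes() {
    awk '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }        # comment or blank line
        /^[^ \t].*:[ \t]*$/ {                      # stanza header "NAME:"
            if (name != "") print name, mode
            name = $0; sub(/:[ \t]*$/, "", name); mode = "full"
            next
        }
        name != "" && /^[ \t]*options[ \t]*=/ {    # tolerates "options =authonly"
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            n = split(val, opt, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]+$/, "", opt[i])
                if (opt[i] == "authonly") mode = "authonly"
            }
        }
        END { if (name != "") print name, mode }
    ' "$1"
}

# Exit 0 only if module $2 is defined in file $1 and is not authonly,
# i.e. it is allowed to answer lookups such as "lsuser -R <module> ALL".
module_supplies_identity() {
    methods_modes "$1" |
        awk -v m="$2" '$1 == m && $2 == "full" { ok = 1 } END { exit !ok }'
}

# Constructed sample, modelled on the WINBIND stanza quoted in the thread.
sample_cfg() {
    cat <<'EOF'
* constructed sample methods.cfg
NIS:
        program = /usr/lib/security/NIS

WINBIND:
        program = /usr/lib/security/WINBIND
        options =authonly
EOF
}

# Demo on the sample; on a real host pass /usr/lib/security/methods.cfg.
sample_cfg | methods_modes -
```

A module reported as "full" is only permitted to supply user and group data; whether it actually does depends on which methods the module implements.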
