[Samba] Query re winbind, primary group enumeration from Active Directory and Services For Unix
I am wondering if anyone can explain to me how the GIDs work when using winbind to extract them from an ADS server.

I have Unix servers running AIX 5.3 ML-10 and an ADS server running Win 2003-SP2 with SFU 3.5 installed. I have been configuring the Unix servers as domain members and using winbind to extract the user id and primary group from the AD and SFU. This in theory would supply consistent uids and gids for the domain user accounts when logging into the Unix servers.

I have been able to compile samba 3.4.7 with ADS support successfully. I have also used version 3.4.7 from the pware site and get the same issues.

I have modified the /usr/security/user file to use WINBIND.
I have modified the /usr/lib/security/methods.cfg file to include a stanza for WINBIND.
I can obtain a kerberos ticket successfully (kinit valid-aduser).
I can join the domain successfully (net ads join -Uvalid-ad-user).
I can run wbinfo -t, -u, -g, -i, etc. successfully.

Using wbinfo -i valid-ad-user returns the correct information as stored under the user's properties SFU tab. If I change these settings, eg: home directory, primary group name/gid or login shell, they are reflected correctly by a subsequent wbinfo -i. That is, they are correctly extracted/obtained from the ADS server.

However, when I try to open a telnet session to the Unix server I have a problem if the PGID is not related back to an actual group as stored within the AD. That is, if I set the PGID to 208, which is a valid group id within the group file on the Unix server but is not a valid group id within the AD, I cannot telnet to the Unix server. The -i option of wbinfo shows the correct group id. Eg:

    wbinfo -i valid-ad-user
    valid-ad-user:*:1009:208::/home/support/abc:/bin/ksh

When I try and open a telnet session I get the following error.

    3004-010 Failed setting terminal ownership and mode.
Browsing the www indicates that this problem is due to an invalid group id, i.e. that the id is not stored within the group file. But it is a valid group id. If I change the gid to be 10001, which according to samba is BUILTIN\users, EG:

    wbinfo --gid-info=10001
    BUILTIN\users:x:10001

I can open a telnet session without any problems.

My understanding from reading the smb.conf man page is that for samba (aka winbind) to extract the home directory, login shell, UID and GID from the ADS server you need to specify the option winbind nss info and either idmap backend = ad or idmap config DOMAIN:backend = ad as well. I have these entries in the smb.conf file:

    idmap config ULTRADATA : default = yes
    idmap config ULTRADATA : backend = ad
    idmap config ULTRADATA : range = 200-
    idmap config ULTRADATA : schema_mode = sfu
    winbind nss info = sfu

With these settings the userid that is extracted is the one that gets used when a successful telnet session is made. However the GID appears to be ignored. It looks like the GID must be one that is allocated to a valid group that is on the ADS server.

What entries do I need to make in the smb.conf file to have samba/winbind use the group id as stored on the ADS server?
I have included what I think is the pertinent info from the global section of the smb.conf file:

    workgroup = REALMNAME
    security = ADS
    realm = REALMNAME.COM.AU
    encrypt passwords = Yes
    password server = 172.16.xx.xxx
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    log file = /etc/samba/var/%L-%m.log
    log level = 5
    interfaces = en0 lo0
    bind interfaces only = yes
    name resolve order = host wins bcast
    keepalive = 30
    os level = 0
    lm announce = False
    preferred master = False
    local master = No
    domain master = False
    wins server = 172.16.xx.xxx
    unix extensions = no
    auth methods = winbind
    idmap uid = 1-20
    idmap gid = 1-20
    idmap config REALMNAME : default = yes
    idmap config REALMNAME : backend = ad
    idmap config REALMNAME : range = 200-
    idmap config REALMNAME : schema_mode = sfu
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nss info = sfu

Disclaimer Notice: This message contains privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that you must not disseminate, copy or take any action or place any reliance on it. If you have received this message in error please notify Ultradata immediately on +61 3 9291 1600. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Ultradata Australia Pty.
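An added triage script for the symptom described in this post (it is not from the poster's system or from Samba): it takes the passwd-style line that wbinfo -i returns, checks whether the primary gid is known to winbindd (via wbinfo --gid-info, as used above) and/or only to /etc/group, and flags when wbinfo's gid differs from the primary_gid that winbindd writes to log.wb-DOMAIN. The sample wbinfo line, /etc/group excerpt and log fragment are constructed; the wbinfo output formats it relies on are assumed to match what the thread shows.

```python
"""Triage helper for the primary-gid symptom above (constructed example; not
from the poster's system or from Samba).

Assumptions, all labelled: `wbinfo -i USER` prints the passwd-style line shown
in the thread, `wbinfo --gid-info=GID` prints `NAME:x:GID` on success, and
/etc/group is in the standard colon-separated format. Sample data is made up.
"""
import re
import subprocess
import sys
from typing import Any, Callable, Dict, Optional

# Constructed sample in the shape of the thread's `wbinfo -i` output.
SAMPLE_WBINFO_LINE = "valid-ad-user:*:1009:208::/home/support/abc:/bin/ksh"

# Constructed /etc/group excerpt: gid 208 exists locally, gid 10001 does not.
SAMPLE_ETC_GROUP = "system:!:0:root\nstaff:!:1:\nsupport:!:208:abc\n"

# Constructed fragment in the shape of the wbint_QueryUser dump in log.wb-DOMAIN.
SAMPLE_LOG = "      primary_gid              : 0x00d0 (208)\n"

_LOG_PGID_RE = re.compile(r"primary_gid\s*:\s*0x[0-9a-fA-F]+\s*\((\d+)\)")

GidLookup = Callable[[int], Optional[str]]


def parse_wbinfo_passwd(line: str) -> Dict[str, Any]:
    """Split a `wbinfo -i` / passwd-style line into named fields."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}")
    name, _pw, uid, gid, gecos, home, shell = fields
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def parse_log_primary_gid(log_text: str) -> Optional[int]:
    """Return the primary_gid winbindd logged for the user, if present."""
    match = _LOG_PGID_RE.search(log_text)
    return int(match.group(1)) if match else None


def local_group_resolver(etc_group_text: str) -> GidLookup:
    """Build a gid -> group-name lookup from /etc/group contents."""
    by_gid: Dict[int, str] = {}
    for raw in etc_group_text.splitlines():
        parts = raw.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            by_gid.setdefault(int(parts[2]), parts[0])
    return by_gid.get


def winbind_group_resolver(gid: int) -> Optional[str]:
    """Ask winbindd which group owns a gid (`wbinfo --gid-info=GID`)."""
    try:
        proc = subprocess.run(["wbinfo", f"--gid-info={gid}"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:          # wbinfo not installed on this host
        return None
    if proc.returncode != 0 or ":" not in proc.stdout:
        return None
    return proc.stdout.split(":", 1)[0]


def diagnose(entry: Dict[str, Any], log_pgid: Optional[int],
             local: GidLookup, winbind: GidLookup) -> Dict[str, Any]:
    """Classify the user's primary gid by who can resolve it.

    "winbind"     -> winbindd knows the gid (the BUILTIN group case that logged in)
    "local-only"  -> only /etc/group knows it (the gid 208 case that failed)
    "unresolved"  -> nobody knows it
    log_mismatch is set when wbinfo's gid differs from the logged primary_gid.
    """
    gid = entry["gid"]
    local_name, wb_name = local(gid), winbind(gid)
    if wb_name is not None:
        source = "winbind"
    elif local_name is not None:
        source = "local-only"
    else:
        source = "unresolved"
    return {"user": entry["name"], "gid": gid, "local_group": local_name,
            "winbind_group": wb_name, "source": source,
            "log_mismatch": log_pgid is not None and log_pgid != gid}


def main(argv):
    if len(argv) > 1:                  # live mode: python3 this.py USER [log.wb-DOMAIN]
        line = subprocess.run(["wbinfo", "-i", argv[1]], capture_output=True,
                              text=True, check=True).stdout
        with open("/etc/group") as fh:
            group_text = fh.read()
        log_text = open(argv[2]).read() if len(argv) > 2 else ""
        winbind = winbind_group_resolver
    else:                              # offline demo on the constructed samples
        line, group_text, log_text = SAMPLE_WBINFO_LINE, SAMPLE_ETC_GROUP, SAMPLE_LOG
        winbind = lambda gid: None     # pretend winbindd cannot resolve anything
    report = diagnose(parse_wbinfo_passwd(line), parse_log_primary_gid(log_text),
                      local_group_resolver(group_text), winbind)
    for key, value in report.items():
        print(f"{key:14} {value}")
    return report


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments for the offline demo, or with a username (and optionally the path to log.wb-DOMAIN) on a domain-joined host where wbinfo is available.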
Re: [Samba] krb5 library issues when Compiling 3.5.2 and 3.4.7 on AIX 5.3
I have worked out why I was getting "ld: 0711-318 ERROR: Undefined symbols were found." during the make process.

There are three libraries that are built near the start and placed into the bin dir within the source3 dir. These are:

    bin/libtalloc.so
    bin/libtdb.so
    bin/libwbclient.so

These have the required symbols defined. However, the linking commands reference /opt/pware/lib before other lib dirs. If you have another version of samba installed then its libraries are in /opt/pware/lib. When building/compiling a new version the linking finds the libraries for the installed version and loads these.

If you remove the reference for these from /opt/pware/lib prior to compiling then the process runs to completion with version 3.4.7. I only get warnings re duplicates. However with 3.5.2 I get an error re EXTRA_FLAGS:

    EXTRA_FLAGS:? =
    EXTRA_FLAGS: =
    make: 1254-002 Cannot find a rule to create target EXTRA_FLAGS from dependencies. Stop.

A point of interest is that I do not get any issues with undefined symbols if building 3.3.9 on a server that has another version of samba installed and running. I have only had this issue with 3.4.7, 3.5.0 and 3.5.2. I have not tried any other version of 3.4.x. One difference that I notice is that with 3.3.9 there is only a source dir, IE: no source3 and source4 etc.

William, do you build your pware versions on a server that has samba installed and running on it? If yes, then how do you overcome this issue?

Regards,
Craig

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Craig Green
Sent: Monday, 19 April 2010 5:18 PM
To: 'William Jojo'; Michael Wood; christoph.be...@desy.de
Cc: Samba
Subject: Re: [Samba] krb5 library issues when Compiling 3.5.2 and 3.4.7 on AIX 5.3

Hi,

I have altered my build script so that the variables are exported. I now get past the issue of configure falling over but the make now fails. The data and issues I have listed here refer to samba 3.5.0.
I will be running a configure and make for 3.4.7 overnight to see if I get the same issues.

The configure runs to completion and here is the tail end of the output.

    #define HAVE_ZLIB_H 1
    #define HAVE_ZLIBVERSION 1
    #define HAVE_LIBZ 1
    configure: exit 0

Here is the tail end of the output from the make.

    (ld): lib /usr/lib/libxdsm.a
    (ld): i bin/libtalloc.a
    (ld): i bin/libtdb.a
    (ld): lib /opt/pware/lib/libwbclient.so
    (ld): lib /opt/pware/lib/libz.so
    (ld): i /opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.4/libgcc.a
    (ld): i /opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.4/libgcc_eh.a
    (ld): lib /usr/lib/libc.a
    (ld): lib /usr/lib/librtl.a
    LIBRARY: Shared object libldap.so: 463 symbols imported.
    LIBRARY: Shared object liblber.so: 134 symbols imported.
    LIBRARY: Shared object libgssapi_krb5.so: 73 symbols imported.
    LIBRARY: Shared object libkrb5.so: 746 symbols imported.
    LIBRARY: Shared object libk5crypto.so: 158 symbols imported.
    LIBRARY: Shared object libcom_err.so: 9 symbols imported.
    LIBRARY: Shared object libpthreads.a[shr_comm.o]: 177 symbols imported.
    LIBRARY: Shared object libpthreads.a[shr_xpg5.o]: 162 symbols imported.
    LIBRARY: Shared object libpam.a[shr.o]: 23 symbols imported.
    LIBRARY: Shared object libiconv.a[libiconv.so.2]: 13 symbols imported.
    LIBRARY: Shared object librt.a[posix_aio.o]: 7 symbols imported.
    LIBRARY: Shared object libpopt.a[libpopt.so.0]: 30 symbols imported.
    LIBRARY: Shared object libxdsm.a[shr.o]: 75 symbols imported.
    LIBRARY: Shared object libwbclient.so: 108 symbols imported.
    LIBRARY: Shared object libz.so: 72 symbols imported.
    LIBRARY: Shared object libc.a[shr.o]: 2875 symbols imported.
    LIBRARY: Shared object libc.a[meth.o]: 2 symbols imported.
    LIBRARY: Shared object libc.a[posix_aio.o]: 20 symbols imported.
    LIBRARY: Shared object libc.a[aio.o]: 18 symbols imported.
    LIBRARY: Shared object libc.a[pse.o]: 5 symbols imported.
    LIBRARY: Shared object libc.a[dl.o]: 4 symbols imported.
    LIBRARY: Shared object libc.a[pty.o]: 1 symbols imported.
    LIBRARY: Shared object librtl.a[shr.o]: 1 symbols imported.
    LIBRARY: Shared object librtl.a[lazy42.o]: 3 symbols imported.
    FILELIST: Number of previously inserted files processed: 561
    (ld): initfini _GLOBAL__FI_smbd _GLOBAL__FD_smbd
    (ld): resolve
    ld: 0711-228 WARNING: Duplicate symbols were found while resolving symbols.
    The following duplicates were found:
    Symbol                  Source-File(Object) OR Import-File{Shared-object}
    ------                  ------------------------------------------------
    __start                 crt0main.s(/lib/crt0.o)
      ** Duplicate **       {/opt/pware/lib/libwbclient.so}
    .__start                crt0main.s(/lib/crt0.o)
      ** Duplicate **       {/opt/pware/lib/libwbclient.so}
    __C_runtime_pstartup    crt0main.s(/lib/crt0.o)
      ** Duplicate **       {/opt/pware/lib/libwbclient.so}
    p_xargc                 crt0main.s(/lib/crt0.o
Re: [Samba] Compile errors for samba 3.5.2 on aix 5.3
I am also having the same issue when compiling samba 3.5.2 with ADS support. I am using IBM's make.

    EXTRA_FLAGS:? =
    EXTRA_FLAGS: =
    make: 1254-002 Cannot find a rule to create target EXTRA_FLAGS from dependencies. Stop.

I have gnu make installed so I will try it.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of William Jojo
Sent: Thursday, 22 April 2010 5:18 AM
To: Beau Gauthreaux
Cc: samba@lists.samba.org
Subject: Re: [Samba] Compile errors for samba 3.5.2 on aix 5.3

Beau Gauthreaux wrote:
> Any suggestions would be appreciated. I'm trying to compile samba 3.5.2 on aix 5.3 using gcc. And getting the following error while running:

Which make are you using? IBM's?

Cheers,
Bill

>     ./source3/make -d -f Makefile-noincludes
>     Linking non-shared library bin/libsmbclient.a
>     update time: 13:48:41.808974749 Apr 21, 2010
>     Suff_FindDeps (bin/libsmbclient.so)
>     No known suffix on bin/libsmbclient.so. Using .NULL suffix.
>     bin/libsmbclient.so:@ = bin/libsmbclient.so
>     bin/libsmbclient.so:* = bin/libsmbclient.so
>     bin/libsmbclient.so: =
>     No valid suffix on bin/libsmbclient.so. failed. Returning NULL
>     Suff_FindDeps (bin/libsmbclient.so.0)
>     No known suffix on bin/libsmbclient.so.0. Using .NULL suffix.
>     bin/libsmbclient.so.0:@ = bin/libsmbclient.so.0
>     bin/libsmbclient.so.0:* = bin/libsmbclient.so.0
>     bin/libsmbclient.so.0: =
>     No valid suffix on bin/libsmbclient.so.0. failed. Returning NULL
>     Suff_FindDeps (libsmb/libsmb_thread_impl.o)
>     trying libsmb/libsmb_thread_impl.c...got it.
>     Caching 9:26:22.0 Apr 1, 2010 for libsmb/libsmb_thread_impl.c
>     got it
>     libsmb/libsmb_thread_impl.o:@ = libsmb/libsmb_thread_impl.o
>     libsmb/libsmb_thread_impl.o:* = libsmb/libsmb_thread_impl
>     libsmb/libsmb_thread_impl.o: = libsmb/libsmb_thread_impl.c
>     applying .c -> .o to libsmb/libsmb_thread_impl.o
>     Suff_FindDeps (EXTRA_FLAGS)
>     No known suffix on EXTRA_FLAGS. Using .NULL suffix.
>     EXTRA_FLAGS:@ = EXTRA_FLAGS
>     EXTRA_FLAGS:* = EXTRA_FLAGS
>     EXTRA_FLAGS: =
>     failed. Returning NULL
>     Examining EXTRA_FLAGS...non-existent...non-existent and no sources...out-of-date.
>     EXTRA_FLAGS:? =
>     EXTRA_FLAGS: =
>     make: 1254-002 Cannot find a rule to create target EXTRA_FLAGS from dependencies. Stop.
>
> Thanks,

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Ver 3.4.7 joined to MS-AD authentication issues?
I am having issues with joining samba 3.4.7 to MS-Active Directory, MS-2003 with SFU installed. I am experiencing the same issue with the 3.4.7 version obtained from the pware site and with the version I have compiled on our IBM server.

The server joins to the domain without any issues. All of the wbinfo commands run (IE: using options -u, -g, -a, -i, etc). The command wbinfo -i user returns the correct userid and primary group id. I have modified the /etc/security/user and /usr/lib/security/methods.cfg files as required. I have placed a copy of WINBIND into /usr/lib/security.

However when I try and telnet to the server I get the following error after I have entered a valid login and password.

    3004-010 Failed setting terminal ownership and mode.

All references that I can find re this error on the internet say that the group ID that is being used is not in the /etc/group file. However it is. All of the inbuilt AIX checks say there is nothing wrong with my passwd, group or security files. If I login as a local user that uses the same group id I have no problems.

Has anyone got any ideas as to what the problem might be?

Craig.
Re: [Samba] krb5 library issues when Compiling 3.5.2 and 3.4.7 on AIX 5.3
    } ** Duplicate **     ../../gcc-4.2.4/gcc/libgcc2.c(/opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.4/libgcc.a[_divdi3.o])
    _GLOBAL__F___moddi3_7DED82B0      {/opt/pware/lib/libwbclient.so}
      ** Duplicate **     ../../gcc-4.2.4/gcc/libgcc2.c(/opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.4/libgcc.a[_moddi3.o])
    _GLOBAL__F___udivdi3_7DED82B0     {/opt/pware/lib/libwbclient.so}
      ** Duplicate **     ../../gcc-4.2.4/gcc/libgcc2.c(/opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.4/libgcc.a[_udivdi3.o])
    _GLOBAL__F___umoddi3_7DED82B0     {/opt/pware/lib/libwbclient.so}
      ** Duplicate **     ../../gcc-4.2.4/gcc/libgcc2.c(/opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.4/libgcc.a[_umoddi3.o])
    _GLOBAL__F___register_frame_info_bases_CBACD997   {/opt/pware/lib/libwbclient.so}
      ** Duplicate **     ../../gcc-4.2.4/gcc/unwind-dw2-fde.c(/opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.4/libgcc_eh.a[unwind-dw2-fde.o])
    _text                 crt0main.s(/lib/crt0.o)
      ** Duplicate **     {/opt/pware/lib/libwbclient.so}
    _etext                crt0main.s(/lib/crt0.o)
      ** Duplicate **     {/opt/pware/lib/libwbclient.so}
    _data                 crt0main.s(/lib/crt0.o)
      ** Duplicate **     {/opt/pware/lib/libwbclient.so}
    _edata                crt0main.s(/lib/crt0.o)
      ** Duplicate **     {/opt/pware/lib/libwbclient.so}
    end                   crt0main.s(/lib/crt0.o)
      ** Duplicate **     {/opt/pware/lib/libwbclient.so}
    _end                  crt0main.s(/lib/crt0.o)
      ** Duplicate **     {/opt/pware/lib/libwbclient.so}
    _libs_init_routine    ../../../../../../../src/bos/usr/ccs/lib/libc/__threads_init.c(/lib/crt0.o)
      ** Duplicate **     {/opt/pware/lib/libwbclient.so}
    _odm_init_routine     ../../../../../../../src/bos/usr/ccs/lib/libc/__threads_init.c(/lib/crt0.o)
      ** Duplicate **     {/opt/pware/lib/libwbclient.so}
    RESOLVE: 32797 of 54918 symbols were kept.
    RESOLVE: The return code is 4.
    (ld): addgl /usr/lib/glink.o
    ADDGL: Glink code added for 456 symbols.
    (ld): er full
    ld: 0711-318 ERROR: Undefined symbols were found.
    The following symbols are in error:
    Symbol                      Inpndx  TY CL Source-File(Object-File) OR Import-File{Shared-object}
                                RLD: Address  Section  Rld-type  Referencing Symbol
    ----------------------------------------------------------------------------------------------
    .wbcGetSidAliases           [6]     ER PR lib/winbind_util.c(lib/winbind_util.o)
                                00c8    .text   R_RBR  [58]   .winbind_get_sid_aliases
    .wbcGetpwsid                [48]    ER PR lib/winbind_util.c(lib/winbind_util.o)
                                0c9c    .text   R_RBR  [84]   .winbind_getpwsid
    .wbcChangeTrustCredentials  [142]   ER PR rpc_server/srv_netlog_nt.c(rpc_server/srv_netlog_nt.o)
                                3a94    .text   R_RBR  [256]  ._netr_LogonControl2Ex
    ER: The return code is 8.

The duplicates I can live with but the undefined symbols are an issue. As yet I have no idea how to resolve the undefined symbols.

Regards,
Craig Green
Support Consultant - Unix
Ultradata - Vision to Reality
+61 3 9291 1742
www.ultradata.com.au

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Craig Green
Sent: Monday, 19 April 2010 9:56 AM
To: 'William Jojo'; Michael Wood; christoph.be...@desy.de
Cc: Samba
Subject: Re: [Samba] krb5 library issues when Compiling 3.5.2 and 3.4.7 on AIX 5.3

Hi,

Thank you for your response. I am already specifying the -brtl option. I only listed the configure line of my build script. I really should have included all of the script. Here it is. I actually used the do-it script from the pware site as the basis for my script.
    #!/usr/bin/ksh93
    PATH=/usr/bin:/etc:/usr/sbin:/usr/bin/X11:/sbin:/opt/pware/bin:/opt/pware/sbin:/usr/java14/jre/bin:/usr/java14/bin:/usr/vac/bin:/usr/local/bin:/root
    export PATH
    SrcDir=/intsupport/samba/samba-3.4.7/source3
    env CC="gcc -maix32 -O2 -Wl,-blibpath:/opt/pware/lib:/usr/lib:/lib,-brtl" \
        CPPFLAGS="-I/opt/pware/include" \
        CFLAGS="-O2 -I/opt/pware/include" \
        LDFLAGS="-lcrypto -L/opt/pware/lib" \
    (cd ${SrcDir} \
    ./configure --with-acl-support --with-utmp --with-ads \
        --with-ldap --with-krb5=/opt/pware --with-pam \
        --with-libiconv=/opt/pware --with-sendfile-support \
        --prefix=/opt/pware/samba/3.4.7 --with-syslog --with-quotas \
        --with-winbind=yes --with-aio-support=yes --with-automount \
        --with-static-modules=vfs_aixacl2,vfs_aixacl \
        --with-shared-modules=idmap_rid,idmap_ad,idmap_tdb2 \
        --with-dnsupdate | tee ${SrcDir}/config-3.4.7.log )

The only kerberos component installed on the server is the krb5 package from the pware site, IE: there are no AIX krb components installed. The output from lslpp -l | grep -i krb returns:

    pware53.krb5.rte 1.7.1.1 COMMITTED MIT Kerberos
Re: [Samba] krb5 library issues when Compiling 3.5.2 and 3.4.7 on AIX 5.3
Hi,

Thank you for your response. I am already specifying the -brtl option. I only listed the configure line of my build script. I really should have included all of the script. Here it is. I actually used the do-it script from the pware site as the basis for my script.

    #!/usr/bin/ksh93
    PATH=/usr/bin:/etc:/usr/sbin:/usr/bin/X11:/sbin:/opt/pware/bin:/opt/pware/sbin:/usr/java14/jre/bin:/usr/java14/bin:/usr/vac/bin:/usr/local/bin:/root
    export PATH
    SrcDir=/intsupport/samba/samba-3.4.7/source3
    env CC="gcc -maix32 -O2 -Wl,-blibpath:/opt/pware/lib:/usr/lib:/lib,-brtl" \
        CPPFLAGS="-I/opt/pware/include" \
        CFLAGS="-O2 -I/opt/pware/include" \
        LDFLAGS="-lcrypto -L/opt/pware/lib" \
    (cd ${SrcDir} \
    ./configure --with-acl-support --with-utmp --with-ads \
        --with-ldap --with-krb5=/opt/pware --with-pam \
        --with-libiconv=/opt/pware --with-sendfile-support \
        --prefix=/opt/pware/samba/3.4.7 --with-syslog --with-quotas \
        --with-winbind=yes --with-aio-support=yes --with-automount \
        --with-static-modules=vfs_aixacl2,vfs_aixacl \
        --with-shared-modules=idmap_rid,idmap_ad,idmap_tdb2 \
        --with-dnsupdate | tee ${SrcDir}/config-3.4.7.log )

The only kerberos component installed on the server is the krb5 package from the pware site, IE: there are no AIX krb components installed. The output from lslpp -l | grep -i krb returns:

    pware53.krb5.rte 1.7.1.1 COMMITTED MIT Kerberos 1.7.1.

I have tried using the samba packages from the pware site and have had issues with integrating AIX with ADS. Refer to thread "AIX 5.3 Active Directory Synchronisation using Winbind". I thought I had overcome my issues by using 3.5.2 from the pware site but when I tried un-installing and re-installing 3.5.2 I had issues. I could not get wbinfo -i user to work. I kept getting "Could not get info for user x" or it would return data for the user but it would not use the uid and gid that was specified via SFU3.5 in the AD.

If I used 3.4.7 from the pware site then wbinfo -i would always verify the user and return the correct uid and gid as specified in the AD. However when you tried to telnet into the server an error would occur that implied that the group id was not in the group file. But it is listed and there is definitely nothing wrong with the passwd, group or /etc/security file(s).

So I thought I would go back to compiling samba from scratch to see if I could overcome the issues of AD integration.

I will export the vars CC, CPPFLAGS, CFLAGS and LDFLAGS and then run configure. The more I think about it, this is most likely the issue. It takes approx 2 hrs to run the configure script before it fails so I will update you once I have been able to test this.

Regards,
Craig Green
Support Consultant - Unix
Ultradata - Vision to Reality
+61 3 9291 1742
www.ultradata.com.au

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of William Jojo
Sent: Sunday, 18 April 2010 1:49 AM
To: Michael Wood; christoph.be...@desy.de
Cc: Samba
Subject: Re: [Samba] krb5 library issues when Compiling 3.5.2 and 3.4.7 on AIX 5.3

---------- Original message ----------
Date: Fri, 16 Apr 2010 10:38:09 +0200
From: Michael Wood esiot...@gmail.com
Subject: Re: [Samba] krb5 library issues when Compiling 3.5.2 and 3.4.7 on AIX 5.3
To: christoph.be...@desy.de
Cc: Samba samba@lists.samba.org

> Hi
>
> On 16 April 2010 09:59, christoph.be...@desy.de wrote:
> > Hi,
> > try --with-krb5=/path/to/your/kerberos/installation/root
>
> I suggested this at the bottom of his message and then realised that he had done this.

The real problem is the ld command will not search for libs that end with .so unless you provide the -brtl option.

BTW, 3.5.2 is available on the site, unless there are features you don't need. :-)

The method of configuring Samba that I use for pWare is:

    env CC="gcc -O2 -Wl,-blibpath:/opt/pware/lib:/usr/lib:/lib,-brtl" \
        CPPFLAGS="-I/opt/pware/include" \
        CFLAGS="-O2 -I/opt/pware/include" \
        LDFLAGS="-L/opt/pware/lib" \
        ./configure --with-acl-support --with-utmp \
        --with-ldap --with-krb5=/opt/pware \
        --with-libiconv=/opt/pware --with-sendfile-support \
        --prefix=/opt/pware --with-syslog --with-quotas \
        --with-winbind=yes --with-aio-support=yes --with-automount \
        --with-pam --with-acl-support \
        --with-static-modules=vfs_aixacl2,vfs_aixacl \
        --with-shared-modules=idmap_rid,idmap_ad,vfs_gpfs,idmap_tdb2

Cheers,
Bill

> or
>
>     export CPPFLAGS=-I/your/krb/dir/include
>     export LDFLAGS="$LDFLAGS -L/your/krb/dir/lib"
>
> This might be worth a try.
>
> --
> Michael Wood esiot...@gmail.com
[Samba] krb5 library issues when Compiling 3.5.2 and 3.4.7 on AIX 5.3
I have been trying to configure/compile Samba 3.5.2 and 3.4.7 on AIX 5.3 with ML-11 and ML-10. The configure issues that I am getting only occur if I use --with-ads. I can run configure on both versions if I do not include ADS support.

The errors I get are:

    checking for krb5_principal_get_realm... no
    checking for krb5_princ_realm... no
    configure: WARNING: krb5_mk_req_extended not found in -lkrb5
    configure: WARNING: no CREATE_KEY_FUNCTIONS detected
    configure: WARNING: no GET_ENCTYPES_FUNCTIONS detected
    configure: WARNING: no KT_FREE_FUNCTION detected
    configure: WARNING: no KRB5_VERIFY_CHECKSUM_FUNCTION detected
    configure: error: krb5 libs don't have all features required for Active Directory support

It appears that I am missing the krb5-libs, is this correct?

If I do not include --with-ads I get the same WARNINGS but do not get the error. The error is now actually a warning, as per:

    configure: WARNING: krb5 libs don't have all features required for Active Directory support
    checking whether Active Directory and krb5 support is used... no

I have also tried compiling KRB5 from source. It compiles and I can install what I have compiled but I still get the same warnings and error. I am using gcc, etc. from the pware.hvcc site.
The packages I have installed are:

    pware53.autoconf.rte    2.63.0.0   COMMITTED  GNU autoconf 2.63
    pware53.base.rte        5.3.0.0    COMMITTED  pWare base for 5.3
    pware53.bdb.rte         4.7.25.4   COMMITTED  Berkeley DB 4.7.25
    pware53.bison.rte       2.4.0.0    COMMITTED  GNU bison 2.4
    pware53.cyrus-sasl.rte  2.1.23.1   COMMITTED  cyrus-sasl 2.1.23
    pware53.gcc-g++.rte     4.2.4.0    COMMITTED  GNU GCC
    pware53.gettext.rte     0.17.0.0   COMMITTED  GNU gettext 0.17
    pware53.gmp.rte         4.3.1.0    COMMITTED  gmp 4.3.1
    pware53.krb5.rte        1.7.1.1    COMMITTED  MIT Kerberos 1.7.1
    pware53.libiconv.rte    1.13.1.0   COMMITTED  GNU libiconv 1.13.1
    pware53.libtool.rte     1.5.26.0   COMMITTED  GNU libtool 1.5.26
    pware53.m4.rte          1.4.12.0   COMMITTED  GNU m4 1.4.12
    pware53.make.rte        3.81.0.0   COMMITTED  GNU make 3.81
    pware53.mpfr.rte        2.4.1.5    COMMITTED  mpfr 2.4.1-p5
    pware53.ncurses.rte     5.7.0.1    COMMITTED  ncurses 5.7.0.1
    pware53.openldap.rte    2.4.21.1   COMMITTED  OpenLDAP 2.4.21
    pware53.openssl.rte     0.9.8.13   COMMITTED  OpenSSL 0.9.8m
    pware53.popt.rte        1.10.4.0   COMMITTED  popt 1.10.4
    pware53.readline.rte    6.1.0.0    COMMITTED  GNU readline 6.1
    pware53.zlib.rte        1.2.4.0    COMMITTED  zlib 1.2.4

Here is my configure line:

    ./configure --with-acl-support --with-utmp --with-ads \
        --with-ldap --with-krb5=/opt/pware --with-pam \
        --with-libiconv=/opt/pware --with-sendfile-support \
        --prefix=/opt/pware/samba/3.4.7 --with-syslog --with-quotas \
        --with-winbind=yes --with-aio-support=yes --with-automount \
        --with-static-modules=vfs_aixacl2,vfs_aixacl \
        --with-shared-modules=idmap_rid,idmap_ad,idmap_tdb2 \
        --with-dnsupdate

Does anyone have any idea as to what the problem is?

Regards,
Craig Green
Support Consultant - Unix
Ultradata - Vision to Reality
+61 3 9291 1742
www.ultradata.com.au
Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind
Hi William,

I appear to have resolved the main issue. I have had to include both

    idmap config ULTRADATA : schema_mode = sfu

and

    winbind nss info = sfu

in the smb.conf file. Without either of these settings wbinfo -i does not work correctly. I found this fix listed in a posting labeled "Windows server 2003 SP2, SFU 3.5 and Samba 3.0.28". When I have the entry in smb.conf I can readily resolve AD users and login via a telnet session using their AD password.

I now only have one issue left and that is the allocation of the primary group id from that specified in the SFU setup for a user account. The user id as specified in the SFU setup is being used but the group id is not. EG:

    wbinfo -i abloggs

returns

    abloggs:*:1300:1::/home/support/amu:/bin/ksh

The correct uid of 1300 is used but the group id of 208 that is set is not. I have tried using the setting of

    idmap config ULTRADATA : range = 200-

in case this controls the uid and gid. However the gid stays set to 1.

Over the next few days I am going to try uninstalling and reinstalling samba, setting smb.conf to the required settings that I have discovered before I join the domain and/or start samba/winbind etc.

Regards,
Craig Green
Support Consultant - Unix
Ultradata - Vision to Reality
+61 3 9291 1742
www.ultradata.com.au

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Craig Green
Sent: Friday, 9 April 2010 1:31 PM
To: 'William Jojo'
Cc: samba@lists.samba.org; 'John Welch'
Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind

Hi William,

OK. I have installed samba 3.5.2 from your site along with its required dependencies. I have been able to join the AIX server to the domain, etc, without any issues. However I am still having some issues, though they are now slightly different from what I was originally having.

Here is the output from wbinfo -i and lsuser -R WINBIND with slightly different settings in smb.conf.
The first is with the following entries commented out:

    ;idmap config ULTRADATA : default = yes
    ;idmap config ULTRADATA : backend = ad
    ;idmap config ULTRADATA : range = 1000-
    ;winbind nss info = sfu

Without these implicit settings the shell is definitely /bin/false.

    $ wbinfo -i jcitizen
    jcitizen:*:1009:1:John Citizen:/home/ULTRADATA/jcitizen:/bin/false
    $ lsuser -R WINBIND jcitizen
    jcitizen id=1009 pgrp=domain users home=/home/ULTRADATA/jcitizen shell=/bin/false gecos=John Citizen login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND SYSTEM=WINBIND or compat logintimes= loginretries=4 pwdwarntime=21 account_locked=false minage=0 maxage=0 maxexpired=1 minalpha=2 minother=2 mindiff=4 maxrepeats=2 minlen=8 histexpire=8 histsize=2 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=524288 stack=524288 core=2097151 rss=524288 nofiles=-1 time_last_login=1267768837 time_last_unsuccessful_login=1270702351 tty_last_login=ssh tty_last_unsuccessful_login=/dev/pts/2 host_last_login=jcitizen.ultradata.com.au host_last_unsuccessful_login=jcitizen.ultradata.com.au unsuccessful_login_count=0 roles= pgid=1 SID=S-1-5-21-2908653425-2220236570-374614302-7401

If I activate these settings within smb.conf (uncomment them and stop/start samba), so as to get the relevant home dir, login shell, etc from the AD values set within SFU, then the shell is /bin/ksh and the home dir is correct. These are the values set in the Unix Attributes tab of the properties settings of the user on the AD server. If I change the shell or home directory settings then it is reflected by the wbinfo -i or lsuser commands.

    $ wbinfo -i jcitizen
    jcitizen:*:1009:1::/home/support/jci:/bin/ksh
    $ lsuser -R WINBIND jcitizen
    jcitizen id=1009 pgrp=domain users home=/home/support/jci shell=/bin/ksh gecos= login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND SYSTEM=WINBIND or compat logintimes= loginretries=4 pwdwarntime=21 account_locked=false minage=0 maxage=0 maxexpired=1 minalpha=2 minother=2 mindiff=4 maxrepeats=2 minlen=8 histexpire=8 histsize=2 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=524288 stack=524288 core=2097151 rss=524288 nofiles=-1 time_last_login=1267768837 time_last_unsuccessful_login=1270767969 tty_last_login=ssh tty_last_unsuccessful_login=/dev/pts/2 host_last_login=jcitizen.ultradata.com.au host_last_unsuccessful_login=jcitizen.ultradata.com.au unsuccessful_login_count=1 roles= pgid=1 SID=S-1-5-21-2908653425-2220236570-374614302-7401

With either of these settings I can telnet into the server using the login of jcitizen and the password as set in the AD. Of course when the shell is set as /bin/false the session gets logged off
Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind
, they can, but their relevant userid is incorrect as well as their group id.

Also, if I try and use still another login, abloggs, I get the following when using wbinfo -i and lsuser abloggs.

    $ wbinfo -i abloggs
    Could not get info for user abloggs
    $ lsuser abloggs
    User abloggs does not exist.

However the wbinfo -n command returns the relevant SID.

    $ wbinfo -n abloggs
    S-1-5-21-2908653425-2220236570-374614302-7403 SID_USER (1)

If I check the log.wb-ULTRADATA file I can see the info for abloggs as held in the AD.

    [2010/04/09 10:59:00.166520, 3] winbindd/winbindd_ads.c:572(query_user)
      ads query_user gave abloggs
    [2010/04/09 10:59:00.167218, 10] winbindd/winbindd_cache.c:536(refresh_sequence_number)
      refresh_sequence_number: ULTRADATA time ok
    [2010/04/09 10:59:00.167821, 10] winbindd/winbindd_cache.c:581(refresh_sequence_number)
      refresh_sequence_number: ULTRADATA seq number is now 25356801
    [2010/04/09 10:59:00.169370, 10] winbindd/winbindd_cache.c:962(wcache_save_user)
      wcache_save_user: S-1-5-21-2908653425-2220236570-374614302-7403 (acct_name abloggs)
    [2010/04/09 10:59:00.170043, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
      wbint_QueryUser: struct wbint_QueryUser
        out: struct wbint_QueryUser
          info : *
            info: struct wbint_userinfo
              acct_name : *
                acct_name : 'abloggs'
              full_name : *
                full_name : 'Andrew Bloggs'
              homedir : *
                homedir : '/home/support/amu'
              shell : *
                shell : '/bin/ksh'
              primary_gid : 0x00d0 (208)
              user_sid : S-1-5-21-2908653425-2220236570-374614302-7403
              group_sid : S-1-5-21-2908653425-2220236570-374614302-513
          result : NT_STATUS_OK

After waiting over two hours, to see if for some reason it was a timing issue, I still cannot get info on the account abloggs. It is definitely defined in the AD and has the relevant Unix Attributes set.

So in summary:

- installing 3.5.2 seems to have resolved the telnet login for accounts that wbinfo -i can return data for
- the uids and gids for given users are not being assigned as I would expect
- cannot access information for all AD logins in a consistent manner

Any assistance or any insights into what I must be doing incorrectly would be greatly appreciated.

Regards,
Craig Green
Support Consultant - Unix
Ultradata - Vision to Reality
+61 3 9291 1742
www.ultradata.com.au

-----Original Message-----
From: William Jojo [mailto:w.j...@hvcc.edu]
Sent: Thursday, 8 April 2010 10:09 PM
To: Craig Green
Cc: 'John Welch'; samba@lists.samba.org
Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind

Craig Green wrote:

Hi John,

Thank you for your reply. I really appreciate your input.

I have been using Samba on our AIX servers for the last few years. Up until recently I have always used security = DOMAIN (with versions 3.0.28 and 3.3.9). I have had no issues with that type of setup. It is only now that I have been testing integration into MS AD and using security = ADS that I am having problems. The Samba versions I have tried with ADS are 3.3.9 and 3.5.0. Version 3.3.9 was compiled from scratch. I get the same issues with both versions. Originally I thought the issues must be with my compiled version. However it seems to be some sort of AIX config issue since I get the same issues with version 3.5.0, which is the pre-compiled version from the hvcc.edu site.

I am stumped as to what the issue is. Everything I can find on the net re using samba and winbind implies I have the correct setup, but this cannot be the case since I cannot get it to work. I must have something wrong but for the life of me I cannot figure it out.

Re the question of whether we really need ADS security mode: well, most likely not. We could integrate using ldap, but my understanding is that using winbind is a less complicated method, or it is supposed to be.

In regards to the correct version of WINBIND, I have checked this previously and the correct version is being used. In the past I have been able to connect a Linux server to an MS-AD, but the Linux server uses NSS. AIX does not have NSS, but I believe the changes to the /etc/security/user file are supposed to replace this. I am guessing the issue has something to do with this. However I have found info on the www that says other users of AIX have been able to use Samba and WINBIND to join an ADS and to authenticate back to the AD without issues once they have made the alterations to the /etc/security/user
Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind
Hi John,

Thank you for your reply. I really appreciate your input.

I have been using Samba on our AIX servers for the last few years. Up until recently I have always used security = DOMAIN (with versions 3.0.28 and 3.3.9). I have had no issues with that type of setup. It is only now that I have been testing integration into MS AD and using security = ADS that I am having problems. The Samba versions I have tried with ADS are 3.3.9 and 3.5.0. Version 3.3.9 was compiled from scratch. I get the same issues with both versions. Originally I thought the issues must be with my compiled version. However it seems to be some sort of AIX config issue since I get the same issues with version 3.5.0, which is the pre-compiled version from the hvcc.edu site.

I am stumped as to what the issue is. Everything I can find on the net re using samba and winbind implies I have the correct setup, but this cannot be the case since I cannot get it to work. I must have something wrong but for the life of me I cannot figure it out.

Re the question of whether we really need ADS security mode: well, most likely not. We could integrate using ldap, but my understanding is that using winbind is a less complicated method, or it is supposed to be.

In regards to the correct version of WINBIND, I have checked this previously and the correct version is being used. In the past I have been able to connect a Linux server to an MS-AD, but the Linux server uses NSS. AIX does not have NSS, but I believe the changes to the /etc/security/user file are supposed to replace this. I am guessing the issue has something to do with this. However I have found info on the www that says other users of AIX have been able to use Samba and WINBIND to join an ADS and to authenticate back to the AD without issues once they have made the alterations to the /etc/security/user and methods.cfg files.

If I perform a test to verify that communications between Samba-3 winbind and the Active Directory server are using Kerberos protocols, I get the correct data back.

    $ net ads info
    LDAP server: 172.16.xxx.xxx
    LDAP server name: blue.testrealm.com.au
    Realm: TESTREALM.COM.AU
    Bind Path: dc=TESTREALM,dc=COM,dc=AU
    LDAP port: 389
    Server time: Tue, 06 Apr 2010 11:27:22 EET
    KDC server: 172.16.xxx.xxx
    Server time offset: 0

The net ads status command also returns the correct data. So everything I do implies I am communicating correctly with the AD. However authentication does not work.

I also agree with you that the hvcc.edu site is an awesome project. Without it my life would certainly be more difficult.

Regards,
Craig Green
Support Consultant - Unix
Ultradata - Vision to Reality
+61 3 9291 1742
www.ultradata.com.au

-----Original Message-----
From: John Welch [mailto:jwe...@brosco.com]
Sent: Saturday, 3 April 2010 1:10 AM
To: William Jojo
Cc: samba@lists.samba.org; Craig Green
Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind

- William Jojo w.j...@hvcc.edu wrote:

Original message
Date: Fri, 2 Apr 2010 08:15:38 -0400 (EDT)
From: John Welch jwe...@brosco.com
Subject: Re: [Samba] AIX 5.3 Active Directory Synchronisation using Winbind
To: cgr...@ultradata.com.au
Cc: samba@lists.samba.org

I know one issue I ran into when I recently upgraded Samba on the AIX box was that the WINBIND file in /usr/lib/security was a symbolic link that was not linked to the correct version of Samba. Have you looked at this file and verified that it is correct?

John,

Can you provide a little more on the problem you had? I'm not able to find the broken link in my development servers (32 or 64 bit), and I *really* want to improve our quality control.

Glad to hear the project is working out for you otherwise. :-)

Cheers,
Bill

Hi Bill,

Prior to the recent upgrade to 3.4.5 we had been using an old 3.0 version (3.0.28) from your pware project. At that level of Samba at least, the directory structure was /opt/pware/samba/version. I did the upgrade a few months ago, so I'm trying to recall from memory the exact issue, but I believe after upgrading the WINBIND symbolic link was still pointing to the 3.0.28 binary. Not sure if the upgrade should have fixed this automatically or not. Really a minor thing, but something I overlooked initially.

Your project is awesome... Keep up the good work!

Thanks,
John
[Samba] AIX 5.3 Active Directory Synchronisation using Winbind
I have been trying to get AIX 5.3 ML-11 integrated with MS AD (MS-2003 with SP2 and SFU 3.5). It has given me a few grey hairs. I have not been able to get it to function correctly.

I have followed various tech articles and installation notes that I have found on the web. They are all basically the same in that they suggest to either compile the required components from scratch or to use the precompiled packages from the pware.hvcc.edu site. I originally tried compiling from scratch/source, which I have always done in the past when using samba as a NT4 domain member. This is the first time I have tried integrating into MS AD. My latest attempt is with using the pre-compiled packages from the hvcc site. I run into the same issues with both types of setup (i.e. compiling samba from scratch or using the pware53 packages).

When I have samba installed and joined to the AD the following commands work as expected.

    wbinfo -u
    wbinfo -g
    wbinfo -a username

However if I try and telnet to the AIX server or connect to a share, the AD is not being used for authenticating the password. When trying a telnet login I get back “3004-007 You entered an invalid login name or password.”

Following is a list of what I have installed etc.

AIX: 5.3 ML-11-03-1013

    pware53.base.rte        5.3.0.0    COMMITTED  pWare base for 5.3
    pware53.bdb.rte         4.6.21.4   COMMITTED  Berkeley DB 4.6.21
    pware53.cyrus-sasl.rte  2.1.22.2   COMMITTED  cyrus-sasl 2.1.22
    pware53.gettext.rte     0.17.0.0   COMMITTED  GNU gettext 0.17
    pware53.krb5.rte        1.7.1.0    COMMITTED  MIT Kerberos 1.7.1
    pware53.libiconv.rte    1.13.1.0   COMMITTED  GNU libiconv 1.13.1
    pware53.ncurses.rte     5.7.0.1    COMMITTED  ncurses 5.7.0.1
    pware53.openldap.rte    2.4.19.0   COMMITTED  OpenLDAP 2.4.19
    pware53.openssl.rte     0.9.8.13   COMMITTED  OpenSSL 0.9.8m
    pware53.popt.rte        1.10.4.0   COMMITTED  popt 1.10.4
    pware53.readline.rte    6.1.0.0    COMMITTED  GNU readline 6.1
    pware53.samba.rte       3.5.0.0    COMMITTED  Samba 3.5.0
    pware53.zlib.rte        1.2.3.0    COMMITTED  zlib 1.2.3

The kerberos krb5.conf. Below is the one I'm using in my environment.

    --- krb5.conf - start ---
    [libdefaults]
      default_realm = TESTREALM.COM.AU
      dns_lookup_realm = false
      dns_lookup_kdc = false
      ticket_lifetime = 24h
      forwardable = yes
    [realms]
      TESTREALM.COM.AU = {
        kdc = ad01.testrealm.com.au:88
        default_domain = testrealm.com.au
        admin_server = ad01.testrealm.com.au:749
      }
    [domain_realm]
      .kerberos.server = TESTREALM.COM.AU
      .domain.com = TESTREALM.COM.AU
      domain.com = TESTREALM.COM.AU
      .testrealm.com.au = TESTREALM.COM.AU
      testrealm.com.au = TESTREALM.COM.AU
    [logging]
      default = FILE:/var/log/krb5/krb5libs.log
      kdc = FILE:/var/log/krb5/krb5kdc.log
      admin_server = FILE:/var/log/krb5/kadmind.log
    [appdefaults]
      pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
      }
    --- krb5.conf - ends ---

I can execute

    $ kinit [AD username]

and this asks me for a password; I fill that in and if everything goes well.

Here is the global section of my smb.conf file.

    --- smb.conf [global] section - start ---
    comment = AIX Internal Services - Samba %v
    workgroup = TESTREALM
    netbios name = %h
    security = ADS
    realm = TESTREALM.COM.AU
    encrypt passwords = Yes
    password server = ab01
    username map = /etc/samba/lib/smbusers.map
    log file = /etc/samba/var/%m.log
    log level = 2
    interfaces = en0 lo0
    bind interfaces only = yes
    name resolve order = host wins bcast
    keepalive = 30
    printcap name = /etc/qconfig
    os level = 0
    lm announce = False
    preferred master = False
    local master = No
    domain master = False
    wins server = 172.16.xxx.yyy        ← I have obfuscated the last two octets.
    guest account = guest
    admin users = sh, root, cgr
    read only = No
    create mask = 0770
    directory mask = 0770
    map archive = No
    follow symlinks = No
    dont descend = /dev,/proc,/root,/stand
    load printers = no
    passdb backend = tdbsam
    smb passwd file = /etc/samba/private/tdbsam
    unix extensions = no
    winbind use default domain = yes
    idmap uid = 1-20
    idmap gid = 1-20
    auth methods = winbind
    winbind enum users = yes
    winbind enum groups = yes
    --- smb.conf [global] section - end ---

I can join the AIX server to the AD domain using

    $ net ads join -U[AD username]
    Enter [AD username]'s password:
    Using short domain name -- TESTREAM
    Joined 'AIXSERVER' to realm 'testrealm.com.au'
    $

I can then start nmbd,