From: William Jojo on 27 Apr 2010 08:10

Yashpal Nagar wrote:
> Hi All
>
> I'm trying to integrate samba server with ADS on AIX 6.1 TL04, for last one
> week, with idmap / winbind but no satisfactory results. I have gone through
> various links at samba.org relating to winbind, idmapper and followed
> http://pware.hvcc.edu/ for precompiled binaries and
> http://pware.hvcc.edu/AIX-Samba.pdf which is for AIX 6.1 TL03 though.
>

It shouldn't matter. The TLs are just IBM's way of drawing lines for patch sets. The documentation was updated when TL-03 was released. The code compiled on 5.3 should run just fine under 6.1.

> I have found the samba which is provided by IBM with expansion pack doesn't
> have support for ADS. The binaries I have tried with are both 32 bit and
> 64bit of samba, neither of them has worked for me. ADS join is ok, I am able
> to see all good output for wbinfo -t/-m/-p etc.
>
> I have copied the WINBIND module under /usr/lib/security and changed
> /usr/lib/security/methods.cfg
> as
>     WINBIND:
>         program = /usr/lib/security/WINBIND
>         options = authonly

Please remove the authonly, it's not necessary.

> the /etc/security/user the default stanza with
>
>     SYSTEM = "WINBIND OR compat"
>
> The errors I have repeatedly encountered are --
>     Could not trigger lookup sid
>     sid2gid returned an error
>     Could not lookup name for user MYDOMAIN\USER1
>
> Some other errors are
>     Error GID range is full!!
>

This is an indication that the winbind configuration may be incorrect. In general, the AD configurations work as expected on AIX.

Could you post your smb.conf for review? Also, are you using the LDAP backend or TDB? The IDMAP piece has been significantly modified from 3.3.x through 3.5.x, so some docs (including my own) may need some revision and depending on how yours is written may be getting misinterpreted.

I am posting info from one of my (old - 5.3-TL6-SP4) AIX machines running 3.5.2 joined to w2k8R2:

    [aixdev:/] # oslevel -s
    5300-06-04-0748

    [aixdev:/] # lslpp -l pware*
      Fileset                      Level  State      Description
      ----------------------------------------------------------------------------
    Path: /usr/lib/objrepos
      pware53.base.rte           5.3.0.0  COMMITTED  pWare base for 5.3
      pware53.bash.rte          4.0.35.0  COMMITTED  GNU bash 4.0
      pware53.bdb.rte           4.7.25.4  COMMITTED  Berkeley DB 4.7.25
      pware53.cyrus-sasl.rte    2.1.23.1  COMMITTED  cyrus-sasl 2.1.23
      pware53.gettext.rte       0.17.0.0  COMMITTED  GNU gettext 0.17
      pware53.krb5.rte           1.7.1.1  COMMITTED  MIT Kerberos 1.7.1
      pware53.libiconv.rte      1.13.1.0  COMMITTED  GNU libiconv 1.13.1
      pware53.ncurses.rte        5.7.0.1  COMMITTED  ncurses 5.7.0.1
      pware53.openldap.rte      2.4.21.1  COMMITTED  OpenLDAP 2.4.21
      pware53.openssl.rte       0.9.8.13  COMMITTED  OpenSSL 0.9.8m
      pware53.popt.rte          1.10.4.0  COMMITTED  popt 1.10.4
      pware53.readline.rte       6.1.0.0  COMMITTED  GNU readline 6.1
      pware53.samba.rte          3.5.2.0  COMMITTED  Samba 3.5.2
      pware53.tar.rte           1.22.0.0  COMMITTED  GNU tar 1.22
      pware53.zlib.rte           1.2.4.0  COMMITTED  zlib 1.2.4

    [aixdev:/] # cat /opt/pware/lib/smb.conf
    [global]
        security = ads
        realm = DEV35.LOCAL
        password server = 151.103.35.21
        workgroup = DEV35
        winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        log level = 3
        template homedir = /home/%D/%U
        template shell = /opt/pware/bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2
    [netlogon]
        path = /netlogon

    [aixdev:/] # net ads testjoin
    Join is OK

    [aixdev:/] # wbinfo -u
    administrator
    guest
    krbtgt
    w.jojo

    [aixdev:/] # wbinfo -g
    domain computers
    domain controllers
    schema admins
    enterprise admins
    cert publishers
    domain admins
    domain users
    domain guests
    group policy creator owners
    ras and ias servers
    allowed rodc password replication group
    denied rodc password replication group
    read-only domain controllers
    enterprise read-only domain controllers
    dnsadmins
    dnsupdateproxy
    ctxpilot

    [aixdev:/] # lsuser w.jojo
    w.jojo id=10000 pgrp=domain users home=/home/DEV35/w.jojo
    shell=/opt/pware/bin/bash gecos=William Jojo login=true su=true rlogin=true
    daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL
    expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND SYSTEM=compat or
    WINBIND logintimes= loginretries=0 pwdwarntime=0 account_locked=false
    minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8
    minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1
    data=-1 stack=-1 core=2097151 rss=-1 nofiles=-1 roles= id=10000 pgrp=domain
    users home=/home/DEV35/w.jojo shell=/opt/pware/bin/bash pgid=10000
    gecos=William Jojo shell=/opt/pware/bin/bash pgrp=domain users
    SID=S-1-5-21-2261283086-3937381662-459627218-1113

    [aixdev:/] # cat /usr/lib/security/methods.cfg
    * @(#)78 1.5 src/bos/usr/lib/security/methods.cfg.S, cmdsadm, bos530 6/11/03 17:06:16
    ********************************************************************************
    *
    * Authentication methods:
    *
    * auth_method:
    *       program = /any/program
    *       program_64 = /any/program64
    *
    * auth_method corresponds to a custom authentication method specified in
    * the SYSTEM attribute in /etc/security/user, and /any/program is the
    * program to run in order to do the authentication. The program_64 attribute
    * should be used for process running in 64 bit mode, /any/program64 is
    * a 64 bit program.
    *
    * Two optional attributes may be defined for load modules. They are:
    *
    *   The "domain" attribute is used by methods which support multiple
    *   domains.
    *
    *   The "options" attribute provides a means of communicating
    *   run-time configuration options to the load module. Please refer
    *   to the documentation for the load module for appropriate values.
    *
    * If you are using Common Desktop Environment (CDE), you must restart the
    * desktop login manager (dtlogin) for any changes to take effect.
    * Restarting dtlogin will prevent CDE login failure using the updated security
    * mechanisms. Please read the /usr/dt/README file for more related
    * information.
    *
    ********************************************************************************

    WINBIND:
            program = /usr/lib/security/WINBIND

Here is an example of logging into AIX with telnet:

    AIX Version 5
    Copyright IBM Corporation, 1982, 2007.
    login: w.jojo
    w.jojo's Password:
    **************************************************************************
    *                                                                        *
    * Use of this system is restricted to authorized personnel only and must *
    * comply with federal, state and local laws in addition to campus        *
    * regulations.                                                           *
    *                                                                        *
    * UNAUTHORIZED USE IS STRICTLY PROHIBITED!                               *
    *                                                                        *
    * dev35 p505 5.3                                                         *
    *                                                                        *
    **************************************************************************

    w.jojo   pts/1   Apr 27 07:07   (somwhere.hvcc.edu)

    [aixdev] $ cat /etc/passwd
    root:!:0:0::/:/usr/bin/ksh
    daemon:!:1:1::/etc:
    bin:!:2:2::/bin:
    sys:!:3:3::/usr/sys:
    adm:!:4:4::/var/adm:
    uucp:!:5:5::/usr/lib/uucp:
    guest:!:100:100::/home/guest:
    nobody:!:4294967294:4294967294::/:
    lpd:!:9:4294967294::/:
    lp:*:11:11::/var/spool/lp:/bin/false
    invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh
    snapp:*:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
    ipsec:*:201:1::/etc/ipsec:/usr/bin/ksh
    nuucp:*:7:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
    ldap:*:202:1::/home/ldap:/usr/bin/ksh
    sbnet:*:22501:1:Remote Services:/usr/lpp/sysback:/usr/bin/ksh
    [aixdev] $

As you can see the user w.jojo is an AD user.

/etc/security/user has in the default stanza:

    SYSTEM = "compat or WINBIND"

Hope this helps!

Cheers,
Bill

> No matter I removed *.tdb files, specified new ranges etc, this GID error
> persistently appears. I have reached the point where user authentication is
> successful but sid to gid mapping doesn't work, or lookup for that AD user
> fails. The AD seems to be OK, as another server AIX 5.2 is already working
> with samba compiled with ADS support.
>
> What I would like to know.
> 1. How do we compile samba from scratch, I tried 3.5.2, ./configure was OK,
> but this didn't create any makefile! I understand I need to
> compile kerberos, db, openldap before compiling samba, which version of the
> dependent software (kerberos, db, openldap) should be used?
> 2. How can I resolve this GID range full error.
> 3. What shall be done to have sid to gid mapping.
>
> Best Regards,
> Yash

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Yashpal Nagar on 27 Apr 2010 09:40

On Tue, Apr 27, 2010 at 5:32 PM, William Jojo <w.jojo(a)hvcc.edu> wrote:
> [...]

Thanks a lot Bill for your reply.
My smb.conf
-------------------------------------------------
[global]
    workgroup = MYGRP
    domain master = no
    local master = no
    server string = Test Samba Server
    netbios name = FOO
    realm = AA.DK
    allow trusted domains = no
    security = ADS
    encrypt passwords = yes
    password server = *
    dns proxy = no
    log level = 3
    max log size = 100
    log file = /var/log/samba/%m.log
    client use spnego = yes
    idmap domains = MYGRP
    idmap config MYGRP:default = yes
    idmap config MYGRP:backend = tdb
    idmap config MYGRP:range = 200000 - 500000
    idmap alloc backend = tdb
    idmap alloc config:range = 200000 - 500000
    restrict anonymous = yes
    wins server = namesrv04 namesrv03
    name resolve order = wins bcast
-----------------------------------------------------

When I run testparm, it says unrecognised "idmap domains = MYGRP". If I comment that out this throws no error for 'net ads testjoin' etc. No matter whichever samba ver I use it complains about this line; I may notice you have mentioned the same example in one of your examples in your pdf, under IDMAP_TDB.

Other smb.conf, I have tried, which works well on AIX 5.2, but didn't work with precompiled binaries on AIX 6.1
-------------------------------------------------------
[global]
    workgroup = MYGRP
    domain master = no
    local master = no
    server string = Test Samba Server
    netbios name = foo
    realm = AA.DK
    allow trusted domains = no
    security = ADS
    encrypt passwords = yes
    password server = *
    dns proxy = no
    log level = 1
    max log size = 100
    log file = /var/log/samba/%m.log
    idmap uid = 100000-999999
    idmap gid = 1000000-1999999
    restrict anonymous = yes
    wins server = namesrv04 namesrv03
    name resolve order = wins bcast
    winbind enum groups = no
    winbind enum users = no
    winbind cache time = 300
    winbind use default domain = yes
--------------------------------------------------

Since the existing setup (AIX5.2) works well with tdb backend, though it is not explicitly mentioned in the config above, I can see a large winbindd_idmap.tdb under $SAMBA/var. I would keep the same tdb (default?) backend.

What I would like know -

1. Which samba binaries you have installed, I believe it is 32 bit. Can I use 64 bit binaries on a production server? You have mentioned *The 64-bit code is to be treated as PRODUCTION.* What does this mean? If this PRODUCTION means it shall be used for production servers, or it is for you/SAMBA development team currently using for development/production of samba. Some more information here on your website surely would help more.

3. After changing methods.cfg, user file, is there any program that needs to be restarted apart from samba, or a server reboot?

4. I understand AIX uses LAM, instead of PAM which is used on Linux. Is there any setting related to LAM we got to do on AIX? There is no nsswitch.conf file as well; I assume since these binaries are already compiled for that platform, it should take care automatically?

Please let me know your comments, I shall test this out tomorrow.

Your website is a big relief to many, keep up the good work.

Regards
Yash
From: William Jojo on 27 Apr 2010 15:00

Yashpal Nagar wrote:
>
> Thanks a lot Bill for your reply.
>
> My smb.conf
> -------------------------------------------------
> [global]

As a member server, I would have expected workgroup to be "AA", that is, the prefix of the realm.

>     workgroup = MYGRP
>     domain master = no
>     local master = no
>     server string = Test Samba Server
>     netbios name = FOO
>     realm = AA.DK
>     allow trusted domains = no
>     security = ADS
>     encrypt passwords = yes
>     password server = *
>     dns proxy = no
>     log level = 3
>     max log size = 100
>     log file = /var/log/samba/%m.log
>     client use spnego = yes

Remove the following:

>     idmap domains = MYGRP
>     idmap config MYGRP:default = yes
>     idmap config MYGRP:backend = tdb
>     idmap config MYGRP:range = 200000 - 500000
>     idmap alloc backend = tdb
>     idmap alloc config:range = 200000 - 500000

Add the following:

    idmap uid = 200000-500000
    idmap gid = 200000-500000

Please see the following:

http://samba.org/samba/docs/man/manpages-3/idmap_tdb.8.html

But ignore the last example. :-)

The "idmap alloc" is only necessary if the allocator is not going to the tdb model specified by "idmap backend".

The man pages are very out of sync with the reality of IDMAP, but IDMAP is not a simple component and not always easy to debug, but I think it is in a better place now than previously.

>     restrict anonymous = yes
>     wins server = namesrv04 namesrv03
>     name resolve order = wins bcast
> -----------------------------------------------------
> When I run testparm, it says unrecognised "idmap domains = MYGRP". If
> I comment that out this throws no error for 'net ads testjoin' etc. No
> matter whichever samba ver I use it complains about this line; I may
> notice you have mentioned the same example in one of your examples in your
> pdf, under IDMAP_TDB.
>

Yeah, as of 3.3, that's not the case any longer. I will update my docs to reflect the truth. :-)

> Other smb.conf, I have tried, which works well on AIX 5.2, but didn't
> work with precompiled binaries on AIX 6.1
> -------------------------------------------------------
> [global]
>     workgroup = MYGRP
>     domain master = no
>     local master = no
>     server string = Test Samba Server
>     netbios name = foo
>     realm = AA.DK
>     allow trusted domains = no
>     security = ADS
>     encrypt passwords = yes
>     password server = *
>     dns proxy = no
>     log level = 1
>     max log size = 100
>     log file = /var/log/samba/%m.log
>     idmap uid = 100000-999999
>     idmap gid = 1000000-1999999
>     restrict anonymous = yes
>     wins server = namesrv04 namesrv03
>     name resolve order = wins bcast
>     winbind enum groups = no
>     winbind enum users = no
>     winbind cache time = 300
>     winbind use default domain = yes
> --------------------------------------------------
> Since the existing setup (AIX5.2) works well with tdb backend, though
> it is not explicitly mentioned in the config above, I can see a
> large winbindd_idmap.tdb under $SAMBA/var. I would keep the same tdb
> (default?) backend.
>

The default is TDB, so yes, it would stay the same. You should (and probably want to) copy the winbindd_idmap.tdb to the new server to keep your mappings unless this is not desired.

> What I would like know -
>
> 1. Which samba binaries you have installed, I believe it is 32
> bit. Can I use 64 bit binaries on a production server? You have mentioned
> *The 64-bit code is to be treated as PRODUCTION.*
> What does this mean? If this PRODUCTION means it shall be used for
> production servers, or it is for you/SAMBA development team currently
> using for development/production of samba. Some more information here
> on your website surely would help more.

Sorry about that. All of my packages were initially 32-bit, then I offered the 64-bit code as BETA for about 6 months, and after some testing and feedback from users, I marked it as production quality. The Samba Team makes no guarantees whatsoever on what I produce. This is simply a statement of usability.

I will remove that line from the site.

> 3. After changing methods.cfg, user file, is there any program that needs to
> be restarted apart from samba, or a server reboot?
>

The most you may need to do is stop Samba and run "slibclean", then restart Samba.

> 4. I understand AIX uses LAM, instead of PAM which is used on Linux.
> Is there any setting related to LAM we got to do on AIX? There is no
> nsswitch.conf file as well; I assume since these binaries are already
> compiled for that platform, it should take care automatically?
>

The package(s) I provide also support PAM. The IBM LAM framework is in use with the WINBIND product Andrew Tridgell wrote some time ago. You are correct that there is no nsswitch.conf. Effectively, methods.cfg and /etc/security/user are the equivalent.

Let me know how you get on.

Cheers,
Bill
From: Yashpal Nagar on 29 Apr 2010 07:40

On Wed, Apr 28, 2010 at 12:29 AM, William Jojo <w.jojo(a)hvcc.edu> wrote:
>
> Sorry about that. All of my packages were initially 32-bit, then I offered the 64-bit code as
> BETA for about 6 months, and after some testing and feedback from users, I marked it as
> production quality. The Samba Team makes no guarantees whatsoever on what I produce.
> This is simply a statement of usability.
>
> I will remove that line from the site.

I thought some more information should be provided, which shall help visitors clearly if they can use 64bit samba in production.

>> 3. After changing methods.cfg, user file, is there any program that needs to be restarted apart from samba, or a server reboot?
>
> The most you may need to do is stop Samba and run "slibclean", then restart Samba.

I have installed samba 3.4.3, 32bit

    Path: /usr/lib/objrepos
      pware53.base.rte           5.3.0.0  COMMITTED  pWare base for 5.3
      pware53.bdb.rte           4.7.25.4  COMMITTED  Berkeley DB 4.7.25
      pware53.cyrus-sasl.rte    2.1.23.1  COMMITTED  cyrus-sasl 2.1.23
      pware53.gettext.rte       0.17.0.0  COMMITTED  GNU gettext 0.17
      pware53.krb5.rte           1.7.1.1  COMMITTED  MIT Kerberos 1.7.1
      pware53.libiconv.rte      1.13.1.0  COMMITTED  GNU libiconv 1.13.1
      pware53.ncurses.rte        5.7.0.1  COMMITTED  ncurses 5.7.0.1
      pware53.openldap.rte      2.4.21.1  COMMITTED  OpenLDAP 2.4.21
      pware53.openssl.rte       0.9.8.13  COMMITTED  OpenSSL 0.9.8m
      pware53.popt.rte          1.10.4.0  COMMITTED  popt 1.10.4
      pware53.samba.rte          3.4.3.0  COMMITTED  Samba 3.4.3
      pware53.zlib.rte           1.2.4.0  COMMITTED  zlib 1.2.4

I got these errors--

    -------------------------------------------------------------------------
    [2010/04/28 10:50:44, 1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
      Fatal Error: GID range full!! (max: 500000)
    [2010/04/28 10:50:44, 3] winbindd/idmap.c:695(idmap_new_mapping)
      Could not allocate id: NT_STATUS_UNSUCCESSFUL
    ......
    log.winbindd: lookupname_recv: lookup_name() failed!
    log.winbindd: Could not lookup name for user MYGRP\USER1
    log.winbindd:[2010/04/29 10:28:30, 3] winbindd/winbindd_sid.c:107(winbindd_lookupname)
    log.winbindd: [160060]: lookupname MYGRP\USER1
    -------------------------------------------------------------------------

Once I copied the winbind_idmap.tdb from the other server like you suggested, and kept the same idmap uid/gid range as on that server, I was able to list SIDs for users. In my case wbinfo -t/-m/-p/-g works but wbinfo -u doesn't work! I'm not sure what the reason is, but the same works OK on the other server.

    wbinfo -u - returns - Error looking up domain users.

net ads users - too lists all the users but wbinfo -u doesn't.

GID range full!! - Error persists no matter; I remove all the *.tdb, or even if I change to a larger GID range as well.

I used the following to create the machine account.

    net ads join -S DOMSERVER -Uuser_adm createcomputer="/Servers/Non Windows Servers"

I have repeated this command replacing DOMSERVER with other DC names in the TDK.DK realm, which I think has helped to keep the machine account trust OK.

My smb.conf is

    [global]
        workgroup = MYGRP
        server string = Samba Server
        security = ADS
        log level = 5
        netbios name = FOO
        log file = /var/log/samba/log.%m
        max log size = 500
        password server = *
        realm = AA.DK
        allow trusted domains = no
        encrypt passwords = yes
        client use spnego = yes
        client ntlmv2 auth = yes
        local master = no
        domain master = no
        wins server = namesrv04 namesrv03
        dns proxy = no
        idmap uid = 100000-999999
        idmap gid = 1000000-1999999
        restrict anonymous = yes
        name resolve order = wins bcast
        winbind enum groups = no
        winbind enum users = no
        winbind cache time = 300
        winbind use default domain = yes

I think I was missing "client ntlmv2 auth = yes". At present I'm able to authenticate with the AD users, and shares are given permission based upon AD groups, which is working OK.

My questions now are -

1. Since I have copied the winbind_idmap.tdb from other working servers, will it be updating the existing and adding new SIDs?
2. What is the reason for user lookup errors in winbindd.log? I have noticed they only appear when one gets NT_STATUS_UNSUCCESSFUL.
3. Users who have logged into the MYGRP domain are able to see the shares without any prompt since they have already logged into the domain, but for those shares which they don't have access to, I'm prompted for authentication - then I provide valid user credentials but it doesn't give access to the shares. Is it normal?

Many thanks for your help!

Yash
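As an added example (not from the thread, Samba or the pware packages), a small Python linter that applies Bill's smb.conf advice above: it flags the pre-3.3 "idmap domains"/"idmap config"/"idmap alloc" lines that testparm rejects, checks that "idmap uid"/"idmap gid" are present and well-formed, warns when workgroup is not the realm prefix, and reports IDs from a winbindd_idmap.tdb copied from another server that the configured ranges would not cover. The sample configs are constructed from the thread's own smb.conf; the workgroup/realm check is Bill's expectation for a member server, not a Samba rule.

```python
"""Lint the idmap settings of a Samba 3.x smb.conf [global] section.  Added
example following the advice in this thread; not Samba or pware code."""
import re

# Keys testparm rejected in the thread ("idmap domains") or that Bill advised
# replacing with plain "idmap uid" / "idmap gid" on this setup.
OBSOLETE_PREFIXES = ("idmap domains", "idmap config ", "idmap alloc ")
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed from the first smb.conf posted in the thread (trimmed).
OLD_CONF = """
[global]
    workgroup = MYGRP
    realm = AA.DK
    security = ADS
    idmap domains = MYGRP
    idmap config MYGRP:default = yes
    idmap config MYGRP:backend = tdb
    idmap config MYGRP:range = 200000 - 500000
    idmap alloc backend = tdb
    idmap alloc config:range = 200000 - 500000
"""

# The same config after Bill's suggestions: workgroup = realm prefix, the
# idmap lines above replaced by plain uid/gid ranges.
FIXED_CONF = """
[global]
    workgroup = AA
    realm = AA.DK
    security = ADS
    idmap uid = 200000-500000
    idmap gid = 200000-500000
"""

def parse_global(text):
    """Return the [global] parameters as {normalised key: value}."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params

def parse_range(value):
    """'200000 - 500000' -> (200000, 500000); None if malformed or inverted."""
    m = RANGE_RE.match(value.strip())
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None

def lint_idmap(text):
    """Return a list of findings; empty when the config matches the advice."""
    params = parse_global(text)
    findings = []
    for key in params:
        if key.startswith(OBSOLETE_PREFIXES):
            findings.append(f"remove '{key}'; use 'idmap uid'/'idmap gid' instead")
    for key in ("idmap uid", "idmap gid"):
        if key not in params:
            findings.append(f"missing '{key} = LOW-HIGH'")
        elif parse_range(params[key]) is None:
            findings.append(f"'{key} = {params[key]}' is not a valid LOW-HIGH range")
    realm, workgroup = params.get("realm", ""), params.get("workgroup", "")
    prefix = realm.split(".")[0]
    if realm and workgroup and workgroup.upper() != prefix.upper():
        findings.append(f"workgroup '{workgroup}' is not the realm prefix "
                        f"'{prefix}' expected of a member server")
    return findings

def ids_outside_ranges(text, uids, gids):
    """IDs already mapped elsewhere (e.g. in a winbindd_idmap.tdb copied from
    another server, as in the thread) that the configured ranges do not cover."""
    params = parse_global(text)
    outside = []
    for key, ids in (("idmap uid", uids), ("idmap gid", gids)):
        rng = parse_range(params.get(key, ""))
        for i in ids:
            if rng is None or not rng[0] <= i <= rng[1]:
                outside.append((key, i))
    return outside
```

Run `lint_idmap(open("/opt/pware/lib/smb.conf").read())` against a real file; an empty list means none of the thread's problem settings are present.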