From: Virgil Ollivier on 21 Jan 2010 07:50

Hi folks!

Has someone any idea on this issue on AIX 5.3 TL 10 with winbind? I'm really stuck now...

I think everything is working pretty well with WINBIND and AD 2k3, but not my most important point: I absolutely need the secondary groups of each AD user who gets connected to the AIX, to use this filter with sudo... I only get the primary group (which is by default "Domain Users").

I'll try to be as clear as possible to explain to you what all the relationships between WINBIND & Active Directory & SUDO are, and show you a "working" example (on Linux).

1 . Active Directory :
--------------------------------

- Installed version: Win2003 R1 SP2 without SFU, because we do not have the right to use them on this architecture (this is related to another soft above the AD, which is used to do the user provisioning).

- We only modified the schema directory to have the sudoers managed by the AD, from http://www.gratisoft.us/sudo/readme_ldap.html :

  [...]
  If using an Active Directory server, copy schema.ActiveDirectory to your Windows domain controller and run the following command:
  ldifde -i -f schema.ActiveDirectory -c dc=X dc=example,dc=com
  [...]

- All users (Windows / Unix) are created the "AD's way": everybody has "Domain Users" as primary group, then has a variable number of secondary groups (at least one). This one gives all "necessary privileges" either to access Windows or Unix systems/apps. But for Unix, a sec. group is used for the sudo privilege elevation too.

2 . WINBIND :
----------------------

- Winbind is installed and configured on ALL Unix/Linux machines.

Installed packages :
-------------------------------
  pware53.base.rte         5.3.0.0    COMMITTED  pWare base for 5.3
  pware53.bdb.rte          4.6.21.4   COMMITTED  Berkeley DB 4.6.21
  pware53.cyrus-sasl.rte   2.1.22.2   COMMITTED  cyrus-sasl 2.1.22
  pware53.gettext.rte      0.17.0.0   COMMITTED  GNU gettext 0.17
  pware53.krb5.rte         1.6.3.1    COMMITTED  MIT Kerberos 1.6.3
  pware53.libiconv.rte     1.13.1.0   COMMITTED  GNU libiconv 1.13.1
  pware53.ncurses.rte      5.7.0.1    COMMITTED  ncurses 5.7.0.1
  pware53.openldap.rte     2.4.19.0   COMMITTED  OpenLDAP 2.4.19
  pware53.openssl.rte      0.9.8.10   COMMITTED  OpenSSL 0.9.8j
  pware53.popt.rte         1.10.4.0   COMMITTED  popt 1.10.4
  pware53.readline.rte     6.1.0.0    COMMITTED  GNU readline 6.1
  pware53.samba.rte        3.4.4.0    COMMITTED  Samba 3.4.4
  pware53.sudo.rte         1.7.2.1    COMMITTED  sudo 1.7.2p1
  pware53.zlib.rte         1.2.3.0    COMMITTED  zlib 1.2.3

Here is the smb.conf :

  [global]
  workgroup = PEPS
  realm = PEPS.LOCAL
  server string = PEPS Security IAM
  security = ads
  ; use kerberos keytab = true
  load printers = no
  log file = /var/log/samba/%m.log
  client use spnego = yes
  max log size = 50
  log level = 5
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  password server = PEPSDC1.PEPS.LOCAL PEPSDC2.PEPS.LOCAL
  idmap backend = rid:PEPS=10000-20000
  idmap uid = 10000 - 20000
  idmap gid = 10000 - 20000
  winbind enum users = yes
  winbind enum groups = yes
  winbind cache time = 10
  winbind nested groups = yes
  ; winbind separator = +
  winbind use default domain = yes
  allow trusted domains = no
  template shell = /bin/ksh
  dns proxy = no
  preferred master = no
  encrypt passwords = yes
  auth methods = winbind
  winbind refresh tickets = true
  winbind expand groups = 8

3 . SUDO :
-----------------

- In the AD's sudoers OU, we have all sec. groups configured with the right privileges (authorized commands / hosts / noexec ...).
- sudo looks for a secondary group (with an ldap query) to match.

Here is the Linux example :

  [pepsrh5.peps.local:test:/home/PEPS/test:] id
  uid=11137(test) gid=10513(Domain Users) groups=10512(Domain Admins),10513(Domain Users),10518(Schema Admins),10519(Enterprise Admins),11111(ghba8),11113(unix),11132(adminL),11605(CERTSVC_DCOM_ACCESS)
  [pepsrh5.peps.local:test:/home/PEPS/test:] groups
  Domain Users Domain Admins Schema Admins Enterprise Admins ghba8 unix adminL CERTSVC_DCOM_ACCESS
  [pepsrh5.peps.local:test:/home/PEPS/test:] sudo su -
  LDAP Config Summary
  ===================
  uri              ldaps://pepsdc1.peps.local/ ldaps://pepsdc2.peps.local/
  ldap_version     3
  sudoers_base     ou=SUDOers,dc=peps,dc=local
  binddn           <bind user>
  bindpw           <bind user pwd>
  bind_timelimit   3000
  timelimit        3
  ssl              yes
  tls_checkpeer    (no)
  tls_cacertdir    /etc/openldap/cacerts/
  ===================
  sudo: ldap_initialize(ld, ldaps://pepsdc1.peps.local/ ldaps://pepsdc2.peps.local/)
  sudo: ldap_set_option: debug -> 0
  sudo: ldap_set_option: ldap_version -> 3
  sudo: ldap_set_option: tls_checkpeer -> 0
  sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts/
  sudo: ldap_set_option: timelimit -> 3
  sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 3)
  sudo: ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)
  sudo: ldap_sasl_bind_s() ok
  sudo: found:CN=defaults,OU=SUDOers,DC=peps,DC=local
  sudo: ldap sudoOption: 'timestamp_timeout=0'
  sudo: ldap sudoOption: 'loglinelen=0'
  sudo: ldap sudoOption: 'syslog_badpri=alert'
  sudo: ldap sudoOption: 'syslog=local2'
  sudo: ldap sudoOption: 'syslog_goodpri=alert'
  sudo: ldap sudoOption: '!env_reset'
  sudo: ldap sudoOption: 'log_year'
  sudo: ldap sudoOption: 'log_host'
  sudo: ldap sudoOption: 'insults'
  sudo: ldap sudoOption: 'logfile=/var/log/sudo.log'
  sudo: ldap search '(|(sudoUser=test)(sudoUser=%Domain Users)(sudoUser=%ghba8)(sudoUser=%unix)(sudoUser=%CERTSVC_DCOM_ACCESS)(sudoUser=ALL))'
  sudo: found:CN=ghba8,OU=SUDOers,DC=peps,DC=local   <-- here we can see that the user has been found in the sec. group ghba8
  <-- here below are the matching sudo authorized privileges [...] -->
  sudo: ldap sudoHost 'ALL' ... MATCH!
  sudo: ldap sudoCommand 'ALL' ... MATCH!
  sudo: Command allowed
  sudo: ldap sudoOption: 'authenticate'
  sudo: user_matches=1
  sudo: host_matches=1
  sudo: sudo_ldap_lookup(0)=0x02
  Password: <user test password>
  [root(a)pepsrh5 ~]#

Here is the AIX example :

  [pepsaix53.peps.local:test:/home/PEPS/test:] id
  uid=11137(test) gid=10513(domain users)
  [pepsaix53.peps.local:test:/home/PEPS/test:] groups
  domain users
  [pepsaix53.peps.local:test:/home/PEPS/test:] lsuser -R WINBIND test
  test id=11137 pgrp=domain users home=/home/PEPS/test shell=/bin/ksh gecos= registry=WINBIND roles= id=11137 pgrp=domain users home=/home/PEPS/test shell=/bin/ksh pgid=10513 gecos= shell=/bin/ksh pgrp=domain users SID=S-1-5-21-1911926800-2589015463-1641127959-1137
  [pepsaix53.peps.local:test:/home/PEPS/test:] sudo su -
  LDAP Config Summary
  ===================
  uri              ldaps://pepsdc1.peps.local/ ldaps://pepsdc2.peps.local/
  ldap_version     3
  sudoers_base     ou=SUDOers,dc=peps,dc=local
  binddn           <bind user>
  bindpw           <bind user pwd>
  bind_timelimit   3000
  timelimit        3
  ssl              yes
  tls_checkpeer    (no)
  tls_cacertdir    /etc/openldap/cacerts/
  ===================
  sudo: ldap_initialize(ld, ldaps://pepsdc1.peps.local/ ldaps://pepsdc2.peps.local/)
  sudo: ldap_set_option: debug -> 0
  sudo: ldap_set_option: ldap_version -> 3
  sudo: ldap_set_option: tls_checkpeer -> 0
  sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts/
  sudo: ldap_set_option: timelimit -> 3
  sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 3)
  sudo: ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)
  sudo: ldap_sasl_bind_s() ok
  sudo: found:CN=defaults,OU=SUDOers,DC=peps,DC=local
  sudo: ldap sudoOption: 'timestamp_timeout=0'
  sudo: ldap sudoOption: 'loglinelen=0'
  sudo: ldap sudoOption: 'syslog_badpri=alert'
  sudo: ldap sudoOption: 'syslog=local2'
  sudo: ldap sudoOption: 'syslog_goodpri=alert'
  sudo: ldap sudoOption: '!env_reset'
  sudo: ldap sudoOption: 'log_year'
  sudo: ldap sudoOption: 'log_host'
  sudo: ldap sudoOption: 'insults'
  sudo: ldap sudoOption: 'logfile=/var/log/sudo.log'
  sudo: ldap search '(|(sudoUser=test)(sudoUser=%domain users)(sudoUser=ALL))'
  sudo: ldap search 'sudoUser=+*'
  sudo: user_matches=0
  sudo: host_matches=0
  sudo: sudo_ldap_lookup(0)=0x60
  Password: <user test password>
  test is not in the sudoers file.  This incident will be reported.

4 . Traces :
------------------

4.1 . When user test ran the '[pepsaix53.peps.local:test:/home/PEPS/test:] id' command, winbindd -SFi -d 3 gives :

  [...]
  [180298]: request interface version
  [180298]: request location of privileged pipe
  [180298]: getpwuid 11147
  [233722]: uid to sid 11147
  [233722]: lookupsid S-1-5-21-1911926800-2589015463-1641127959-1147
  ads: fetch sequence_number for PEPS
  get_dc_list: preferred server list: "pepsdc1.peps.local, PEPSDC1.PEPS.LOCAL PEPSDC2.PEPS.LOCAL"
  Successfully contacted LDAP server 9.100.71.180
  get_dc_list: preferred server list: "pepsdc1.peps.local, PEPSDC1.PEPS.LOCAL PEPSDC2.PEPS.LOCAL"
  get_dc_list: preferred server list: "pepsdc1.peps.local, PEPSDC1.PEPS.LOCAL PEPSDC2.PEPS.LOCAL"
  get_dc_list: preferred server list: "pepsdc1.peps.local, PEPSDC1.PEPS.LOCAL PEPSDC2.PEPS.LOCAL"
  Successfully contacted LDAP server 9.100.71.180
  get_dc_list: preferred server list: "pepsdc1.peps.local, PEPSDC1.PEPS.LOCAL PEPSDC2.PEPS.LOCAL"
  get_dc_list: preferred server list: "pepsdc1.peps.local, PEPSDC1.PEPS.LOCAL PEPSDC2.PEPS.LOCAL"
  Successfully contacted LDAP server 9.100.71.180
  Connected to LDAP server pepsdc1.peps.local
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
  ads_sasl_spnego_bind: got server principal name = pepsdc1$@PEPS.LOCAL
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Thu, 21 Jan 2010 14:31:43 CET
  ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
  ads: query_user
  [233722]: sid to uid S-1-5-21-1911926800-2589015463-1641127959-1147
  [233722]: sid to gid S-1-5-21-1911926800-2589015463-1641127959-513
  [180298]: getgrgid 10513
  [233722]: gid 10513 to sid
  [233722]: lookupsid S-1-5-21-1911926800-2589015463-1641127959-513
  sid_to_name [rpc] S-1-5-21-1911926800-2589015463-1641127959-513 for domain PEPS
  connection_ok: Connection to pepsdc1.peps.local for domain PEPS has died or was never started (fd == -1)
  Doing spnego session setup (blob length=107)
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
  got principal=pepsdc1$@PEPS.LOCAL
  Doing kerberos session setup
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 21 Jan 2010 14:31:43 CET
  ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
  Connecting to 9.100.71.180 at port 135
  Connecting to 9.100.71.180 at port 1025
  [233722]: sid to gid S-1-5-21-1911926800-2589015463-1641127959-513
  get_dc_list: preferred server list: "pepsdc1.peps.local, PEPSDC1.PEPS.LOCAL PEPSDC2.PEPS.LOCAL"
  Successfully contacted LDAP server 9.100.71.180
  get_dc_list: preferred server list: "pepsdc1.peps.local, PEPSDC1.PEPS.LOCAL PEPSDC2.PEPS.LOCAL"
  get_dc_list: preferred server list: "pepsdc1.peps.local, PEPSDC1.PEPS.LOCAL PEPSDC2.PEPS.LOCAL"
  get_dc_list: preferred server list: "pepsdc1.peps.local, PEPSDC1.PEPS.LOCAL PEPSDC2.PEPS.LOCAL"
  Successfully contacted LDAP server 9.100.71.180
  get_dc_list: preferred server list: "pepsdc1.peps.local, PEPSDC1.PEPS.LOCAL PEPSDC2.PEPS.LOCAL"
  get_dc_list: preferred server list: "pepsdc1.peps.local, PEPSDC1.PEPS.LOCAL PEPSDC2.PEPS.LOCAL"
  Successfully contacted LDAP server 9.100.71.180
  Connected to LDAP server pepsdc1.peps.local
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
  ads_sasl_spnego_bind: got server principal name = pepsdc1$@PEPS.LOCAL
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Thu, 21 Jan 2010 14:31:43 CET
  ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
  Connecting to 9.100.71.180 at port 135
  Connecting to 9.100.71.180 at port 1025
  ads lookup_groupmem for sid=S-1-5-21-1911926800-2589015463-1641127959-513 succeeded
  [180298]: getgrgid 10513
  [233722]: gid 10513 to sid
  [233722]: lookupsid S-1-5-21-1911926800-2589015463-1641127959-513
  [233722]: sid to gid S-1-5-21-1911926800-2589015463-1641127959-513

  results :
  [pepsaix53.peps.local:test:/home/PEPS/test:] id
  uid=11147(test) gid=10513(domain users)

4.2 . When user test runs the '[pepsaix53.peps.local:test:/home/PEPS/test:] id test' command, winbindd -SFi -d 3 gives :

  [...]
  [323810]: request interface version
  [323810]: request location of privileged pipe
  [323810]: getpwnam test
  [233726]: lookupname PEPS\test
  [233726]: lookupsid S-1-5-21-1911926800-2589015463-1641127959-1147
  [233726]: sid to uid S-1-5-21-1911926800-2589015463-1641127959-1147
  [233726]: sid to gid S-1-5-21-1911926800-2589015463-1641127959-513
  [323810]: getgrgid 10513
  [233726]: gid 10513 to sid
  [233726]: lookupsid S-1-5-21-1911926800-2589015463-1641127959-513
  [233726]: sid to gid S-1-5-21-1911926800-2589015463-1641127959-513
  [323810]: getgroups test
  [233726]: lookupname PEPS\test
  [233726]: getsidaliases
  [233726]: getsidaliases
  [233726]: getsidaliases
  [233726]: sid to gid S-1-5-21-1911926800-2589015463-1641127959-513
  [233726]: sid to gid S-1-5-21-1911926800-2589015463-1641127959-1113
  [233726]: sid to gid S-1-5-21-1911926800-2589015463-1641127959-1605
  [233726]: sid to gid S-1-5-21-1911926800-2589015463-1641127959-1605
  [323810]: getgrgid 11113
  [233726]: gid 11113 to sid
  [233726]: lookupsid S-1-5-21-1911926800-2589015463-1641127959-1113
  [233726]: sid to gid S-1-5-21-1911926800-2589015463-1641127959-1113
  [323810]: getgrgid 11605
  [233726]: gid 11605 to sid
  [233726]: lookupsid S-1-5-21-1911926800-2589015463-1641127959-1605
  [233726]: sid to gid S-1-5-21-1911926800-2589015463-1641127959-1605

  results :
  [pepsaix53.peps.local:test:/home/PEPS/test:] id test
  uid=11147(test) gid=10513(domain users) groups=11113(unix),11605(certsvc_dcom_access)

4.3 . When, as root, we run 'lsuser -R WINBIND test' :

  [pepsaix53:root:/home/root:] lsuser -R WINBIND test
  test id=11147 pgrp=domain users home=/home/PEPS/test shell=/bin/ksh gecos= login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=77 registry=WINBIND SYSTEM=WINBIND OR WINBIND[UNAVAIL] OR compat logintimes= loginretries=5 pwdwarntime=0 account_locked=false minage=1 maxage=13 maxexpired=-1 minalpha=1 minother=1 mindiff=1 maxrepeats=2 minlen=8 histexpire=0 histsize=8 pwdchecks= dictionlist=/usr/share/dict/words fsize=-1 cpu=-1 data=524288 stack=524288 core=2097151 rss=524288 nofiles=-1 time_last_login=1264076318 time_last_unsuccessful_login=1263895814 tty_last_login=/dev/pts/2 tty_last_unsuccessful_login=ssh host_last_login=9.212.28.117 host_last_unsuccessful_login=9.212.28.117 unsuccessful_login_count=0 roles= id=11147 pgrp=domain users home=/home/PEPS/test shell=/bin/ksh pgid=10513 gecos= shell=/bin/ksh pgrp=domain users SID=S-1-5-21-1911926800-2589015463-1641127959-1147

We do not have the "groups=" field... :/ !

As you can see, these are 2 different behaviours! :D

Maybe it's not due to Winbind or SUDO, but only to AIX... I really don't know... It seems that the sudo ldap query is based on either the 'id' or 'lsuser' commands, or on how AIX stores the user's uid/pgrp/groups into the system, which I don't know...

Hoping I was clear enough... if not, don't hesitate to tell me.

Thanks.
Virgil.
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
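An added diagnostic, not part of Virgil's message nor of sudo's or Samba's own code: it parses id(1) output in the shape the message shows, rebuilds a sudoUser search filter in the shape the sudo traces print (the user, one %group term per group in the group list it is given, then ALL), and lists the groups that "id test" reports but the login session's own group vector ("id" with no argument) does not carry. The sample lines are constructed from the outputs quoted above; the filter builder is an illustration of the observed shape and, as an addition the traces do not show, escapes assertion values per RFC 4515 so that a group name containing parentheses or a wildcard cannot change the structure of the filter.

```python
"""Compare a session's group vector with the directory's view of the user and
rebuild the sudoUser LDAP filter shape seen in the sudo debug traces."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample lines, copied in shape from the Linux and AIX sessions in
# the message (the AIX login session prints no groups= field at all).
LINUX_ID = ("uid=11137(test) gid=10513(Domain Users) groups=10512(Domain Admins),"
            "10513(Domain Users),10518(Schema Admins),10519(Enterprise Admins),"
            "11111(ghba8),11113(unix),11132(adminL),11605(CERTSVC_DCOM_ACCESS)")
AIX_SESSION_ID = "uid=11147(test) gid=10513(domain users)"
AIX_LOOKUP_ID = ("uid=11147(test) gid=10513(domain users) "
                 "groups=11113(unix),11605(certsvc_dcom_access)")

_ID_RE = re.compile(r"uid=(\d+)\(([^)]*)\)\s+gid=(\d+)\(([^)]*)\)(?:\s+groups=(.*))?")
_GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


@dataclass
class IdInfo:
    uid: int
    user: str
    gid: int
    pgroup: str
    groups: list[str] = field(default_factory=list)


def parse_id(line: str) -> IdInfo:
    """Parse one id(1) line; group names may contain spaces (e.g. 'Domain Users'),
    so the groups= part is split on the 'gid(name)' pattern, not on whitespace."""
    m = _ID_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an id(1) line: {line!r}")
    groups = [name for _, name in _GROUP_RE.findall(m.group(5) or "")]
    return IdInfo(int(m.group(1)), m.group(2), int(m.group(3)), m.group(4), groups)


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for an assertion value (hypothetical addition: the
    traces above do not show how sudo escapes). A group named 'adm(*)' must
    land in the filter as literal text, not as extra filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def sudo_user_filter(info: IdInfo) -> str:
    """Filter in the shape the traces print: the user name, one %group term per
    distinct group (primary group first), then the catch-all ALL."""
    terms = [f"(sudoUser={ldap_escape(info.user)})"]
    seen: set[str] = set()
    for g in [info.pgroup, *info.groups]:
        if g not in seen:
            seen.add(g)
            terms.append(f"(sudoUser=%{ldap_escape(g)})")
    terms.append("(sudoUser=ALL)")
    return "(|" + "".join(terms) + ")"


def groups_missing_from_session(session_line: str, lookup_line: str) -> list[str]:
    """Groups the directory reports for the user ('id user') that the login
    session's own vector ('id') lacks: a filter built from the session never
    carries a %group term for them, so no sudoRole keyed on them can match."""
    session, lookup = parse_id(session_line), parse_id(lookup_line)
    have = {session.pgroup, *session.groups}
    return [g for g in [lookup.pgroup, *lookup.groups] if g not in have]


if __name__ == "__main__":
    print("Linux filter:", sudo_user_filter(parse_id(LINUX_ID)))
    print("AIX filter:  ", sudo_user_filter(parse_id(AIX_SESSION_ID)))
    print("AIX groups not in session:",
          groups_missing_from_session(AIX_SESSION_ID, AIX_LOOKUP_ID))
```

Run on the AIX session line it reproduces the filter the AIX trace shows, `(|(sudoUser=test)(sudoUser=%domain users)(sudoUser=ALL))`, and reports `unix` and `certsvc_dcom_access` as the groups the session never presents to sudo; the same comparison run against a fresh login on each host is a quick way to tell whether the group vector set at login, rather than winbind's answer to `id test`, is what sudo is working from.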