From: William Jojo on
Yashpal Nagar wrote:
> Hi All
>
> I'm trying to integrate samba server with ADS on AIX 6.1 TL04, for the last one
> week, with idmap / winbind but no satisfactory results. I have gone through
> various links at samba.org relating to winbind, idmapper and followed
> http://pware.hvcc.edu/ for precompiled binaries and
> http://pware.hvcc.edu/AIX-Samba.pdf which is for AIX 6.1 TL03 though.
>
>

It shouldn't matter. The TLs are just IBM's way of drawing lines for
patch sets. The documentation was updated when TL-03 was released. The
code compiled on 5.3 should run just fine under 6.1.

> I have found the samba which is provided by IBM with expansion pack doesn't
> have support for ADS. The binaries I have tried with are both 32 bit and
> 64bit of samba, neither of them has worked for me. ADS join is ok, I am able
> to see all good output for wbinfo -t/-m/-p etc.
>
> I have copied the WINBIND module under /usr/lib/security and changed
> /usr/lib/security/methods.cfg
> as
> WINBIND:
> program = /usr/lib/security/WINBIND
> options = authonly
>

Please remove the authonly, it's not necessary.

> the /etc/security/user the default stanza with
>
> SYSTEM = "WINBIND OR compat"
>
> The errors I have repeatedly encountered are --
> Could not trigger lookup sid
> sid2gid returned an error
> Could not lookup name for user MYDOMAIN\USER1
>
> Some other errors are
> Error GID range is full!!
>
>

This is an indication that the winbind configuration may be incorrect.
In general, the AD configurations work as expected on AIX.

Could you post your smb.conf for review? Also, are you using the LDAP
backend or TDB? The IDMAP piece has been significantly modified from
3.3.x through 3.5.x, so some docs (including my own) may need some
revision and depending on how yours is written may be getting
misinterpreted.

I am posting info from one of my (old - 5.3-TL6-SP4) AIX machines
running 3.5.2 joined to w2k8R2:

[aixdev:/] # oslevel -s
5300-06-04-0748

[aixdev:/] # lslpp -l pware*
Fileset Level State Description

----------------------------------------------------------------------------
Path: /usr/lib/objrepos
pware53.base.rte 5.3.0.0 COMMITTED pWare base for 5.3
pware53.bash.rte 4.0.35.0 COMMITTED GNU bash 4.0
pware53.bdb.rte 4.7.25.4 COMMITTED Berkeley DB 4.7.25
pware53.cyrus-sasl.rte 2.1.23.1 COMMITTED cyrus-sasl 2.1.23
pware53.gettext.rte 0.17.0.0 COMMITTED GNU gettext 0.17
pware53.krb5.rte 1.7.1.1 COMMITTED MIT Kerberos 1.7.1
pware53.libiconv.rte 1.13.1.0 COMMITTED GNU libiconv 1.13.1
pware53.ncurses.rte 5.7.0.1 COMMITTED ncurses 5.7.0.1
pware53.openldap.rte 2.4.21.1 COMMITTED OpenLDAP 2.4.21
pware53.openssl.rte 0.9.8.13 COMMITTED OpenSSL 0.9.8m
pware53.popt.rte 1.10.4.0 COMMITTED popt 1.10.4
pware53.readline.rte 6.1.0.0 COMMITTED GNU readline 6.1
pware53.samba.rte 3.5.2.0 COMMITTED Samba 3.5.2
pware53.tar.rte 1.22.0.0 COMMITTED GNU tar 1.22
pware53.zlib.rte 1.2.4.0 COMMITTED zlib 1.2.4

[aixdev:/] # cat /opt/pware/lib/smb.conf
[global]
security = ads
realm = DEV35.LOCAL
password server = 151.103.35.21
workgroup = DEV35
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
log level = 3
template homedir = /home/%D/%U
template shell = /opt/pware/bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
[netlogon]
path = /netlogon

[aixdev:/] # net ads testjoin
Join is OK

[aixdev:/] # wbinfo -u
administrator
guest
krbtgt
w.jojo

[aixdev:/] # wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
ctxpilot
[aixdev:/] # lsuser w.jojo
w.jojo id=10000 pgrp=domain users home=/home/DEV35/w.jojo
shell=/opt/pware/bin/bash gecos=William Jojo login=true su=true
rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak
ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND
SYSTEM=compat or WINBIND logintimes= loginretries=0 pwdwarntime=0
account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0
minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0
pwdchecks= dictionlist= fsize=-1 cpu=-1 data=-1 stack=-1 core=2097151
rss=-1 nofiles=-1 roles= id=10000 pgrp=domain users
home=/home/DEV35/w.jojo shell=/opt/pware/bin/bash pgid=10000
gecos=William Jojo shell=/opt/pware/bin/bash pgrp=domain users
SID=S-1-5-21-2261283086-3937381662-459627218-1113

[aixdev:/] # cat /usr/lib/security/methods.cfg
* @(#)78 1.5 src/bos/usr/lib/security/methods.cfg.S, cmdsadm, bos530 6/11/03 17:06:16
********************************************************************************
*
* Authentication methods:
*
* auth_method:
* program = /any/program
* program_64 = /any/program64
*
* auth_method corresponds to a custom authentication method specified in
* the SYSTEM attribute in /etc/security/user, and /any/program is the
* program to run in order to do the authentication. The program_64 attribute
* should be used for process running in 64 bit mode, /any/program64 is
* a 64 bit program.
*
* Two optional attributes may be defined for load modules. They are:
*

* The "domain" attribute is used by methods which support multiple
* domains.
*

* The "options" attribute provides a means of communicating
* run-time configuration options to the load module. Please refer
* to the documentation for the load module for appropriate values.
*
* If you are using Common Desktop Environment (CDE), you must restart the
* desktop login manager (dtlogin) for any changes to take effect.
* Restarting dtlogin will prevent CDE login failure using the updated security
* mechanisms. Please read the /usr/dt/README file for more related
* information.
*
********************************************************************************

WINBIND:
program = /usr/lib/security/WINBIND



Here is an example of logging into AIX with telnet:

AIX Version 5
Copyright IBM Corporation, 1982, 2007.
login: w.jojo
w.jojo's Password:
**************************************************************************
* *
* Use of this system is restricted to authorized personnel only and must *
* comply with federal, state and local laws in addition to campus *
* regulations. *
* *
* UNAUTHORIZED USE IS STRICTLY PROHIBITED! *
* *
* dev35 p505 5.3 *
* *
**************************************************************************


w.jojo pts/1 Apr 27 07:07 (somwhere.hvcc.edu)

[aixdev] $ cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh
snapp:*:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
ipsec:*:201:1::/etc/ipsec:/usr/bin/ksh
nuucp:*:7:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
ldap:*:202:1::/home/ldap:/usr/bin/ksh
sbnet:*:22501:1:Remote Services:/usr/lpp/sysback:/usr/bin/ksh
[aixdev] $


As you can see the user w.jojo is an AD user.


/etc/security/user has in the default stanza:

SYSTEM = "compat or WINBIND"


Hope this helps!


Cheers,
Bill

> No matter whether I removed *.tdb files, specified new ranges etc, this GID error
> persistently appears. I have reached the point where user authentication is
> successful but sid to gid mapping doesn't work, or lookup for that AD user
> fails. The AD seems to be OK, as another server AIX 5.2 is already working
> with samba compiled with ADS support.
>
> What I would like to know:
> 1. How do we compile samba from scratch? I tried 3.5.2, ./configure was OK,
> but this didn't create any makefile! I understand I need to
> compile kerberos, db, openldap before compiling samba; which version of the
> dependent software (kerberos, db, openldap) should be used?
> 2. How can I resolve this GID range full error?
> 3. What shall be done to have sid to gid mapping?
>
> Best Regards,
> Yash
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Yashpal Nagar on
On Tue, Apr 27, 2010 at 5:32 PM, William Jojo <w.jojo(a)hvcc.edu> wrote:

Thanks a lot Bill for your reply.

My smb.conf
-------------------------------------------------
[global]
workgroup = MYGRP
domain master = no
local master = no
server string = Test Samba Server
netbios name = FOO
realm = AA.DK
allow trusted domains = no
security = ADS
encrypt passwords = yes
password server = *
dns proxy = no
log level = 3
max log size = 100
log file = /var/log/samba/%m.log
client use spnego = yes
idmap domains = MYGRP
idmap config MYGRP:default = yes
idmap config MYGRP:backend = tdb
idmap config MYGRP:range = 200000 - 500000
idmap alloc backend = tdb
idmap alloc config:range = 200000 - 500000
restrict anonymous = yes
wins server = namesrv04 namesrv03
name resolve order = wins bcast
-----------------------------------------------------
When I run testparm, it says unrecognised "idmap domains = MYGRP". If I
comment that out, this throws no error for 'net ads testjoin' etc. No matter
which samba version I use, it complains about this line. I may notice you
have mentioned the same example in one of your examples in your pdf, under
IDMAP_TDB.

Another smb.conf I have tried, which works well on AIX 5.2 but didn't work
with the precompiled binaries on AIX 6.1:
-------------------------------------------------------
[global]
workgroup = MYGRP
domain master = no
local master = no
server string = Test Samba Server
netbios name = foo
realm = AA.DK
allow trusted domains = no
security = ADS
encrypt passwords = yes
password server = *
dns proxy = no
log level = 1
max log size = 100
log file = /var/log/samba/%m.log
idmap uid = 100000-999999
idmap gid = 1000000-1999999
restrict anonymous = yes
wins server = namesrv04 namesrv03
name resolve order = wins bcast
winbind enum groups = no
winbind enum users = no
winbind cache time = 300
winbind use default domain = yes
--------------------------------------------------
Since the existing setup (AIX 5.2) works well with the tdb backend, though it is
not explicitly mentioned in the config above, I can see a large
winbindd_idmap.tdb under $SAMBA/var. I would keep the same tdb (default?)
backend.


What I would like to know -

1. Which samba binaries have you installed? I believe it is 32 bit. Can I
use 64 bit binaries on a production server? You have mentioned
*The 64-bit code is to be treated as PRODUCTION. *
What does this mean? Does this PRODUCTION mean it shall be used for
production servers, or is it what you/the SAMBA development team are currently using
for development/production of samba? Some more information here on your
website surely would help more.

3. After changing methods.cfg and the user file, is there any program that needs to be
restarted, apart from samba, or a server reboot?

4. I understand AIX uses LAM instead of PAM, which is used on Linux. Is
there any setting related to LAM we have to do on AIX? There is no
nsswitch.conf file as well; I assume since these binaries are already
compiled for that platform, it should take care of this automatically?

Please let me know your comments; I shall test this out tomorrow. Your
website is a big relief to many, keep up the good work.

Regards
Yash
From: William Jojo on
Yashpal Nagar wrote:
>
>
> Thanks a lot Bill for your reply.
>
> My smb.conf
> -------------------------------------------------
> [global]

As a member server, I would have expected workgroup to be "AA", that is,
the prefix of the realm.

> workgroup = MYGRP
> domain master = no
> local master = no
> server string = Test Samba Server
> netbios name = FOO
> realm = AA.DK <http://AA.DK>
> allow trusted domains = no
> security = ADS
> encrypt passwords = yes
> password server = *
> dns proxy = no
> log level = 3
> max log size = 100
> log file = /var/log/samba/%m.log
> client use spnego = yes

Remove the following:

> idmap domains = MYGRP
> idmap config MYGRP:default = yes
> idmap config MYGRP:backend = tdb
> idmap config MYGRP:range = 200000 - 500000
> idmap alloc backend = tdb
> idmap alloc config:range = 200000 - 500000

Add the following:

idmap uid = 200000-500000
idmap gid = 200000-500000


Please see the following:

http://samba.org/samba/docs/man/manpages-3/idmap_tdb.8.html

But ignore the last example. :-)


The "idmap alloc" is only necessary if the allocator is not going to the
tdb model specified by "idmap backend".


The man pages are very out of sync with the reality of IDMAP, but IDMAP
is not a simple component and not always easy to debug, but I think it
is in a better place now than previously.


> restrict anonymous = yes
> wins server = namesrv04 namesrv03
> name resolve order = wins bcast
> -----------------------------------------------------
> When I run testparm, it says unrecognised "idmap domains = MYGRP". If
> I comment that out, this throws no error for 'net ads testjoin' etc. No
> matter which samba version I use, it complains about this line. I may
> notice you have mentioned the same example in one of your examples in your
> pdf, under IDMAP_TDB.
>

Yeah, as of 3.3, that's not the case any longer. I will update my docs
to reflect the truth. :-)


> Other smb.conf, I have tried which works well on AIX 5.2, but didn't
> work with precompiled binaries on AIX 6.1
> -------------------------------------------------------
> [global]
> workgroup = MYGRP
> domain master = no
> local master = no
> server string = Test Samba Server
> netbios name = foo
> realm = AA.DK <http://AA.DK>
> allow trusted domains = no
> security = ADS
> encrypt passwords = yes
> password server = *
> dns proxy = no
> log level = 1
> max log size = 100
> log file = /var/log/samba/%m.log
> idmap uid = 100000-999999
> idmap gid = 1000000-1999999
> restrict anonymous = yes
> wins server = namesrv04 namesrv03
> name resolve order = wins bcast
> winbind enum groups = no
> winbind enum users = no
> winbind cache time = 300
> winbind use default domain = yes
> --------------------------------------------------
> Since the existing setup (AIX 5.2) works well with the tdb backend, though
> it is not explicitly mentioned in the config above, I can see a
> large winbindd_idmap.tdb under $SAMBA/var. I would keep the same tdb
> (default?) backend.
>
>


The default is TDB, so yes, it would stay the same. You should (and
probably want to) copy the winbindd_idmap.tdb to the new server to keep
your mappings unless this is not desired.

> What I would like know -
>
> 1. Which samba binaries have you installed? I believe it is 32
> bit. Can I use 64 bit binaries on a production server? You have mentioned
> *The 64-bit code is to be treated as PRODUCTION. *
> What does this mean? Does this PRODUCTION mean it shall be used for
> production servers, or is it what you/the SAMBA development team are currently
> using for development/production of samba? Some more information here
> on your website surely would help more.

Sorry about that. All of my packages were initially 32-bit, then I
offered the 64-bit code as BETA for about 6 months, and after some
testing and feedback from users, I marked it as production quality. The
Samba Team makes no guarantees whatsoever on what I produce. This is
simply a statement of usability.

I will remove that line from the site.

>
> 3. After changing methods.cfg and the user file, is there any program that needs to
> be restarted, apart from samba, or a server reboot?
>

The most you may need to do is stop Samba and run "slibclean", then
restart Samba.


> 4. I understand AIX uses LAM, instead of PAM which is used on Linux.
> Is there any setting related to LAM we got to do on AIX. There is no
> nsswitch.conf file as well, I assume since these binaries are already
> compiled for that platform, it should take care automatically?
>

The package(s) I provide also support PAM. The IBM LAM framework is in
use with the WINBIND product Andrew Tridgell wrote some time ago.

You are correct that there is no nsswitch.conf. Effectively, methods.cfg
and /etc/security/user are the equivalent.


Let me know how you get on.


Cheers,
Bill
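The three files this thread keeps returning to (smb.conf in Bill's first and third replies, and methods.cfg plus the default stanza of /etc/security/user in his first reply) all have the same "header, then key = value" shape, so one small checker can encode the advice given above: drop "idmap domains" and the "idmap config"/"idmap alloc" block in favour of plain "idmap uid"/"idmap gid" ranges, expect a member server's workgroup to be the realm prefix, keep a WINBIND stanza with a program line and without "options = authonly", and make sure SYSTEM in the default stanza lists WINBIND. This is an added example, not code from the thread or from the pWare packages; the file contents embedded at the bottom are constructed to mirror the configs quoted in the thread, and the finding texts are this example's own wording.

```python
import re

# smb.conf ("[global]") and the AIX stanza files ("WINBIND:", "default:") share
# the shape "header, then key = value lines", so one parser serves all three.
_HEADER = re.compile(r"^(?:\[(?P<ini>[^\]]+)\]|(?P<stanza>[\w*]+):)$")

def parse_stanzas(text):
    """Return {stanza: {key: value}}; keys lower-cased, '#', ';' and AIX '*' comments skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;*":
            continue
        m = _HEADER.match(line)
        if m:
            current = (m.group("ini") or m.group("stanza")).lower()
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip().lower()] = value.strip()
    return stanzas

def parse_range(value):
    """'200000 - 500000' or '200000-500000' -> (200000, 500000)."""
    lo, hi = (int(p) for p in re.split(r"\s*-\s*", value.strip(), maxsplit=1))
    if lo >= hi:
        raise ValueError("empty idmap range: %r" % value)
    return lo, hi

# "idmap domains" is rejected by testparm as of 3.3; "idmap alloc" is only needed
# when the allocator differs from the backend named by "idmap backend".
OBSOLETE = ("idmap domains",)
UNNEEDED = ("idmap alloc backend", "idmap alloc config:range")

def check_smb_conf(text):
    """Findings for [global]; an empty list means nothing to change."""
    g = parse_stanzas(text).get("global", {})
    findings = []
    for key in g:
        if key in OBSOLETE:
            findings.append("obsolete key (testparm rejects it): %s" % key)
        elif key in UNNEEDED or key.startswith("idmap config "):
            findings.append("drop in favour of idmap uid/gid: %s" % key)
    for key in ("idmap uid", "idmap gid"):
        if key in g:
            parse_range(g[key])  # raises on a malformed or empty range
        else:
            findings.append("missing: %s" % key)
    realm_prefix = g.get("realm", "").upper().split(".")[0]
    workgroup = g.get("workgroup", "").upper()
    if realm_prefix and workgroup != realm_prefix:  # member server: workgroup = realm prefix
        findings.append("workgroup %s is not the realm prefix %s" % (workgroup, realm_prefix))
    return findings

def suggested_idmap_lines(text):
    """The plain 'idmap uid/gid' lines recommended in the thread, reusing the
    range of any 'idmap config <DOMAIN>:range' key found in [global]."""
    for key, value in parse_stanzas(text).get("global", {}).items():
        if key.startswith("idmap config ") and key.endswith(":range"):
            lo, hi = parse_range(value)
            return ["idmap uid = %d-%d" % (lo, hi), "idmap gid = %d-%d" % (lo, hi)]
    return []

def check_methods_cfg(text):
    """The WINBIND load module needs a 'program' line and no 'options = authonly'."""
    winbind = parse_stanzas(text).get("winbind")
    if winbind is None:
        return ["no WINBIND stanza in methods.cfg"]
    findings = []
    if "program" not in winbind:
        findings.append("WINBIND stanza has no 'program' line")
    if winbind.get("options", "").lower() == "authonly":
        findings.append("remove 'options = authonly' (not needed)")
    return findings

def check_security_user(text):
    """The default stanza's SYSTEM attribute must list WINBIND ("compat or WINBIND")."""
    system = parse_stanzas(text).get("default", {}).get("system", "").strip('"')
    if "WINBIND" not in system.upper().split():
        return ["default stanza SYSTEM=%r does not include WINBIND" % system]
    return []

# Constructed samples mirroring the configs quoted in the thread.
SMB_CONF_BEFORE = """[global]
    workgroup = MYGRP
    realm = AA.DK
    security = ADS
    idmap domains = MYGRP
    idmap config MYGRP:default = yes
    idmap config MYGRP:backend = tdb
    idmap config MYGRP:range = 200000 - 500000
    idmap alloc backend = tdb
    idmap alloc config:range = 200000 - 500000
"""
SMB_CONF_AFTER = "[global]\n workgroup = AA\n realm = AA.DK\n idmap uid = 200000-500000\n idmap gid = 200000-500000\n"
METHODS_CFG_BEFORE = "* comment\nWINBIND:\n    program = /usr/lib/security/WINBIND\n    options = authonly\n"
METHODS_CFG_AFTER = "WINBIND:\n    program = /usr/lib/security/WINBIND\n"
SECURITY_USER = 'default:\n    SYSTEM = "compat or WINBIND"\n    umask = 022\n'
```

Run check_smb_conf on the first config Yash posted and it reports the obsolete and unneeded idmap keys, the two missing plain ranges and the workgroup/realm mismatch; suggested_idmap_lines turns the "idmap config MYGRP:range" value into the two lines Bill asked for, and the two AIX checks flag "options = authonly" and a default stanza whose SYSTEM lacks WINBIND.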

From: Yashpal Nagar on
On Wed, Apr 28, 2010 at 12:29 AM, William Jojo <w.jojo(a)hvcc.edu> wrote:
>
> Sorry about that. All of my packages were initially 32-bit, then I offered the
> 64-bit code as BETA for about 6 months, and after some testing and feedback
> from users, I marked it as production quality. The Samba Team makes no
> guarantees whatsoever on what I produce. This is simply a statement of usability.
>
> I will remove that line from the site.


I thought some more information should be provided, which would help
visitors see clearly whether they can use 64bit samba in production.

>>
>>  3. After changing methods.cfg and the user file, is there any program that needs to be restarted apart from samba, or a server reboot?
>>
>
> The most you may need to do is stop Samba and run "slibclean", then restart Samba.

I have installed samba 3.4.3, 32bit

Path: /usr/lib/objrepos
  pware53.base.rte           5.3.0.0  COMMITTED  pWare base for 5.3
  pware53.bdb.rte           4.7.25.4  COMMITTED  Berkeley DB 4.7.25
  pware53.cyrus-sasl.rte    2.1.23.1  COMMITTED  cyrus-sasl 2.1.23
  pware53.gettext.rte       0.17.0.0  COMMITTED  GNU gettext 0.17
  pware53.krb5.rte           1.7.1.1  COMMITTED  MIT Kerberos 1.7.1
  pware53.libiconv.rte      1.13.1.0  COMMITTED  GNU libiconv 1.13.1
  pware53.ncurses.rte        5.7.0.1  COMMITTED  ncurses 5.7.0.1
  pware53.openldap.rte      2.4.21.1  COMMITTED  OpenLDAP 2.4.21
  pware53.openssl.rte       0.9.8.13  COMMITTED  OpenSSL 0.9.8m
  pware53.popt.rte          1.10.4.0  COMMITTED  popt 1.10.4
  pware53.samba.rte          3.4.3.0  COMMITTED  Samba 3.4.3
  pware53.zlib.rte           1.2.4.0  COMMITTED  zlib 1.2.4

I got these errors--
-------------------------------------------------------------------------
[2010/04/28 10:50:44, 1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
Fatal Error: GID range full!! (max: 500000)
[2010/04/28 10:50:44, 3] winbindd/idmap.c:695(idmap_new_mapping)
Could not allocate id: NT_STATUS_UNSUCCESSFUL
......
log.winbindd: lookupname_recv: lookup_name() failed!
log.winbindd: Could not lookup name for user MYGRP\USER1
log.winbindd:[2010/04/29 10:28:30, 3]
winbindd/winbindd_sid.c:107(winbindd_lookupname)
log.winbindd: [160060]: lookupname MYGRP\USER1

-------------------------------------------------------------------------

Once I copied the winbind_idmap.tdb from the other server like you
suggested, and kept the same idmap uid/gid range as on that server, I
was able to list SIDs for users. In my case wbinfo -t/-m/-p/-g works
but wbinfo -u doesn't work! I'm not sure what the reason is, but the
same works okay on the other server.

wbinfo -u returns: Error looking up domain users.
net ads users lists all the users too, but wbinfo -u doesn't.

GID range full!! - The error persists no matter whether I remove all the *.tdb
files, or even if I change to a larger GID range as well.

I used the following to create machine account.

net ads join -S DOMSERVER -Uuser_adm createcomputer="/Servers/Non
Windows Servers"

I have repeated this command replacing DOMSERVER with other DC names
in the TDK.DK realm, which I think has helped to keep the machine account
trust OK.

My smb.conf is

[global]
workgroup = MYGRP
server string = Samba Server
security = ADS
log level = 5
netbios name = FOO
log file = /var/log/samba/log.%m
max log size = 500
password server = *
realm = AA.DK
allow trusted domains = no
encrypt passwords = yes
client use spnego = yes
client ntlmv2 auth = yes
local master = no
domain master = no
wins server = namesrv04 namesrv03
dns proxy = no
idmap uid = 100000-999999
idmap gid = 1000000-1999999
restrict anonymous = yes
name resolve order = wins bcast
winbind enum groups = no
winbind enum users = no
winbind cache time = 300
winbind use default domain = yes

I think I was missing "client ntlmv2 auth = yes". At present I'm able
to authenticate with the AD users, and shares are given permission
based upon AD groups, which is working OK. My questions now are -

1. Since I have copied the winbind_idmap.tdb from the other working
server, will it be updating the existing and adding new SIDs?

2. What is the reason for the user lookup errors in winbindd.log? I have
noticed they only appear when one gets NT_STATUS_UNSUCCESSFUL.

3. Users who have logged into the MYGRP domain are able to see the shares
without any prompt since they have already logged into the domain, but
for those shares which they don't have access to, I'm prompted for
authentication. Then I provide valid user credentials but it
doesn't give access to the shares. Is this normal?

Many thanks for your help!

Yash
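The winbindd log excerpt in the post above has the standard Samba 3 shape, a "[date time, level] file:line(function)" header followed by the message on the next line(s), sometimes with a "log.winbindd:" grep prefix. An admin chasing the "GID range full" problem wants the allocation failures, the NT_STATUS codes and the users whose lookup failed pulled out of a large log rather than read by eye, so here is a parser that does that. This is an added example, not code from the thread or from Samba; the log text at the bottom is a constructed sample built from the lines quoted in the post, and the summary keys are this example's own naming.

```python
import re
from collections import Counter

# Entry header: "[2010/04/28 10:50:44, 1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)"
_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$")
_RANGE_FULL = re.compile(r"(?P<kind>[UG]ID) range full!! \(max: (?P<max>\d+)\)")
_NT_STATUS = re.compile(r"\b(NT_STATUS_\w+)\b")
_LOOKUP = re.compile(r"Could not lookup name for user (?P<user>\S+)")

def parse_winbindd_log(text):
    """Return a list of {ts, level, file, line, func, message}, one per log entry;
    message lines following a header are joined with single spaces."""
    entries, current = [], None
    for raw in text.splitlines():
        line = re.sub(r"^log\.winbindd:\s*", "", raw).strip()  # drop grep-style prefix
        m = _ENTRY.match(line)
        if m:
            current = dict(m.groupdict(), message="")
            current["level"] = int(current["level"])
            current["line"] = int(current["line"])
            entries.append(current)
        elif current is not None and line:
            current["message"] = (current["message"] + " " + line).strip()
    return entries

def idmap_findings(text):
    """Summarise: did an id range fill up (and at what max), which NT_STATUS codes
    accompanied failures, and which users failed name lookup."""
    summary = {"range_full": [], "nt_status": Counter(), "lookup_failed": []}
    for e in parse_winbindd_log(text):
        msg = e["message"]
        m = _RANGE_FULL.search(msg)
        if m:
            summary["range_full"].append((e["ts"], m.group("kind"), int(m.group("max"))))
        for code in _NT_STATUS.findall(msg):
            summary["nt_status"][code] += 1
        m = _LOOKUP.search(msg)
        if m:
            summary["lookup_failed"].append(m.group("user"))
    return summary

# Constructed sample assembled from the lines quoted in the post.
SAMPLE_LOG = """\
[2010/04/28 10:50:44, 1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
  Fatal Error: GID range full!! (max: 500000)
[2010/04/28 10:50:44, 3] winbindd/idmap.c:695(idmap_new_mapping)
  Could not allocate id: NT_STATUS_UNSUCCESSFUL
log.winbindd:[2010/04/29 10:28:30, 3] winbindd/winbindd_sid.c:107(winbindd_lookupname)
log.winbindd:  [160060]: lookupname MYGRP\\USER1
log.winbindd:  lookupname_recv: lookup_name() failed!
log.winbindd:  Could not lookup name for user MYGRP\\USER1
"""
```

On the sample, idmap_findings reports one GID exhaustion at max 500000, one NT_STATUS_UNSUCCESSFUL, and MYGRP\USER1 as the user whose lookup failed; the timestamp on the range_full entry is what lets you line the exhaustion up with the first failed logon.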