What can I look at to understand why chown keeps saying user does not
exist.
wbinfo -u/-g returns the user information
klist -v shows kerberos is working
net ads join works fine
wbinfo -t shows secret is fine
aix does not have getent so I can't run getent passwd -- is there
something equivalent on aix?
/usr/lib/security/methods.cfg has:
WINBIND:
program = /usr/lib/security/WINBIND (set with chmod 444)
options =authonly
/etc/security/user has for SYSTEM = WINBIND OR WINBIND[FAILURE] AND
COMPAT
my clock syncs with same ntp as ad server and seems fine
I am so tired....been working on this for two days. Please help me
figure out why this is not working now.
David
David Shapiro
Unix Team Lead
919-765-2011
Doug VanLeuven
2006-Feb-10 04:04 UTC
[Samba] chown DOMAIN+mylogin /dir fails (Please help)
David Shapiro wrote:
> What can I look at to understand why chown keeps saying user does not
> exist.
>
> wbinfo -u/-g returns the user information
> klist -v shows kerberos is working
> net ads join works fine
> wbinfo -t shows secret is fine
>
>
> aix does not have getent so I can't run getent passwd -- is there
> something equivalent on aix?

Closest you're going to get is lsuser -R <load_module>
lsuser -R NIS ALL
lsuser -R LDAP ALL
lsuser -R WINBIND ALL

and of course lsgroup -R <load_module>

>
> /usr/lib/security/methods.cfg has:
>
> WINBIND:
> program = /usr/lib/security/WINBIND (set with chmod 444)
> options =authonly

Authonly means it's not capable of supplying any user information.
I don't know that's true anymore.

Look in source/nsswitch/winbind_nss_aix.c
Available methods are at the end of the file.
Not all methods are implemented, and not all methods implemented
return a valid answer.

Regards, Doug
When I tried to run the commands you suggested, I got the following:

lsuser -R WINBIND ALL
Invalid -R option "WINBIND"
Usage: lsuser [-R load_module] [ -c | -f ] [ -a attr attr ... ] { "ALL" | user1,user2 ... }

The WINBIND entry that I copied from the nsswitch directory after the
"make install" is in /usr/lib/security. Why does it not think this is a
valid module?
David
David Shapiro
Unix Team Lead
919-765-2011
Doug VanLeuven
2006-Feb-10 20:23 UTC
[Samba] chown DOMAIN+mylogin /dir fails (Please help)
David Shapiro wrote:
> I only see winbind_nss_aix.po, but I do not see the .c file. NIS ALL
> works, but LDAP and WINBIND both do not.

Hi Dave,
I'm having to work from memory as the work I did on AIX ended last June.
In addition, when I formulated the phase transitions from samba 2.x
nt40 style member to samba 3.x AD member, it was 2003 and at that time,
winbindd on AIX wouldn't support returning sufficient information to
allow managing user and group accounts using the -R option to chuser,
chgroup, mkuser, mkgroup, rmuser, rmgroup.

That's why the writeups say
/usr/lib/security/methods.cfg
WINBIND:
options=authonly
and
KRB5A:
options=authonly

So NIS and LDAP can be used to maintain the user and group attributes
but winbind and kerberos were only used to authenticate an existing user
defined locally or in NIS/LDAP, where LDAP is the AIX native LDAP
security model.

If NIS works and LDAP and WINBIND don't, it looks like you've
implemented NIS but not LDAP and WINBIND is configured to "authonly".

If winbind's capable of returning sufficient information to satisfy
lsuser, remove the authonly option. I figured you'd look thru
winbind_nss_aix.c and make a determination whether or not that was
possible with your version of samba.

Regards, Doug
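Added example, not part of the thread and not Samba or IBM code: a shell function that reads a methods.cfg-style file and reports whether a load module stanza carries the authonly option that the reply above ties to the failing lsuser -R lookups. The stanza name WINBIND2, the comment characters accepted and the sample file are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: classify a load module stanza in an AIX methods.cfg-style
# file by whether it carries "options = authonly".

# module_mode FILE NAME -> prints "authonly", "not-authonly" or "missing"
module_mode() {
    awk -v want="$2" '
        /^[ \t]*[*#]/ { next }              # skip comments (assumed: * or #)
        /^[^ \t].*:[ \t]*$/ {               # stanza header, e.g. "WINBIND:"
            name = $0; sub(/:[ \t]*$/, "", name)
            if (name == want) found = 1
            next
        }
        name == want && /^[ \t]*options[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            n = split(val, opt, /[ \t]*,[ \t]*/)   # options are comma separated
            for (i = 1; i <= n; i++) if (opt[i] == "authonly") auth = 1
        }
        END {
            if (!found) print "missing"
            else if (auth) print "authonly"
            else print "not-authonly"
        }
    ' "$1"
}

# Constructed sample: WINBIND as posted in the thread, and WINBIND2
# (hypothetical name) with the authonly option removed.
sample_cfg() {
    printf 'WINBIND:\n\tprogram = /usr/lib/security/WINBIND\n\toptions =authonly\n\n'
    printf 'WINBIND2:\n\tprogram = /usr/lib/security/WINBIND\n'
}

cfg="${TMPDIR:-/tmp}/methods.cfg.sample.$$"
sample_cfg > "$cfg"
for m in WINBIND WINBIND2 LDAP; do
    printf '%s: %s\n' "$m" "$(module_mode "$cfg" "$m")"
done
rm -f "$cfg"
```

On a real host the file to pass is /usr/lib/security/methods.cfg; a module reported as authonly is the case where the thread expects lsuser -R and chown name lookups against it to fail.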
Thanks for the info. Should I expect su - DOMAIN+mylogin to work? I can
now do chown/chgrp commands. When I run su - DOMAIN+mylogin, I get in
messages:

Feb 10 17:39:59 svcanimp su: BAD SU from root to _0100000 at /dev/pts/5

and the message:

3004-503 Cannot set process credentials.

goes out to stdout.
David
David Shapiro
Unix Team Lead
919-765-2011
What is the KRB5A option going to provide?
David Shapiro
Unix Team Lead
919-765-2011
Doug VanLeuven
2006-Feb-14 11:58 UTC
[Samba] chown DOMAIN+mylogin /dir fails (Please help)
David Shapiro wrote:
> What is the KRB5A option going to provide?
>

The daemon winbindd resolves uid/gid to sids and vice versa
The AIX WINBIND provides authentication services by calling a PDC
The AIX KRB5A provides authentication services by Kerberos and can
use a windows AD server. IBM has a writeup. Only thing I would add
to it - it is possible to make it work with samba managing the system
keytab.

I looked back on your posts, and I'm unclear on what your environment is.

Regards, Doug