CentOS 5 Server :: Winbind UID GID Maps Are Not Correct From Two Different Servers

Apr 8, 2010

Centos 5.4 64bit fully updated. What I am doing is vsftpd is setup and nfs shares are mounted to a NAS server which is running openfiler 2.3 fully updated. openfiler is winbind to AD and pulling users and groups over.

I have it confirmed working: when an ftp user connects, the username/password is authenticated against AD, which works. The user can log in and is directed to the user's folder on the nfs share.

Openfiler shows me UID and GID numbers for users and groups, centos also shows me UID and GID but they are different, which is causing permissions/quotas to not work right.

Both servers are setup with krb and winbind, openfiler has a more recent version of winbind.

Here is an example...

AD Users are

user UID of 160010 as an example
user1 UID 160011

When user logs into the vsftp server it works and chrooted into the directory for that user. When user uploads files I can upload but the UID in the ftp client shows 1600011 which is user1 UID

logging into windows to that share shows in the security tab that user1 uploaded the files.

Centos is mapping user as 160011
openfiler is mapping user as 160010
windows is showing the user1 in the security tab.

So it appears that centos is not mapping the right numbers to the right users and groups.

If you need details please ask for it and I will provide.

Both configs are nearly a match and I have made small changes to the config files smb.conf but it failed to resolve these issues so I reverted back. kinit works with authentication, getent works, wbinfo -a and -u works. wbinfo -u user shows different results on both servers, but authentication works user/password and I tried a different password to test.

Is this a known bug or a silly misconfiguration? I had the authentication GUI tool configure the winbind stuff so it's all fairly standard on the centos machine, and the openfiler GUI configured the winbind configs.


CentOS 5 Server :: Centos + Winbind + Cyrus-IMAP

Apr 13, 2010

Recently I configured Postfix with Cyrus-Imap and it all worked fine unless I wanted to allow also AD users to use Squirrelmail. Currently AD users are able to log on to the ssh server without any problems.

- wbinfo -u & -g is fine

- testsaslauth - passed

- telnet to localhost 143 + a LOGIN user password - passed

- cyradm shows active mailbox for particular user

imap in pam.d:

#%PAM-1.0
auth include system-auth
account include system-auth


CentOS 5 Server :: How Do I Turn Winbind Authentication Off Or Vsftpd

May 25, 2011

How do I turn winbind authentication off or vsftpd. I keep getting these error messages in /var/log/secure: vsftpd: pam_winbind(vsftpd:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER. I already tried remarking out different things in the config files. Is it safe to remark out the winbind stuff in /etc/pam.d/system-auth if we are using the smbclient to connect to a Windows share? Why you would want to use AD to authenticate users for something simple like FTP is beyond me. I merely want it to authenticate against local system users.


CentOS 5 Server :: Using Winbind With Win2003 R2 AD And Microsoft Identity Management For UNIX For UID/GID Mappings?

Nov 10, 2009

following situation and configuring authentication for Windows users on my CentOS clients please: IHAC WIN2003 R2 Domaincontroller with ALL my users and groups maintained there. For Usermapping (SID to UID/GID) I want to use IMU which is included with WIN2003 R2 srv and extends my Active Directory schema for UID, GID, NIS Domain etc. I now want to authenticate my Windows users on my CentOS clients via their "domainnameusername" and passwords on the CentOS clients.

I also have a NAS server which has usermapping integrated and resolves the Windows SIDs to the UID/GIDs configured within the IMU schema extensions. Now I have no idea how to set up my CentOS clients to use winbind, PAM and LDAP (IMU supports LDAP queries for UID/GID resolving) WITHOUT needing any Samba Server or functionality.

* Do I need to configure the smb.conf file because my usermapping is done on the NAS Server and I want to resolve my Windows Users/Groups UID/GID's from IMU via LDAP?

* Do I (just) need to Join the AD (2003 native) or even using Kerberos with generating ktpass.exe keytab files (what is needed/recommended and what is the difference?) Can I authenticate the users without using Kerberos?

For e.g. my username is "domainuser_a" and within the IMU the UID is set to "12345", I don't want Samba/winbind to do usermapping again based on the configured values in the smb.conf file. Some hints would be really nice for me to understand how exactly it works and what is needed...


CentOS 5 Server :: Samba 3.0.33-3.29.el5_5 + Winbind: Cannot Use UNIX Groups As Valid Users For Shares

Sep 11, 2010

I have set up a Centos5.5 VMWare guest with Samba and Winbind for Active Directory integration, using GUI tools. Authentication works flawlessly, with automatic home directory creation. What I want to achieve now is using local UNIX groups to control access to shared folders, to avoid bothering AD administrators with groups management. This is my smb.conf global section:

workgroup = COGITANS
password server = domainserver.hq.cogitans.it
realm = HQ.COGITANS.IT
security = ads

[code]....

'finance' is a local UNIX group where I added user 'COGITANSalberto' (I also tried with 'alberto') as a secondary group (primary group is 'domain users' and it cannot be changed). I am sure the user is added, because it is listed in 'getent group'. If I specify user COGITANSalberto in valid users it works, i.e. only that user can access the share, the others get an NT_STATUS_ACCESS_DENIED error. But if I use +finance, access is denied to everybody, and this is the log:

[2010/09/11 14:12:37, 10] smbd/share_access.c:user_ok_token(211)
User COGITANSalberto not in 'valid users'
[2010/09/11 14:12:37, 2] smbd/service.c:make_connection_snum(617)
user 'COGITANSalberto' (from session setup) not permitted to access this share (finance)

[code]....

It seems like winbind cannot recognize finance as a local group. For the same reason, I guess, 'force group = finance' does not work either (files are created with 'domain users' group ownership). My /etc/nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind

Grants and ownership on the '/repositories/shared/finance' folder are

root:domain users with permissions 775


CentOS 5 :: Winbind Auth With PXE Booted Diskless Clients

Apr 29, 2010

In short we are booting Centos 5.4 over PXE to a bunch of diskless clients. Once they are booted - we can login (as local root account) and RDP to windows machines using rdesktop as we require.

The next step of the project is to get user authentication to the Windows Domain controller working for the PXE image.

To do so - we continued with our physical install of Centos 5.4 (used to create the pxe image with rsync as per the wiki page for diskless clients) by following through this page. AD auth works perfect on this box (it has a local HDD install of centos obviously).

Once we rsync'd the changes over to the pxeboot location - and rebooted one of the diskless pxe clients - we get issues.

The issue is that winbind seems to start - however the file "/etc/samba/secrets.tdb" can't be read. We tried removing this file that the PXE clients use and recreating it using

touch /etc/samba/secrets.tdb


Server :: Maps / Restrictions Clarification - Postfix

Nov 22, 2010

I seem to be able to install / configure Postfix server in 10 minutes as an MTA for a single domain but my struggle is really understanding the maps / restrictions which even after reading "The Book of Postfix" is not very clear to me:

[Code]....

My question is: between those commonly used three maps above, what is the difference between them and how do I know when to use one over the other? Can someone clearly explain them to me? Here's what I have in my 'main.cf' but honestly I couldn't tell you if they're correct or not:

[Code]....


CentOS 5 :: Get System-config-samba To 'see' Winbind Users And Groups

Jul 14, 2009

I have a Samba File Server that can authenticate users in my Windows AD to log into the server. Anyways, I have a good amount of Windows Admins on staff but our org wants to cut budget so our first "slash" as it were is cutting down the actual Windows based File Servers. So my question is, now that I have this test server up and authenticating for logins using Winbind... is there a way I can get system-config-samba to "see" winbind users and groups so that file servers can still be "point and click" for my Windows Admins?


Ubuntu Servers :: Use Samba+winbind To Authenticate Desktop Against A Windows 2008 R2 Domain

Aug 3, 2011

Intent is to use samba+winbind to authenticate Ubuntu desktop against a Windows 2008 R2 domain (seems like I was able to get it working temporarily but it stopped working after some time). Quick overview of the issue: winbind is failing to lookup group ID's for a domain user causing the domain user to receive group errors on login and an inability to use domain groups in other configuration (sudoers, etc)

- Very basic install, boot to Ubuntu Desktop 10.04 LTS 64bit install, basic install options, perform software updates

- Following an Ubuntu AD HowTo [URL]

- Install kerberos, samba, winbind packages

- Make changes to krb5.conf, smb.conf, files in pam.d/ (to make the home directory and restrict login based on group membership, which works even in the half-working state but requires SID instead of text name)

After a reboot I can login as a domain account but I get the following error(s):

groups: cannot find name for group ID #####

##### is usually a number that ranges from 10000 to 10020, based on the smb.conf line regarding idmap. I will get multiple group errors (one for each group that the user belongs to that winbind can't look up for whatever reason; some groups can be resolved - see below). If I log out and then log in as a local user I can run the following command: id username. The output returns something similar to the following:

uid=10002(username) gid=10003(domain users) groups=10003(domain users),10033,10032,10031,10030,10029,10028,10027,10026,10025,10024,10023,10022,10021(some group),10020,10019,10018(some other group),10017,10016,10015,10014,10013,10012,10011(some other other group),10010,10009,10008,10007

On a working system (Ubuntu 10.10 and when 10.04 decides to work) each group is followed by parentheses and the name of the group; this result clearly shows that some groups can be looked up but for some reason other groups are failing. An output of /var/log/samba/log.winbind produces the following entries (that are logged when you run the id command):

[2011/08/03 19:04:39, 1] winbindd/winbindd_ads.c:1137(lookup_groupmem)
lsa_lookupsids call failed with NT_STATUS_PIPE_BROKEN - retrying...
[2011/08/03 19:04:39, 1] winbindd/winbindd_ads.c:1137(lookup_groupmem)
lsa_lookupsids call failed with NT_STATUS_PIPE_BROKEN - retrying...

The above repeats for what looks to be each group that fails (based on count of entries). If I use wbinfo I can resolve text group name to SID and SID to GID:

wbinfo -n groupname (returns proper SID)
wbinfo -s SID (returns proper text group name)
wbinfo -Y SID (returns proper linux mapped group ID)

Following that process for a group that my user belongs to that is not resolving (via the id username command) will return the group ID (GID) properly (even though id username fails to look up info for that same GID).

Version Information:

uname -a
Linux hostname 2.6.32-33-generic #71-Ubuntu SMP Wed Jul 20 17:27:30 UTC 2011 x86_64 GNU/Linux
lsb_release -a
No LSB modules are available.

[code]....


Server :: POSTFIX - Virtual Domain And Alias Maps Results In 'unknown User'

Aug 16, 2009

I've setup postfix using mysql tables and all works except for sending to an alias. The mysql logs show that postfix is only looking at the mailbox table for where to deliver the mail for the alias. However it is not looking in the virtual alias maps table. There are no complaints from postfix on startup to indicate that there is anything wrong, and if I send to a virtual domain listed as a relay on the server it does look up the virtual alias table... even though the domain is not hosted on the server....

So the question I have is where to look next? The mysql log shows the expected lookups from postfix EXCEPT for the virtual alias map queries.... why would it not be checking the table? Since it is not looking up the virtual alias it bounces the addresses back to sender complaining that the user doesn't exist... It does deliver to a virtual mailbox, however again it never checks the virtual alias table.... so it only delivers since there's a mailbox for it rather than needing an alias...


Red Hat / Fedora :: Samba Winbind Authentication With Windows 2003 - Multiple Server?

Jul 3, 2010

I've been searching around the web for help and have been really pulling my hair on this one. I have a Windows 2003 Server w/ AD on it. I have two linux machine, both running the same version of RHEL 5 (compute-1, compute-4)

When I log into compute-1, and do an "id dhuynh", I get this:
uid=1501(dhuynh) gid=1500(domain users) groups=1500(domain users),2013(dusers),1501(certsvc_dcom_access),1507(BUILTIN+users)
When I log into compute-4, and do the same command, I get this:
uid=1500(dhuynh) gid=1504(domain users) groups=1504(domain users),1505(certsvc_dcom_access),1501(BUILTIN+users)

Notice that the uid and gid are different. How do I get them to be the same? This is affecting the file permissions in certain shared directories. I've checked /etc/samba/smb.conf and they are identical. I also checked /etc/nsswitch.conf and they are identical too.


Server :: Unifying Permissions Between Two Servers - CentOS - Webmin/CentOs - Cpanel - And Rsync

Jan 1, 2010

I have two servers, both running CentOS, but one running Cpanel as the control panel and the other running Webmin.

I would like to sync the web folders using rsync. However, when I sync the files from the Cpanel host the permissions look as follows:

Code:

But that doesn't work on the Webmin server which needs the following:

Code:

It seems the Cpanel install has the group as 'nobody' whilst webmin has it the same as the file owner. I can fix this by running:

Code:

But as the file transfers will be frequent, I don't want the files to be inaccessible until chown is run.

So, what I really want to know is - how can I change things on the 'webmin' server so that files with ownership owner:nobody will run?


CentOS 5 Server :: Building VMWare Virtual Machines From CentOS Mail Servers?

Oct 12, 2010

I have a few mail servers, a mail log server and a web server running on Centos 5. Now I have a task: to avoid accidental crashes on the production servers while installing updates, my boss asked me to do clones (these clones will all be VMware virtual machines) of the servers (EXCLUDING the actual e-mails and log contents) and then to run those clones on VMWare Server. This way, first I will install and test updates on the clones and - if they will be running without crashes - I will apply the updates on the real production servers themselves.

I have already installed VMWare Server 2.0. I have a few questions: How do I build the virtual machines to exclude the actual mail files and mail logs? Can I use VMware Converter for this purpose, or do I have to use another program? How do I actually do this cloning? Is there a tutorial on how to do this?


CentOS 5 Server :: Improve Server Speed On Servers With Heavy Load?

May 4, 2009

There is a tool that appeared in the repository called ktune. The purpose is to adjust some sysctl.conf settings to improve server speed on servers with heavy load. What is this tool for if one can achieve the same with the configuration file added to system startup? Or is ktune just such a file?


Ubuntu Servers :: 10.04 - Correct Procedure To Move LXC Container

May 6, 2010

I have a Ubuntu 10.04 server configured with an lxc container also running 10.04. I wonder if somebody knows the correct procedure to move such a container to another server? I tried a straight rsync both with the source up and down but mysql won't start on boot after move and if I manually start it none of the websites within the container are able to connect to mysql. I can connect to mysql using telnet of the command line client.


CentOS 5 :: Which Is The Correct Dag Rpm To Install When There Are Duplicates?

Sep 24, 2009

I am getting duplicate entries in the dag rpm repository with different names in different cases!

# yum search fileinfo
php-pecl-Fileinfo.x86_64 : Fileinfo is a PHP extension that wraps the libmagic library
php-pecl-fileinfo.x86_64 : PECL package to get file information through libmagic[code]....

Which is the correct rpm to install?


Server :: Correct Fix: Httpd: Could Not Determine The Server's Fully Qualified Domain Name

Mar 23, 2011

I get the following error while starting apache httpd

Code:
httpd: Could not determine the server's fully qualified domain name, using <Server's-ip-address> for ServerName

I googled it and have come across the following solutions, all of them involve changing the ServerName setting in httpd.conf:

ServerName localhost
ServerName www.example.com:80
ServerName <ip-address-of-server>
ServerName <hostname-of-machine/FQDN>

I am setting up httpd to be accessed from over a LAN, so I don't have a .com domain name. I am thinking of going with the first option, it seems to be working...


Ubuntu Servers :: Correct Localhost Path For Running Php FTP Script

Feb 16, 2010

how to access a FTP server with php. I've written a script from a tutorial but I'm getting errors with the ftp_get function.

PHP Code:

[code].....

Warning: ftp_get() [function.ftp-get]: Error opening /var/www/download.txt/ in /var/www/gwr/connect.php on line 11

I'm having trouble with the ftp_get function and I believe the problem is with the local server path. In this case var/www/download.txt. I've also used a folder in that directory called download in the place of the .txt file and it gives the same errors. Is var/www/ the correct path to tell php where to download the files to? I've experimented with the files permission and nothing has worked. I'm running a standard ubuntu desktop install, Karmic Koala.


CentOS 5 :: Losing Correct SCIM Support

Apr 30, 2009

I upgraded my OS from 5.2 to 5.3 through the system built-in updater. Then I found that I lost correct SCIM support for some applications. I was able to type Chinese and Japanese into aMSN and Skype when it was CentOS 5.2. But I can no longer do that now. Typing into some other applications still works. These applications include sylpheed, firefox, and open office....


CentOS 5 :: Random Kernel Panics / Correct It?

Jul 8, 2009

I'm running CentOS 5.3 x86_64 on my laptop (dell vostro 1400, core2duo, 3GB RAM, intel 3945ABG wireless, nvidia video and LAN). The problem is that sometimes (like 15-20% of times) when I shut down the laptop, I get a kernel panic related always to the wireless kernel module (I haven't been able to get a screenshot or anything). I'm using the latest centosplus kernel. I never get these panics with the standard CentOS kernel, however the standard kernel doesn't light the wireless led, and that annoys me a lot. Therefore I'm forced to use the centosplus kernel. The question is not how to solve this (I know I've not given enough details) but what to do to diagnose better the cause of the panic and then correct it.


CentOS 5 :: Restoring With Cpio - Command Correct?

Nov 12, 2009

The last time I did a restore using cpio under CentOS 3.9 it took a very long time for me to find my seemingly correct command wasn't working and I ended up doing the work in Knoppix. This time I thought I'd run my command by wiser heads before the necessary tape turns up and I spend a lot of time finding my command doesn't work.

cpio -i -mtvV --block-size=128 --no-absolute-filenames /var/log/maillog* < /dev/st0

Does this look right? The backup string is

find / -path /mnt -prune -o -path /lost+found -prune -o -path /sys -prune -o -path /proc -prune -o -path /swapfile1 -prune -o -path /var/named/chroot/proc -prune -o -print | cpio -o -H crc --block-size=128 > /dev/st0

EDIT: I changed the restore string to

cpio -i -mtvV --block-size=128 --no-absolute-filenames *var/log/maillog* < /dev/st0

EDIT2: Whoops, should be

cpio -i -mvV --block-size=128 --no-absolute-filenames *var/log/maillog* < /dev/st0


Ubuntu Servers :: Get Sshd To Identify Correct Rsa Key For Different Users That Shares Same Folder

Jun 1, 2011

I'm setting up an svn server and would like users to share a home dir. One problem is how to get sshd to identify the correct rsa key for the different users that share the same .ssh folder. Will sshd even look for the key in a folder that isn't owned by the user trying to log in?

[code]...


CentOS 5 :: Use NTPD To Keep The Time Correct On All Of The Virtual Machines?

Jan 27, 2009

I have a server running VMWare Server on it with 4 virtual machines running. I am trying to use NTPD to keep the time correct on all of the virtual machines. On my physical server, I have installed ntpd and this is its config file:

Quote:
# ntpd.conf
tinker panic 0
restrict 127.0.0.1
restrict default kod nomodify notrap
server 0.vmware.pool.ntp.org
server 1.vmware.pool.ntp.org
server 2.vmware.pool.ntp.org

[Code]...


CentOS 5 :: Apache - Unable To Find The Correct Layout?

Mar 21, 2009

What I really want to do is compile an apache version that uses the same layout as the version included with CentOS. I cannot however find the correct layout.conf file. The one from the Apache Source doesn't have a RHEL or CentOS option.


CentOS 5 :: VHOSTS Not Resolving To The Correct Folder Location

Mar 30, 2009

Having a bit of trouble getting domains to resolve to their own folder properly on my new server.

This is a plesk/centos server that is pretty much out of the box.

The problem I have is that all the domain names I add to Plesk are pulling files from /var/www/html. All 5 domains I've added each got their own /var/www/vhosts/domain.com/* folders created ...

Is there something I am missing in order to have the server grab files from each domain's respective folder?

What I noticed was that if I edit /etc/httpd/conf/httpd.conf and add the virtualhost lines to it, then the one domain name resolves properly.

I replaced my domain with 'mydomain.com'

<VirtualHost *>
ServerAdmin youremail@yoursite.com
DocumentRoot /var/www/vhosts/mydomain.com/httpdocs/
ServerAlias mydomain.com *.mydomain.com
</virtualHost>


CentOS 5 :: Network Shares In Fstab - Documentation Not Correct?

Oct 2, 2009

[URL].. This does not work on reboot because the network service starts after fstab is checked. What is the missing step to rectify this?


Server :: Monitoring Users On Servers - Centos 5

Feb 28, 2010

I'm looking for some sort of a way to keep track of all of my users that are logging in to my server (centos 5). What I mean is this: at our firm we outsource some of our work (programming), and all of the developing is done under our servers. What I'd like to find is a way of taking all of the users' log on time and displaying it by days/weeks/months - so I could see how much everyone had put in. Another thing that I'm looking for is a way to monitor an ongoing session and record user activity. I've seen ObserveIT, but it doesn't support Linux agents as of today.


CentOS 5 Server :: Setting Up SMB And AFP Failover Between Two Servers

Feb 15, 2011

My question is about setting up SMB and AFP failover between two servers. The plan is to have two servers both running CentOS with one acting as a primary node and one as secondary failover node. I have never set anything like this up before. In the past I have always worked with SANs, primarily XSAN/StorNext, both of which handle failover pretty much automatically. Unfortunately there isn't the budget on this job to install a SAN. Also this is only for temporary use for a week in a production office.

My thoughts were to run the two servers and use rsync on a crontab to keep the data synchronised between the two. In an ideal world clients would log on to the primary and, if that fails, be seamlessly moved over to the secondary. I'm guessing however this is not possible outside of a SAN environment. So keeping the two servers synced and the clients manually moving over to the secondary is, I'm guessing, my only real option.


Ubuntu Servers :: Entering Correct Password For Sudo Results In Segfault After 2 Attempts

Feb 2, 2011

I cannot sudo nor log into a second ssh session on my Ubuntu 10.10 server edition headless setup. Entering an incorrect password works as expected but the correct password gives errors, and on the second attempt a segfault. I recently changed my password as the old one was about to expire, that was 3 days ago, I can't find evidence that I have sudo'ed or logged in a second session since, I have been logged into it via ssh throughout all of it and I am still currently logged in. What should I do to correct this problem? I'm worried that by turning it off I will lose all access. Is the only option using a live cd to change the password?

[Code]...


General :: Automounter Not Using NIS Maps?

Jan 3, 2011

Does anyone know how to get the autofs to use NIS maps to create mount points for NFS mounts? I see no reason to create a local /etc/auto.home just to add the line +auto.home. I am using CentOS 5.5.

What's really irking me is that I have 2 machines that work and others (freshly built) that don't and I haven't found the difference (yet)!
