PAM Authentication (winbind) and groups

I've followed the Arch wiki (https://wiki.archlinux.org/index.php/Ac … ntegration) to integrate and use my domain login. Currently everything works as expected, I can login with my AD user (thanks to matone and combuster over this thread; https://bbs.archlinux.org/viewtopic.php?pid=1265595).
There is one small problem, annoyance if you will, however; my local user and my AD user (or any other new users I add) can't use networking, the volume mixer or video related when logged in to a KDE session. Maybe some other components, I haven't tested it yet. I'm just stuck on getting my network connections or sound working.
If I add my local (and AD user) to the related groups (for example; audio and network groups), I can manage system sounds and networks as expected.
I'm not sure where to look and I'm out of ideas. Any suggestions?
Thanks.
Last edited by queljin (2013-05-03 15:07:52)

Well, after a lot of tries and reading, I found out that system-login PAM configuration must include system-auth as the last option. Because of the changes made to system-auth configuration, when pam_winbind or pam_unix module returns success and exits (because they are "sufficient") other modules below them aren't working which in turn causes the pam_loginuid module not working. Below is my new system-login config in case someone needs it.
Please remember this is in no way a recommended configuration, it may be completely wrong and break your existing configuration. It just works for me. YMMV.
/etc/pam.d/system-login :
#%PAM-1.0
auth required pam_tally.so onerr=succeed file=/var/log/faillog
auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_loginuid.so
session required pam_env.so
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session include system-auth
Last edited by queljin (2013-05-14 13:38:16)

Similar Messages

Samba winbind and group membership.

I have a Solaris 10 (update 4) box (x86) that is joined to an active directory via samba/winbind.
The users are working fine however their group membership is not.
Users that should be members of certain groups do not seem to be: in that if I run
"groups" and check the group member ship for myself I am missing entry of some groups yet I can verify that I should be a member of that group by running getent group "domain\\group name" and seing my username entered.
winbind has the following parameters set
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
I am at a loss as to why it picks up some groups and not others.
Has anyone come across something similar or know how to solve this issue?
Regards,
James

Hi,
I know this thread is very old but unfortunately I'm facing exactly the same problem under Solaris 10 Sparc. Any ideas? Maybe this issue was solved?
Regards,
Oliver

[Solved] PAM authentication / Winbind

I've followed instructions regarding integration with Active Directory on wiki and successfully joined to the domain. wbinfo gives the list of users and groups and everything works as expected. But I've stuck with PAM.
The way I see it, almost every other pam rule points (includes) system-auth rules. Can I add pam_winbind.so to the system-auth like this and thus automatically solve the problem with ssh, su, lightdm rules etc... That was the way I used to solve this under Fedora once...
cat system-auth
#%PAM-1.0
auth required pam_env.so
auth required pam_unix.so try_first_pass nullok
auth required pam_winbind.so use_first_pass use_authtok
auth optional pam_permit.so
account required pam_unix.so
account sufficient pam_winbind.so use_first_pass use_authtok
account optional pam_permit.so
account required pam_time.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password sufficient pam_winbind.so use_first_pass use_authtok
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session sufficient pam_winbind.so use_first_pass use_authtok
session optional pam_permit.so
It locks me out of the machine when I try this - what have I done wrong ?
Last edited by combuster (2013-04-28 20:45:46)

Made it...
Yes, it's possible to change only system-auth and those settings get applied to other pam rules that includes system-auth (pure genius huh ). But relations between pam_winbind.so and pam_unix.so must be exactly the ones as described in the wiki. So here comes the config:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_winbind.so use_first_pass use_authtok
auth optional pam_permit.so
account sufficient pam_unix.so
account sufficient pam_winbind.so try_first_pass use_authtok
account optional pam_permit.so
account required pam_time.so
password sufficient pam_unix.so
password sufficient pam_winbind.so try_first_pass use_authtok
password optional pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session sufficient pam_unix.so
session sufficient pam_winbind.so use_first_pass use_authtok
session required pam_limits.so
session required pam_env.so
session optional pam_permit.so
This is a lot easier to maintain (one config instead of many) but are there any downsides ?

Manually start RADIUS, Authentication and groups for Cisco ASAs

I am testing moving a 10.7 server to 10.8.
We have used RADIUS to authenticate VPN traffic on our Cisco ASAs in the past. In the past Server Admin allowed for our ASAs to be added manually to the list of devices using the service. With Server Admin being removed and the limited funtionality of automated addition of Airports to the system I have no GUI method to get our ASAs into the service. The ability to tell RADIUS which groups are using the service is no longer available in the GUI as well.
I have found the clients file in /etc/raddb and added our ASAs to the clients list. I believe I have done this correctly in accordance with the instructions on the freeRADIUS website.
I need help with:
1- I was hoping someone knows how to manually tell RADIUS which groups are permitted to use the service.
2- Can anyone tell me how to turn on RADIUS? radiusconfig -start appears to only tell the system to keep it on after a restart if i understand the manual page.
Thanks

With David's suggestion I was able to get RADIUS running. The following assumes that you are comfortable with Terminal and would be able to back up any files you edit. Here is what I did to our fresh installation of 10.8 Server:
In Terminal enter "sudo radiusd -Xx" which tries to turn RADIUS on and runs it with full logging of activity in the window. The last line after this entry should be something similar to "Ready to process records." In our new installtion there were errors relating to "instantiating" sql and the ready message never came.
In Terminal enter "sudo pico /etc/raddb/radiusd.conf" and authenticate as needed. Scroll down in the file to the section where there are "instantiate" items. I commented out the SQL setup, by putting a # before the line that says "sql". Save the file by pressing Control-O, press return to save in the default location, and press Control-X to get out of the editor. I redid step number 1 twice and eventually RADIUS was running. Removing SQL from RADIUS will assure that problems will arise if you plan to use Server.app to add AirPorts to the network in the future. OS X Server adds its clients in an SQL database according to the programming notes in the .conf files. I will only be using our Cisco ASAs so SQL is not relevant to our setup.
Testing the running RADIUS server was easy as well. In Terminal enter "sudo pico /etc/raddb/users" and authenticate as needed. This file contains details for users if you wanted to add them manually to the RADIUS server. For testing purposes I removed the # before a line referring to a user "steve." I had to get RADIUS restarted to take up the new information about Steve. I killed the process using Activity Monitor and reran step number 1.
In Terminal I opened a new tab and entered "sudo radtest steve testing localhost 0 testing123 -t". You should get back a positive authentication message. Switching back to the original tab will show the output of the RADIUS server.
Reverse the entry in step 3 by adding back the # to comment out the line about steve in the users file.
RADIUS is now running and authenticating against its own users file.
Now we need to add our ASAs to the RADIUS server so it knows that it can authenticate for them. In Terminal enter "sudo pico /etc/raddb/clients.conf". We added lines for our ASAs, following the samples in the code. The information in the lines we added included a generic name for each ASA or device needing RADIUS type authentication, its IP address, and the shared secret for device authentication.
Following David's advice from above I created the RADIUS sacl by entering in Terminal "sudo dseditgroup -q -o create -u <admin user> -P <admin password> -n . com.apple.access_radius". This created the sacl for the service. Editing of the associated users and groups permitted to use the service was able to be done in Server. Be sure to select from the View menu "Show system accounts". Selecting "Groups" from the left margin of the Server window will show all of the SACLs along with any groups you have created. The RADIUS sacl can then have groups and users added to it.
To ensure that RADIUS is running and stays running enter the following in Terminal. First, "sudo radiusd.conf" will start RADIUS without logging in the Terminal window. Then, "sudo radiusconfig -start" to tell the system to keep it running and also run after a reboot.
I made no changes to our ASA settings and found that I was able to authenticate the "Steve" user from the RADIUS test in the ASA. I was also able to authenticate a user which had been added to the "Users" in Server. It appears that the ASA will be permitted to authenticate Open Directory users without additional setup.
I now need to set up our user groups to match those we use in our 10.7 server and add them to the RADIUS SACL and we should be set.
Once I have everything running properly, I will add a post here to close this discussion.
If anyone can shorten this procedure please let us know what you suggest.
-Erich

Winbind and samba

Hi,
we are using samba shares on our linux RHEL5.3 boxes and we are using winbind and pam to authenticate our users. I have noticed an issue that i need resolved asap, any user that has an ad account can log in to the unix box with there ad username and password. is there a way to disable this but allow the samba share authentication to continue working as it is now?
I can post my config if this helps.
Thanks,
Keith

Please be more specific when describing your problem.
How about to limit local and remote SSH authentication to members of a specific AD group, e.g. linuxadm
For instance, in order to in order to only allow members of linuxadm to create a SSH session:
Edit /etc/pam.d/system-auth:
auth requisite pam_succeed_if.so user ingroup linuxadm debug
optional pam_mkhomedir.so umask=0077
Then restart winbind: service winbind restart
You may probably also want to configure /etc/sudoers to allow the linuxadm group to use sudo. For more information, perhaps the following is helpful:
http://www.cyberciti.biz/tips/howto-deny-allow-linux-user-group-login.html
http://www.cyberciti.biz/tips/linux-pam-configuration-that-allows-or-deny-login-via-the-sshd-server.html

PAM authentication failed on linux while installing MaxDB Database

Seeing following errors in sapinst.log
INFO 2007-03-29 16:25:23
Account sqdln1 already exists.
ERROR 2007-03-29 16:25:25
The dbmcli call for action DB_CREATE failed. Check the logfile XCMDOUT.LOG.
ERROR 2007-03-29 16:25:25
The dbmcli call for action DB_CREATE failed. Check the logfile XCMDOUT.LOG.
ERROR 2007-03-29 16:25:25
FCO-00011 The step sdb_create_db_instance with step key |NW_Doublestack_DB|ind|ind|ind|ind|0|0|NW_CreateDBandLoad|ind|ind|ind|ind|9|0|NW_CreateDB|ind|ind|ind|ind|0|0|NW_ADA_DB|ind|ind|ind|ind|6|0|SdbPreInstanceDialogs|ind|ind|ind|ind|3|0|SdbInstanceDialogs|ind|ind|ind|ind|1|0|SDB_INSTANCE_CREATE|ind|ind|ind|ind|0|0|sdb_create_db_instance was executed with status ERROR .
And the XCMDOUT.LOG has following error:
ERR
-24875,ERR_NEEDADMI: The operating system user is not a member of the database administrators group
-24994,ERR_RTE: Runtime environment error
5,PAM authentication failed: Authentication failure
Here's the snippet from /etc/group
sapinst:x:500:root,ln1adm
sapsys:x:501:
sdba:*:502:sqdln1,root,sdb,ln1adm
Here's the relevant part from the /etc/passwd file:
ln1adm:x:500:501:SAP System Administrator:/home/ln1adm:/bin/csh
sdb:x:501:502:Database Software Owner:/home/sdb:/bin/csh
sqdln1:x:502:501:Owner of Database Instance LN1:/home/sqdln1:/bin/csh
Any idea why PAM is not authenticating the root user correctly? Even manually firing the dbmcli
gives the same error:
/sapdb/programs/bin/dbmcli -n sapln1db -R /sapdb/LN1/db db_create LN1 CONTROL,vcs12345 sqdln1,vcs12345
ERR
-24875,ERR_NEEDADMI: The operating system user is not a member of the database administrators group
-24994,ERR_RTE: Runtime environment error
5,PAM authentication failed: Authentication failure
Please help.
Satish/

The group and user entries are fine. I have modified the user and groups but still getting the same authentication error. I have disabled MD5 password authentication and now its just shadow. But still the problem persists.
Please help.
<XCMDOUT.LOG>
ERR
-24875,ERR_NEEDADMI: The operating system user is not a member of the database administrators group
-24994,ERR_RTE: Runtime environment error
5,PAM authentication failed: Authentication failure
</XCMDOUT.LOG>
</etc/passwd>
ln1adm:x:500:501:SAP System Administrator:/home/ln1adm:/bin/csh
sdb:x:501:502:Database Software Owner:/home/sdb:/bin/csh
sqdln1:x:502:501:Owner of Database Instance LN1:/home/sqdln1:/bin/csh
</etc/passwd>
</etc/group>
sapinst:x:500:ln1adm,root,sdb
sapsys:x:501:root,sdb
sdba:x:502:sqdln1,root,sdb
</etc/group>

Custom Authentication Provider and User Manage like SQLAuthenticator, How?

Hi everyone,
I faced a problem with login function of my portal (Webcenter Application). The Problem is:
- Allow the users logging in by user that store in another system. I must communicate using low level of socket. This really is not a problem.
- If user logged in, for first time of logging in, i must store them in some identity store (Maybe tables database).
- View Users in Weblogic Console. To do that, i known that i must implemeted something that i dont what that are.
Here are my work:
- I Created a Custom Authentication Provider. And configuration in Admin Console. But i don't know what are that i should implementing to View user & group in Admin Console.
- I Cannot logging in: After i created simple application for testing, i cannot logging in even i tested with SQLAuthenticator Provider and original DefaultProvider. In Logging Console, I saw every I Printed In The Code of Login Module.
Here are my Code:
<?xml version="1.0" ?>
<MBeanType Name = "OrkitVASPortal" DisplayName = "OrkitVASPortal"
 Package = "orkit"
 Extends = "weblogic.management.security.authentication.Authenticator"
 PersistPolicy = "OnUpdate">
 <MBeanAttribute
 Name = "ProviderClassName"
 Type = "java.lang.String"
 Writeable = "false"
 Default = ""orkit.OrkitVASPortalProviderImpl""
/>
 <MBeanAttribute
 Name = "Description"
 Type = "java.lang.String"
 Writeable = "false"
 Default = ""WebLogic Simple Sample Audit Provider""
/>
 <MBeanAttribute
 Name = "Version"
 Type = "java.lang.String"
 Writeable = "false"
 Default = ""1.0""
/>
 <MBeanAttribute
 Name = "LogFileName"
 Type = "java.lang.String"
 Default = ""SimpleSampleAuditor.log""
/>
</MBeanType>
package orkit;
import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import weblogic.management.security.ProviderMBean;
import weblogic.security.provider.PrincipalValidatorImpl;
import weblogic.security.spi.*;
public final class OrkitVASPortalProviderImpl implements AuthenticationProviderV2 {
 private String description;
 private LoginModuleControlFlag controlFlag;
 public OrkitVASPortalProviderImpl() {
 System.out.println("The Orkit VASPortal Provider Implemented!!!!!");
 @Override
 public IdentityAsserterV2 getIdentityAsserter() {
 return null;
 // Our mapping of users to passwords/groups, instead of being in LDAP or in a
 // database, is represented by a HashMap of MyUserDetails objects..
 public class MyUserDetails {
 String pw;
 String group;
 // We use this to represent the user's groups and passwords
 public MyUserDetails(String pw, String group) {
 this.pw = pw;
 this.group = group;
 public String getPassword() {
 return pw;
 public String getGroup() {
 return group;
 // This is our database
 private HashMap userGroupMapping = null;
 public void initialize(ProviderMBean mbean, SecurityServices services) {
 System.out.println("The Orkit VASPortal Provider is intializing......");
 OrkitVASPortalMBean myMBean = (OrkitVASPortalMBean) mbean;
 description = myMBean.getDescription() + "\n" + myMBean.getVersion();
 System.err.println("#In realm:" + myMBean.getRealm().wls_getDisplayName());
 // We would typically use the realm name to find the database
 // we want to use for authentication. Here, we just create one.
 userGroupMapping = new HashMap();
 userGroupMapping.put("a", new MyUserDetails("passworda", "g1"));
 userGroupMapping.put("b", new MyUserDetails("passwordb", "g2"));
 userGroupMapping.put("system", new MyUserDetails("12341234",
 "Administrators"));
 String flag = myMBean.getControlFlag();
 if (flag.equalsIgnoreCase("REQUIRED")) {
 controlFlag = LoginModuleControlFlag.REQUIRED;
 } else if (flag.equalsIgnoreCase("OPTIONAL")) {
 controlFlag = LoginModuleControlFlag.OPTIONAL;
 } else if (flag.equalsIgnoreCase("REQUISITE")) {
 controlFlag = LoginModuleControlFlag.REQUISITE;
 } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
 controlFlag = LoginModuleControlFlag.SUFFICIENT;
 } else {
 throw new IllegalArgumentException("Invalid control flag " + flag);
 public AppConfigurationEntry getLoginModuleConfiguration() {
 HashMap options = new HashMap();
 options.put("usermap", userGroupMapping);
 System.out.println("UserMap: " + options);
 return new AppConfigurationEntry(
 "orkit.OrkitVASPortalLoginModule",
 controlFlag, options);
 public String getDescription() {
 return description;
 public PrincipalValidator getPrincipalValidator() {
 return new PrincipalValidatorImpl();
 public AppConfigurationEntry getAssertionModuleConfiguration() {
 return null;
// public IdentityAsserter getIdentityAsserter() {
// return null;
 public void shutdown() {
* To change this template, choose Tools | Templates
* and open the template in the editor.
package orkit;
import orkit.OrkitVASPortalProviderImpl;
import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;
* This login module will be called by our Authentication Provider. It assumes
* that the option, usermap, will be passed which contains the map of users to
* passwords and groups.
public class OrkitVASPortalLoginModule implements LoginModule {
 private Subject subject;
 private CallbackHandler callbackHandler;
 private HashMap userMap;
 // Authentication status
 private boolean loginSucceeded;
 private boolean principalsInSubject;
 private Vector principalsBeforeCommit = new Vector();
 public void initialize(Subject subject, CallbackHandler callbackHandler,
 Map sharedState, Map options) {
 this.subject = subject;
 this.callbackHandler = callbackHandler;
 // Fetch user/password map that should be set by the authenticator
 userMap = (HashMap) options.get("usermap");
 * Called once after initialize to try and log the person in
 public boolean login() throws LoginException {
 // First thing we do is create an array of callbacks so that
 // we can get the data from the user
 Callback[] callbacks;
 callbacks = new Callback[2];
 callbacks[0] = new NameCallback("username: ");
 callbacks[1] = new PasswordCallback("password: ", false);
 try {
 callbackHandler.handle(callbacks);
 } catch (IOException eio) {
 throw new LoginException(eio.toString());
 } catch (UnsupportedCallbackException eu) {
 throw new LoginException(eu.toString());
 String username = ((NameCallback) callbacks[0]).getName();
 System.out.println("Username: " + username);
 char[] pw = ((PasswordCallback) callbacks[1]).getPassword();
 String password = new String(pw);
 System.out.println("PASSWORD: " + password);
 if (username.length() > 0) {
 if (!userMap.containsKey(username)) {
 throw new FailedLoginException("Authentication Failed: Could not find user:" + username);
 }else{
 System.out.println("Contstainded Username");
 String realPassword = ((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getPassword();
 if (realPassword == null || !realPassword.equals(password)) {
 throw new FailedLoginException("Authentication Failed: Password incorrect for user" + username);
 }else{
 System.out.println("Everyitng OKIE");
 } else {
 // No Username, so anonymous access is being attempted
 loginSucceeded = true;
 // We collect some principals that we would like to add to the user
 // once this is committed.
 // First, we add his username itself
 principalsBeforeCommit.add(new WLSUserImpl(username));
 // Now we add his group
 principalsBeforeCommit.add(new WLSGroupImpl(((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getGroup()));
 return loginSucceeded;
 public boolean commit() throws LoginException {
 if (loginSucceeded) {
 subject.getPrincipals().removeAll(principalsBeforeCommit);
 principalsInSubject = true;
 return true;
 } else {
 return false;
 public boolean abort() throws LoginException {
 if (principalsInSubject) {
 subject.getPrincipals().removeAll(principalsBeforeCommit);
 principalsInSubject = false;
 return true;
 public boolean logout() throws LoginException {
 return true;
}and OrkitVASPortalMBean & OrkitVASPortalImpl class created by MBeanMaker tool.
Can someome help.
Thanks in advance!

Hi ,
SQLAuthenticator is not yet supported with UCM 11g due to some JPS Provider limitations .
Currently there is an Enhancement request for this .
Thanks
Srinath

Filter List View by User and Groups in SharePoint Does Not Work on site Restore to another Server

We have a scenario where users from a group or seeing items of list views entered by users of other group.
For e.g, we have (ALL are Active Directory users and are authenticated as such)
GROUP A with USER-A1, USER-A2, USER-A3
GROUP B with USER-B1, USER-B2, USER-B3
GROUP C with USER-C1, USER-C2, USER-C3
We created views called
GROUP_A_VIEW
GROUP_B_VIEW
GROUP_C_VIEW
We created a web part for each of this view
And from Advanced Settings, added Target audience for each VIew with respect. For e.g. if Target AUdience is Group A, then USER-A1 will see items entered by himself or USER-A2, and USER-A3 but not the mbers of GROUP_B and GROUP_C
It works fine on the our development machine.
However when we backup and restore to other machine containing the same Active Directory users,
GROUP A members are seeing records entered by GROUP B
GROUP B members are seeing records entered by GROUP C
GROUP C members are seeing records entered by GROUP D
....etc.
Any help will be appreciated.
Murali Boyapati

Groups and users are stored locally in a cache on each site collection. Within that site collection they have IDs assigned which are used internally to identify those groups.
What is probably happening is that the groups you've targeted are being identified by IDs which are not consistent between your source site collection and your destination collection.

New files and folders on a Linux client mounting a Windows 2012 Server for NFS share do not inherit Owner and Group when SetGID bit set

Problem statement
When I mount a Windows NFS service file share using UUUA and set the Owner and Group, and set the SetGID bit on the parent folder in a hierarchy. New Files and folders inside and underneath the parent folder do not inherit the Owner and Group permissions
of the parent.
I am given to understand from this Microsoft KnowledgeBase article (http://support.microsoft.com/kb/951716/en-gb) the problem is due to the Windows implmentation of NFS Services not supporting the Solaris SystemV or BSD grpid "Semantics"
However the article says the same functionality can acheived by using ACE Inheritance in conjunction with changing the Registry setting for "KeepInheritance" to enable Inheritance propagation of the Permissions by the Windows NFS Services.
1. The Precise location of the "KeepInheritance" DWORD key appears to have "moved" in Windows Server 2012 from a Services path to a Software path, is this documented somewhere? And after enabling it, (or creating it in the previous
location) the feature seems non-functional. Is there a method to file a Bug with Microsoft for this Feature?
2. All of the references on demonstrating how to set an ACE to achieve the same result "currently" either lead to broken links on Microsoft technical websites, or are not explicit they are vague or circumreferential. There are no plain Examples.
Can an Example be provided?
3. Is UUUA compatible with the method of setting ACE to acheive this result, or must the Linux client mount be "Mapped" using an Authentication source. And could that be with the new Flat File passwd and group files in c:\windows\system32\drivers\etc
and is there an Example available.
Scenario:
Windows Server 2012 Standard
File Server (Role)
+- Server for NFS (Role) << -- installed
General --
Folder path: F:\Shares\raid-6-array
Remote path: fs4:/raid-6-array
Protocol: NFS
Authentication --
No server authentication
+- No server authentication (AUTH_SYS)
++- Enable unmapped user access
+++- Allow unmapped user access by UID/GID
Share Permissions --
Name: linux_nfs_client.host.edu
Permissions: Read/Write
Root Access: Allowed
Encoding: ANSI
NTFS Permissions --
Type: Allow
Principal: BUILTIN\Administrators
Access: Full Control
Applies to: This folder only
Type: Allow
Principal: NT AUTHORITY\SYSTEM
Access: Full Control
Applies to: This folder only
-- John Willis, Facebook: John-Willis, Skype: john.willis7416

I'm making some "major" progress on this problem.
1. Apparently the "semantics" issue to honor SGID or grpid in NFS on the server side or the client side has been debated for some time. It also existed as of 2009 between Solaris nfs server and Linux nfs clients. The Linux community defaulted to declaring
it a "Server" side issue to avoid "Race" conditions between simultaneous access users and the local file system daemons. The client would have to "check" for the SGID and reformulate its CREATE request to specify the Secondary group it would have to "notice"
by which time it could have changed on the server. SUN declined to fix it.. even though there were reports it did not behave the same between nfs3 vs nfs4 daemons.. which might be because nfs4 servers have local ACL or ACE entries to process.. and a new local/nfs
"inheritance" scheme to worry about honoring.. that could place it in conflict with remote access.. and push the responsibility "outwards" to the nfs client.. introducing a race condition, necessitating "locking" semantics.
This article covers that discovery and no resolution - http://thr3ads.net/zfs-discuss/2009/10/569334-CR6894234-improved-sgid-directory-compatibility-with-non-Solaris-NFS-clients
2. A much Older Microsoft Knowledge Based article had explicit examples of using Windows ACEs and Inheritance to "mitigate" the issue.. basically the nfs client "cannot" update an ACE to make it "Inheritable" [-but-] a Windows side Admin or Windows User
[-can-] update or promote an existing ACE to "Inheritable"
Here are the pertinent statements -
"In Windows Services for UNIX 2.3, you can use the KeepInheritance registry value to set inheritable ACEs and to make sure that these ACEs apply to newly created files and folders on NFS shares."
"Note About the Permissions That Are Set by NFS Clients
The KeepInheritance option only applies ACEs that have inheritance enabled. Any permissions that are set by an NFS client will
only apply to that file or folder, so the resulting ACEs created by an NFS client will
not have inheritance set."
"So
If you want a folder's permissions to be inherited to new subfolders and files, you must set its permissions from the Windows NFS server because the permissions that are set by NFS clients only apply to the folder itself."
http://support.microsoft.com/default.aspx?scid=kb;en-us;321049
3. I have set up a Windows 2008r2 NFS server and mounted it with a Redhat Enteprise Linux 5 release 10 x86_64 server [Oct 31, 2013] and so far this does appear to be the case.
4. In order to mount and then switch user to a non-root user to create subdirectories and files, I had to mount the NFS share (after enabling Anonymous AUTH_SYS mapping) this is not a good thing, but it was because I have been using UUUA - Unmapped Unix
User Access Mapping, which makes no attempt to "map" a Unix UID/GID set by the NFS client to a Windows User account.
To verify the Inheritance of additional ACEs on new subdirectories and files created by a non-root Unix user, on the Windows NFS server I used the right click properties, security tab context menu, then Advanced to list all the ACEs and looked at the far
Column reflecting if it applied to [This folder only, or This folder and Subdirectories, or This folder and subdirectories and files]
5. All new Subdirectories and files createdby the non-root user had a [Non-Inheritance] ACE created for them.
6. I turned a [Non-Inheritance] ACE into an [Inheritance] ACE by selecting it then clicking [Edit] and using the Drop down to select [This folder, subdirs and files] then I went back to the NFS client and created more subdirs and files. Then back to the
Windows NFS server and checked the new subdirs and folders and they did Inherit the Windows NFS server ACE! - However the UID/GID of the subdirs and folders remained unchanged, they did not reflect the new "Effective" ownership or group membership.
7. I "believe" because I was using UUUA and working "behind" the UID/GID presentation layer for the NFS client, it did not update that presentation layer. It might do that "if" I were using a Mapping mechanism and mapped UID/GID to Windows User SIDs and
Group SIDs. Windows 2008r2 no longer has a "simple" Mapping server, it does not accept flat text files and requires a Schema extension to Active Directory just to MAP a windows account to a UID/GID.. a lot of overhead. Windows Server 2012 accepts flat text
files like /etc/passwd and /etc/group to perform this function and is next on my list of things to see if that will update the UID/GID based on the Windows ACE entries. Since the Local ACE take precedence "over" Inherited ACEs there could be a problem. The
Inheritance appears to be intended [only] to retain Administrative rights over user created subdirs and files by adding an additional ACE at the time of creation.
8. I did verify from the NFS client side in Linux that "Even though" the UID/GID seem to reflect the local non-root user should not have the ability to traverse or create new files, the "phantom" NFS Server ACEs are in place and do permit the function..
reconciling the "view" with "reality" appears problematic, unless the User Mapping will update "effective" rights and ownership in the "view"
-- John Willis, Facebook: John-Willis, Skype: john.willis7416

How to get the user and groups information from http header

Hi All,
In my current scneario, we are using Siteminder for SSO setup.. And in this process, after authentication and authorization, they are going to append the user information and group information of the user into a HTTP header and it will be sent back to our presentation services.. We have to extract the user information and group information from the http header.
My HTTP header will look like as follows..
SM_USER XYZ
SM_USERDN CN=Firstname\, Lastname\, xyz, OU=GPO-Low Level Security,OU=Domain Users,OU=BU FDT,
SM_USERGROUPS CN=GG-CA-SiteminderAdmins, OU=Global,OU=Domain Groups, DC=com^CN=GG-ServiceDeskAdmin-TCCORPCEFS
And also if anyone explain me the overall working of SSO in detail like how presentation services will make a connection to BI server( I guess using Impersonator User), and also how our BI server will read the URL from presentation services and the over all working flow in our OBIEE..
Thanks a lot....

Please use the search! this topic has come up lots of times already.

RSA authentication with LDAP group mapping

Greetings,
I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
The problem I'm having is that my users are in multiple OU's on our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error. If I add an OU in front of it, then it will work fine.
As far as I know, you can only use one LDAP configuration with RSA.
Any thoughts on this?

@Tarik
I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a Radius profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
I would still prefer to do this dynamically.
Scott

LDAP Users and Groups

Hi,

I have configured an LDAP Authenticator for an external LDAP directory in the security realm of the samples portal. User Management is working, but when I try to access the Group Management for the LDAP Authenticator I get the following error:

com.bea.p13n.usermgmt.hierarchy.TreeNotBuiltException: State: UNINITIALIZED. Tree is uninitialized. Add provider GAAD to list of providers to build. Tree is uninitialized. Add provider GAAD to list of providers to build.


It seems that this needs to be setup. How do I do this?


Some general notes on LDAP:

I think that in a production environment it is of great value to manage users and groups in a LDAP directory. For instance we have a company directory which contains all users. It seems that users from LDAP can not been added to groups which are in the DB. LDAP also has the advantage of supporting dynamic groups.
As in previous weblogic releases the LDAP authenticator is read only. It would be great if the write functionality could be added as well. Actually managing LDAP users and groups in one place would be a tremendous improvement for us.

Another thing on my wishlist are examples for delegated administration and visitor entitlements. For the sample portal these are empty. But I think it would be nice to have some out of the box examples that show what is possible and help developers and business analysts to understand the concepts and create their own roles.

It would be interesting to read what Bea and other developer think about this.

Kind regards,

Kai


Marcus,
Yes, I am using 9.2 TP.
We are already using LDAP for user management with 8.1.
Now, I try to configure 9.2 as well. I am running 9.2 installations on different machines. When I click on Service Administration in the Admin Portal, I get the following error message for each installation:
java.lang.NullPointerException at com.bea.jsptools.serviceadmin.ads.ToolAdServiceBean.cloneFromAdServiceBean(ToolAdServiceBean.java:190) at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdContentProviderNodes(ServiceAdminTreeBuilder.java:769) at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdServiceBranch(ServiceAdminTreeBuilder.java:746) at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.createTreeElement(ServiceAdminTreeBuilder.java:184) at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:234) at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:235) at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildTree(TreeService.java:122) at util.tree.TreeController.constructTree(TreeController.java:142) at util.tree.TreeController.buildTree(TreeController.java:422) at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source) at java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown Source) at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:852) at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:782) at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:456) at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:285) at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336) at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:48) at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:1984) at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:90) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2055) at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:535) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:821) at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:625) at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:156) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414) at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1178)
java.lang.NullPointerException
java.lang.NullPointerException
at com.bea.jsptools.serviceadmin.ads.ToolAdServiceBean.cloneFromAdServiceBean(ToolAdServiceBean.java:190)
at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdContentProviderNodes(ServiceAdminTreeBuilder.java:769)
at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdServiceBranch(ServiceAdminTreeBuilder.java:746)
at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.createTreeElement(ServiceAdminTreeBuilder.java:184)
at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:234)
at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:235)
at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildTree(TreeService.java:122)
at util.tree.TreeController.constructTree(TreeController.java:142)
at util.tree.TreeController.buildTree(TreeController.java:422)
at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
at java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown Source)
at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:852)
at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:782)
at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:456)
at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:285)
at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336)
at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:48)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:1984)
at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:90)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2055)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:535)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:821)
at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:625)
at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:156)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1178)

Mapping NT user accounts and groups in BOXI 3.1.i'm getting below error

Mapping NT user accounts and groups in BOXI 3.1.i'm getting below error
In BOXI 3.1 CMC
.NT Authentication is enabled check box is selected.
In the Mapped NT Member Groups area, entered the NT domain\group in the Add NT Group text box.
like : secWindowsNT:
BLRKEC148827D\BusinessObjects NT Users
getting error like
"The secWindowsNT security plugin is not enabled. Contact your system administrator for details. (FWB 00002) "

You shouldn't be using the NT plugin in 3.1, is there a reason you are using this plugin over AD? If you really want to use it you may need to open a case with support and trace the CMS. Are there any groups currently mapped? if you hit update without adding/removing what happens? What if you remove the NT users group and hit update?
Regards,
Tim

Populating users and groups - design considerations/best practice

We are currently running a 4.5 Portal in production. We are doing requirements/design for the 5.0 upgrade.
We currently have a stored procedure that assigns users to the appropriate groups based on the domain info and role info from an ERP database after they are imported and synched up by the authentication source.
We need to migrate this functionality to the 5.0 portal. We are debating whether to provide this functionality by doing this process via a custom Profile Web service. It was recommended during ADC and other presentation that we should stay away from using the database security/membership tables in the database directy and use the EDK/PRC instead.
Please advise on the best way to approach(With details) this issue. We need to finalize the best approach to take asap.
Thanks.
Vanita

So the best way to do this is to write a custom Authentication Web Service. Database customizations can do much more damage and the EDK/PRC/API are designed to prevent inconsistencies and problems.
Along those lines they also make it really easy to rationalize data from multiple backend systems into an orgainzation you'd like for your portal. For example you could write a Custom Authentication Source that would connect to your NT Domain and get all the users and groups, then connect to your ERP system and do the same work your stored procedure would do. It can then present this information to the portal in the way that the portal expects and let the portal maintain its own database and information store.
Another solution is to write an External Operation that encapsulates the logic in your stored procedure but uses the PRC/Server API to manipulate users and group memberships. I suggest you use the PRC interface since the Server API may change in subtle ways from release to release and is not as well documented.
Either of these solutions would be easier in the long term to maintain than a database stored procedure.
Hope this helps,
-Akash

What is the SYNTAX for the user and group filters??? Is the HTML Ampersand token Amper A m p semicolon required in the filter

There seems to be quite a bit of confusion over the actual syntax for the user and group filters on the Forms Based Authentication Ldap Role and membership providers.. MSFT isn't really clear and there is a universal confusion in the blogsphere.
I the filters should the prefix be the ACTUAL Ampersand or the HTML token for an AMPERSAND.. I realize the in many cases the blogger might have inadvertently specified the html token when the bare naked ampersand was intended.. The question
therefore is : can a filter be taken directly from and ADSIEdit query and used as a filter or must the filter be made HTML safe by swapping out the AMERSAND with the HTML Token for AMERSAND before putting it into the configuration
for the LDAPRole/membership provider...
All science is either physics or stamp collecting

Hi GUYO,
I am not quite sure how we implement this on sharepoint side, as I did research and sharepoint may not have this feature to do this.
most of the LDAP for sharepoint may need to follow these steps in this article:
http://technet.microsoft.com/en-us/library/ee806890(v=office.15).aspx
http://blogs.msdn.com/b/sridhara/archive/2010/01/07/setting-up-fba-claims-in-sharepoint-2010-with-active-directory-membership-provider.aspxhttp://blogs.msdn.com/b/kaevans/archive/2013/01/31/configuring-ldap-for-fba-in-sharepoint-2010-or-sharepoint-2013-with-powershell.aspx
here is an example :
http://blogs.msdn.com/b/sharepoint__cloud/archive/2011/12/20/achieving-fba-with-adlds-amp-sharepoint-2010.aspx
if should this questions was at the ADSIEdit part, perhaps you can help us by opening a new thread at the AD foum
https://social.technet.microsoft.com/Forums/en-US/home?category=windowsserver
Regards,
Aries
Microsoft Online Community Support
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

PAM Authentication (winbind) and groups

Similar Messages

Maybe you are looking for