Samba winbind and group membership.
I have a Solaris 10 (update 4) box (x86) that is joined to an active directory via samba/winbind.
The users are working fine however their group membership is not.
Users that should be members of certain groups do not seem to be: if I run
"groups" and check the group membership for myself I am missing entries for some groups, yet I can verify that I should be a member of that group by running getent group "domain\\group name" and seeing my username listed.
winbind has the following parameters set
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
I am at a loss as to why it picks up some groups and not others.
Has anyone come across something similar or know how to solve this issue?
Regards,
James
Hi,
I know this thread is very old but unfortunately I'm facing exactly the same problem under Solaris 10 Sparc. Any ideas? Maybe this issue was solved?
Regards,
Oliver
Similar Messages
-
RDBMSRealm and Group membership
Hello.
I would like to use an RDBMSRealm implementation behind some form of caching implementation.
I have looked at and run the RDBMSRealm example that ships with 6.0.
The major drawback is that I expect to have some groups where the number of members
can be up to 1 million. The examples for RDBMSRealm and Custom Realm say to use
a hash table to hold the membership of a group. This seems unrealistic in cases
where the group membership is this large.
Has anyone implemented an RDBMSRealm or custom realm that does not use the "hash
table" approach?
I am currently using WLS 6.0 sp2 and am connecting to an Oracle 8.1.7 database.
Thanks for your time,
Bubba
This article from Sarge's Blog might help:
http://www.sargeway.com/blog/index.cfm?mode=entry&entry=30 -
AD custom6 attribute and group memberships for shared mailboxes
I have 900 shared mailboxes that are in Exchange 2007. These mailboxes have no owners and access is provided to the users through AD groups. I need a script that will produce each user's custom6 attribute (the SID is there) along with the shared mailboxes they have rights to (Full, Send As etc...)
This is a migration from 2007 to 2010 in different domains.
[email protected]
2142285476
Charles B. Giles
Deployment and upgrade questions should be asked in the forum for the product as there are tools available to automate 2007 to 2010 migrations.
See:
http://technet.microsoft.com/en-us/library/ee681665(v=exchg.141).aspx
See:
http://blogs.technet.com/b/exchange/archive/2012/05/23/exchange-server-deployment-assistant-update-for-exchange-2010-hybrid-deployments-with-office-365.aspx
See:
http://social.technet.microsoft.com/Forums/exchange/en-US/home?forum=exchange2010
¯\_(ツ)_/¯ -
DFS folder visibility and group membership
Hello
I have a forest with multiple domain
I have activated ABE on DFS
My design is :
\\contoso.com\DFS
-Site1 -> \\site1.contoso.com\DFS (explicit permission : DL.folder1.site1)
\\site1.contoso.com\DFS
-Folder1 -> \\fileserver.site1.contoso.com\Folder1 (explicit permission : DL.folder1.site1)
I have set explicit authorization with Domain local groups (Domain local groups contain Global Groups which contain users)
When my users from site 1 connect to \\site1.contoso.com\dfs it works: they can see Folder1 only if they are in DL.folder1.site1
But when they connect to \\contoso.com\DFS they don't see the folder site1, but they can't access it if they put the full path (\\contoso.com\DFS\site1
Hi,
Do you mean that you have a Domain local group named DL.folder1.site1 and you give explicit permission on the group to access DFS share Folder1? You have enabled ABE. The use in the group can see the Folder1 using the DFS path
\\site1.contoso.com\dfs. But the user cannot see the Folder1 using the DFS path
\\contoso.com\DFS and the user cannot access the Folder1 using the full path
\\contoso.com\DFS\Folder1?
The DFS share is created on the domain or the forest? If on the forest, I think it is by design. As the DFS domain namespace is domain based, so we could not access it using forest name.
Regards,
Mandy
-
Load balance and group membership
I have 3 3030's that I load balance. Do any one know of any way I can create one group and spread them across the 3030's without creating them on each concentrator
You could refer to the document "Configuring Load-Balancing on VPN 3000 Concentrators" at the URL:
http://www.cisco.com/warp/public/471/ld_bl_vpn3000_7602.html -
PAM Authentication (winbind) and groups
I've followed the Arch wiki (https://wiki.archlinux.org/index.php/Ac … ntegration) to integrate and use my domain login. Currently everything works as expected, I can login with my AD user (thanks to matone and combuster over this thread; https://bbs.archlinux.org/viewtopic.php?pid=1265595).
There is one small problem, annoyance if you will, however; my local user and my AD user (or any other new users I add) can't use networking, the volume mixer or video related when logged in to a KDE session. Maybe some other components, I haven't tested it yet. I'm just stuck on getting my network connections or sound working.
If I add my local (and AD user) to the related groups (for example; audio and network groups), I can manage system sounds and networks as expected.
I'm not sure where to look and I'm out of ideas. Any suggestions?
Thanks.
Last edited by queljin (2013-05-03 15:07:52)
Well, after a lot of tries and reading, I found out that the system-login PAM configuration must include system-auth as the last option. Because of the changes made to the system-auth configuration, when the pam_winbind or pam_unix module returns success and exits (because they are "sufficient") other modules below them aren't run, which in turn causes the pam_loginuid module not to work. Below is my new system-login config in case someone needs it.
Please remember this is in no way a recommended configuration, it may be completely wrong and break your existing configuration. It just works for me. YMMV.
/etc/pam.d/system-login :
#%PAM-1.0
auth required pam_tally.so onerr=succeed file=/var/log/faillog
auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_loginuid.so
session required pam_env.so
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session include system-auth
Last edited by queljin (2013-05-14 13:38:16) -
How can I find the date modified and group membership in contacts?
I used to have a smart group that could show the modification date, but those criteria don't exist in mountain lion (ML)
I also had a script that would find any contact that was not a member of any group. It does not work any more in ML.
Still can't figure it out
-
I know this is a Solaris 9 forum, but I couldn't find a Solaris 8.
Basically, I'm having problems with winbindd crashing. While I'm watching LDAP requests with snoop I see about 90% good traffic, then these stubborn IPs of domain controllers of a different domain on another network. I don't know how they got there, but too many of them and winbindd crashes with a PANIC in the log file. I do have a 2-way non-transitive trust with this domain. I know this isn't a lot of info but maybe it's as simple as clearing out some sort of cache somewhere.
I had a bizarre problem with NIS+ many years ago that might be related to your issue. My NIS+ master server was connected to 2 networks, one for normal WAN traffic and one restricted to only backups (local LAN only connection). On a periodic basis, I think every hour, the NIS+ master communicates with its slaves (or whatever the politically correct term is now). For some reason, this periodic update failed, which resulted in the entire system going down. It took multiple unix, network, and SUN support staff 12 hours to figure out that the NIS+ master server was attempting to communicate to the slaves only through the backup LAN network and not through the WAN network. The LAN was on bge0 and the WAN was on bge1. The fix was to put the WAN on bge0 and the LAN on bge1.
Any chance that the netmask is incorrect?
Edited by: Paisley on Feb 18, 2011 3:49 PM -
Group Memberships not Flowing into Metaverse
Hello,
I'm trying to figure out why the group member attributes in the CS are not flowing into the MV. Here's what I have:
An HR system running on SQL Server
A staging database that extracts data from the HR system
The staging database has a table representing the person object
The staging database has a table representing person multi-valued attributes (i.e. location, job code, etc)
The staging database has a table representing group objects
The staging database has a table representing group memberships (multi-valued)
A SQLMA connected to the person and person multi tables
A SQLMA connected to the group and group membership tables
All group memberships are based on job codes and locations. There are no approval processes in place. If they have this job code, they get certain groups. That's all calculated in the staging database and the memberships are in the group membership table.
This system does connect to AD (and a few other things), but I'm not concerned with that, right now.
I've read 100 articles on this, most of them over 5 years old, and tried the ones that made sense. The flow from the database into the CS works well. No issues there.
But, a search of the metaverse for the group shows an empty member attribute. The sync process is not throwing any errors. At least they're not showing up in the sync service app or the event logs.
Where allowed, I'm using rules extensions for everything. I can't use a rules extension to set the member attribute because it's an rdn.
I'm going to move forward with this by extending the metaverse schema and adding a multi-valued string attribute named "memberOf" to the person object. Then, I'll modify my existing MA to use that attribute instead of the member attribute.
I'm not sure what kind of issues I'm going to run into when exporting that to AD. I'll cross that bridge when I come to it. I don't anticipate that being an issue as the DNs for all these objects will be calculated by the ADMA based on locations, group functions and person types (basically, I don't care about the MV rdn).
Anyway, I'm looking for some real world insight on this. This whole effort is to migrate off an existing IDM system that works very, very well but quite expensive to license.
Thanks,
Greg Wilkerson
Hey Cameron,
I have total control of all the DB tables FIM is accessing. I build them up as part of IDM process.
I've read this article, along with many others that address the "manager" scenario. This really doesn't apply in this case as the user and group objects are loaded in separate MAs. Getting reference values to flow with both objects living in the same CS shouldn't be an issue.
I also saw a solution where the group and user objects were in the same table and differentiated by the "object_type" value (user, group). That solution solved the issue of the groups and users being in the same CS. As I grow tired of my daily FIM beatdown, that solution is growing more attractive. That's a major DB redesign, and seems quite inefficient.
The multi-value table for group memberships already exists in the DB. For FIM purposes, I transferred that data into the user object multi-value table. See screen shot. I can certainly configure the group MA to access that multi-value table and load the group members as references. But, because the group MA CS will not contain the user objects, I don't see how the references will be set. If the reference value isn't set in the CS, it's not going to flow into the MV (at least I haven't figured out a way to set a reference value for an object in the MV - my problem all along).
This whole "setting a reference value" encompasses much more than just group memberships in my implementation. Telephone resources and physical access (key cards, etc) are provisioned through the existing eDirectory system. These objects exist in our current IDM system and are associated with users based on rules. So, the reference value process is something I need to figure out, if I'm going to use this product.
Maybe I could use a stripped down ECMA2 as a "staging" CS, export the users and groups into this CS and assign the reference values, then import the groups back into the MV, memberships intact. I'm not sure that would get me where I want to go, and it seems like a lot of extra "stuff" to solve what should be a simple problem. Hmmmmmm. Or, connect the ECMA2 directly to my group membership multi-value table in the DB. Hmmmmmm. I'd still have to export the groups and users into that CS, but the import might be much more straightforward. Hmmmmmm.
The structure of my GroupMembership table (both columns are anchors or directly translatable to anchors):
CREATE TABLE EmployeeGroups (
    GroupName  varchar(50)  NOT NULL,   -- anchor of the group object
    EmployeeID nvarchar(50) NOT NULL,   -- anchor of the person object
    ID         int IDENTITY(1,1) NOT NULL
);
-
Populating users and groups - design considerations/best practice
We are currently running a 4.5 Portal in production. We are doing requirements/design for the 5.0 upgrade.
We currently have a stored procedure that assigns users to the appropriate groups based on the domain info and role info from an ERP database after they are imported and synched up by the authentication source.
We need to migrate this functionality to the 5.0 portal. We are debating whether to provide this functionality by doing this process via a custom Profile Web service. It was recommended during ADC and other presentations that we should stay away from using the database security/membership tables in the database directly and use the EDK/PRC instead.
Please advise on the best way to approach(With details) this issue. We need to finalize the best approach to take asap.
Thanks.
Vanita
So the best way to do this is to write a custom Authentication Web Service. Database customizations can do much more damage and the EDK/PRC/API are designed to prevent inconsistencies and problems.
Along those lines they also make it really easy to rationalize data from multiple backend systems into an organization you'd like for your portal. For example you could write a Custom Authentication Source that would connect to your NT Domain and get all the users and groups, then connect to your ERP system and do the same work your stored procedure would do. It can then present this information to the portal in the way that the portal expects and let the portal maintain its own database and information store.
Another solution is to write an External Operation that encapsulates the logic in your stored procedure but uses the PRC/Server API to manipulate users and group memberships. I suggest you use the PRC interface since the Server API may change in subtle ways from release to release and is not as well documented.
Either of these solutions would be easier in the long term to maintain than a database stored procedure.
Hope this helps,
-Akash -
Hi,
we are using samba shares on our Linux RHEL5.3 boxes and we are using winbind and pam to authenticate our users. I have noticed an issue that I need resolved asap: any user that has an AD account can log in to the unix box with their AD username and password. Is there a way to disable this but allow the samba share authentication to continue working as it is now?
I can post my config if this helps.
Thanks,
Keith
Please be more specific when describing your problem.
How about limiting local and remote SSH authentication to members of a specific AD group, e.g. linuxadm?
For instance, in order to only allow members of linuxadm to create an SSH session:
Edit /etc/pam.d/system-auth:
auth requisite pam_succeed_if.so user ingroup linuxadm debug
session optional pam_mkhomedir.so umask=0077
Then restart winbind: service winbind restart
You may probably also want to configure /etc/sudoers to allow the linuxadm group to use sudo. For more information, perhaps the following is helpful:
http://www.cyberciti.biz/tips/howto-deny-allow-linux-user-group-login.html
http://www.cyberciti.biz/tips/linux-pam-configuration-that-allows-or-deny-login-via-the-sshd-server.html -
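Both queljin's system-login rewrite above (moving the system-auth include to the end so that pam_loginuid actually runs) and the requisite pam_succeed_if line in the RHEL reply come down to how PAM evaluates control flags. The following simulator is an added example, not code from either thread: it models how required, requisite, sufficient, optional and include are evaluated, with each module's outcome supplied as a dict instead of a real module. The stacks are constructed to mirror the two posts; the "old" Arch system-login with the include first is an assumption about what the poster started from, and the RHEL stack's pam_deny line is likewise assumed.

```python
# Added example: a small simulator of Linux-PAM control-flag semantics.
# Not code from the Arch or RHEL threads; stacks and module outcomes
# below are constructed to mirror what the posters describe.

SUCCESS, FAIL = "success", "fail"


def run_stack(name, stacks, outcomes, executed):
    """Evaluate one stack (a list of (control, module) pairs).

    Returns (result, stopped). `stopped` is True when a `requisite`
    failure or a `sufficient` success ended the whole chain. That is
    what makes `include` different from pasting the lines in: the early
    return propagates out of the including stack as well.
    """
    pending_fail = False              # set once a `required` module fails
    for control, module in stacks[name]:
        if control == "include":
            result, stopped = run_stack(module, stacks, outcomes, executed)
            if stopped:
                return result, True
            pending_fail = pending_fail or result == FAIL
            continue
        executed.append(module)
        ok = outcomes.get(module, True)   # constructed default: module succeeds
        if control == "required":
            pending_fail = pending_fail or not ok   # keep going, remember failure
        elif control == "requisite":
            if not ok:
                return FAIL, True                   # abort the chain right here
        elif control == "sufficient":
            if ok and not pending_fail:
                return SUCCESS, True                # later lines never run
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r}")
    return (FAIL if pending_fail else SUCCESS), False


def evaluate(name, stacks, outcomes=None):
    """Run a stack; return (result, list of modules that actually ran)."""
    executed = []
    result, _ = run_stack(name, stacks, outcomes or {}, executed)
    return result, executed


# Session stacks modelled on the Arch thread: system-auth lets pam_winbind
# end the stack as `sufficient`. The "old" system-login includes it first
# (assumed), the "new" one includes it last, as queljin's config does.
SESSION_STACKS = {
    "system-auth": [("sufficient", "pam_winbind.so"),
                    ("required", "pam_unix.so")],
    "system-login-old": [("include", "system-auth"),
                         ("optional", "pam_loginuid.so"),
                         ("required", "pam_env.so")],
    "system-login-new": [("optional", "pam_loginuid.so"),
                         ("required", "pam_env.so"),
                         ("include", "system-auth")],
}

# Auth stack modelled on the RHEL reply: `requisite pam_succeed_if`
# rejects anyone outside linuxadm before winbind is even consulted.
AUTH_STACKS = {
    "system-auth": [("requisite", "pam_succeed_if.so"),
                    ("sufficient", "pam_winbind.so"),
                    ("sufficient", "pam_unix.so"),
                    ("required", "pam_deny.so")],
}


def ssh_login_allowed(user_groups, winbind_ok=True):
    """Outcome of the RHEL auth stack for a user holding `user_groups`."""
    outcomes = {
        "pam_succeed_if.so": "linuxadm" in user_groups,
        "pam_winbind.so": winbind_ok,
        "pam_unix.so": False,   # constructed: the AD user has no local password
        "pam_deny.so": False,   # pam_deny always fails
    }
    return evaluate("system-auth", AUTH_STACKS, outcomes)


if __name__ == "__main__":
    for stack in ("system-login-old", "system-login-new"):
        print(stack, evaluate(stack, SESSION_STACKS))
    print("member   ", ssh_login_allowed({"linuxadm", "domain users"}))
    print("nonmember", ssh_login_allowed({"domain users"}))
```

With the include first, pam_winbind's sufficient success ends the session stack and pam_loginuid is never reached; with the include last, pam_loginuid and pam_env run before system-auth gets its turn. For the auth stack, a user outside linuxadm is refused by the requisite line with no winbind lookup at all, and a user whom neither sufficient module can authenticate falls through to the required pam_deny and fails.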
Getting list of all users and their group memberships from Active Directory
Hi,
I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
==================
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NameClassPair;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class GetUsersGroups {
    public static void main(String[] args) {
        String[] attributeNames = {"memberOf"};
        // environment for the initial directory context
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
        env.put(Context.SECURITY_CREDENTIALS, "p8admin");
        try {
            // Create the initial directory context
            DirContext ctx = new InitialDirContext(env);
            // list the users container; names come back relative to that container
            NamingEnumeration<NameClassPair> contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
            while (contentsEnum.hasMore()) {
                NameClassPair ncp = contentsEnum.next();
                String userName = ncp.getName();
                System.out.println("User: " + userName);
                try {
                    System.out.println("am here....1");
                    Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
                    System.out.println("am here....2");
                    Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                    if (groupsAttribute != null) { // absent when the user is in no group
                        System.out.println("-----" + groupsAttribute.size());
                        // memberOf is a multi valued attribute
                        for (int i = 0; i < groupsAttribute.size(); i++) {
                            // print out each group that user belongs to
                            System.out.println("MemberOf: " + groupsAttribute.get(i));
                        }
                    }
                } catch (NamingException ne) {
                    // ignore for now
                    System.err.println("Problem encountered....0000:" + ne);
                }
            }
            ctx.close();
        } catch (NamingException e) {
            System.err.println("Problem encountered 1111:" + e);
        }
    }
}
=================
The following exception gets thrown at every user entry:
User: CN=Administrator
am here....1
Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
]; remaining name 'CN=Administrator'
I think it gets thrown at this line in the code:
Attributes attrs = ctx.getAttributes(userName, attributeNames);
Any idea how to overcome this and where am I wrong?
Thanks in advance,
Regards.
In this sentence:
Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
It seems Ok when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
userName + ",CN=Users,DC=filenetp8,DC=com"
But I still have some problem with it.
Hope it will be useful for you. -
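The memberOf attribute the code above reads, much like the winbind nested groups setting in the Samba post at the top of the page, only gives part of the picture on its own: AD's memberOf lists the groups an object is a direct member of, and membership inherited through nested groups has to be followed explicitly. The resolver below is an added example, not code from either thread; its directory snapshot is constructed (example.com DNs, with a deliberate group cycle) and it assumes memberOf data has already been fetched. It walks both directions: which groups a user holds only through nesting, and which users a group contains only through nesting.

```python
# Added example: flatten direct memberOf links into effective (nested)
# group membership. Not from any post on this page; the snapshot is
# constructed and stands in for attributes read from the directory.
from collections import deque

USERS = {
    "CN=jsmith,CN=Users,DC=example,DC=com",
    "CN=odoe,CN=Users,DC=example,DC=com",
}

# object DN -> DNs in that object's memberOf attribute (constructed).
# desktop-admins and univdesktop are members of each other on purpose:
# AD permits such cycles, so a resolver must terminate on them.
MEMBER_OF = {
    "CN=jsmith,CN=Users,DC=example,DC=com": [
        "CN=univdesktop,OU=Groups,DC=example,DC=com",
        "CN=globalsurvey,OU=Groups,DC=example,DC=com",
    ],
    "CN=odoe,CN=Users,DC=example,DC=com": [
        "CN=desktop-admins,OU=Groups,DC=example,DC=com",
    ],
    "CN=univdesktop,OU=Groups,DC=example,DC=com": [
        "CN=desktop-admins,OU=Groups,DC=example,DC=com",
    ],
    "CN=desktop-admins,OU=Groups,DC=example,DC=com": [
        "CN=univdesktop,OU=Groups,DC=example,DC=com",
    ],
    "CN=globalsurvey,OU=Groups,DC=example,DC=com": [],
}


def closure(start, edges):
    """Everything reachable from `start` by following `edges`
    (node -> neighbours), not counting `start` itself.
    Breadth-first with a visited set, so cycles terminate."""
    seen, queue = set(), deque(edges.get(start, []))
    while queue:
        node = queue.popleft()
        if node == start or node in seen:
            continue
        seen.add(node)
        queue.extend(edges.get(node, []))
    return seen


def effective_groups(user_dn, member_of=MEMBER_OF):
    """All groups `user_dn` belongs to, directly or through nesting."""
    return closure(user_dn, member_of)


def nested_only_groups(user_dn, member_of=MEMBER_OF):
    """Groups a tool that reads only the user's own memberOf would miss."""
    return effective_groups(user_dn, member_of) - set(member_of.get(user_dn, []))


def invert(member_of):
    """Group DN -> direct members, i.e. the group's `member` attribute view."""
    members = {}
    for obj, groups in member_of.items():
        for group in groups:
            members.setdefault(group, []).append(obj)
    return members


def effective_members(group_dn, member_of=MEMBER_OF, users=USERS):
    """All users that end up in `group_dn` once nested groups are flattened."""
    return {dn for dn in closure(group_dn, invert(member_of)) if dn in users}


if __name__ == "__main__":
    jsmith = "CN=jsmith,CN=Users,DC=example,DC=com"
    admins = "CN=desktop-admins,OU=Groups,DC=example,DC=com"
    print("jsmith holds only through nesting:", sorted(nested_only_groups(jsmith)))
    print("desktop-admins effectively contains:", sorted(effective_members(admins)))
```

In the constructed snapshot jsmith is in desktop-admins only because univdesktop is, so a listing built from jsmith's memberOf alone omits it; and desktop-admins contains jsmith only through univdesktop, so its own member attribute omits jsmith. That is the same gap between "direct" and "effective" membership that the nested-groups setting in the Samba post exists to close.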
Good morning all,
I need some help achieving the following in our Exchange 2013 Environment. First off, we have Exchange 2013, but all our clients have Outlook 2010.
Here's what I would like to be able to do:
1) create/manage public calendars / rooms in exchange 2013
2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
Any one got any resources they can give to point me in the right direction?
I have already created two mailbox room resources, and have them set up in a room list in AD. But I need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group membership.
I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining. I just want it to show up.
Any help on this is greatly appreciated, thank you!
1) I recommend using Room Mailboxes for resource calendars because it just works better.
2) This is a standard feature of a Room Mailbox.
3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
I don't know any way to just make them "show up". You'll have to teach them. Well written instructions can work wonders.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." -
Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work. Formerly ran WGM from my 10.6.8 mac (worked perfectly) but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behavior?
Hi
"Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work"
If I've understood you correctly I've never known this or anything else to take that long? What were you trying to do exactly?
"Formerly ran WGM from my 10.6.8 mac (worked perfectly) but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behaviour?"
http://support.apple.com/kb/HT1822
HTH?
Tony -
I have LON\JSmith in LON domain and DEL\JimSmith in DEL domain
I would like to extract group memberships of LON\JSmith in LON domain and append matching by email (i.e. DEL\JimSmith) user object in every group in LON domain.
for instance
LON\JSmith and DEL\JimSmith is the same person and has same email address [email protected]
LON\JSmith belongs to 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey
The outcome of the script should be
LON\JSmith; DEL\JimSmith should be in 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey.
How can I do it?
Navgup
Hi Navgup,
Please refer to the script below, to query users in the other domain by specifying the parameter "-Server" in the cmdlet "Get-ADUser"; also note I haven't tested the script below:
Import-Module ActiveDirectory
Get-ADGroupMember "group" | ForEach-Object {
    # get the user's email
    $email = (Get-ADUser $_.SamAccountName -Properties EmailAddress).EmailAddress
    # filter user name and groups with the email in the other domain
    Get-ADUser -Filter {EmailAddress -eq $email} -Properties MemberOf -Server DomainB.company.com |
        Select-Object SamAccountName, MemberOf
}
To get users across domain, please also refer this blog:
Adding/removing members from another forest or domain to groups in Active Directory:
http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx?Redirected=true
I hope this helps.