Re: [U2] Logging on to UD 7.2 on RH Linux using Active Directory and winbind

2012-04-05 Thread John Hester
Winbind should cover all the necessary bases at the OS-level for
verifying a user's identity so that an application can't tell if the
user is local or not.  We use AD for authentication with UV on linux and
I've never run into any UV permissions issues as a result.  You might
want to double-check your /etc/nsswitch.conf file.  This is how ours is
set up:

passwd: files winbind
shadow: files winbind
group:  files winbind

Also, check that your AD users have write permissions on the database
directory.  Ours has group ownership of "domain users" with group write
permission enabled:

drwxrwxr-x 771 fabric.prod domain users 131072 Apr  5 08:39 /uvdata/FABRIC.PROD

-John

-Original Message-
From: u2-users-boun...@listserver.u2ug.org
[mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Mecki
Foerthmann
Sent: Thursday, April 05, 2012 9:08 AM
To: U2 Users List
Subject: [U2] Logging on to UD 7.2 on RH Linux using Active Directory
and winbind

We are finally in the process of upgrading our old UD 5.2 system on
Solaris to 7.2 running on a virtual RH Linux server.
So far everything seems to work OK.
We can log into the database as the root user fine.
We can log into the database as a local linux user fine.
But we don't want to create local users on the linux box as it is
another set of user accounts / passwords to maintain.
To get round this we are using winbind to allow users to login to the
Linux server with their Windows Active Directory credentials.
This works well however when we come to run the udt command in the data
directory we get the following error "Illegal User ID" then the UID of
the Winbind user.
There is obviously some check that occurs when udt starts to see if the
user is a valid linux user, udt must not be able to query the
authentication mechanism and therefore will not allow the user to run
udt.
Is there a switch or another way to make this work?

Thanks

Mecki
___
U2-Users mailing list
U2-Users@listserver.u2ug.org
http://listserver.u2ug.org/mailman/listinfo/u2-users


Re: [U2] Logging on to UD 7.2 on RH Linux using Active Directory and winbind

2012-04-06 Thread John Hester
One other potential issue just came to mind.  I think AD user names are
returned by winbind in the form "domain\user" by default.  If your
winbind is configured this way, it could be that udt doesn't like seeing
the backslash character in the user name.  This behaviour can be turned
off with the following setting in smb.conf:

winbind use default domain = yes

You can see how user names are currently being reported by winbind with
wbinfo -u.

-John



Re: [U2] Logging on to UD 7.2 on RH Linux using Active Directory and winbind

2012-04-06 Thread Mecki Foerthmann

Thanks John,

we will check all those back at work on Tuesday.
This is a sample of the actual error message we see:

Illegal user id = (16777216).

Mecki


Re: [U2] Logging on to UD 7.2 on RH Linux using Active Directory and winbind

2012-04-06 Thread John Hester
No problem, Mecki, glad to help.  From that message it does appear that
udt isn't able to resolve the user's name from their numeric ID.  One
other thing to check is this setting in smb.conf:

winbind enum users = true

If that's set to false, that's a likely cause of the error you're
getting.  The default is true, though, so I doubt that's it.  If the
enum users setting is true, when you execute "getent passwd", you should
get a unified list of all local and AD users.  The system calls that
getent is using to return the list are the same that any other
application should be using.  If you're not getting a unified list, then
something is wrong with the winbind config.  If you are getting a
unified list, then I suspect something non-standard has been written
into udt and there might not be an easy fix.

-John



Re: [U2] Logging on to UD 7.2 on RH Linux using Active Directory and winbind

2012-04-10 Thread Mecki Foerthmann

Thanks for your help John.
One of the settings was actually missing.
This solved the unified list issue but we still couldn't log on using AD.
In the end the problem was down to a missing 32 bit library for winbind 
and once we installed that everything seems to work now.

I forgot to mention that RH is running on a virtual 64 bit server.

Mecki
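
The checks discussed in this thread, as an added example that is not part of any poster's message: it verifies that winbind is listed in nsswitch.conf and that the NSS module libnss_winbind.so.2 is present for both 64-bit and 32-bit processes. The function names and the Red Hat style /lib and /lib64 directory layout are assumptions.

```shell
#!/bin/sh
# ROOT lets the checks run on a constructed tree; use "" for the live system.

# Print the sources listed for database DB in an nsswitch.conf-style FILE.
nss_sources() {        # usage: nss_sources FILE DB
    awk -v db="$2:" '$1 == db { $1 = ""; print; exit }' "$1"
}

# Succeed if SRC (e.g. winbind) is listed for DB in FILE.
has_source() {         # usage: has_source FILE DB SRC
    case " $(nss_sources "$1" "$2") " in
        *" $3 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if libnss_SRC.so.2 exists under ROOT in one of the given lib dirs.
has_nss_module() {     # usage: has_nss_module ROOT SRC DIR...
    root=$1; src=$2; shift 2
    for dir in "$@"; do
        [ -e "$root/$dir/libnss_$src.so.2" ] && return 0
    done
    return 1
}

# Print one line per problem found; print nothing when the setup is complete.
check_winbind_nss() {  # usage: check_winbind_nss ROOT
    tree=$1
    for db in passwd group; do
        has_source "$tree/etc/nsswitch.conf" "$db" winbind ||
            echo "nsswitch.conf: winbind not listed for $db"
    done
    has_nss_module "$tree" winbind lib64 usr/lib64 ||
        echo "64-bit libnss_winbind.so.2 missing"
    has_nss_module "$tree" winbind lib usr/lib ||
        echo "32-bit libnss_winbind.so.2 missing"
}

# Constructed tree: nsswitch.conf as posted in the thread, 64-bit module only.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/lib" "$t/lib64"
    printf 'passwd: files winbind\nshadow: files winbind\ngroup:  files winbind\n' \
        > "$t/etc/nsswitch.conf"
    : > "$t/lib64/libnss_winbind.so.2"
    check_winbind_nss "$t"
    rm -rf "$t"
}
demo
```

A 64-bit getent can return the unified user list while a 32-bit program still fails to resolve the same UID, because each process loads the NSS module built for its own architecture.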



Re: [U2] Logging on to UD 7.2 on RH Linux using Active Directory and winbind

2012-04-11 Thread John Hester
You're welcome, Mecki.  Glad to help.  One other setting you might want
to add if it's not in smb.conf already is this:

winbind allow offline logon = yes

I think the default is no.  That will allow users to continue to log
into your UD server via cached credentials if the domain controllers are
ever down or unreachable.

-John
