Univention Bugzilla – Attachment 4511 Details for Bug 25244: Authentication of trust-relationship users on UCS member servers broken
Test protocol UCS 2.4-1
HOWTO-winbind_UCS_trusts_AD.txt_ucs_2.4-1 (text/plain), 18.39 KB, created by Arvid Requate on 2012-07-06 00:31:18 CEST
#### Tested with UCS 2.4-1 and W2k3R2
## note: ARW2K8R2U24 actually is the W2k3R2 domain.
## see also Ticket#: 2011011710013431

root@qamaster:~# apt-get install winbind
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut
Lese Status-Informationen ein... Fertig
Die folgenden Pakete wurden automatisch installiert und werden nicht länger benötigt:
 libapt-pkg-perl
Verwenden Sie »apt-get autoremove«, um sie zu entfernen.
Die folgenden NEUEN Pakete werden installiert:
 winbind
0 aktualisiert, 1 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
Es müssen 5246kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 15,1MB Plattenplatz zusätzlich benutzt.
WARNUNG: Die folgenden Pakete können nicht authentifiziert werden!
 winbind
Authentifizierungswarnung überstimmt.
Hole:1 http://univention-repository.knut.univention.de 2.4-1/i386/ winbind 2:3.5.4~dfsg-1.465.201011191326 [5246kB]
Es wurden 5246kB in 0s geholt (22,2MB/s)
Wähle vormals abgewähltes Paket winbind.
(Lese Datenbank ... 168038 Dateien und Verzeichnisse sind derzeit installiert.)
Entpacke winbind (aus .../winbind_2%3a3.5.4~dfsg-1.465.201011191326_i386.deb) ...
Verarbeite Trigger für man-db ...
Richte winbind ein (2:3.5.4~dfsg-1.465.201011191326) ...
 * Starting the Winbind daemon winbind [ ok ]
PKGDB: cannot create a handle to the database pkgdb in qamaster.arucs241i1.qa
root@qamaster:~# net rpc trustdom establish ARW2K8R2U24
Enter ARUCS241I1$'s password:
Could not connect to server W2K3R2-32
Trust to domain ARW2K8R2U24 established

### 1. first ping to winbindd must work
root@qamaster:~# wbinfo -p
Ping to winbindd failed
could not ping winbindd!
root@qamaster:~# /etc/init.d/samba restart
 * Stopping Samba daemons: nmbd
 * Stopping Samba daemons: smbd
 ...done.
 * Starting Samba daemons: nmbd
 * Starting Samba daemons: smbd
 ...done.
root@qamaster:~# wbinfo -p
Ping to winbindd failed
could not ping winbindd!
root@qamaster:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind [ ok ]
 * Starting the Winbind daemon winbind [ ok ]
root@qamaster:~# wbinfo -p
Ping to winbindd succeeded


### 2. listing trustdoms does not work with machine account
## either setauthuser
## or net rpc join
## see e.g. https://forge.univention.org/bugzilla/show_bug.cgi?id=24030#c6
root@qamaster:~# net rpc trustdom list -UAdministrator%univention
Could not connect to server QAMASTER
Connection failed: NT_STATUS_IO_TIMEOUT
Couldn't connect to domain controller: NT_STATUS_IO_TIMEOUT
root@qamaster:~# wbinfo --ping-dc
checking the NETLOGON dc connection failed

root@qamaster:~# net setauthuser -U Administrator
Enter the auth user's password:
root@qamaster:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind [ ok ]
 * Starting the Winbind daemon winbind
root@qamaster:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:

ARW2K8R2U24 S-1-5-21-215963510-1792852931-2165353431

Trusting domains list:

none
root@qamaster:~# wbinfo --ping-dc
checking the NETLOGON dc connection failed

root@qamaster:~# net setauthuser delete
root@qamaster:~# net getauthuser
No authorised user configured
root@qamaster:~# /etc/init.d/samba restart
 * Stopping Samba daemons: nmbd
 * Stopping Samba daemons: smbd
 ...done.
 * Starting Samba daemons: nmbd
 * Starting Samba daemons: smbd
 ...done.
root@qamaster:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind [ ok ]
 * Starting the Winbind daemon winbind [ ok ]
root@qamaster:~# net rpc trustdom list -UAdministrator%univention
Could not connect to server QAMASTER
Connection failed: NT_STATUS_IO_TIMEOUT
Couldn't connect to domain controller: NT_STATUS_IO_TIMEOUT
root@qamaster:~# net rpc testjoin
get_schannel_session_key: could not fetch trust account password for domain 'ARUCS241I1'
net_rpc_join_ok: failed to get schannel session key from server QAMASTER for domain ARUCS241I1. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'ARUCS241I1' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
root@qamaster:~# net rpc join
Enter root's password:
Interupted by signal.
root@qamaster:~# net rpc join -UAdministrator%univntion
Connection failed: NT_STATUS_IO_TIMEOUT
Could not connect to server QAMASTER
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
root@qamaster:~# net rpc join -UAdministrator%univention
Connection failed: NT_STATUS_IO_TIMEOUT
Joined domain ARUCS241I1.
root@qamaster:~# net rpc testjoin
Join to 'ARUCS241I1' is OK
root@qamaster:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:

ARW2K8R2U24 S-1-5-21-215963510-1792852931-2165353431

Trusting domains list:

none
root@qamaster:~# wbinfo --ping-dc
checking the NETLOGON dc connection succeeded


### 3. resolving AD users does not work without "winbind rpc only"
## https://forge.univention.org/bugzilla/show_bug.cgi?id=17592
root@qamaster:~# wbinfo -n ARW2K8R2U24+Administrator
Could not lookup name ARW2K8R2U24+Administrator
root@qamaster:~# vim /etc/samba/local.conf
## winbind rpc only = yes
root@qamaster:~# wbinfo -n ARW2K8R2U24+Administrator
S-1-5-21-215963510-1792852931-2165353431-500 SID_USER (1)
root@qamaster:~# wbinfo -n ARW2K8R2U24+aduser1
S-1-5-21-215963510-1792852931-2165353431-1108 SID_USER (1)


### 4. getent passwd only works if nss is configured to use winbind too
root@qamaster:~# getent passwd ARW2K8R2U24+aduser1 || echo "unknown"
unknown
root@qamaster:~# ucr set auth/user/methods="krb5 ldap unix winbind"
Setting auth/user/methods
Multifile: /etc/pam.d/common-session
File: /etc/nsswitch.conf
File: /etc/pam.d/admin-auth-nowrite
File: /etc/pam.d/admin-password
File: /etc/pam.d/common-account
Multifile: /etc/pam.d/common-auth
File: /etc/pam.d/common-auth-nowrite
File: /etc/pam.d/common-password
File: /etc/pam.d/univention-management-console
File: /etc/ssh/ssh_config
root@qamaster:~# /etc/init.d/nscd restart
 * Restarting NSCD .
root@qamaster:~# getent passwd ARW2K8R2U24+aduser1 || echo unknown
unknown
root@qamaster:~# wbinfo -S S-1-5-21-215963510-1792852931-2165353431-1108
Could not convert sid S-1-5-21-215963510-1792852931-2165353431-1108 to uid

root@qamaster:~# tail -4 /var/log/samba/log.winbindd-idmap
[2012/07/05 19:11:49.481843, 0] winbindd/idmap_ldap.c:123(get_credentials)
 get_credentials: Unable to fetch auth credentials for cn=admin,dc=arucs241i1,dc=qa in ALLOC
[2012/07/05 19:11:49.481869, 0] winbindd/idmap.c:589(idmap_alloc_init)
 ERROR: Initialization failed for alloc backend, deferred!
root@qamaster:~# net idmap secret alloc $(cat /etc/ldap.secret)
Secret stored
root@qamaster:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind [ ok ]
 * Starting the Winbind daemon winbind [ ok ]
root@qamaster:~# wbinfo -S S-1-5-21-215963510-1792852931-2165353431-1108
55000
## ok uid is allocated, strange that net idmap secret was necessary again, because:
root@qamaster:~# grep 'idmap secret' /var/log/univention/*
/var/log/univention/join.log:setting idmap secret for alloc from /etc/ldap.secret

## but getent passwd still fails
root@qamaster:~# getent passwd ARW2K8R2U24+aduser1 || echo unknown
unknown



#### try to enumerate users
root@qamaster:~# wbinfo -u
join-backup
join-slave
administrator
root@qamaster:~# net setauthuser -U Administrator
Enter the auth user's password:
## see Ticket#: 2011011710013431
root@qamaster:~# wbinfo -u
join-backup
join-slave
administrator
ARW2K8R2U24+administrator
ARW2K8R2U24+aduser1
ARW2K8R2U24+gast
ARW2K8R2U24+krbtgt
ARW2K8R2U24+support_388945a0
## You have to give the Administrator password for the AD domain here:
root@qamaster:~# net getauthuser
ARUCS241I1+Administrator%Univention123
## THIS IS REALLY BROKEN ^^^^ that is the PW of ARW2K8R2U24+Administrator..
## Probably this also works with machine account instead of setauthuser
## if a bidirectional trust is set up
root@qamaster:~# getent passwd ARW2K8R2U24+aduser1 || echo unknown
unknown
root@qamaster:~# /etc/init.d/nscd restart
 * Restarting NSCD .
root@qamaster:~# getent passwd ARW2K8R2U24+aduser1 || echo unknown
ARW2K8R2U24+aduser1:*:55000:55000:aduser1 univention:/home/ARW2K8R2U24-aduser1:/bin/bash
## cross check
root@qamaster:~# net setauthuser delete
root@qamaster:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind [ ok ]
 * Starting the Winbind daemon winbind [ ok ]
root@qamaster:~# /etc/init.d/nscd restart
 * Restarting NSCD .
root@qamaster:~# wbinfo -u
join-backup
join-slave
administrator
root@qamaster:~# getent passwd ARW2K8R2U24+aduser1 || echo unknown
unknown
root@qamaster:~# net setauthuser -U Administrator
Enter the auth user's password:
root@qamaster:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind [ ok ]
 * Starting the Winbind daemon winbind [ ok ]
root@qamaster:~# /etc/init.d/nscd restart
 * Restarting NSCD .
root@qamaster:~# sleep 10 ## wait a bit for winbind..
getent passwd ARW2K8R2U24+aduser1 || echo unknown
root@qamaster:~# getent passwd ARW2K8R2U24+aduser1 || echo unknown
ARW2K8R2U24+aduser1:*:55000:55000:aduser1 univention:/home/ARW2K8R2U24-aduser1:/bin/bash

### Authentication
root@qamaster:~# wbinfo -a ARW2K8R2U24+Administrator%Univention123
plaintext password authentication succeeded
challenge/response password authentication succeeded

### Testscript for https://forge.univention.org/bugzilla/show_bug.cgi?id=25244
root@qamaster:~# wget 'https://forge.univention.org/bugzilla/attachment.cgi?id=3986' -O check-winbind-user
root@qamaster:~# chmod 755 check-winbind-user
root@qamaster:~# ./check-winbind-user ARW2K8R2U24+aduser1%'Test1234;.'
sid: S-1-5-21-215963510-1792852931-2165353431-1108
username: ARW2K8R2U24+aduser1
uid: 55000
GIDs: 55000
groupsid: S-1-5-21-215963510-1792852931-2165353431-513
groupname: ARW2K8R2U24+Domänen-Benutzer
getent passwd: ARW2K8R2U24+aduser1:*:55000:55000:aduser1 univention:/home/ARW2K8R2U24-aduser1:/bin/bash
plaintext password authentication succeeded
challenge/response password authentication succeeded
dcname: w2k3r2-32.arw2k8r2u24.qa
Could not lookup WINS by name w2k3r2-32.arw2k8r2u24.qa
trying DNS: Host w2k3r2-32.arw2k8r2u24.qa not found: 3(NXDOMAIN)
enum users for domain ARW2K8R2U24 successfull
enum groups for domain ARW2K8R2U24 successfull

### Miscellaneous
root@qamaster:~# wbinfo --online-status
BUILTIN : online
ARUCS241I1 : offline
ARW2K8R2U24 : online


###### Memberserver ###############################################################
root@qamember:~# net rpc testjoin
Join to 'ARUCS241I1' is OK
### trustdom is already established, also for the memberserver:
root@qamember:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:

ARW2K8R2U24 S-1-5-21-215963510-1792852931-2165353431

Trusting domains list:

none
root@qamember:~# wbinfo -p
Ping to winbindd failed
could not ping winbindd!
root@qamember:~# wbinfo --ping-dc
checking the NETLOGON dc connection failed
Could not ping our DC
## oops?
root@qamember:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind [ ok ]
 * Starting the Winbind daemon winbind [ ok ]
root@qamember:~# wbinfo -p
Ping to winbindd succeeded
root@qamember:~# wbinfo --ping-dc
checking the NETLOGON dc connection succeeded
## ok..

### resolving AD users on the memberserver also works without "winbind rpc only"
root@qamember:~# wbinfo -n ARW2K8R2U24+Administrator
S-1-5-21-215963510-1792852931-2165353431-500 SID_USER (1)
root@qamember:~# wbinfo -n ARW2K8R2U24+aduser1
S-1-5-21-215963510-1792852931-2165353431-1108 SID_USER (1)

### IDMapping works without manual intervention:
root@qamember:~# grep 'idmap secret' /var/log/univention/*
/var/log/univention/join.log:setting idmap secret for alloc from /etc/machine.secret
root@qamember:~# wbinfo -S S-1-5-21-215963510-1792852931-2165353431-1108
55000
root@qamember:~# wbinfo -n ARW2K8R2U24+aduser2
S-1-5-21-215963510-1792852931-2165353431-1110 SID_USER (1)
root@qamember:~# wbinfo -S S-1-5-21-215963510-1792852931-2165353431-1110
55002


### Authentication
root@qamember:~# wbinfo -a ARW2K8R2U24+Administrator%Univention123
plaintext password authentication succeeded
challenge/response password authentication succeeded
root@qamember:~# wbinfo -a ARW2K8R2U24+aduser1%'Test1234;.'
plaintext password authentication succeeded
challenge/response password authentication succeeded


### Testscript for https://forge.univention.org/bugzilla/show_bug.cgi?id=25244
root@qamember:~# wget 'https://forge.univention.org/bugzilla/attachment.cgi?id=3986' -O check-winbind-user
root@qamember:~# chmod 755 check-winbind-user
root@qamember:~# ./check-winbind-user
sid: S-1-5-21-1631607150-3973500847-3586540417
username: ARUCS241I1+
Could not convert sid S-1-5-21-1631607150-3973500847-3586540417 to uid
root@qamember:~# ./check-winbind-user ARW2K8R2U24+aduser1%'Test1234;.'
sid: S-1-5-21-215963510-1792852931-2165353431-1108
username: +aduser1
uid: 55000
GIDs: 55000
groupsid: S-1-5-21-215963510-1792852931-2165353431-513
groupname: +Domänen-Benutzer
ERROR: getent passwd: no entry
plaintext password authentication succeeded
challenge/response password authentication succeeded
Could not get dc name for ARW2K8R2U24
root@qamember:~# ucr set auth/user/methods="krb5 ldap unix winbind"
Setting auth/user/methods
File: /etc/pam.d/univention-management-console
File: /etc/ssh/ssh_config
Multifile: /etc/pam.d/common-session
File: /etc/nsswitch.conf
File: /etc/pam.d/admin-auth-nowrite
File: /etc/pam.d/admin-password
File: /etc/pam.d/common-account
Multifile: /etc/pam.d/common-auth
File: /etc/pam.d/common-auth-nowrite
File: /etc/pam.d/common-password
root@qamember:~# /etc/init.d/nscd restart
 * Restarting NSCD .
root@qamember:~# ./check-winbind-user ARW2K8R2U24+aduser1%'Test1234;.'
sid: S-1-5-21-215963510-1792852931-2165353431-1108
username: ARW2K8R2U24+aduser1
uid: 55000
GIDs: 55000
groupsid: S-1-5-21-215963510-1792852931-2165353431-513
groupname: +Domänen-Benutzer
getent passwd: ARW2K8R2U24+aduser1:*:55000:55000::/home/ARW2K8R2U24-aduser1:/bin/bash
plaintext password authentication succeeded
challenge/response password authentication succeeded
dcname: W2K3R2-32
WARNING: enum users failed for domain ARW2K8R2U24
WARNING: enum groups failed for domain ARW2K8R2U24

#### try to enumerate users
#### strange: does not work yet!
root@qamember:~# wbinfo -u
QAMEMBER+nagios
QAMEMBER+backup
QAMEMBER+nobody
QAMEMBER+lp
QAMEMBER+postfix
QAMEMBER+root
QAMEMBER+sshd
QAMEMBER+daemon
QAMEMBER+mail
QAMEMBER+tss
QAMEMBER+news
QAMEMBER+messagebus
QAMEMBER+bin
QAMEMBER+uucp
QAMEMBER+ntp
QAMEMBER+saned
QAMEMBER+proxy
QAMEMBER+sys
QAMEMBER+systemmail
QAMEMBER+listener
QAMEMBER+hplip
QAMEMBER+statd
QAMEMBER+sync
QAMEMBER+list
QAMEMBER+apt-mirror
QAMEMBER+games
QAMEMBER+irc
QAMEMBER+www-data
QAMEMBER+gnats
QAMEMBER+man
QAMEMBER+libuuid
ARUCS241I1+join-backup
ARUCS241I1+join-slave
ARUCS241I1+administrator
root@qamember:~# net setauthuser -U Administrator
Enter the auth user's password: ## AD password
root@qamember:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind [ ok ]
 * Starting the Winbind daemon winbind
root@qamember:~# wbinfo -g --domain="ARW2K8R2U24"
root@qamember:~# net setauthuser -U Administrator
Enter the auth user's password: ## UCS password
root@qamember:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind [ ok ]
 * Starting the Winbind daemon winbind
root@qamember:~# wbinfo -g --domain="ARW2K8R2U24"
root@qamember:~# net setauthuser delete
root@qamember:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind [ ok ]
 * Starting the Winbind daemon winbind
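The protocol above repeats the same sequence of checks on both hosts: winbindd answers a ping, the NETLOGON connection to the own DC works, a trusted-domain name resolves to a SID, the SID gets a uid from the idmap alloc backend, and finally NSS returns a passwd entry. The script below is an example added by the editor; it is not the check-winbind-user script from attachment 3986 and not Univention code. It runs those checks in that order, stops at the first hard failure and attaches the remedy the protocol found for that step. The command names and the success strings it matches are the ones printed in the protocol; the step names, the uid range 55000-65000 and the replayed outputs are constructed assumptions, and the fake runner exists only so the decision logic can be exercised without a domain.

```python
"""Ordered health check for a winbind trust user, following the steps of the test protocol.
Added example, not the project's check-winbind-user script; command names are the ones in
the protocol, the uid range and the replayed outputs are constructed assumptions."""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Runner = Callable[[List[str]], Tuple[int, str]]


def run_local(argv: List[str]) -> Tuple[int, str]:
    """Run the command on this host and return (exit status, combined output)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def fake_runner(responses: Dict[str, Tuple[int, str]]) -> Runner:
    """Answer from a table keyed by the joined argv; unknown commands fail (offline replay)."""
    def run(argv: List[str]) -> Tuple[int, str]:
        return responses.get(" ".join(argv), (1, "not available"))
    return run


# 'wbinfo -n' prints e.g. "S-1-5-21-...-1108 SID_USER (1)": capture domain SID and RID
SID_USER_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)\s+SID_USER", re.M)


@dataclass
class Finding:
    step: str
    ok: bool
    detail: str
    hint: str = ""


def check_trust_user(domain: str, user: str, expected_domain_sid: Optional[str] = None,
                     uid_range: Tuple[int, int] = (55000, 65000),
                     runner: Runner = run_local) -> List[Finding]:
    """Walk the protocol's steps in order; return all findings up to the first hard failure."""
    findings: List[Finding] = []

    def record(step: str, ok: bool, detail: str, hint: str) -> bool:
        findings.append(Finding(step, ok, detail.strip(), "" if ok else hint))
        return ok

    # 1. winbindd itself; in the protocol a samba restart did not help, winbind needed its own restart
    rc, out = runner(["wbinfo", "-p"])
    if not record("winbindd ping", rc == 0 and "succeeded" in out, out,
                  "restart the winbind service itself; restarting samba does not start winbindd"):
        return findings
    # 2. NETLOGON to the own DC; stayed broken until the machine account was re-joined
    rc, out = runner(["wbinfo", "--ping-dc"])
    record("NETLOGON to own DC", rc == 0 and "succeeded" in out, out,
           "run 'net rpc testjoin'; re-join if the trust account password cannot be fetched")
    # 3. name -> SID for a user of the trusted domain
    rc, out = runner(["wbinfo", "-n", f"{domain}+{user}"])
    m = SID_USER_RE.search(out)
    if not record("name to SID", rc == 0 and m is not None, out,
                  "on the DC master this needed 'winbind rpc only = yes' in /etc/samba/local.conf"):
        return findings
    domain_sid, rid = m.group(1), m.group(2)
    if expected_domain_sid and not record("SID domain", domain_sid == expected_domain_sid, domain_sid,
                                          "lookup was answered for a different domain than expected"):
        return findings
    sid = f"{domain_sid}-{rid}"
    # 4. SID -> uid through the idmap alloc backend; failed until the LDAP secret was stored
    rc, out = runner(["wbinfo", "-S", sid])
    uid = int(out.strip()) if out.strip().isdigit() else None
    lo, hi = uid_range
    if not record("SID to uid (idmap alloc)", rc == 0 and uid is not None and lo <= uid < hi, out,
                  "alloc backend not initialised: 'net idmap secret alloc <secret>' and restart winbind"):
        return findings
    # 5. NSS passwd entry; needs winbind in the NSS methods, an nscd restart and an auth user
    rc, out = runner(["getent", "passwd", f"{domain}+{user}"])
    fields = out.strip().split(":")
    record("NSS passwd entry", rc == 0 and len(fields) == 7 and fields[2] == str(uid), out,
           "ucr set auth/user/methods with winbind, restart nscd, check 'net getauthuser'")
    return findings


def first_failure(findings: List[Finding]) -> Optional[str]:
    """Name of the first failed step, or None when every recorded step passed."""
    return next((f.step for f in findings if not f.ok), None)


# Constructed replay of the outputs the protocol shows once everything works on the DC master
DC_MASTER_OK = {
    "wbinfo -p": (0, "Ping to winbindd succeeded\n"),
    "wbinfo --ping-dc": (0, "checking the NETLOGON dc connection succeeded\n"),
    "wbinfo -n ARW2K8R2U24+aduser1": (0, "S-1-5-21-215963510-1792852931-2165353431-1108 SID_USER (1)\n"),
    "wbinfo -S S-1-5-21-215963510-1792852931-2165353431-1108": (0, "55000\n"),
    "getent passwd ARW2K8R2U24+aduser1":
        (0, "ARW2K8R2U24+aduser1:*:55000:55000:aduser1 univention:/home/ARW2K8R2U24-aduser1:/bin/bash\n"),
}
# Constructed: same host before 'net idmap secret alloc', the SID resolves but no uid is allocated
IDMAP_BROKEN = dict(DC_MASTER_OK, **{
    "wbinfo -S S-1-5-21-215963510-1792852931-2165353431-1108":
        (1, "Could not convert sid S-1-5-21-215963510-1792852931-2165353431-1108 to uid\n"),
})

if __name__ == "__main__":
    for name, replay in (("dc-master ok", DC_MASTER_OK), ("idmap broken", IDMAP_BROKEN)):
        found = check_trust_user("ARW2K8R2U24", "aduser1", runner=fake_runner(replay))
        print(name, "->", first_failure(found) or "all steps passed")
        for f in found:
            if not f.ok:
                print("  ", f.step, ":", f.detail, "|", f.hint)
```

On a real host call `check_trust_user(domain, user)` without a runner argument so `run_local` executes `wbinfo` and `getent`; the replay tables are only there to show the decision path for the two states the protocol records.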