sftp chroot + winbind + ad

# 1  
Old 11-05-2012
sftp chroot + winbind + ad

I have the following configuration:
- AIX 5.3 (5300-11-03-1013)
- pWare.SAMBA 3.5.8.1
- OpenSSH 5.2.0
- OpenSSL 0.9.8

Now, to be clearer, I'll explain what I actually need.
My task is to set up integration of an AIX server with Active Directory 2008 using Samba (Winbind) for chrooted SSH connections.
It means our developers should log in to the AIX server with their own AD accounts over SFTP and upload/download files on it.
A chroot environment is recommended for this.

Ok, let's look at my krb5.conf

Code:
[root@wb53tst /]$ cat /etc/krb5/krb5.conf 
[libdefaults]
        default_realm = TST.TST
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

[realms]
        TST.TST = {
                kdc = dc1.tst.com:88
                admin_server = dc1.tst.com:749
                default_domain = tst.com
        }

[domain_realm]
        .tst.com = TST.COM
        dc1.tst.com = TST.COM

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log

and smb.conf
Code:
[root@wb53tst /]$ cat /opt/pware/lib/smb.conf
[global]
        workgroup = TST
        netbios name = wb53tst
        security = ads
        passdb backend = tdbsam
        realm = TST.COM
        password server = dc1.tst.com
        load printers = yes
        cups options = raw

winbind uid = 10000-65534
winbind gid = 10000-65534
winbind use default domain = yes
winbind separator = +

winbind enum users = yes
winbind enum groups = yes
winbind cache time = 60
winbind uid = 10000-65534
winbind gid = 10000-65534
winbind use default domain = yes
winbind separator = +

template homedir = /home/FILEBASE/TST/%U
template shell = /bin/bash
winbind offline logon = no

[homes]
        comment = Home Directories
        browseable = no
        writable = yes

Then create the dirs ...
Code:
[root@wb53tst /]$ mkdir -p /home/FILEBASE/TST

After that we set the option to create home dirs automatically
Code:
[root@wb53tst /]$ vi /etc/security/login.cfg
...
mkhomeatlogin = true

Now we should edit the /etc/security/user config file to authenticate new users in our system with Winbind
Code:
default:
...
        SYSTEM = "WINBIND OR compat"
        registry = WINBIND
...

Finally we join our server to AD and try to log in to it with ssh from another station (PC or server)
Code:
[root@wb53tst /]$ net ads join -U aixadmin
Password:
[root@wb53tst /]$ wbinfo -u | grep a.fox
a.fox
[root@wb53tst /]$ lsuser -r WINBIND a.fox
a.fox id=10000 pgrp=domain users home=/home/FILEBASE/TST/a.fox shell=/bin/bash gecos= login=true su=true rlogin=true daemon=true admin=false sugroups=ALL 
admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND SYSTEM=WINBIND OR compat logintimes= loginretries=0 
pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 
pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=524288 stack=524288 core=2097151 rss=524288 nofiles=-1 time_last_login=1352112067 
time_last_unsuccessful_login=1352111337 tty_last_login=ssh tty_last_unsuccessful_login=ssh host_last_login=iosx.tst.com host_last_unsuccessful_login=iosx.tst.com 
unsuccessful_login_count=0 roles= pgid=10000 SID=S-1-5-21-1451182435-1389936362-2546935155-38411

Code:
$ ssh -l a.fox wb53tst.tst.com
Password:
[a.fox@wb53tst ~]$ pwd
/home/FILEBASE/TST/a.fox

Well, it works. But what should I do to chroot AD users?
The option in /etc/ssh/sshd_config:
ChrootDirectory /home/FILEBASE/TST/%u
doesn't work. Any ideas?

Last edited by jess_t03; 11-05-2012 at 07:38 AM..
# 2  
Old 11-06-2012
You said you want the "developers should login into AIX server by own AD acounts with SFTP and upload/download files on it." You shouldn't need the ssh command-line connection for that. I haven't tried this with sftp yet, but guessing from setting up standard ftp servers, you chroot the ftpd at start time and it sets the connections to a "virtual root directory", much like a web server does: the web address "http://www.server.com" is hardly the real root directory but some directory designated to be the "virtual root" for the purposes of the web server.


I hope this helps.

bakunin
# 3  
Old 11-07-2012
Unfortunately I should do it with ssh, because it's a test for realization, and my boss just wants to know whether it is possible and how hard it would be.
# 4  
Old 11-07-2012
AIX + sftp + winbind

Hello friends.

I have a task to set up AIX integration with Active Directory using SAMBA.
Users should log in over SFTP with their own AD accounts and download/upload things to their own home directories. I've already set up AIX authentication with WINBIND and I can see AD users and groups, and I can even log in to the server via SSH with an AD account. But I have no idea why I can't do the same with SFTP. Local users (type: compat) log in successfully, but AD users don't. Specifically SFTP, because the SSH connection on port 22 works perfectly for AD accounts. Maybe I need to edit the PAM config?

- AIX 5.3 (5300-11-03-1013)
- pWare.SAMBA 3.5.8.1
- OpenSSH 5.2.0
- OpenSSL 0.9.8

Code:
[root@wb53tst /]$ cat /opt/pware/lib/smb.conf
[global]
        workgroup = TST
        netbios name = wb53tst
        security = ads
        passdb backend = tdbsam
        realm = TST.COM
        password server = dc1.tst.com
        load printers = yes
        cups options = raw

winbind uid = 10000-65534
winbind gid = 10000-65534
winbind use default domain = yes
winbind separator = +

winbind enum users = yes
winbind enum groups = yes
winbind cache time = 60
winbind uid = 10000-65534
winbind gid = 10000-65534
winbind use default domain = yes
winbind separator = +

template homedir = /home/FILEBASE/TST/%U
template shell = /bin/bash
winbind offline logon = no

[homes]
        comment = Home Directories
        browseable = no
        writable = yes

Code:
[root@wb53tst /]$ cat /etc/ssh/sshd_config | egrep -v "(^#.*|^$)"
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
UseLogin yes
PermitUserEnvironment yes
PidFile /var/run/sshd.pid
Subsystem       sftp    /usr/sbin/sftp-server

---------- Post updated at 01:37 AM ---------- Previous update was at 01:30 AM ----------

And I want to add a few words.
It's just a task. I know that SAMBA, WINBIND and PAM are not a perfect solution. Sure, Kerberos + LDAP would be better and easier. But I need to do this test only with that.


Moderator's Comments:
Mod Comment edit by bakunin: you do not need to open two threads for one problem - one is perfectly fine. Threads merged.

Last edited by bakunin; 11-07-2012 at 07:24 AM..