Operating System - HP-UX

Kerberos/LDAP group membership authentication

 
Dustin Black
Advisor

Kerberos/LDAP group membership authentication

I have been working to setup an 11i v1 server to be installed into an otherwise 100% Windows environment. I will be administering this machine remotely - as in from another country - so I am trying to setup user access and authentication to be as simple as possible from the Windows user standpoint.

I have Kerberos authentication working properly such that I can login to the HP-UX machine directly as an AD user. I also have Samba/CIFS shares configured such that access to the shares is restricted based on AD group membership.

The problem I have now is that I can't seem to authenticate AD group permissions on a filesystem level. I have set ownership on an HP-UX filesystem such that the owning gid maps to a particular AD sid via winbind. However, when a user that is a member of the owning group tries to access the filesystem, that access is denied. This happens through remote Samba access and from local system login.

It appears that the only group authorization that is occurring is what Samba sees as the user's primary group. Something is missing that is keeping Samba/PAM/Kerberos/LDAP from recognizing the user's membership in other AD groups.

Any help would be greatly appreciated.
Steven E. Protter
Exalted Contributor

Re: Kerberos/LDAP group membership authentication

Shalom,

You need to look at smb.conf settings for workgroup and security. These must match your primary domain controller.

You may need to add a machine account for your HP server on the PDC.

net join with an administrative account to fully integrate your HP-UX box into your realm/domain.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Re: Kerberos/LDAP group membership authentication

Check whether your smb.conf has the security level set to share level.
If it is set to user level you could have issues.
I think ads will also work
Dustin Black
Advisor

Re: Kerberos/LDAP group membership authentication

I've been working with HP support on the phone, and it turns out that my problem stems from an HP-UX limitation whereby a user can only belong to 20 groups. If I add up all of the nested AD groups for the user trying to access the filesystem, I get just over 20 (easily available with "wbinfo -r username | wc -l").

Because of this system limitation and the AD group structure our Windows team has chosen, it appears that I am stuck relying only on Samba share-level permissions, which seem to resolve the user's group memberships properly. I would prefer the finer granularity of filesystem permissions, but I believe I can make this work.