AIX + Winbind + SFTP



This topic has 9 replies and 2 participants; it was last updated by Oleg 5 years, 1 month ago.

  • #17130

    Oleg
    Participant

    Friends, we have been given the task of integrating AIX systems with Active Directory.
    Users must log in to SFTP with their AD accounts and upload files into their home directories.
    I have set up system authentication with WINBIND. I can see the AD users and can log in to the server over OpenSSH with an AD account. Unfortunately, I cannot find a way to make this work for SFTP. Local users get in, but AD users are refused. It throws an error as if the SFTP server were not running. Maybe PAM needs some tuning?

    — AIX 5.3 (5300-11-03-1013)
    — pWare.SAMBA 3.5.8.1
    — OpenSSH 5.2.0
    — OpenSSL 0.9.8

    [code]
    [root@wb53tst /]$ cat /opt/pware/lib/smb.conf
    [global]
    workgroup = TST
    netbios name = wb53tst
    security = ads
    passdb backend = tdbsam
    realm = TST.COM
    password server = dc1.tst.com
    load printers = yes
    cups options = raw

    winbind uid = 10000-65534
    winbind gid = 10000-65534
    winbind use default domain = yes
    winbind separator = +

    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 60
    winbind uid = 10000-65534
    winbind gid = 10000-65534
    winbind use default domain = yes
    winbind separator = +

    template homedir = /home/FILEBASE/TST/%U
    template shell = /bin/bash
    winbind offline logon = no

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes
    [/code]

    [code]
    [root@wb53tst /]$ cat /etc/ssh/sshd_config | egrep -v "(^#.*|^$)"
    Protocol 2
    SyslogFacility AUTHPRIV
    PermitRootLogin no
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    UsePAM yes
    UseLogin yes
    PermitUserEnvironment yes
    PidFile /var/run/sshd.pid
    Subsystem sftp /usr/sbin/sftp-server
    [/code]

  • #17131

    andrewk
    Participant

    1. Throw out winbind
    2. Throw out Samba
    3. Throw out PAM
    4. Forget everything you know about Linux and its AD integration
    5. Set up Kerberos and LDAP by the book.

  • #17132

    andrewk
    Participant

    and update OpenSSH while you are at it

  • #17133

    Oleg
    Participant

    Honestly, that is exactly what I want to do. Samba is not the right solution here.
    But my task is a test: whether this can be done with Samba or not.
    I have to see this task through to the end 🙁

  • #17134

    andrewk
    Participant

    Is your task "test Samba" or "integrate AIX with MS AD"?

  • #17135

    Oleg
    Participant

    Specifically here, "test Samba".
    I tested it. Integration is possible: I see the users, I see the groups. I can log in over SSH. Over SFTP I cannot. Using other products such as ProFTPd/WuFTPd etc. is forbidden within the scope of the test.
    On Linux this works, but there it is done through PAM. Here I dug into the config; the difference is visible to the naked eye 🙂

  • #17138

    andrewk
    Participant

    Then enable debug logging and send the logs. "It throws an error as if the SFTP server were not running" is what you would get if nobody were listening on port 22. In any other case the client tells SSH that it wants an SFTP session, SSH authorizes the client and starts the SFTP server (if I am not mistaken).

  • #17140

    Oleg
    Participant

    I started SSHD with the -ddd option.

    I enter the user name:
    [code]
    debug1: userauth-request for user iosx service ssh-connection method none
    debug1: attempt 0 failures 0
    debug3: mm_getpwnamallow entering
    debug3: mm_request_send entering: type 6
    debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
    debug3: mm_request_receive_expect entering: type 7
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 6
    debug3: mm_answer_pwnamallow
    debug3: Trying to reverse map address 10.1.106.50.
    debug2: parse_server_config: config reprocess config len 398
    debug3: AIX/loginrestrictions returned 0 msg (none)
    debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
    debug3: mm_request_send entering: type 7
    debug2: monitor_read: 6 used once, disabling now
    debug3: mm_request_receive entering
    debug2: input_userauth_request: setting up authctxt for iosx
    debug1: Eff_sl:::Eff_tl:
    debug3: mm_inform_authserv entering
    debug3: mm_request_send entering: type 3
    debug2: input_userauth_request: try method none
    debug3: mm_auth_password entering
    debug3: mm_request_send entering: type 10
    debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
    debug3: mm_request_receive_expect entering: type 11
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 3
    debug3: mm_answer_authserv: service=ssh-connection, style=
    debug2: monitor_read: 3 used once, disabling now
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 10
    debug3: mm_answer_authpassword: sending result 0
    debug3: mm_request_send entering: type 11
    Failed none for iosx from 10.1.106.50 port 52595 ssh2
    debug3: mm_request_receive entering
    debug3: mm_auth_password: user not authenticated
    debug1: userauth-request for user iosx service ssh-connection method keyboard-interactive
    debug1: attempt 1 failures 0
    debug2: input_userauth_request: try method keyboard-interactive
    debug1: keyboard-interactive devs
    debug1: auth2_challenge: user=iosx devs=
    debug1: kbdint_alloc: devices ''
    debug2: auth2_challenge_start: devices
    [/code]
    I enter the password:
    [code]
    debug1: userauth-request for user iosx service ssh-connection method password
    debug1: attempt 2 failures 1
    debug2: input_userauth_request: try method password
    debug3: mm_auth_password entering
    debug3: mm_request_send entering: type 10
    debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
    debug3: mm_request_receive_expect entering: type 11
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 10
    debug3: AIX/authenticate result 0, authmsg
    debug3: AIX SYSTEM attribute WINBIND OR compat
    debug3: AIX/setauthdb set registry 'WINBIND'
    debug3: AIX/passwdexpired returned 0 msg
    debug3: aix_restoreauthdb: restoring old registry ''
    debug3: mm_answer_authpassword: sending result 1
    debug3: mm_request_send entering: type 11
    Accepted password for iosx from 10.1.106.50 port 52595 ssh2
    debug3: mm_auth_password: user authenticated
    debug3: mm_send_keystate: Sending new keys: 2003d2c8 2003cf98
    debug3: mm_newkeys_to_blob: converting 2003d2c8
    debug3: mm_newkeys_to_blob: converting 2003cf98
    debug3: mm_send_keystate: New keys have been sent
    debug3: mm_send_keystate: Sending compression state
    debug3: mm_request_send entering: type 24
    debug3: mm_send_keystate: Finished sending state
    debug3: AIX/setauthdb set registry 'WINBIND'
    debug3: aix_restoreauthdb: restoring old registry ''
    debug1: monitor_child_preauth: iosx has been authenticated by privileged process
    debug3: mm_get_keystate: Waiting for new keys
    debug3: mm_request_receive_expect entering: type 24
    debug3: mm_request_receive entering
    debug3: mm_newkeys_from_blob: 20092da8(139)
    debug2: mac_setup: found hmac-sha1
    debug3: mm_get_keystate: Waiting for second key
    debug3: mm_newkeys_from_blob: 20092da8(139)
    debug2: mac_setup: found hmac-sha1
    debug3: mm_get_keystate: Getting compression state
    debug3: mm_get_keystate: Getting Network I/O buffers
    debug1: ACCESS KEY:

    debug3: mm_share_sync: Share sync
    debug3: mm_share_sync: Share sync end
    debug1: temporarily_use_uid: 10000/10000 (e=0/0)
    debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
    debug1: restore_uid: 0/0
    debug2: set_newkeys: mode 0
    debug2: cipher_init: set keylen (16 -> 32)
    debug2: set_newkeys: mode 1
    debug2: cipher_init: set keylen (16 -> 32)
    debug1: Entering interactive session for SSH2.
    debug2: fd 6 setting O_NONBLOCK
    debug2: fd 7 setting O_NONBLOCK
    debug1: server_init_dispatch_20
    debug3: Received SSH2_MSG_IGNORE
    debug1: server_input_channel_open: ctype session rchan 256 win 2147483647 max 16384
    debug1: input_session_request
    debug1: channel 0: new [server-session]
    debug2: session_new: allocate (allocated 0 max 10)
    debug3: session_unused: session id 0 unused
    debug1: session_new: session 0
    debug1: session_open: channel 0
    debug1: session_open: session 0: link with channel 0
    debug1: server_input_channel_open: confirm session
    debug1: server_input_channel_req: channel 0 request simple@putty.projects.tartarus.org reply 0
    debug1: session_by_channel: session 0 channel 0
    debug1: session_input_channel_req: session 0 req simple@putty.projects.tartarus.org
    debug1: server_input_channel_req: channel 0 request subsystem reply 1
    debug1: session_by_channel: session 0 channel 0
    debug1: session_input_channel_req: session 0 req subsystem
    subsystem request for sftp
    debug1: subsystem: exec() /usr/sbin/sftp-server
    debug2: fd 4 setting TCP_NODELAY
    debug2: fd 11 setting O_NONBLOCK
    debug2: fd 10 setting O_NONBLOCK
    debug1: Received SIGCHLD.
    debug1: session_by_pid: pid 294986
    debug1: session_exit_message: session 0 channel 0 pid 294986
    debug2: channel 0: request exit-status confirm 0
    debug1: session_exit_message: release channel 0
    debug2: channel 0: write failed
    debug2: channel 0: close_write
    debug2: channel 0: send eow
    debug2: channel 0: output open -> closed
    debug2: notify_done: reading
    debug2: channel 0: read drain
    debug2: channel 0: ibuf empty
    debug2: channel 0: send eof
    debug2: channel 0: input drain -> closed
    debug2: channel 0: send close
    debug3: channel 0: will not send data after close
    debug2: channel 0: rcvd close
    debug3: channel 0: will not send data after close
    debug2: channel 0: is dead
    debug2: channel 0: gc: notify user
    debug1: session_by_channel: session 0 channel 0
    debug1: session_close_by_channel: channel 0 child 0
    debug1: session_close: session 0 pid 0
    debug3: session_unused: session id 0 unused
    debug2: channel 0: gc: user detached
    debug2: channel 0: is dead
    debug2: channel 0: garbage collecting
    debug1: channel 0: free: server-session, nchannels 1
    debug3: channel 0: status: The following connections are open:
    #0 server-session (t4 r256 i3/0 o3/0 fd -1/-1 cfd -1)

    debug3: channel 0: close_fds r -1 w -1 e -1 c -1
    Connection closed by 10.1.106.50
    debug1: do_cleanup
    Transferred: sent 2328, received 1552 bytes
    Closing connection to 10.1.106.50 port 52595
    [/code]
    The daemon started with -ddd then exits.

  • #17141

    andrewk
    Participant

    Replace this line

    Subsystem sftp /usr/sbin/sftp-server

    with

    Subsystem sftp /usr/sbin/sftp-server -e -l DEBUG3

    and repeat the experiment. I am not sure your ancient OpenSSH understands these options. Check man sftp-server first.

  • #17143

    Oleg
    Participant

    I updated OpenSSH from the IBM site to version 6.0p1 and repeated the experiment.

    [code]
    debug1: userauth-request for user iosx service ssh-connection method password [preauth]
    debug1: attempt 2 failures 1 [preauth]
    debug2: input_userauth_request: try method password [preauth]
    debug3: mm_auth_password entering [preauth]
    debug3: mm_request_send entering: type 10 [preauth]
    debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
    debug3: mm_request_receive_expect entering: type 11 [preauth]
    debug3: mm_request_receive entering [preauth]
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 10
    debug3: AIX/authenticate result 0, authmsg
    debug3: AIX SYSTEM attribute WINBIND OR compat
    debug3: AIX/setauthdb set registry 'WINBIND'
    debug3: AIX/passwdexpired returned 0 msg
    debug3: aix_restoreauthdb: restoring old registry ''
    debug3: mm_answer_authpassword: sending result 1
    debug3: mm_request_send entering: type 11
    Accepted password for iosx from 10.1.106.50 port 59173 ssh2
    debug3: AIX/setauthdb set registry 'WINBIND'
    debug3: aix_restoreauthdb: restoring old registry ''
    debug3: mm_auth_password: user authenticated [preauth]
    debug3: mm_send_keystate: Sending new keys: 20042508 20042178 [preauth]
    debug3: mm_newkeys_to_blob: converting 20042508 [preauth]
    debug3: mm_newkeys_to_blob: converting 20042178 [preauth]
    debug3: mm_send_keystate: New keys have been sent [preauth]
    debug3: mm_send_keystate: Sending compression state [preauth]
    debug3: mm_request_send entering: type 24 [preauth]
    debug3: mm_send_keystate: Finished sending state [preauth]
    debug1: monitor_read_log: child log fd closed
    debug1: monitor_child_preauth: iosx has been authenticated by privileged process
    debug3: mm_get_keystate: Waiting for new keys
    debug3: mm_request_receive_expect entering: type 24
    debug3: mm_request_receive entering
    debug3: mm_newkeys_from_blob: 20099278(139)
    debug2: mac_setup: found hmac-sha1
    debug3: mm_get_keystate: Waiting for second key
    debug3: mm_newkeys_from_blob: 20099278(139)
    debug2: mac_setup: found hmac-sha1
    debug3: mm_get_keystate: Getting compression state
    debug3: mm_get_keystate: Getting Network I/O buffers
    debug3: ACCESS KEY:

    debug3: mm_share_sync: Share sync
    debug3: mm_share_sync: Share sync end
    debug1: audit event euid 0 user iosx event 2 (SSH_authsuccess)
    debug1: Return Val-1 for auditproc:0
    debug1: temporarily_use_uid: 10000/10000 (e=0/0)
    debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
    debug1: restore_uid: 0/0
    debug2: set_newkeys: mode 0
    debug2: cipher_init: set keylen (16 -> 32)
    debug2: set_newkeys: mode 1
    debug2: cipher_init: set keylen (16 -> 32)
    debug1: Entering interactive session for SSH2.
    debug2: fd 6 setting O_NONBLOCK
    debug2: fd 7 setting O_NONBLOCK
    debug1: server_init_dispatch_20
    debug3: Received SSH2_MSG_IGNORE
    debug1: server_input_channel_open: ctype session rchan 256 win 2147483647 max 16384
    debug1: input_session_request
    debug1: channel 0: new [server-session]
    debug2: session_new: allocate (allocated 0 max 10)
    debug3: session_unused: session id 0 unused
    debug1: session_new: session 0
    debug1: session_open: channel 0
    debug1: session_open: session 0: link with channel 0
    debug1: server_input_channel_open: confirm session
    debug1: server_input_channel_req: channel 0 request simple@putty.projects.tartarus.org reply 0
    debug1: session_by_channel: session 0 channel 0
    debug1: session_input_channel_req: session 0 req simple@putty.projects.tartarus.org
    debug1: server_input_channel_req: channel 0 request subsystem reply 1
    debug1: session_by_channel: session 0 channel 0
    debug1: session_input_channel_req: session 0 req subsystem
    subsystem request for sftp by user iosx
    debug1: subsystem: exec() /usr/sbin/sftp-server -e -l DEBUG3 -m /etc/ssh/sshd_config
    debug1: Values: options.num_allow_users: 0
    debug1: RLOGIN VALUE :1

    debug1: audit run command euid 0 user iosx command '/usr/sbin/sftp-server -e -l DEBUG3 -m /etc/ssh/sshd_config'
    debug2: fd 4 setting TCP_NODELAY
    debug3: packet_set_tos: set IP_TOS 0x08
    debug2: fd 11 setting O_NONBLOCK
    debug2: fd 10 setting O_NONBLOCK
    debug2: fd 13 setting O_NONBLOCK
    debug2: channel 0: read 46 from efd 13
    debug3: channel 0: discard efd
    debug1: Received SIGCHLD.
    debug1: session_by_pid: pid 376972
    debug1: session_exit_message: session 0 channel 0 pid 376972
    debug2: channel 0: request exit-status confirm 0
    debug1: session_exit_message: release channel 0
    debug2: channel 0: write failed
    debug2: channel 0: close_write
    debug2: channel 0: send eow
    debug2: channel 0: output open -> closed
    debug2: channel 0: read 0 from efd 13
    debug2: channel 0: closing read-efd 13
    debug2: notify_done: reading
    debug2: channel 0: read drain
    debug2: channel 0: ibuf empty
    debug2: channel 0: send eof
    debug2: channel 0: input drain -> closed
    debug2: channel 0: send close
    debug3: channel 0: will not send data after close
    debug2: channel 0: rcvd close
    debug3: channel 0: will not send data after close
    debug2: channel 0: is dead
    debug2: channel 0: gc: notify user
    debug1: session_by_channel: session 0 channel 0
    debug1: session_close_by_channel: channel 0 child 0
    debug1: session_close: session 0 pid 0
    debug3: session_unused: session id 0 unused
    debug2: channel 0: gc: user detached
    debug2: channel 0: is dead
    debug2: channel 0: garbage collecting
    debug1: channel 0: free: server-session, nchannels 1
    debug3: channel 0: status: lmkdir path Create local directory
    #0 server-session (t4 r256 i3/0 o3/0 fd -1/-1 cc -1)

    Connection closed by 10.1.106.50
    debug1: do_cleanup
    Transferred: sent 2448, received 1552 bytes
    Closing connection to 10.1.106.50 port 59173
    debug1: audit event euid 0 user iosx event 11 (SSH_connclose)
    debug1: Return Val-1 for auditproc:0
    [/code]
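The "read 46 from efd 13" and "discard efd" lines show sshd reading and dropping the subsystem child's stderr just before the SIGCHLD, so whatever sftp-server or the login shell printed before exiting never reaches the debug log. As an added example that is not part of the thread, this POSIX sh script repeats out of band the checks implied by sshd's session setup (home directory, login shell, subsystem binary, launching through "shell -c"); lookup_aix_user, the lsuser output layout it parses, and the use of user iosx with the posted Subsystem line are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the steps sshd takes
# before it exec()s the sftp subsystem for a user, so a failure that the
# child could only report on its discarded stderr becomes visible.
# Assumptions: paths are passed in explicitly; lookup_aix_user relies on
# AIX lsuser being on PATH and the user resolving via the WINBIND registry.

# check_session_prereqs HOME SHELL SUBSYSTEM_COMMAND
# Prints every failed precondition; exit status is the number of failures.
check_session_prereqs() {
    home=$1; shell=$2; subsys=$3; fails=0
    # sshd does chdir(pw_dir) first and only warns on the child's stderr
    # (which is discarded for subsystems) when that fails, so check it here.
    if [ ! -d "$home" ]; then
        echo "home directory missing: $home"; fails=$((fails + 1))
    fi
    # sshd launches the subsystem as: <login shell> -c "<Subsystem command>",
    # so the shell from "template shell" must exist and be executable here.
    if [ ! -x "$shell" ]; then
        echo "login shell not executable: $shell"; fails=$((fails + 1))
    fi
    # the first word of the Subsystem line must be an executable file
    if [ ! -x "${subsys%% *}" ]; then
        echo "subsystem binary not executable: ${subsys%% *}"; fails=$((fails + 1))
    fi
    # finally exercise the same "shell -c" path sshd uses, with a no-op command
    if [ "$fails" -eq 0 ] && ! "$shell" -c 'exit 0' 2>/dev/null; then
        echo "shell -c failed: $shell"; fails=$((fails + 1))
    fi
    return "$fails"
}

# lookup_aix_user USER: prints "<home> <shell>" parsed from lsuser output
# assumed to look like:  iosx home=/home/FILEBASE/TST/iosx shell=/bin/bash
lookup_aix_user() {
    lsuser -a home shell "$1" 2>/dev/null | awk '{
        h = ""; s = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "home") h = kv[2]
            if (kv[1] == "shell") s = kv[2]
        }
        print h, s
    }'
}

# On the box from the thread (user iosx, Subsystem line from sshd_config):
#   set -- $(lookup_aix_user iosx)
#   check_session_prereqs "$1" "$2" "/usr/sbin/sftp-server"
```

Because sshd ignores subsystem stderr, the `-e` flag hides sftp-server's own log; `-l DEBUG3` without `-e` sends it to syslog instead, where it can actually be read.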
