Hi,

I have not installed samba until 2.2.5 now.

But there is a bug in the winbindd code which has been fixed by Mike Gerdts,
see attached e-mail.
I assumed that this patch, which works for me on samba 2.2.4 solaris 2.6, has
been added to the 2.2.5 release.

Obviously not.

 <<Re: Samba, winbind, solaris and your patch>> 

Could you please give me feedback if this works for you on 2.2.5 also.

Best Regards

Roman

> -----Original Message-----
> From:  Allan Nielsen [SMTP:[EMAIL PROTECTED]]
> Sent:  Thursday, 27 June 2002 09:53
> To:   [EMAIL PROTECTED]
> Subject:      Winbind authentication of user accessing a share with
> encrypted password.
> 
> Hi
> 
> In relation to your posted message I have exactly the same problem on
> samba 2.2.5.
> Flags used are --with-winbind --with-winbind-auth-challenge
> --with-acl-support.
> After including  --with-winbind-auth-challenge it is possible to get
> authentication with encrypted passwords from wbinfo -a user%password but
> when accessing a share as this user he is mapped to nobody.
> 
> Did you succeed to solve your problem?
> 
> I'm using samba now for 6-7 years starting with samba 1.9.18.
> 
> I have 6 machines running samba v2.0.7 under linux and solaris
> I have upgraded one of the solaris machines to samba 2.2.3a including
> acl-support and winbind.
> 
> I live in a win2k forest, so my domain has a trust relationship with
> another win2k domain.
> My domain controllers are in mixed mode.
> 
> In order to get winbindd and nsswitch up and running I had to adjust the
> Makefile as follows:
> 
> nsswitch/libnss_winbind.so: $(WINBIND_NSS_PICOBJS)
>         @echo "Linking $@"
>         @$(SHLD) -h $@ -G -o $@ $(WINBIND_NSS_PICOBJS) $(LIBS)
> 
> I added the $(LIBS) to the linker-line, without that I had errors when
> doing a 'ls -l' for a file which was owned by a DOMAIN+domuser account.
> 
> Furthermore I had to copy the nsswitch/libnss_winbind.so as nss_winbind.so
> to /lib
> After configuring nsswitch.conf I can successfully do:
> 
> wbinfo -u
> wbinfo -g
> getent passwd
> getent group
> 
> From a NT4 or win2k-box I can modify acl on the samba-share as long as I
> use a useraccount which is not authenticated by winbind.
> 
> when I use:
> wbinfo -a domain\\domuser%password (my winbind separator is '\')
> 
> I'll get error:
> 
> plaintext password authentication succeeded
> challenge/response password authentication failed
> Could not authenticate user domain\domuser%password with
> challenge/response
> 
> Although encrypted passwords are enabled in smb.conf
> 
> I can do a
> 
> su - domain\\domuser%password
> 
> on unix level
> 
> When I do a smbclient //server/share -U domain\\domuser%password
> 
> I'll get error:
> 
> Domain=[DOMAIN] OS=[Unix] Server=[Samba 2.2.3a]
> tree connect failed: NT_STATUS_WRONG_PASSWORD
> 
> I can not connect to that server using a winbind authenticated useraccount
> from neither NT4sp6 nor win2ksp2.
> 
> In any case I can see in the winbindd-log that the daemon is enumerating
> SID's to GID's and UID's, but it states that the passwords are not
> encrypted.
> 
> I was reading through the docs and mailings for the last two days, but I
> did not get the proper advice in how to get it up and running.
> 
> Can anybody help?
> 
> Best Regards
> 
> Roman
> 
> Med venlig hilsen / With kind Regards
> 
> Allan Nielsen
> Advisory   IT-Specialist
> 
> IBM Danmark A/S   -   Sortemosevej 21   -   3450 Allerød   -   Phone: 4523
> 9595   -   Mobil: 23325107   -   Fax: 4523 6803   -   E-mail:
> [EMAIL PROTECTED]
> 
--- Begin Message ---
On Mon, 2002-05-13 at 11:20, [EMAIL PROTECTED] wrote:
> Hello Mike,
> 
> I was veerrryyy interested in your work when I first saw your posting
> concerning winbind and the related problems when running it on more than
> one machine.

Glad to hear it.  I was beginning to think that I was the only one
looking for this functionality.
 
> I therefore immediately downloaded your patch and enhancements to winbind
> and applied it to samba 2.2.4.
> 
> But when starting winbindd I get error messages in the log.winbindd
> stating that the loader ld.so.1 can not find the symbol main in
> idmap_file.so.

Hmmmm... not sure about that.  Could you send me the version that you
compiled so that I can compare it against the one that works for me? 
Also, please include any modifications that you did to the makefile to
get it to compile.

> Any idea what could be wrong?

Perhaps a different compiler and/or linker contributed to the problems. 
I am using gcc 2.95.2 on Solaris 8.

> My configuration is as follows:
> 
> Solaris 2.6
> Samba 2.2.4
> gcc et al 2.95.3
> 
> 
> Besides the problem that winbindd, without your patch, causes trouble in
> a multi-machine environment I face the following problem, with and without
> your patch, as well:
> 
> - winbindd is running
> - wbinfo -u --> shows all domain users
> - wbinfo -g --> shows all domain groups
> - getent passwd --> shows all, local and domain, users
> - getent group --> shows all, local and domain, groups
> - getent passwd domain+domuser --> shows passwd entry for specified domain
> user
> - wbinfo -a domain+domuser%passwd --> both authentication methods succeed
> - when install pam_winbind --> login to solaris as domain+domuser and
> domain-passwd works
> 
> BUT
> 
> connecting from a windows-box in explorer to a share on that
> winbind-machine is not working.
> I tried to track it down and I think I found out that when winbind tries
> to call the solaris function 'getpwnam' that function returns a
> null-pointer.

This is likely the bug related to the passwd structure on Solaris having
pw_age and pw_comment fields.  See
http://lists.samba.org/pipermail/samba-technical/2002-May/036614.html
for details.  If you didn't remove that part from my patch, you should
be protected from this bug.  You may want to take a look at
source/lib/system.c.  In wsys_getpwnam() there is another function that
copies the passwd structure (wsys_getpwnam).  It looks as though it is
not called by anything, but perhaps I am missing some funky macro or
define that comes out of configure somewhere.

If there is another problem, I am not sure where exactly it would be
at.  The bug I found was quite difficult to find until I recompiled nscd
with debugging symbols.  Unfortunately, that is not an option for most
people, especially with Solaris 2.6.  AFAIK, Sun only gave the Solaris
2.5.1, 2.6, and 7 code to universities.  The only Sun source that I
have access to for debugging things like this is Solaris 8.

> I assume from your postings that you are familiar with c, solaris and have
> a running winbind environment.

I have tried minimal functionality of winbindd.  I do not want to use
the winbind PAM module because UNIX users should authenticate against
NIS.  getent passwd <domain\\user> and getent passwd <uid> work just
fine.  Explorer on NT4 and Win2k is able to create files and display ACLs
consistent with what I expect, given the U/GIDs assigned by winbindd.
ls and getfacl concur with the results that Windows Explorer shows.
Also, Explorer on Windows 98 is able to create directories just fine
(that is all I tried from 98).

> Any idea what causes that problem, when I posted this problem to the
> samba-technical mailing list no one was responding except some other
> users facing the same problem.
> 
> Can you contribute in any manner to these problems?
> 
> Would be veeerrryyyy helpful.
> 
> Thanks in advance and best regards
> 
> Roman

If you don't have a reason for not Cc'ing the list, please do so in the
future so that others can benefit from your question and my response. 
It helps the samba team know that there is more than one person that
would like this functionality and they are more likely to include it in
future releases.

Please let me know if this does or does not help.
Mike
--- End Message ---