You need to ensure that pam is allowing ssh or telnet access; not sure in Solaris, but in RedHat-based systems it is inside /etc/pam.d.

You will have to allow access through pam only enabled accounts since usually the access is restricted to shadow by default.

On 10/4/10 7:11 AM, Gaiseric Vandal wrote:
According to your page

    "getent passwd" is showing the domain users.


If you try to ssh into your linux machine as "ben", with the way nsswitch.conf is configured, it will try to authenticate you as the "ben" in /etc/passwd, not the one in the AD domain.

I suggest you try the following
    comment out "ben" from /etc/passwd and /etc/shadow.

Make sure that the /export/Home/ben directory is owned by the SRE+ben user. See if you can ssh into linux as "ben." (I think you can specify "ben" and not "SRE+ben" for the ssh user.) Keep an eye on the log files, e.g. in /var/samba/log or /var/log/samba.

You have still not clarified why nsswitch.conf has entries for ldap.




On 10/04/2010 05:17 AM, Ben George wrote:

please check this link

http://bentgeorge.com/samba/
all are mentioned here


Thanks
Ben.T.George



On Thu, Sep 30, 2010 at 10:16 PM, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:

    Hi

    Please clarify the following
     -  Did you run "truss getent passwd" command and look for lines
    with nss_winbind-  just in case it is looking for a file with a
    different version.
     - Why does nsswitch.conf have ldap references-  are you using ldap?


    You should also look through the samba logs-  it may provide some
    information.



    On 09/30/2010 12:14 PM, Ben George wrote:



    yes client has Solaris and a windows xp machine under the AD domain

    yes i exported the paths to the newly installed /usr/local/samba/lib

    I am using the new packages and disabled the default packages


    On Thu, Sep 30, 2010 at 6:16 PM, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:

        So to clarify the customer has a Sun Solaris 10 UNIX machine
        and a Linux workstation?

        FOR SOLARIS

        I had problems with getting nsswitch+winbind working with the
        samba from sunfreeware-  I had to recompile from scratch
        (major headache.)   In hindsight this may not have been
        necessary for winbind-  although I had to recompile anyway
        for ZFS support.

        On solaris, you should have a file called
        /usr/lib/nss_winbind.so.1 -  which is the nsswitcher winbind
        library provided by the samba that sun bundles with solaris
        10 (but this is samba 3.0.x and too old to be much use.)

        In /usr/local/samba/lib -  do you see an nss_winbind.so.1
        file?    How is your PATH and LD_LIBRARY_PATH set-  you want
        to make sure you are using the /usr/local/samba/bin and
        /usr/local/samba/lib first.

        If you run "truss getent passwd | tee log1.txt"  you should
        see it looking for nss_winbind.so.1 -  ideally it will look
        in /usr/local/samba/lib before /usr/lib.  If it uses
        /usr/lib/nss_winbind.so.1 that will probably NOT work.  You
        may want to rename that file just to make sure.






        On 09/30/2010 10:57 AM, Ben George wrote:

        Sun Solaris 10 (under SPARC)

        local users in /etc/passwd

        samba 3.4.2 from sunfreeware.com


        getent passwd

        ramana:x:100:1::/export/home/ramana:/bin/sh
        teju:x:101:1::/export/home/teju:/bin/sh
        user1:x:102:1::/export/home/user1:/bin/sh
        ben:x:103:1::/home/ben:/bin/sh

        like this

        Thanks
        Ben.T.George




        On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:

            Then it sounds like you need the AD integration.  If the
            users also log in to the linux workstation directly  (or
            via ssh) then you will need to configure winbind and
            nsswitch to support unix logins.

            Why does nsswitch.conf include ldap?  Is this the only
            linux/unix machine?  Are local users in ldap or
            /etc/passwd?

            What version of samba?   What version of linux?

            Ideally "getent passwd" would show something like

            ben:*:10001:10001:Ben George:/export/Home/SRE/ben/:bin/tcsh

            or

            SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash



            I don't think you need a huge amount of AD experience to
            make this work but I think you have to have general
            understanding of what Windows domains are about.

            You should also review the smb.conf man page for the
            section on idmap_ad.





            On 09/30/2010 09:24 AM, Ben George wrote:


            Thanks for your reply..

            yes my client told me like this that's Y..and the
            manager gave that work to newly joined me.. :(

            i don't have any AD and core unix experience..i have
            only experience in linux.not much

            may this project will affect my job..  :(

            my nsswitch.conf

            passwd:     files ldap winbind
            group:      files ldap winbind
            hosts:      dns files
            ipnodes:    dns files


            "nsswitch+winbind (which I do) or the smb pam
            module"..? :(

            i don't know..my client's need is he has a linux
            machine..also a ADS..from the unix machine, he wants to
            share secure folders to the AD users..so each user
            can only access that particular shared folder..when the
            password of user changed in AD, that will affect to the
            smbpassword...means without changing that particular
            user's smb password in the unix machine..

            for this need which method is useful..from your experience

            "Does "getent passwd" show the windows users?"

            please check the output ..i think getent password only
            shows unix system password

            bash-3.00# getent passwd
            root:x:0:0:Super-User:/:/sbin/sh
            daemon:x:1:1::/:
            bin:x:2:2::/usr/bin:
            sys:x:3:3::/:
            adm:x:4:4:Admin:/var/adm:
            lp:x:71:8:Line Printer Admin:/usr/spool/lp:
            uucp:x:5:5:uucp Admin:/usr/lib/uucp:
            nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
            smmsp:x:25:25:SendMail Message Submission Program:/:
            listen:x:37:4:Network Admin:/usr/net/nls:
            gdm:x:50:50:GDM Reserved UID:/:
            webservd:x:80:80:WebServer Reserved UID:/:
            postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
            svctag:x:95:12:Service Tag UID:/:
            nobody:x:60001:60001:NFS Anonymous Access User:/:
            noaccess:x:60002:60002:No Access User:/:
            nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
            ramana:x:100:1::/export/home/ramana:/bin/sh
            teju:x:101:1::/export/home/teju:/bin/sh
            user1:x:102:1::/export/home/user1:/bin/sh
            ben:x:103:1::/home/ben:/bin/sh


            "you already have a "unix" ben and a "ADS" ben defined?"

            Yes i defined the ben user in Unix and ADS...bcoz i
            don't have much knowledge about that sorry

            Hope u will help me
            Thanks
            Ben.T.George


            On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:


                disclaimer: I don't use Samba as an ADS member
                server.  I use samba as PDC with trusts to an ADS
                domain.  So my observations may not be valid.

                Did you try updating nsswitch.conf


                   passwd:     files winbind
                   group:    files winbind


                If you are using a Windows domain and have a user
                defined in the domain, you generally don't want to
                add the user as a local user.   Since the
                underlying unix OS needs to know about the domain
                users you need to either use nsswitch+winbind
                (which I do) or the smb pam module (which I don't
                use, and not sure if it really is the correct
                approach.)

                If you use nsswitch.conf+winbind you can then also
                OPTIONALLY allow "windows" users "unix" access like
                ssh.    My samba server is a PDC-  I have a domain
                trust with windows domains BUT  the default shell
                is "/bin/false."    (It is still a little flaky...)

                Does "getent passwd" show the windows users?   It
                should show something like

                ben:*:10001:10001:Ben George:/home/SRE/ben/bin/false

                or

                SRE+ben:*:10001:10001:Ben George:/home/SRE/ben/bin/false



                It looks like you already have a "unix" ben and a
                "ADS" ben defined?

                "wbinfo -s" and "wbinfo -n" are also useful for
                making sure that the name-to-sid and sid-to-name
                mappings are correct for domain users.









--

Max León
Systems Director
Wire Watchers : enterprise : technology : genius
------------------------------------------------------------------------------------------------------------------
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica
cel: +(506) 8364-6261 | fax: +(506) 2258-3695
email: ml...@wirewatchers.com | www.wirewatchers.com
------------------------------------------------------------------------------------------------------------------
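
The lookup-order problem discussed in this thread (a local "ben" in /etc/passwd answering before the AD "ben" when nsswitch.conf lists files ahead of winbind) can be checked mechanically. The script below is an added example, not part of the original thread; the function names, temporary files and sample data are constructed, and the domain user list is assumed to be shaped like `wbinfo -u` output with the "+" separator seen in the thread.

```shell
#!/bin/sh
# Added example: find local accounts that answer before winbind (AD) users.
# Function names, temp files and all sample data are constructed.

# Print the lookup sources for one nsswitch.conf database, in order.
nss_sources() {  # $1 = nsswitch.conf path, $2 = database (e.g. passwd)
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) print $i; exit }' "$1"
}

# Succeed only if "files" is consulted before "winbind" for passwd.
files_before_winbind() {  # $1 = nsswitch.conf path
    nss_sources "$1" passwd | awk '
        $1 == "files"   { f = NR }
        $1 == "winbind" { w = NR }
        END { exit !(f && w && f < w) }'
}

# Print local account names that collide with a domain user's short name.
# Domain entries may carry a "DOMAIN<sep>" prefix, e.g. SRE+ben.
shadowed_users() {  # $1 = passwd file, $2 = domain user list, $3 = separator
    awk -F: -v sep="$3" '
        NR == FNR { n = index($0, sep)
                    key = n ? substr($0, n + 1) : $0
                    dom[key] = 1; next }
        ($1 in dom) { print $1 }' "$2" "$1"
}

# Constructed sample files modelled on the configuration quoted in the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'passwd:     files ldap winbind' \
              'group:      files ldap winbind' > "$tmp/nsswitch.conf"
printf '%s\n' 'root:x:0:0:Super-User:/:/sbin/sh' \
              'user1:x:102:1::/export/home/user1:/bin/sh' \
              'ben:x:103:1::/home/ben:/bin/sh' > "$tmp/passwd"
# Assumed to look like `wbinfo -u` output with the "+" winbind separator.
printf '%s\n' 'SRE+administrator' 'SRE+ben' > "$tmp/domain_users"

if files_before_winbind "$tmp/nsswitch.conf"; then
    for u in $(shadowed_users "$tmp/passwd" "$tmp/domain_users" +); do
        echo "local account '$u' is resolved ahead of the domain account"
    done
fi
```

On a real host the three inputs would be /etc/nsswitch.conf, /etc/passwd and a saved domain user listing; any name the script reports is an account whose local password and shell apply instead of the domain's.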
