Greg Scott wrote:

I can run ntlm_auth by hand.  If I pass it a valid domain\username
password, it returns OK.  And if I pass it a bogus one, it returns ERR.
When I run

         /usr/local/samba/bin/wbinfo -u

it returns all my AD usernames like this:  DOMAIN\user.

So it looks like winbindd is working. But when I run getent passwd, all
that comes back are the entries from my local passwd file. If I'm
reading the documentation correctly, it's supposed to also return my A/D
entries, right? (nsswitch.conf and libraries noted below.) So winbindd
seems to be doing its job, smbd is just not calling it. Could this be
related to the backslash character issue or is this a dead-end?


It's a dead end.  Run testparm -sv |grep 'winbind separator'
with it commented out in the conf file to see what it is.

Here is some more strange behavior, trying to follow the instructions in
22.5.3.1 of the HOWTO-Collection:

[EMAIL PROTECTED] lib]# ln --symbolic libnss_windbind.so libnss_winbind.so.2
[EMAIL PROTECTED] lib]# ls -la /lib | grep winbind
-rwxr-xr-x 1 root root 305094 Apr 2 20:21 libnss_winbind.so
lrwxrwxrwx 1 root root 18 Apr 3 00:45 libnss_winbind.so.2 -> libnss_windbind.so
[EMAIL PROTECTED] lib]# /sbin/ldconfig -v | grep winbind
/sbin/ldconfig: Cannot stat /lib/libnss_winbind.so.2: No such file or directory
libnss_winbind.so -> libnss_winbind.so
[EMAIL PROTECTED] lib]# ls -la /lib | grep winbind
-rwxr-xr-x 1 root root 305094 Apr 2 20:21 libnss_winbind.so
[EMAIL PROTECTED] lib]#


Note that ldconfig got rid of that symbolic link the HOWTO suggested
putting in. I have to believe the messed up linkage between smbd and
winbindd are related somehow to this.

I made this script to update the library after each samba build. Run it from the samba source directory. Should be more robust about the source dir, but I'm the only one who uses it. Remove the libnss_wins.so lines if you don't use it. Probably don't need the .1 links, but I was shotgunning in the beginning and never went back. The version number X is 1 for glibc 2.0 and 2 for glibc 2.1. I have some old stuff.


#!/bin/sh
# Install the nsswitch modules built in the samba source tree into /lib,
# recreate the soname links, and refresh the ldconfig cache.
# Run from the samba source directory.
set -e   # stop if a copy or link fails, so the old modules are not left deleted with nothing in their place

echo "Copying nsswitch modules to system library"

CWD=$(pwd)

# Remove old copies and links so no stale or dangling link survives
cd /lib
rm -f libnss_winbind.so libnss_winbind.so.1 libnss_winbind.so.2
rm -f libnss_wins.so libnss_wins.so.1 libnss_wins.so.2
cd /usr/lib
rm -f libnss_winbind.so libnss_wins.so

# Copy the freshly built modules out of the source tree
cd "$CWD"
cp -f nsswitch/libnss_winbind.so /lib
cp -f nsswitch/libnss_wins.so /lib

# Soname links: .1 is what glibc 2.0 looks for, .2 is glibc 2.1 and later
cd /lib
ln -sf libnss_winbind.so libnss_winbind.so.1
ln -sf libnss_winbind.so libnss_winbind.so.2
ln -sf libnss_wins.so libnss_wins.so.1
ln -sf libnss_wins.so libnss_wins.so.2

# Links in /usr/lib for anything that looks there instead of /lib
cd /usr/lib
ln -sf ../../lib/libnss_winbind.so libnss_winbind.so
ln -sf ../../lib/libnss_wins.so libnss_wins.so

ldconfig

Here is the dump of my current smb.conf, without all the ugly comments:

[EMAIL PROTECTED] lib]# /usr/local/samba/bin/testparm
Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[gregshare]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = INFRASUPPORTETC
realm = INFRASUPPORTETC.COM


In your original post, you had specified netbios name = SQUIDTEST but the prompt is [EMAIL PROTECTED] samba. For security=ads, windows and kerberos get very picky about the computer name being the same as the dns name. I use netbios aliases, but then manually add them to the servicePrincipalName in the computer account in AD. I can't tell if you ever joined the domain, but if you did with the SQUIDTEST netbios name, I'd probably stop samba, delete all the *.tdb files in the lock directory and private/secrets.tdb and start over.

       server string = Greg squidtest Samba Server
       interfaces = 10.10.10.2
       security = ADS
       log file = /var/log/samba/log.smbd
       max log size = 50
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
       dns proxy = No
       idmap uid = 10000-20000
       idmap gid = 10000-20000

[EMAIL PROTECTED] lib]#



I am trying to get winbind to work so my domain users can touch shares
on this Linux box without being prompted for credentials. I put
these in nsswitch.conf:

passwd: files winbind
group: files winbind


I use compat instead of files. From man nsswitch.conf:
An example /etc/nsswitch.conf (namely, the default used when /etc/nsswitch.conf is missing):


      passwd:         compat
      group:          compat
      shadow:         compat

I also use NIS and use the winbind trusted domains only = Yes so the compat tries all the native authentication methods first.

FYI, I still run RH9 servers. Some des only, some arc4, some dns=realm and some dns != realm. krb5-MIT-1.3.5-1, ypbind-1.11-4, 2.4.20-28.9smp.
There was some talk that the 2.4 kernels might have trouble with sendfile, so use sendfile = No.
Regards, Doug
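As an added example, not code from this thread or from Samba: a small POSIX sh check for the two things that go wrong in the exchange above. In the quoted transcript the link libnss_winbind.so.2 points at the misspelled libnss_windbind.so, which does not exist, so ldconfig cannot stat it and drops the link; and a winbind entry that is missing from the passwd or group line of nsswitch.conf means getent never consults winbindd. The function names, the scratch directory and the nsswitch.conf lines in the demo are all constructed for the example; it assumes readlink and mktemp are available, which is true on any Linux.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba code): verify that an NSS
# module's soname link resolves to a real file (ldconfig -v drops links it
# cannot stat) and that nsswitch.conf actually lists winbind for a database.

# check_nss_link DIR MODULE [SOVERSION]
# Prints a diagnosis; returns 0 when DIR/libnss_MODULE.so.SOVERSION exists
# and, if it is a symlink, points at a file that exists.
check_nss_link() {
    dir=$1
    mod=$2
    ver=${3:-2}                        # .2 for glibc 2.1 and later, .1 for glibc 2.0
    link="$dir/libnss_$mod.so.$ver"
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo "missing: $link"
        return 1
    fi
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        case "$target" in
            /*) resolved=$target ;;             # absolute target
            *)  resolved="$dir/$target" ;;      # relative to the link's directory
        esac
        if [ ! -e "$resolved" ]; then
            echo "dangling: $link -> $target (ldconfig will remove this link)"
            return 1
        fi
    fi
    echo "ok: $link"
    return 0
}

# nsswitch_has_winbind FILE DB
# Returns 0 when the uncommented "DB:" line in FILE names winbind as a source.
nsswitch_has_winbind() {
    grep -E "^[[:space:]]*$2:" "$1" | grep -qw winbind
}

# demo: rebuild the situation from the quoted transcript in a scratch
# directory (constructed data), then fix the link and check again.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/libnss_winbind.so"                          # stand-in for the real module
    ln -s libnss_windbind.so "$tmp/libnss_winbind.so.2"   # same typo as in the transcript
    bad=0;  check_nss_link "$tmp" winbind || bad=$?
    ln -sf libnss_winbind.so "$tmp/libnss_winbind.so.2"   # corrected link
    good=0; check_nss_link "$tmp" winbind || good=$?
    printf 'passwd: files winbind\ngroup:  files\n' > "$tmp/nsswitch.conf"
    nsswitch_has_winbind "$tmp/nsswitch.conf" passwd && pw=yes || pw=no
    nsswitch_has_winbind "$tmp/nsswitch.conf" group  && gr=yes || gr=no
    rm -rf "$tmp"
    echo "dangling rejected=$bad fixed accepted=$good passwd->winbind=$pw group->winbind=$gr"
    [ "$bad" -eq 1 ] && [ "$good" -eq 0 ] && [ "$pw" = yes ] && [ "$gr" = no ]
}

demo
```

Run check_nss_link /lib winbind (and /lib wins if you use that module) after every install, before trusting the testparm or getent output; a link that fails here is exactly the one ldconfig -v reports as "Cannot stat" and removes.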


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
