Re: [Samba] Strange behaviour of winbind on solaris 8

Tue, 29 Apr 2008 04:31:54 -0700 

Which samba version do you use?

Please post the global configuration section of smb.conf.


Oliver Weinmann schrieb:
Here could be a problem. I could not change our win 2k3 schema. They were afraid it could break something... tsss. So i had to use the idmap_rid module. Which does a good job actually. It uses the last portion of the AD users SID and adds it to a base set in smb.conf. I issued your commands: bash-2.03# getent passwd | grep oweinmann 
oweinmann2:*:15042:1613:Oliver Weinmann2:/home/oweinmann2:/bin/sh
oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh
oweinmann1:*:15041:1613:Oliver Weinmann1:/home/oweinmann1:/bin/sh
bash-2.03# id -a oweinmann
uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
bash-2.03# su oweinmann
$ id
uid=11611(oweinmann) gid=1613(domain users)
$ id -a
the "id -a" as user "oweinmann" seems to get stuck. It just sits there. I noticed when issuing "groups oweinmann" as root it also gets stuck. On some users the "groups" command seems to be working on some other don't.
On 4/29/08, *Dietrich Streifert* <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote: 

    We have several installations where we use the two different AD
    schema extensions (SFU from Windows Services for Unix and
    rfc2307bis from Windows Server 2003R2) to put the needed
    information in.

    We are using the idmap_ad module to map the uid, gid, home etc.
    information from the AD.

    The local users and the AD users are completely separated. We do
    not mix up local users and AD users.

    The first basic test if the AD user information retreival is
    working is to use the getent command:

        getent <someADUser>

    So for a test user account I get:

        korund{root}[/]: getent passwd testuser
        testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh

    If this works the first step is done.

    The second test is to get all related Information for one user:

    korund{root}[/]: id -a testuser
    uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib)

    The third test is to su - testuser and again try to issue both
    commands obove. If the retreived information is the same you
    should all be done (except from pam.conf which is another story).






    Oliver Weinmann schrieb:

    Could the problem be that the AD users are not in any of the
    local groups on the machine? How do you manage your AD users to
    be members of local groups e.g. staff, sys etc.? pam_groups?

    On 4/29/08, *Oliver Weinmann* <[EMAIL PROTECTED]
    <mailto:[EMAIL PROTECTED]>> wrote:

        there is nothing in /etc/profile and the user oweinmann has
        no .bashrc. The problem seems to be related to nscd. When
        nscd is turned on i can login and issue commands and I don't
        get kicked out of the ssh login. There is no idle session
        timeout set. If there was I would get kicked out when nscd is
        turned on as well. Only when logged in as an AD user I get
        kicked out...


        On 4/29/08, *Dietrich Streifert*
        <[EMAIL PROTECTED]
        <mailto:[EMAIL PROTECTED]>> wrote:

            So there must be something in your bash init files,
            /etc/profile or ~/.bashrc (sorry I'm not a bash user)
            which causes the problem.

            Maybe something which forms the shell prompt like whoami etc.

            Maybe there is something like a autologout set for the
            csh or in sshd with idle session timeout.


            Oliver Weinmann schrieb:

            Hi,
no, there was nothing in /var/adm/messages, but guess 
            what with the csh ls -alrt and such commands work
            fine... But i get kicked out of the ssh session after 2
            minutes... :(


            On 4/29/08, *Dietrich Streifert*
            <[EMAIL PROTECTED]
            <mailto:[EMAIL PROTECTED]>> wrote:

                Are there any messages in /var/adm/messages which
                are related to nss ?

                As I can see you are using bash as your shell.

                Try using csh. Does something change?

                Oliver Weinmann schrieb:

                su to user oweinmann works but when i ussie the ldd
                -r /usr/lib/nss_winbind.so command it gets put in
                the background.. :( i then do fg 2 and this is the
                output:
bash-2.03$ ldd -r /usr/lib/nss_winbind.so 

                [2]+  Stopped                 ldd -r
                /usr/lib/nss_winbind.so
                bash-2.03$ fg 2
                ldd -r /usr/lib/nss_winbind.so
libthread.so.1 => /usr/lib/libthread.so.1 libsocket.so.1 => /usr/lib/libsocket.so.1 
                        libdl.so.1 =>    /usr/lib/libdl.so.1
                        libc.so.1 =>     /usr/lib/libc.so.1
                        libnsl.so.1 =>   /usr/lib/libnsl.so.1
                        libmp.so.2 =>    /usr/lib/libmp.so.2
                        /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1

                bash-2.03$ ls -alrt /etc/nsswitch.conf

                [2]+  Stopped                 ls -alrt
                /etc/nsswitch.conf
                bash-2.03$ fg 2
                ls -alrt /etc/nsswitch.conf
                -rw-r--r--   1 root     sys         1320 Apr 28
                13:19 /etc/nsswitch.conf
On 4/29/08, *Dietrich Streifert* 
                <[EMAIL PROTECTED]
                <mailto:[EMAIL PROTECTED]>> wrote:

                    Please try to login (or su) to the user
                    oweinmann and issue then ldd -r
                    /usr/lib/nss_winbind.so

                    For some reason I think that non root users are
                    not able to read one of the involved files.

                    This could be

                        /etc/nsswitch.conf
                        /usr/lib/nss_winbind.so

                    or some of the files found by the ldd -r
                    command. The fact that you can issue commands
                    while nscd is running points to this fact
                    becaus nscd is running as root and has
                    permissions to read all of those files.

                    /etc/nsswitch.conf should be readable by everyone.

                    I compiled samba myself with a full stack of
                    openssl, iconv, heimdal kerberos, cyrus-sasl,
                    openldap and samba. While people often speak of
                    the Windows DLL hell this is the Solaris shared
                    library hell :-( But it works.



                    Oliver Weinmann schrieb:

                    Hi,
bash-2.03# ldd -r /usr/lib/nss_winbind.so libthread.so.1 => /usr/lib/libthread.so.1 libsocket.so.1 => /usr/lib/libsocket.so.1 
                            libdl.so.1 =>    /usr/lib/libdl.so.1
                            libc.so.1 =>     /usr/lib/libc.so.1
                            libnsl.so.1 =>   /usr/lib/libnsl.so.1
                            libmp.so.2 =>    /usr/lib/libmp.so.2
/usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1 I changed the permissions and files exactly to 
                    be the same but i still cant issue commands... :(

                    bash-2.03# ls -alrt /usr/lib/nss_winbind.so*
                    -rwxr-xr-x   1 root     other      74744 Apr
                    29 09:03 /usr/lib/nss_winbind.so.1
                    lrwxrwxrwx   1 root     other         25 Apr
                    29 09:04 /usr/lib/nss_winbind.so ->
                    /usr/lib/nss_winbind.so.1

                    Could this also be a problem of a compiling?
                    Have you compiled the samba yourself or are
                    you using prebuilt packages?
On 4/29/08, *Dietrich Streifert* 
                    <[EMAIL PROTECTED]
                    <mailto:[EMAIL PROTECTED]>> wrote:

                        which output gives ldd -r
                        /usr/lib/nss_winbind.so ?

                        I have the following naming and permission
                        for nss_winbind:

                        lrwxrwxrwx   1 root     other         16
                        Jan 15  2004 nss_winbind.so ->
                        nss_winbind.so.1
                        -rwxr-xr-x   1 root     other      44540
                        Apr 28 17:35 nss_winbind.so.1

                        Please try with the exactly same naming
                        and permissions of your files.



                        Oliver Weinmann schrieb:

                            I will try to get hands on the latest
                            patches for solaris 8 and see if that
                            fixes the nscd problems. I can't
                            believe that samba-winbind is not running
                            100% well on a Solaris 8 machine.


                            On 4/28/08, Oliver Weinmann
                            <[EMAIL PROTECTED]
                            <mailto:[EMAIL PROTECTED]>>
                            wrote:

                                Just for fun i changed the perms
                                of /usr/lib/libnss_winbind.so to 777

                                bash-2.03# chmod 777
                                /usr/lib/libnss_winbind.so
                                bash-2.03# ls -alrt
                                /usr/lib/libnss_winbind.so
-rwxrwxrwx 1 root other 74744 Apr 28 13:32 
                                /usr/lib/libnss_winbind.so

                                nscd is turned off. I can login as
                                an AD users but I cant start any
                                command. :(


                                login as: oweinmann
                                Using keyboard-interactive
                                authentication.
                                Password:
                                Last login: Mon Apr 28 15:17:11
                                2008 from vb8860.vegagrou
                                bash-2.03$ ls -alrt

                                [1]+  Stopped                 ls -alrt
                                bash-2.03$ id

                                [2]+  Stopped                 id
                                bash-2.03$ group

                                [3]+  Stopped                 group
                                bash-2.03$ echo "TEST"
                                TEST
                                bash-2.03$
                                Some commands are working and some
                                others are put in background and the
                                session closes after one or two
                                minutes?

                                When I turn on nscd everything is
                                fine, except ls -alrt not working.



                                On 4/28/08, Gerald (Jerry) Carter
                                <[EMAIL PROTECTED]
                                <mailto:[EMAIL PROTECTED]>> wrote:

                                    -----BEGIN PGP SIGNED MESSAGE-----
                                    Hash: SHA1

                                    Oliver Weinmann wrote:
                                    | forgot to mention that the
                                    nss_winbind links are there:
                                    |
                                    | bash-2.03# ls -alrt
                                    /usr/lib/nss_w*
| lrwxrwxrwx 1 root other 28 Apr 23 14:30 
                                    | /usr/lib/nss_winbind.so.2 ->
                                    /usr/lib/libnss_winbind.so.1
| lrwxrwxrwx 1 root other 28 Apr 23 14:30 
                                    | /usr/lib/nss_winbind.so.1 ->
                                    /usr/lib/libnss_winbind.so.1
| lrwxrwxrwx 1 root other 28 Apr 23 14:30 
                                    | /usr/lib/nss_winbind.so ->
                                    /usr/lib/libnss_winbind.so.1

                                    Check the perms on
                                    /usr/lib/libnss_winbind.so.1.
                                     Sounds
                                    like it might be rwx for root
                                    only.







                                    cheers, jerry
                                    - --
                                    
=====================================================================
Samba ------- 
                                    http://www.samba.org
                                    <http://www.samba.org/>
Likewise Software --------- 
                                     http://www.likewisesoftware.com
                                    <http://www.likewisesoftware.com/>
                                    "What man is a man who does
not make the world better?" --Balian 
                                    -----BEGIN PGP SIGNATURE-----
                                    Version: GnuPG v1.4.2.2 (Darwin)
                                    Comment: Using GnuPG with
                                    Mozilla -
                                    http://enigmail.mozdev.org
                                    <http://enigmail.mozdev.org/>

                                    
iD8DBQFIFcnJIR7qMdg1EfYRAp+uAKCoT5s9gRV+x0M+PUrFnYWVRtqmcwCg293J
                                    0OxWwTr/wJPDW67YmZCAfQo=
                                    =6S2v
                                    -----END PGP SIGNATURE-----
-- Mit freundlichen Grüßen 
                        Dietrich Streifert
                        --
                        Visionet GmbH
                        Firmensitz: Am Weichselgarten 7, 91058
                        Erlangen
                        Registergericht: Handelsregister Fürth,
                        HRB 6573
                        Geschäftsführer: Stefan Lindner
-- Mit freundlichen Grüßen 
                    Dietrich Streifert
                    --
                    Visionet GmbH
                    Firmensitz: Am Weichselgarten 7, 91058 Erlangen
                    Registergericht: Handelsregister Fürth, HRB 6573
                    Geschäftsführer: Stefan Lindner
-- Mit freundlichen Grüßen 
                Dietrich Streifert
                --
                Visionet GmbH
                Firmensitz: Am Weichselgarten 7, 91058 Erlangen
                Registergericht: Handelsregister Fürth, HRB 6573
                Geschäftsführer: Stefan Lindner
-- Mit freundlichen Grüßen 
            Dietrich Streifert
            --
            Visionet GmbH
            Firmensitz: Am Weichselgarten 7, 91058 Erlangen
            Registergericht: Handelsregister Fürth, HRB 6573
            Geschäftsführer: Stefan Lindner
-- Mit freundlichen Grüßen 
    Dietrich Streifert
    --
    Visionet GmbH
    Firmensitz: Am Weichselgarten 7, 91058 Erlangen
    Registergericht: Handelsregister Fürth, HRB 6573
    Geschäftsführer: Stefan Lindner






--
Mit freundlichen Grüßen
Dietrich Streifert
--
Visionet GmbH
Firmensitz: Am Weichselgarten 7, 91058 Erlangen
Registergericht: Handelsregister Fürth, HRB 6573
Geschäftsführer: Stefan Lindner



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Reply via email to