I wonder why oweinmann is a member of the group staff. Maybe there is an entry for oweinmann in /etc/passwd?

So I'm running out of ideas :-( Maybe someone out there can take over.

Good luck and report back what you have found.


Oliver Weinmann wrote:
I changed both groups and users to "no". Still no difference. Another strange thing I came across. As user "oweinmann":

$ id
uid=11611(oweinmann) gid=1613(domain users)
$ id -a oweinmann
uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
$ id -a

Why is the id -a oweinmann working as user "oweinmann" but not id -a????

On 4/29/08, *Dietrich Streifert* <[EMAIL PROTECTED]> wrote:

    Please try to set combinations of

        winbind enum groups = No

    and test again.

    This could be the reason why getent groups never ends. This is
    known to be a problem with big AD user/groups databases.

    Have a look at this and related parameters in <samba installation
    path>/swat/help/manpages/smb.conf.5.html



    Oliver Weinmann wrote:
    It's the latest stable.

    # smbd -V
    Version 3.0.28a

    [global]
            netbios name = rose8
            realm = VEGAGROUP.NET
            workgroup = VEGA
            security = ADS
            encrypt passwords = yes
            password server = *
            os level = 20
            socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
            idmap uid = 1100-200000
            idmap gid = 1100-200000
            idmap backend = rid:VEGA=1100-200000
            allow trusted domains = no
            winbind enum users = yes
            winbind enum groups = yes
            template homedir = /home/%U
            template shell = /bin/sh
            preferred master = no
            winbind nested groups = Yes
            winbind use default domain = Yes
            #winbind separator = +
            #winbind normalize names = yes
            log level = 10
            max log size = 50
            log file = /var/log/samba/log.%m
            dns proxy = no
            wins server = 172.20.205.1
            allow trusted domains = No
            client use spnego = Yes
            use kerberos keytab = true
            winbind offline logon = yes
    I really appreciate your big effort. Thanks!

    On 4/29/08, *Dietrich Streifert* <[EMAIL PROTECTED]> wrote:

        Which samba version do you use?

        Please post the global configuration section of smb.conf.


        Oliver Weinmann wrote:
        Here could be a problem. I could not change our win 2k3
        schema. They were afraid it could break something... tsss.
        So I had to use the idmap_rid module. Which does a good job
        actually. It uses the last portion of the AD user's SID and
        adds it to a base set in smb.conf. I issued your commands:

        bash-2.03# getent passwd | grep oweinmann
        oweinmann2:*:15042:1613:Oliver Weinmann2:/home/oweinmann2:/bin/sh
        oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh
        oweinmann1:*:15041:1613:Oliver Weinmann1:/home/oweinmann1:/bin/sh
        bash-2.03# id -a oweinmann
        uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
        bash-2.03# su oweinmann
        $ id
        uid=11611(oweinmann) gid=1613(domain users)
        $ id -a

        The "id -a" as user "oweinmann" seems to get stuck. It just
        sits there. I noticed when issuing "groups oweinmann" as
        root it also gets stuck. On some users the "groups" command
        seems to be working, on some others it doesn't.

        On 4/29/08, *Dietrich Streifert* <[EMAIL PROTECTED]> wrote:

            We have several installations where we use the two
            different AD schema extensions (SFU from Windows
            Services for Unix and rfc2307bis from Windows Server
            2003R2) to put the needed information in.

            We are using the idmap_ad module to map the uid, gid,
            home etc. information from the AD.

            The local users and the AD users are completely
            separated. We do not mix up local users and AD users.

            The first basic test if the AD user information
            retrieval is working is to use the getent command:

                getent passwd <someADUser>

            So for a test user account I get:

                korund{root}[/]: getent passwd testuser
                testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh

            If this works the first step is done.

            The second test is to get all related information for
            one user:

                korund{root}[/]: id -a testuser
                uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib)

            The third test is to su - testuser and again try to
            issue both commands above. If the retrieved information
            is the same you should all be done (except from pam.conf
            which is another story).






            Oliver Weinmann wrote:
            Could the problem be that the AD users are not in any
            of the local groups on the machine? How do you manage
            your AD users to be members of local groups e.g. staff,
            sys etc.? pam_groups?

            On 4/29/08, *Oliver Weinmann* <[EMAIL PROTECTED]> wrote:

                there is nothing in /etc/profile and the user
                oweinmann has no .bashrc. The problem seems to be
                related to nscd. When nscd is turned on I can login
                and issue commands and I don't get kicked out of
                the ssh login. There is no idle session timeout
                set. If there was I would get kicked out when nscd
                is turned on as well. Only when logged in as an AD
                user I get kicked out...


                On 4/29/08, *Dietrich Streifert* <[EMAIL PROTECTED]> wrote:

                    So there must be something in your bash init
                    files, /etc/profile or ~/.bashrc (sorry I'm not
                    a bash user) which causes the problem.

                    Maybe something which forms the shell prompt
                    like whoami etc.

                    Maybe there is something like an autologout set
                    for the csh or in sshd with idle session timeout.


                    Oliver Weinmann wrote:
                    Hi,

                    no, there was nothing in /var/adm/messages,
                    but guess what, with the csh ls -alrt and such
                    commands work fine... But I get kicked out of
                    the ssh session after 2 minutes... :(


                    On 4/29/08, *Dietrich Streifert* <[EMAIL PROTECTED]> wrote:

                        Are there any messages in
                        /var/adm/messages which are related to nss ?

                        As I can see you are using bash as your shell.

                        Try using csh. Does something change?

                        Oliver Weinmann wrote:
                        su to user oweinmann works but when I
                        issue the ldd -r /usr/lib/nss_winbind.so
                        command it gets put in the background..
                        :( I then do fg 2 and this is the output:

                        bash-2.03$ ldd -r /usr/lib/nss_winbind.so

                        [2]+  Stopped                 ldd -r /usr/lib/nss_winbind.so
                        bash-2.03$ fg 2
                        ldd -r /usr/lib/nss_winbind.so
                                libthread.so.1 => /usr/lib/libthread.so.1
                                libsocket.so.1 => /usr/lib/libsocket.so.1
                                libdl.so.1 =>    /usr/lib/libdl.so.1
                                libc.so.1 =>     /usr/lib/libc.so.1
                                libnsl.so.1 =>   /usr/lib/libnsl.so.1
                                libmp.so.2 =>    /usr/lib/libmp.so.2
                                /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1

                        bash-2.03$ ls -alrt /etc/nsswitch.conf

                        [2]+  Stopped                 ls -alrt /etc/nsswitch.conf
                        bash-2.03$ fg 2
                        ls -alrt /etc/nsswitch.conf
                        -rw-r--r--   1 root     sys         1320 Apr 28 13:19 /etc/nsswitch.conf



                        On 4/29/08, *Dietrich Streifert* <[EMAIL PROTECTED]> wrote:

                            Please try to login (or su) to the
                            user oweinmann and issue then ldd -r
                            /usr/lib/nss_winbind.so

                            For some reason I think that non root
                            users are not able to read one of the
                            involved files.

                            This could be

                                /etc/nsswitch.conf
                                /usr/lib/nss_winbind.so

                            or some of the files found by the ldd
                            -r command. The fact that you can
                            issue commands while nscd is running
                            points to this fact because nscd is
                            running as root and has permissions
                            to read all of those files.

                            /etc/nsswitch.conf should be readable
                            by everyone.

                            I compiled samba myself with a full
                            stack of openssl, iconv, heimdal
                            kerberos, cyrus-sasl, openldap and
                            samba. While people often speak of
                            the Windows DLL hell this is the
                            Solaris shared library hell :-( But
                            it works.



                            Oliver Weinmann wrote:
                            Hi,

                            bash-2.03# ldd -r /usr/lib/nss_winbind.so
                                    libthread.so.1 => /usr/lib/libthread.so.1
                                    libsocket.so.1 => /usr/lib/libsocket.so.1
                                    libdl.so.1 => /usr/lib/libdl.so.1
                                    libc.so.1 => /usr/lib/libc.so.1
                                    libnsl.so.1 => /usr/lib/libnsl.so.1
                                    libmp.so.2 => /usr/lib/libmp.so.2
                                    /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1

                            I changed the permissions and files
                            exactly to be the same but I still
                            can't issue commands... :(

                            bash-2.03# ls -alrt /usr/lib/nss_winbind.so*
                            -rwxr-xr-x 1 root other 74744 Apr 29 09:03 /usr/lib/nss_winbind.so.1
                            lrwxrwxrwx 1 root other 25 Apr 29 09:04 /usr/lib/nss_winbind.so -> /usr/lib/nss_winbind.so.1

                            Could this also be a problem of
                            compiling? Have you compiled
                            samba yourself or are you using
                            prebuilt packages?

                            On 4/29/08, *Dietrich Streifert* <[EMAIL PROTECTED]> wrote:

                                Which output does ldd -r
                                /usr/lib/nss_winbind.so give?

                                I have the following naming and
                                permission for nss_winbind:

                                lrwxrwxrwx 1 root other 16 Jan 15 2004 nss_winbind.so -> nss_winbind.so.1
                                -rwxr-xr-x 1 root other 44540 Apr 28 17:35 nss_winbind.so.1

                                Please try with exactly the same
                                naming and permissions of your
                                files.



                                Oliver Weinmann wrote:

                                    I will try to get hands on
                                    the latest patches for
                                    solaris 8 and see if that
                                    fixes the nscd problems. I
                                    can't believe that
                                    samba-winbind is not running
                                    100% well on a Solaris 8
                                    machine.


                                    On 4/28/08, Oliver Weinmann <[EMAIL PROTECTED]> wrote:

                                        Just for fun I changed
                                        the perms of
                                        /usr/lib/libnss_winbind.so
                                        to 777

                                        bash-2.03# chmod 777 /usr/lib/libnss_winbind.so
                                        bash-2.03# ls -alrt /usr/lib/libnss_winbind.so
                                        -rwxrwxrwx 1 root other 74744 Apr 28 13:32 /usr/lib/libnss_winbind.so

                                        nscd is turned off. I
                                        can login as an AD user
                                        but I can't start any
                                        command. :(


                                        login as: oweinmann
                                        Using keyboard-interactive authentication.
                                        Password:
                                        Last login: Mon Apr 28 15:17:11 2008 from vb8860.vegagrou
                                        bash-2.03$ ls -alrt

                                        [1]+ Stopped ls -alrt
                                        bash-2.03$ id

                                        [2]+ Stopped id
                                        bash-2.03$ group

                                        [3]+ Stopped group
                                        bash-2.03$ echo "TEST"
                                        TEST
                                        bash-2.03$

                                        Some commands are
                                        working and some others
                                        are put in background
                                        and the
                                        session closes after one
                                        or two minutes?

                                        When I turn on nscd
                                        everything is fine,
                                        except ls -alrt not working.



                                        On 4/28/08, Gerald (Jerry) Carter <[EMAIL PROTECTED]> wrote:

                                            Oliver Weinmann wrote:
                                            | forgot to mention that the nss_winbind links are there:
                                            |
                                            | bash-2.03# ls -alrt /usr/lib/nss_w*
                                            | lrwxrwxrwx   1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
                                            | lrwxrwxrwx   1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so.1
                                            | lrwxrwxrwx   1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so -> /usr/lib/libnss_winbind.so.1

                                            Check the perms on /usr/lib/libnss_winbind.so.1.
                                            Sounds like it might be rwx for root only.







                                            cheers, jerry
                                            --
                                            Samba ------- http://www.samba.org
                                            Likewise Software --------- http://www.likewisesoftware.com
                                            "What man is a man who does not make the world better?" --Balian


                                --
                                Kind regards
                                Dietrich Streifert
                                --
                                Visionet GmbH
                                Registered office: Am Weichselgarten 7, 91058 Erlangen
                                Court of registration: Handelsregister Fürth, HRB 6573
                                Managing director: Stefan Lindner





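
The thread's working hypothesis is that a file on the NSS lookup path (/etc/nsswitch.conf, nss_winbind.so behind its symlinks, or a library that ldd resolves) is not readable by non-root users. The following is an added example, not part of the original mails: it checks the "other" read bit on each of those files. The function names and the SAMPLE_LDD text are constructed for illustration, and directory search permissions along each path are not checked.

```sh
#!/bin/sh
# Added example, not from the thread: check that "other" can read every
# file an NSS lookup through nss_winbind touches. Function names and
# SAMPLE_LDD are constructed for illustration.

# ldd output shaped like the listing posted in the thread (constructed).
SAMPLE_LDD='        libthread.so.1 =>        /usr/lib/libthread.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libmp.so.2 =>    /usr/lib/libmp.so.2
        /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1'

# Print the absolute paths found in ldd output read from stdin.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# Exit status 0: final target readable by "other"; 1: not; 2: missing or a
# dangling symlink. The mode string is parsed rather than using [ -r ],
# because a root shell passes [ -r ] on every file. ls -L follows symlinks.
other_can_read() {
    [ -e "$1" ] || return 2
    _ocr_bit=$(ls -ldL "$1" | cut -c8)
    [ "$_ocr_bit" = "r" ]
}

# Read one path per line on stdin, print a verdict per path, and return 1
# if any path is missing or unreadable for "other".
audit_paths() {
    _audit_rc=0
    while IFS= read -r _audit_p; do
        [ -n "$_audit_p" ] || continue
        if other_can_read "$_audit_p"; then
            echo "ok       $_audit_p"
        else
            case $? in
                2) echo "MISSING  $_audit_p" ;;
                *) echo "NOREAD   $_audit_p" ;;
            esac
            _audit_rc=1
        fi
    done
    return "$_audit_rc"
}

# Audit nsswitch.conf, the NSS module and everything ldd resolves for it.
audit_nss_module() {
    {
        echo /etc/nsswitch.conf
        echo "$1"
        ldd "$1" 2>/dev/null | ldd_paths
    } | audit_paths
}

# Run as root with the module path, e.g. /usr/lib/nss_winbind.so.
if [ $# -gt 0 ]; then
    audit_nss_module "$1"
fi
```

A NOREAD line on the symlink target reproduces the "rwx for root only" case suggested in the thread; a MISSING line points at a dangling nss_winbind.so link.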


