Yes, I added him to that group to see if that makes any difference. Thanks for all your help. And I will let you know when I find out what the problem is.
Best Regards,
Oliver

On 4/29/08, Dietrich Streifert <[EMAIL PROTECTED]> wrote:
>
> I wonder why oweinmann is a member of the group staff. Maybe there is an
> entry for oweinmann in /etc/passwd?
>
> So I'm running out of ideas :-( Maybe someone out there can take over.
>
> Good luck and report back what you have found.
>
> Oliver Weinmann wrote:
>
> I changed both groups and users to "no". Still no difference. Another
> strange thing I came across.
>
> as user "oweinmann"
>
> $ id
> uid=11611(oweinmann) gid=1613(domain users)
> $ id -a oweinmann
> uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
> $ id -a
>
> why is the id -a oweinmann working as user "oweinmann" but not id -a????
>
> On 4/29/08, Dietrich Streifert <[EMAIL PROTECTED]> wrote:
> >
> > Please try to set combinations of
> >
> > winbind enum groups = No
> >
> > and test again.
> >
> > This could be the reason why getent groups never ends. This is known to
> > be a problem with big AD user/groups databases.
> >
> > Have a look at this and related parameters in
> > <samba installation path>/swat/help/manpages/smb.conf.5.html
> >
> > Oliver Weinmann wrote:
> >
> > It's the latest stable.
> >
> > # smbd -V
> > Version 3.0.28a
> >
> > [global]
> > netbios name = rose8
> > realm = VEGAGROUP.NET
> > workgroup = VEGA
> > security = ADS
> > encrypt passwords = yes
> > password server = *
> > os level = 20
> > socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> > idmap uid = 1100-200000
> > idmap gid = 1100-200000
> > idmap backend = rid:VEGA=1100-200000
> > allow trusted domains = no
> > winbind enum users = yes
> > winbind enum groups = yes
> > template homedir = /home/%U
> > template shell = /bin/sh
> > preferred master = no
> > winbind nested groups = Yes
> > winbind use default domain = Yes
> > #winbind separator = +
> > #winbind normalize names = yes
> > log level = 10
> > max log size = 50
> > log file = /var/log/samba/log.%m
> > dns proxy = no
> > wins server = 172.20.205.1
> > allow trusted domains = No
> > client use spnego = Yes
> > use kerberos keytab = true
> > winbind offline logon = yes
> >
> > I really appreciate your big effort. Thanks!
> >
> > On 4/29/08, Dietrich Streifert <[EMAIL PROTECTED]> wrote:
> > >
> > > Which samba version do you use?
> > >
> > > Please post the global configuration section of smb.conf.
> > >
> > > Oliver Weinmann wrote:
> > >
> > > Here could be a problem. I could not change our win 2k3 schema. They
> > > were afraid it could break something... tsss. So I had to use the
> > > idmap_rid module. Which does a good job actually. It uses the last
> > > portion of the AD user's SID and adds it to a base set in smb.conf.
> > > I issued your commands:
> > >
> > > bash-2.03# getent passwd | grep oweinmann
> > > oweinmann2:*:15042:1613:Oliver Weinmann2:/home/oweinmann2:/bin/sh
> > > oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh
> > > oweinmann1:*:15041:1613:Oliver Weinmann1:/home/oweinmann1:/bin/sh
> > > bash-2.03# id -a oweinmann
> > > uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
> > > bash-2.03# su oweinmann
> > > $ id
> > > uid=11611(oweinmann) gid=1613(domain users)
> > > $ id -a
> > >
> > > the "id -a" as user "oweinmann" seems to get stuck. It just sits
> > > there. I noticed when issuing "groups oweinmann" as root it also gets
> > > stuck. On some users the "groups" command seems to be working, on
> > > some others it doesn't.
> > >
> > > On 4/29/08, Dietrich Streifert <[EMAIL PROTECTED]> wrote:
> > > >
> > > > We have several installations where we use the two different AD
> > > > schema extensions (SFU from Windows Services for Unix and rfc2307bis
> > > > from Windows Server 2003R2) to put the needed information in.
> > > >
> > > > We are using the idmap_ad module to map the uid, gid, home etc.
> > > > information from the AD.
> > > >
> > > > The local users and the AD users are completely separated. We do not
> > > > mix up local users and AD users.
> > > >
> > > > The first basic test if the AD user information retrieval is working
> > > > is to use the getent command:
> > > >
> > > > getent passwd <someADUser>
> > > >
> > > > So for a test user account I get:
> > > >
> > > > korund{root}[/]: getent passwd testuser
> > > > testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh
> > > >
> > > > If this works the first step is done.
> > > >
> > > > The second test is to get all related information for one user:
> > > >
> > > > korund{root}[/]: id -a testuser
> > > > uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib)
> > > >
> > > > The third test is to su - testuser and again try to issue both
> > > > commands above. If the retrieved information is the same you should
> > > > be all done (except for pam.conf, which is another story).
> > > >
> > > > Oliver Weinmann wrote:
> > > >
> > > > Could the problem be that the AD users are not in any of the local
> > > > groups on the machine? How do you manage your AD users to be members of
> > > > local groups e.g. staff, sys etc.? pam_groups?
> > > >
> > > > On 4/29/08, Oliver Weinmann <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > there is nothing in /etc/profile and the user oweinmann has no
> > > > > .bashrc. The problem seems to be related to nscd. When nscd is turned
> > > > > on I can login and issue commands and I don't get kicked out of the
> > > > > ssh login. There is no idle session timeout set. If there was I would
> > > > > get kicked out when nscd is turned on as well. Only when logged in as
> > > > > an AD user I get kicked out...
> > > > >
> > > > > On 4/29/08, Dietrich Streifert <[EMAIL PROTECTED]> wrote:
> > > > > >
> > > > > > So there must be something in your bash init files, /etc/profile
> > > > > > or ~/.bashrc (sorry I'm not a bash user) which causes the problem.
> > > > > >
> > > > > > Maybe something which forms the shell prompt like whoami etc.
> > > > > >
> > > > > > Maybe there is something like an autologout set for the csh or in
> > > > > > sshd with idle session timeout.
> > > > > >
> > > > > > Oliver Weinmann wrote:
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > no, there was nothing in /var/adm/messages, but guess what with
> > > > > > the csh ls -alrt and such commands work fine...
> > > > > > But I get kicked out of the ssh session after 2 minutes... :(
> > > > > >
> > > > > > On 4/29/08, Dietrich Streifert <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > Are there any messages in /var/adm/messages which are related
> > > > > > > to nss?
> > > > > > >
> > > > > > > As I can see you are using bash as your shell.
> > > > > > >
> > > > > > > Try using csh. Does something change?
> > > > > > >
> > > > > > > Oliver Weinmann wrote:
> > > > > > >
> > > > > > > su to user oweinmann works but when I issue the ldd -r
> > > > > > > /usr/lib/nss_winbind.so command it gets put in the background..
> > > > > > > :( I then do fg 2 and this is the output:
> > > > > > >
> > > > > > > bash-2.03$ ldd -r /usr/lib/nss_winbind.so
> > > > > > >
> > > > > > > [2]+ Stopped ldd -r /usr/lib/nss_winbind.so
> > > > > > > bash-2.03$ fg 2
> > > > > > > ldd -r /usr/lib/nss_winbind.so
> > > > > > > libthread.so.1 => /usr/lib/libthread.so.1
> > > > > > > libsocket.so.1 => /usr/lib/libsocket.so.1
> > > > > > > libdl.so.1 => /usr/lib/libdl.so.1
> > > > > > > libc.so.1 => /usr/lib/libc.so.1
> > > > > > > libnsl.so.1 => /usr/lib/libnsl.so.1
> > > > > > > libmp.so.2 => /usr/lib/libmp.so.2
> > > > > > > /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
> > > > > > >
> > > > > > > bash-2.03$ ls -alrt /etc/nsswitch.conf
> > > > > > >
> > > > > > > [2]+ Stopped ls -alrt /etc/nsswitch.conf
> > > > > > > bash-2.03$ fg 2
> > > > > > > ls -alrt /etc/nsswitch.conf
> > > > > > > -rw-r--r-- 1 root sys 1320 Apr 28 13:19 /etc/nsswitch.conf
> > > > > > >
> > > > > > > On 4/29/08, Dietrich Streifert <[EMAIL PROTECTED]> wrote:
> > > > > > > >
> > > > > > > > Please try to login (or su) to the user oweinmann and then
> > > > > > > > issue ldd -r /usr/lib/nss_winbind.so
> > > > > > > >
> > > > > > > > For some reason I think that non root users are not able to
> > > > > > > > read one of the involved files.
> > > > > > > >
> > > > > > > > This could be
> > > > > > > >
> > > > > > > > /etc/nsswitch.conf
> > > > > > > > /usr/lib/nss_winbind.so
> > > > > > > >
> > > > > > > > or some of the files found by the ldd -r command. The fact
> > > > > > > > that you can issue commands while nscd is running points to
> > > > > > > > this fact because nscd is running as root and has permissions
> > > > > > > > to read all of those files.
> > > > > > > >
> > > > > > > > /etc/nsswitch.conf should be readable by everyone.
> > > > > > > >
> > > > > > > > I compiled samba myself with a full stack of openssl, iconv,
> > > > > > > > heimdal kerberos, cyrus-sasl, openldap and samba. While people
> > > > > > > > often speak of the Windows DLL hell this is the Solaris shared
> > > > > > > > library hell :-( But it works.
> > > > > > > >
> > > > > > > > Oliver Weinmann wrote:
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > bash-2.03# ldd -r /usr/lib/nss_winbind.so
> > > > > > > > libthread.so.1 => /usr/lib/libthread.so.1
> > > > > > > > libsocket.so.1 => /usr/lib/libsocket.so.1
> > > > > > > > libdl.so.1 => /usr/lib/libdl.so.1
> > > > > > > > libc.so.1 => /usr/lib/libc.so.1
> > > > > > > > libnsl.so.1 => /usr/lib/libnsl.so.1
> > > > > > > > libmp.so.2 => /usr/lib/libmp.so.2
> > > > > > > > /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
> > > > > > > >
> > > > > > > > I changed the permissions and files exactly to be the same
> > > > > > > > but I still can't issue commands...
> > > > > > > > :(
> > > > > > > >
> > > > > > > > bash-2.03# ls -alrt /usr/lib/nss_winbind.so*
> > > > > > > > -rwxr-xr-x 1 root other 74744 Apr 29 09:03 /usr/lib/nss_winbind.so.1
> > > > > > > > lrwxrwxrwx 1 root other 25 Apr 29 09:04 /usr/lib/nss_winbind.so -> /usr/lib/nss_winbind.so.1
> > > > > > > >
> > > > > > > > Could this also be a problem of compiling? Have you
> > > > > > > > compiled the samba yourself or are you using prebuilt packages?
> > > > > > > >
> > > > > > > > On 4/29/08, Dietrich Streifert <[EMAIL PROTECTED]> wrote:
> > > > > > > > >
> > > > > > > > > What output does ldd -r /usr/lib/nss_winbind.so give?
> > > > > > > > >
> > > > > > > > > I have the following naming and permission for nss_winbind:
> > > > > > > > >
> > > > > > > > > lrwxrwxrwx 1 root other 16 Jan 15 2004 nss_winbind.so -> nss_winbind.so.1
> > > > > > > > > -rwxr-xr-x 1 root other 44540 Apr 28 17:35 nss_winbind.so.1
> > > > > > > > >
> > > > > > > > > Please try with exactly the same naming and permissions of
> > > > > > > > > your files.
> > > > > > > > >
> > > > > > > > > Oliver Weinmann wrote:
> > > > > > > > >
> > > > > > > > > > I will try to get hands on the latest patches for
> > > > > > > > > > solaris 8 and see if that fixes the nscd problems. I can't
> > > > > > > > > > believe that samba-winbind is not running 100% well on a
> > > > > > > > > > Solaris 8 machine.
> > > > > > > > > >
> > > > > > > > > > On 4/28/08, Oliver Weinmann <[EMAIL PROTECTED]> wrote:
> > > > > > > > > > >
> > > > > > > > > > > Just for fun I changed the perms of
> > > > > > > > > > > /usr/lib/libnss_winbind.so to 777
> > > > > > > > > > >
> > > > > > > > > > > bash-2.03# chmod 777 /usr/lib/libnss_winbind.so
> > > > > > > > > > > bash-2.03# ls -alrt /usr/lib/libnss_winbind.so
> > > > > > > > > > > -rwxrwxrwx 1 root other 74744 Apr 28 13:32 /usr/lib/libnss_winbind.so
> > > > > > > > > > >
> > > > > > > > > > > nscd is turned off. I can login as an AD user but I
> > > > > > > > > > > can't start any command. :(
> > > > > > > > > > >
> > > > > > > > > > > login as: oweinmann
> > > > > > > > > > > Using keyboard-interactive authentication.
> > > > > > > > > > > Password:
> > > > > > > > > > > Last login: Mon Apr 28 15:17:11 2008 from vb8860.vegagrou
> > > > > > > > > > > bash-2.03$ ls -alrt
> > > > > > > > > > >
> > > > > > > > > > > [1]+ Stopped ls -alrt
> > > > > > > > > > > bash-2.03$ id
> > > > > > > > > > >
> > > > > > > > > > > [2]+ Stopped id
> > > > > > > > > > > bash-2.03$ group
> > > > > > > > > > >
> > > > > > > > > > > [3]+ Stopped group
> > > > > > > > > > > bash-2.03$ echo "TEST"
> > > > > > > > > > > TEST
> > > > > > > > > > > bash-2.03$
> > > > > > > > > > >
> > > > > > > > > > > Some commands are working and some others are put in
> > > > > > > > > > > background and the session closes after one or two minutes?
> > > > > > > > > > >
> > > > > > > > > > > When I turn on nscd everything is fine, except ls
> > > > > > > > > > > -alrt not working.
> > > > > > > > > > >
> > > > > > > > > > > On 4/28/08, Gerald (Jerry) Carter <[EMAIL PROTECTED]> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > Oliver Weinmann wrote:
> > > > > > > > > > > > | forgot to mention that the nss_winbind links are there:
> > > > > > > > > > > > |
> > > > > > > > > > > > | bash-2.03# ls -alrt /usr/lib/nss_w*
> > > > > > > > > > > > | lrwxrwxrwx 1 root other 28 Apr 23 14:30
> > > > > > > > > > > > | /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
> > > > > > > > > > > > | lrwxrwxrwx 1 root other 28 Apr 23 14:30
> > > > > > > > > > > > | /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so.1
> > > > > > > > > > > > | lrwxrwxrwx 1 root other 28 Apr 23 14:30
> > > > > > > > > > > > | /usr/lib/nss_winbind.so -> /usr/lib/libnss_winbind.so.1
> > > > > > > > > > > >
> > > > > > > > > > > > Check the perms on /usr/lib/libnss_winbind.so.1. Sounds
> > > > > > > > > > > > like it might be rwx for root only.
> > > > > > > > > > > >
> > > > > > > > > > > > cheers, jerry
> > > > > > > > > > > > --
> > > > > > > > > > > > =====================================================================
> > > > > > > > > > > > Samba ------- http://www.samba.org
> > > > > > > > > > > > Likewise Software --------- http://www.likewisesoftware.com
> > > > > > > > > > > > "What man is a man who does not make the world better?" --Balian
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Best regards
> > > > > > > > > Dietrich Streifert
> > > > > > > > > --
> > > > > > > > > Visionet GmbH
> > > > > > > > > Registered office: Am Weichselgarten 7, 91058 Erlangen
> > > > > > > > > Registration court: Handelsregister Fürth, HRB 6573
> > > > > > > > > Managing director: Stefan Lindner
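
The checks discussed in this thread, as an added example that is not from any of the posters: are /etc/nsswitch.conf and the nss_winbind module readable by non-root users, and do `getent passwd` and `id -a` return instead of hanging. It goes one step further and also flags a library left group- or world-writable (as after the `chmod 777` test above). It assumes a system with the `timeout` utility, which stock Solaris 8 does not ship; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: NSS permission and lookup checks with a hang guard.
# Assumption: `timeout` (GNU coreutils or busybox) is installed.

# Print a verdict for one NSS-related file (nsswitch.conf or an nss_*.so module).
# `ls -L` follows symlinks, because nss_winbind.so is normally a link to the real library.
check_nss_file() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 0; }
    mode=$(ls -ldL "$f" | cut -c1-10)          # e.g. -rwxr-xr-x
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_r=$(printf '%s' "$mode" | cut -c8)
    other_w=$(printf '%s' "$mode" | cut -c9)
    if [ "$other_r" != "r" ]; then
        echo "not-world-readable"              # non-root processes cannot load it
    elif [ "$group_w" = "w" ] || [ "$other_w" = "w" ]; then
        echo "writable-by-non-owner"           # any user could replace the module
    else
        echo "ok"
    fi
}

# Run a lookup command with a time limit, so a stuck `id -a` or `getent`
# is reported as "hang" instead of blocking the session.
probe() {
    limit=$1; shift
    rc=0
    timeout "$limit" "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   echo "ok" ;;
        124) echo "hang" ;;                    # timeout's exit status for "timed out"
        *)   echo "failed" ;;
    esac
}

# The tests from the thread for one account, run as the invoking user.
# Run it as root and again after `su - USER`; the verdicts should match.
check_user() {
    u=$1
    echo "getent passwd: $(probe 10 getent passwd "$u")"
    echo "id -a:         $(probe 10 id -a "$u")"
    echo "nsswitch.conf: $(check_nss_file /etc/nsswitch.conf)"
    echo "nss_winbind:   $(check_nss_file /usr/lib/nss_winbind.so)"
}

check_user "${1:-root}"
```
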