Re: [Samba] shell login with multiple domains via trusts
Eric,

We have this working now, with multiple trusted domains and forests. We have 'use default domain' = true. Members in our default domain can use either userid or domain\userid to connect. Users from other domains must use domain\userid.

Some potential gotchas to consider:

1) Ensure that the username that is actually processed by the auth mechanism is domain\userid, and not domain\\userid. People using Windows PuTTY to connect will sometimes use domain\\userid and fail. Using the correct format with a single \ works. However, those connecting from other Linux/Unix/Mac systems and a command-line ssh command will need to use the domain\\userid format to properly escape the \ character so that it is properly passed down the line. (Using a single \ here results in an attempt to log in with domainuserid...)

2) Group memberships may be interfering here. You may have a requirement that only members of domain users can log in -- this will often also assume the default domain, and users from other domains will not be members of your default domain's domain users group. Also, group checks against AD-based groups during SSH connections seem to be dicey, at best.

3) We've noted a change in domain group determination behavior between Samba 3.5.6 and 3.5.9. Previously, we could count on a userid from a trusted domain to show group memberships from both the local system, the user's home domain and from the system's default domain. (Probably from all trusted domains, but we didn't check/use that...) As of Samba 3.5.9, a logged on user from a trusted domain was only showing a group list showing memberships from the local system and the user's home domain. It no longer showed group memberships in groups in the system's default domain. (And this breaks our operations rather horribly... ;-)

Cheers,

-D

--On Friday, September 16, 2011 5:11 PM -0400 Eric S. Hvozda hvo...@ack.org wrote:

> It's been a long journey, bear with me.
>
> We have multiple domains that have interdomain trusts in separate forests.
>
> I can successfully authenticate via wbinfo -A A\\userA and wbinfo -A B\\userB; same with -K.
>
> The host is joined to AD A. UserA can authenticate successfully and get a shell. However I desire B\\UserB to also be able to log in as well.
>
> However, I can only have users from domain A log in, and even then, if and only if I have winbind use default domain = true.
>
> However it would seem that winbind use default domain = false is required to do what I desire. However, I can't seem to get PAM to deal with the domain portion of the string, i.e. A\\ of A\\UserA or B\\ of B\\UserB.
>
> Anyone out doing this already? How do I get PAM to strip the DOMAIN portion or winbind to strip it prior to passing it to PAM?

--
Donald L. Meyer dlme...@illinois.edu
 - Technical System Manager, ACES TeleNet Service
 - Technical Lead, ACES Web Infrastructure
Information Technology and Communication Services, College of ACES
University of Illinois at Urbana-Champaign
Video/H.323: 0012172445653 (GDS)
Phone:+1.217.244.5653

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

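The backslash handling from gotcha 1 in the reply above, as an added example that is not part of the original thread: it shows what a POSIX shell hands to ssh for each typed form and classifies the name the auth stack would then see. DOMA and usera are constructed names, and argv_as_received, classify_login and report are hypothetical helpers.

```shell
#!/bin/sh
# Added example, not from the thread. DOMA and usera are constructed names;
# argv_as_received, classify_login and report are hypothetical helpers.

# Return the first argument byte-for-byte: what ssh (and then PAM/winbind)
# receives once the local shell has finished parsing the command line.
argv_as_received() { printf '%s' "$1"; }

# Classify a login name as it arrives at the auth stack.
#   qualified: DOMAIN\user with exactly one backslash
#   bare:      no backslash; only resolvable in the default domain
#   malformed: empty, or a doubled, leading or trailing backslash
classify_login() {
    case $1 in
        '')      echo malformed ;;
        *\\*\\*) echo malformed ;;
        \\*|*\\) echo malformed ;;
        *\\*)    echo qualified ;;
        *)       echo bare ;;
    esac
}

# report: "received-name<TAB>class" for one login name.
report() { printf '%s\t%s' "$1" "$(classify_login "$1")"; }

# Typed at a Unix shell prompt: the shell consumes one level of backslashes.
report "$(argv_as_received DOMA\usera)";   echo
report "$(argv_as_received DOMA\\usera)";  echo
report "$(argv_as_received 'DOMA\usera')"; echo

# Typed into a client with no shell in between (a PuTTY login field):
# the characters arrive exactly as typed.
report 'DOMA\usera';  echo
report 'DOMA\\usera'; echo
```

Single-quoting the name on a Unix command line gives the same result as doubling the backslash, which avoids teaching users two different spellings.
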
Re: [Samba] Cannot compile RHEL rpms using samba 3.4.2 series source
You may want to look at #6540 - I think it is already open on this issue.

-D

--On Saturday, October 03, 2009 10:54 AM +0200 Werner Maes werner.m...@icts.kuleuven.be wrote:

> Thanks for your effort, I'll have a look on Monday.
>
> Should we reopen this bug which has now status RESOLVED as a duplicate of bug 6742 but as we know now this is not the case!

--
Donald L. Meyer dlme...@illinois.edu
 - Technical System Manager, ACES TeleNet Service
 - Technical Lead, ACES Web Infrastructure
Information Technology and Communication Services, College of ACES
University of Illinois at Urbana-Champaign
Video/H.323: 0012172445653 (GDS)
Phone:+1.217.244.5653

Re: [Samba] Cannot compile RHEL rpms using samba 3.4.2 series source
I've applied the patch for #6742 to the 3.4.2 package, and it makes no difference to the RHEL issue. (#6742 was reported for Debian systems...)

I have been able to determine that the problem appears to be with the carry-forward of the precompiled headers. The 'make pch' step proceeds without error, but as the process starts the main 'make all' part, it acts like the precompiled headers are not used.

To verify this, I modified the 'make all' call from:

    make CFLAGS=$RPM_OPT_FLAGS -D_GNU_SOURCE -j2 \
        all modules pam_smbpass

to:

    make CFLAGS=$RPM_OPT_FLAGS -D_GNU_SOURCE -I. -I/usr/src/redhat/BUILD/samba-3.4.2/source3 \
        -I/usr/src/redhat/BUILD/samba-3.4.2/source3/iniparser/src -Iinclude -I./include \
        -I./../lib/replace -I./../lib/talloc -I./../lib/tevent -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. \
        -I/usr/src/redhat/BUILD/samba-3.4.2/lib/tdb/include -I./libaddns -I./librpc -I./../lib/popt \
        -I/usr/src/redhat/BUILD/samba-3.4.2/source3/lib -I.. -I../source4 -j2 \
        all modules pam_smbpass

(Basically, including the entire list of include directories specified on the command line in the 'make pch' section.)

This allows the build to proceed -- apparently properly -- until a later problem stops the process at 'ldb_modules.c': it complains about 'MODULESDIR' being undefined in function 'ldb_try_load_dso'.

A little research and another addition results in something that at least completes the build:

    make CFLAGS=$RPM_OPT_FLAGS -D_GNU_SOURCE -I. -I/usr/src/redhat/BUILD/samba-3.4.2/source3 \
        -I/usr/src/redhat/BUILD/samba-3.4.2/source3/iniparser/src -Iinclude -I./include \
        -I./../lib/replace -I./../lib/talloc -I./../lib/tevent -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. \
        -I/usr/src/redhat/BUILD/samba-3.4.2/lib/tdb/include -I./libaddns -I./librpc -I./../lib/popt \
        -I/usr/src/redhat/BUILD/samba-3.4.2/source3/lib -I.. -I../source4 -DMODULESDIR=\'/usr/lib/samba\' -j2 \
        all modules pam_smbpass

I haven't tested the resulting packages yet, though.

Hopefully, someone more versed in the use of precompiled headers can take a look here and see what might be wrong...

-D

--On Friday, October 02, 2009 2:44 PM +0200 Michael Wood esiot...@gmail.com wrote:

> 2009/10/2 Werner Maes werner.m...@icts.kuleuven.be:
> > [...]
> > ps: or maybe the resolution only refers that it is a duplicate of bug 6742?
>
> Exactly. Did you try the patch attached to bug 6742?
>
> --
> Michael Wood esiot...@gmail.com

Re: [Samba] compiling samba-3.4.x on RHEL4
Folks,

I am running into this same problem -- the source of the problem appears (to me) to be earlier in the compile, before the warnings/errors that Werner quoted.

I found reference to being unable to load config.h. The compile appears to be being executed with a current directory of 'samba-3.4.1/source3/', and is directly compiling replace.c and talloc.c in their respective directories. Both fail without access to config.h.

To test, I set the current directory into the BUILD/samba-3.4.1/source3/ directory, and re-executed the gcc command from the output. With this, I was able to duplicate the warning/error output from the package build. When I appended -Iinclude to the same command, the compile completed successfully -- without any errors or warnings.

Therefore, I have to conclude that the include paths are not being set correctly for these component compiles. I have not had the time yet to dig any deeper into the Makefile/specfile structure to determine where this problem lies.

-D

--On Thursday, September 10, 2009 4:37 PM +0200 Werner Maes werner.m...@icts.kuleuven.be wrote:

> replace.h is in /usr/src/redhat/BUILD/samba-3.4.1/lib/replace/
>
> The Makefile can be found in /usr/src/redhat/BUILD/samba-3.4.1/source3/
>
> so -I./../lib/replace should point to the folder where replace.h can be found? Or am I missing something?
>
>     CPPFLAGS=-DHAVE_CONFIG_H -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/talloc -I./../lib/tevent -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. -I./../lib/popt -DLDAP_DEPRECATED
>
> werner
>
> ps: in samba 3.2.x 3.3.x the folder lib/replace was situated in the source/ folder, but in samba 3.4.x it is no longer there but one directory up!

--
Donald L. Meyer dlme...@illinois.edu
 - Technical System Manager, ACES TeleNet Service
 - Technical Lead, ACES Web Infrastructure
Information Technology and Communication Services, College of ACES
University of Illinois at Urbana-Champaign
Video/H.323: 0012172445653 (GDS)
Phone:+1.217.244.5653