Re: [Samba] wbinfo -g gives no output , ndr_pull_error
Hello,

sorry for the noise, I accidentally hit the send button. Here is what I wanted to ask:

I'm hitting the same problem on solaris 9 x86 and sparc with samba 3.5.6 (active directory on windows 2003 R2 SP2 with rfc2307 schema extension, openssl 0.9.8o, libiconv 1.13.1, heimdal 1.4, openldap 2.4.23) for both wbinfo -g and wbinfo -u. wbinfo -t and net ads testjoin give positive results.

The same testbed, except for using samba 3.4.9, does not show the problem. wbinfo -g and wbinfo -u work as expected.

Name services using nss_winbind.so are working.

The ndr_pull_error line seems to be a subsequent "unable to display the error message" error.

The relevant lines in log.winbindd are

    [2010/10/28 17:51:31.512980, 6] winbindd/winbindd.c:768(new_connection)
      accepted socket 23
    [2010/10/28 17:51:31.513254, 3] winbindd/winbindd_lookupsid.c:51(winbindd_lookupsid_send)
      lookupsid S-1-5-21-XX-YY-ZZ-513
    [2010/10/28 17:51:31.513468, 1] ../librpc/ndr/ndr.c:395(ndr_pull_error)
      ndr_pull_error(1): String terminator not present or outside string boundaries
    [2010/10/28 17:51:31.513536, 5] winbindd/winbindd_lookupsid.c:94(winbindd_lookupsid_recv)
      Could not lookup sid S-1-5-21-XX-YY-ZZ-513: NT_STATUS_ARRAY_BOUNDS_EXCEEDED
    [2010/10/28 17:51:31.513729, 6] winbindd/winbindd.c:816(winbind_client_request_read)
      closing socket 22, client exited

Did you get any feedback or further understanding of this issue?

Regards...

On 26.10.2010 13:26, Dietrich Streifert wrote:

Hello,

On 06.07.2010 14:54, Alexander Muth wrote:

Hello,

after upgrading Samba from 3.4.3 to 3.5.4 wbinfo -g gives no output.

Log Entry:

    [2010/07/06 14:48:49.086377, 3] winbindd/winbindd_list_groups.c:58(winbindd_list_groups_send)
      list_groups
    [2010/07/06 14:48:49.086504, 1] ../librpc/ndr/ndr.c:395(ndr_pull_error)
      ndr_pull_error(1): String terminator not present or outside string boundaries

wbinfo -u is working as expected.
    # net ads testjoin
    Join is OK
    # wbinfo -t
    checking the trust secret for domain GLA-RLP via RPC calls succeeded

Any ideas how to get wbinfo -g working again?

thanks
Alexander

--
Kind regards
Dietrich Streifert
--
Visionet GmbH
Registered office: Am Weichselgarten 7, 91058 Erlangen
Court of registration: Handelsregister Fürth, HRB 6573
Managing director: Stefan Lindner

--
Kind regards
Dietrich Streifert

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] samba 3.4 and 3.5 bug or misconfig: why is idmap uid and idmap gid needed for an AD only idmap config?
Hello list,

I'm currently struggling to create a running config for samba 3.4.9 and 3.5.6 on solaris 9 (active directory on windows 2003 R2 SP2 with rfc2307 schema extension, openssl 0.9.8o, libiconv 1.13.1, heimdal 1.4, cyrus-sasl 2.1.23, openldap 2.4.23).

The relevant part in smb.conf is in [global]:

    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind expand groups = 3
    winbind nss info = rfc2307
    idmap backend = tdb
    idmap config DOMAIN:readonly = yes
    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:default = yes
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 1-65535
    idmap uid = 65536 - 65537
    idmap gid = 65536 - 65537

The setup basically works, but some group ids are spotted into the group list which do not belong to gid numbers in AD. This seems to happen for users being members in nested groups while some of the groups have gid numbers assigned in AD and some groups don't.

A given user (testuser) is in 3 groups and additionally in the group domain-users. domain-users is member of four other groups without a gid number assigned.

After su to testuser it depends on how id is called:

    srv{testuser}[/home/testuser]: id -a
    uid=10309(testuser) gid=11007(testgroup) groups=11007(testgroup),65536,65537,10010(domain-users),11009(testgroup3),11008(testgroup2)
    srv{testuser}[/home/testuser]: id -a testuser
    uid=10309(testuser) gid=11007(testgroup) groups=10010(domain-users),11008(testgroup2),11008(testgroup2),11009(testgroup3),11009(testgroup3)

The additional ids show up as group id 65536 and 65537 in id -a but not in id -a testuser.

Retrieving the groups of the user testuser via wbinfo -r gives:

    ./wbinfo -r testuser
    11007
    65536
    65537
    10010
    11009
    11008

also showing the non-existing AD group ids (65536, 65537) which correspond to the settings in idmap uid and idmap gid.

I think the idmap default tdb backend is trying to map somehow ids to the groups which do not have gid numbers assigned in AD.
So how can I get rid of these unwanted mappings? Why do they occur?

Any help would be great!

Regards...

--
Kind regards
Dietrich Streifert
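An added example, not part of the original message and not Samba code: a Python check that reads the idmap ranges from the smb.conf fragment above and classifies each gid reported by wbinfo -r, flagging ids that fall outside the AD range or that id -a shows without a group name. The function names are hypothetical, and the sample input is copied from the post.

```python
import re

# Sample input copied from the message above (not live system output).
SMB_CONF = """\
[global]
winbind nss info = rfc2307
idmap backend = tdb
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1-65535
idmap uid = 65536 - 65537
idmap gid = 65536 - 65537
"""
WBINFO_R = "11007\n65536\n65537\n10010\n11009\n11008\n"
ID_A = ("uid=10309(testuser) gid=11007(testgroup) groups=11007(testgroup),"
        "65536,65537,10010(domain-users),11009(testgroup3),11008(testgroup2)")

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
DOMAIN_RANGE_RE = re.compile(r"idmap config (\S+?)\s*:\s*range$", re.IGNORECASE)


def parse_ranges(conf_text):
    """Return ({domain: (low, high)}, idmap_gid_range_or_None) from smb.conf text."""
    domains, alloc_gid = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # comments, section headers, blank lines
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.split())  # smb.conf ignores extra spaces in names
        span = RANGE_RE.match(value)
        if not span:
            continue  # not a "low-high" value
        bounds = (int(span.group(1)), int(span.group(2)))
        domain = DOMAIN_RANGE_RE.match(key)
        if domain:
            domains[domain.group(1)] = bounds
        elif key.lower() == "idmap gid":
            alloc_gid = bounds
    return domains, alloc_gid


def parse_id_groups(id_output):
    """Return [(gid, name_or_None)] from the groups= field of `id -a` output."""
    field = re.search(r"groups=(.*)$", id_output.strip())
    result = []
    if field:
        for entry in field.group(1).split(","):
            m = re.fullmatch(r"(\d+)(?:\((.*)\))?", entry.strip())
            if m:
                result.append((int(m.group(1)), m.group(2)))
    return result


def classify(gid, domains, alloc_gid):
    """Say which configured range a gid belongs to."""
    for name, (low, high) in domains.items():
        if low <= gid <= high:
            return "directory:" + name
    if alloc_gid and alloc_gid[0] <= gid <= alloc_gid[1]:
        return "allocator"
    return "unmapped"


def audit(conf_text, wbinfo_r, id_output):
    """Return [(gid, origin, name_or_None)] for every gid wbinfo -r listed."""
    domains, alloc_gid = parse_ranges(conf_text)
    names = dict(parse_id_groups(id_output))
    return [(int(tok), classify(int(tok), domains, alloc_gid), names.get(int(tok)))
            for tok in wbinfo_r.split()]


def suspicious(report):
    """gids outside every directory range, or that resolve to no group name."""
    return [gid for gid, origin, name in report
            if not origin.startswith("directory:") or name is None]


if __name__ == "__main__":
    for gid, origin, name in audit(SMB_CONF, WBINFO_R, ID_A):
        print(f"{gid:>6}  {origin:<18} {name or '(no name)'}")
    print("review:", suspicious(audit(SMB_CONF, WBINFO_R, ID_A)))
```

Any gid it lists for review is a supplementary group the user's processes carry without a matching AD gidNumber, so files or ACLs that reference that numeric id are worth checking.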
Re: [Samba] samba 3.2.5 binaries
Maybe some people are using:

http://ftp.suse.com/pub/projects/samba/STABLE/11.0/

which is still serving 3.2.4 binaries.

Miguel Medalha wrote:

There is a stable release 3.2.5, but no SuSE binaries. This was a security patch. Will there be an update? Please update. Thanks.

What do you mean?

http://ftp.sernet.de/pub/samba/recent/suse/

--
Kind regards
Dietrich Streifert
Re: [Samba] Strange behaviour of winbind on solaris 8
Which output does ldd -r /usr/lib/nss_winbind.so give?

I have the following naming and permission for nss_winbind:

    lrwxrwxrwx 1 root other 16 Jan 15 2004 nss_winbind.so -> nss_winbind.so.1
    -rwxr-xr-x 1 root other 44540 Apr 28 17:35 nss_winbind.so.1

Please try with exactly the same naming and permissions of your files.

Oliver Weinmann wrote:

I will try to get hands on the latest patches for solaris 8 and see if that fixes the nscd problems. I can't believe that samba-winbind is not running 100% well on a Solaris 8 machine.

On 4/28/08, Oliver Weinmann [EMAIL PROTECTED] wrote:

Just for fun I changed the perms of /usr/lib/libnss_winbind.so to 777

    bash-2.03# chmod 777 /usr/lib/libnss_winbind.so
    bash-2.03# ls -alrt /usr/lib/libnss_winbind.so
    -rwxrwxrwx 1 root other 74744 Apr 28 13:32 /usr/lib/libnss_winbind.so

nscd is turned off. I can login as an AD user but I can't start any command. :(

    login as: oweinmann
    Using keyboard-interactive authentication.
    Password:
    Last login: Mon Apr 28 15:17:11 2008 from vb8860.vegagrou
    bash-2.03$ ls -alrt
    [1]+ Stopped ls -alrt
    bash-2.03$ id
    [2]+ Stopped id
    bash-2.03$ group
    [3]+ Stopped group
    bash-2.03$ echo TEST
    TEST
    bash-2.03$

Some commands are working and some others are put in background and the session closes after one or two minutes? When I turn on nscd everything is fine, except ls -alrt not working.

On 4/28/08, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:

Oliver Weinmann wrote:
| forgot to mention that the nss_winbind links are there:
|
| bash-2.03# ls -alrt /usr/lib/nss_w*
| lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
| lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so.1
| lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so -> /usr/lib/libnss_winbind.so.1

Check the perms on /usr/lib/libnss_winbind.so.1. Sounds like it might be rwx for root only.
cheers, jerry
--
Samba - http://www.samba.org
Likewise Software - http://www.likewisesoftware.com
What man is a man who does not make the world better? --Balian

--
Kind regards
Dietrich Streifert
Re: [Samba] Strange behaviour of winbind on solaris 8
Please try to login (or su) to the user oweinmann and then issue

    ldd -r /usr/lib/nss_winbind.so

For some reason I think that non root users are not able to read one of the involved files. This could be /etc/nsswitch.conf, /usr/lib/nss_winbind.so or some of the files found by the ldd -r command.

The fact that you can issue commands while nscd is running points to this fact because nscd is running as root and has permissions to read all of those files.

/etc/nsswitch.conf should be readable by everyone.

I compiled samba myself with a full stack of openssl, iconv, heimdal kerberos, cyrus-sasl, openldap and samba. While people often speak of the Windows DLL hell this is the Solaris shared library hell :-( But it works.

Oliver Weinmann wrote:

Hi,

    bash-2.03# ldd -r /usr/lib/nss_winbind.so
    libthread.so.1 => /usr/lib/libthread.so.1
    libsocket.so.1 => /usr/lib/libsocket.so.1
    libdl.so.1 => /usr/lib/libdl.so.1
    libc.so.1 => /usr/lib/libc.so.1
    libnsl.so.1 => /usr/lib/libnsl.so.1
    libmp.so.2 => /usr/lib/libmp.so.2
    /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1

I changed the permissions and files exactly to be the same but I still can't issue commands... :(

    bash-2.03# ls -alrt /usr/lib/nss_winbind.so*
    -rwxr-xr-x 1 root other 74744 Apr 29 09:03 /usr/lib/nss_winbind.so.1
    lrwxrwxrwx 1 root other 25 Apr 29 09:04 /usr/lib/nss_winbind.so -> /usr/lib/nss_winbind.so.1

Could this also be a problem of compiling? Have you compiled the samba yourself or are you using prebuilt packages?

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

Which output does ldd -r /usr/lib/nss_winbind.so give?

I have the following naming and permission for nss_winbind:

    lrwxrwxrwx 1 root other 16 Jan 15 2004 nss_winbind.so -> nss_winbind.so.1
    -rwxr-xr-x 1 root other 44540 Apr 28 17:35 nss_winbind.so.1

Please try with exactly the same naming and permissions of your files.

Oliver Weinmann wrote:

I will try to get hands on the latest patches for solaris 8 and see if that fixes the nscd problems.
Re: [Samba] Strange behaviour of winbind on solaris 8
Are there any messages in /var/adm/messages which are related to nss?

As I can see you are using bash as your shell. Try using csh. Does something change?

Oliver Weinmann wrote:

su to user oweinmann works but when I issue the ldd -r /usr/lib/nss_winbind.so command it gets put in the background.. :( I then do fg 2 and this is the output:

    bash-2.03$ ldd -r /usr/lib/nss_winbind.so
    [2]+ Stopped ldd -r /usr/lib/nss_winbind.so
    bash-2.03$ fg 2
    ldd -r /usr/lib/nss_winbind.so
    libthread.so.1 => /usr/lib/libthread.so.1
    libsocket.so.1 => /usr/lib/libsocket.so.1
    libdl.so.1 => /usr/lib/libdl.so.1
    libc.so.1 => /usr/lib/libc.so.1
    libnsl.so.1 => /usr/lib/libnsl.so.1
    libmp.so.2 => /usr/lib/libmp.so.2
    /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
    bash-2.03$ ls -alrt /etc/nsswitch.conf
    [2]+ Stopped ls -alrt /etc/nsswitch.conf
    bash-2.03$ fg 2
    ls -alrt /etc/nsswitch.conf
    -rw-r--r-- 1 root sys 1320 Apr 28 13:19 /etc/nsswitch.conf

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

Please try to login (or su) to the user oweinmann and then issue

    ldd -r /usr/lib/nss_winbind.so

For some reason I think that non root users are not able to read one of the involved files. This could be /etc/nsswitch.conf, /usr/lib/nss_winbind.so or some of the files found by the ldd -r command.

The fact that you can issue commands while nscd is running points to this fact because nscd is running as root and has permissions to read all of those files.

/etc/nsswitch.conf should be readable by everyone.

I compiled samba myself with a full stack of openssl, iconv, heimdal kerberos, cyrus-sasl, openldap and samba. While people often speak of the Windows DLL hell this is the Solaris shared library hell :-( But it works.
Re: [Samba] Strange behaviour of winbind on solaris 8
So there must be something in your bash init files, /etc/profile or ~/.bashrc (sorry I'm not a bash user) which causes the problem. Maybe something which forms the shell prompt like whoami etc.

Maybe there is something like an autologout set for the csh or in sshd with idle session timeout.

Oliver Weinmann wrote:

Hi,

no, there was nothing in /var/adm/messages, but guess what: with the csh, ls -alrt and such commands work fine... But I get kicked out of the ssh session after 2 minutes... :(

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

Are there any messages in /var/adm/messages which are related to nss?

As I can see you are using bash as your shell. Try using csh. Does something change?

Oliver Weinmann wrote:

su to user oweinmann works but when I issue the ldd -r /usr/lib/nss_winbind.so command it gets put in the background.. :( I then do fg 2 and this is the output:

    bash-2.03$ ldd -r /usr/lib/nss_winbind.so
    [2]+ Stopped ldd -r /usr/lib/nss_winbind.so
    bash-2.03$ fg 2
    ldd -r /usr/lib/nss_winbind.so
    libthread.so.1 => /usr/lib/libthread.so.1
    libsocket.so.1 => /usr/lib/libsocket.so.1
    libdl.so.1 => /usr/lib/libdl.so.1
    libc.so.1 => /usr/lib/libc.so.1
    libnsl.so.1 => /usr/lib/libnsl.so.1
    libmp.so.2 => /usr/lib/libmp.so.2
    /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
    bash-2.03$ ls -alrt /etc/nsswitch.conf
    [2]+ Stopped ls -alrt /etc/nsswitch.conf
    bash-2.03$ fg 2
    ls -alrt /etc/nsswitch.conf
    -rw-r--r-- 1 root sys 1320 Apr 28 13:19 /etc/nsswitch.conf

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

Please try to login (or su) to the user oweinmann and then issue

    ldd -r /usr/lib/nss_winbind.so

For some reason I think that non root users are not able to read one of the involved files. This could be /etc/nsswitch.conf, /usr/lib/nss_winbind.so or some of the files found by the ldd -r command.
Re: [Samba] Strange behaviour of winbind on solaris 8
We have several installations where we use the two different AD schema extensions (SFU from Windows Services for Unix and rfc2307bis from Windows Server 2003R2) to put the needed information in. We are using the idmap_ad module to map the uid, gid, home etc. information from the AD.

The local users and the AD users are completely separated. We do not mix up local users and AD users.

The first basic test if the AD user information retrieval is working is to use the getent command:

    getent someADUser

So for a test user account I get:

    korund{root}[/]: getent passwd testuser
    testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh

If this works the first step is done.

The second test is to get all related information for one user:

    korund{root}[/]: id -a testuser
    uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib)

The third test is to su - testuser and again try to issue both commands above. If the retrieved information is the same you should all be done (except from pam.conf which is another story).

Oliver Weinmann wrote:

Could the problem be that the AD users are not in any of the local groups on the machine? How do you manage your AD users to be members of local groups e.g. staff, sys etc.? pam_groups?

On 4/29/08, Oliver Weinmann [EMAIL PROTECTED] wrote:

there is nothing in /etc/profile and the user oweinmann has no .bashrc. The problem seems to be related to nscd. When nscd is turned on I can login and issue commands and I don't get kicked out of the ssh login. There is no idle session timeout set. If there was I would get kicked out when nscd is turned on as well. Only when logged in as an AD user I get kicked out...

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

So there must be something in your bash init files, /etc/profile or ~/.bashrc (sorry I'm not a bash user) which causes the problem. Maybe something which forms the shell prompt like whoami etc.
Re: [Samba] Strange behaviour of winbind on solaris 8
Which samba version do you use?

Please post the global configuration section of smb.conf.

Oliver Weinmann wrote:

Here could be a problem. I could not change our win 2k3 schema. They were afraid it could break something... tsss. So I had to use the idmap_rid module. Which does a good job actually. It uses the last portion of the AD user's SID and adds it to a base set in smb.conf.

I issued your commands:

    bash-2.03# getent passwd | grep oweinmann
    oweinmann2:*:15042:1613:Oliver Weinmann2:/home/oweinmann2:/bin/sh
    oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh
    oweinmann1:*:15041:1613:Oliver Weinmann1:/home/oweinmann1:/bin/sh
    bash-2.03# id -a oweinmann
    uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
    bash-2.03# su oweinmann
    $ id
    uid=11611(oweinmann) gid=1613(domain users)
    $ id -a

The id -a as user oweinmann seems to get stuck. It just sits there. I noticed when issuing groups oweinmann as root it also gets stuck. On some users the groups command seems to be working, on some others it doesn't.

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

We have several installations where we use the two different AD schema extensions (SFU from Windows Services for Unix and rfc2307bis from Windows Server 2003R2) to put the needed information in. We are using the idmap_ad module to map the uid, gid, home etc. information from the AD.

The local users and the AD users are completely separated. We do not mix up local users and AD users.

The first basic test if the AD user information retrieval is working is to use the getent command:

    getent someADUser

So for a test user account I get:

    korund{root}[/]: getent passwd testuser
    testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh

If this works the first step is done.
Re: [Samba] Strange behaviour of winbind on solaris 8
Please try to set combinations of

    winbind enum groups = No

and test again. This could be the reason why getent groups never ends. This is known to be a problem with big AD user/groups databases.

Have a look at this and related parameters in samba installation path/swat/help/manpages/smb.conf.5.html

Oliver Weinmann wrote:

It's the latest stable.

    # smbd -V
    Version 3.0.28a

    [global]
    netbios name = rose8
    realm = VEGAGROUP.NET
    workgroup = VEGA
    security = ADS
    encrypt passwords = yes
    password server = *
    os level = 20
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    idmap uid = 1100-20
    idmap gid = 1100-20
    idmap backend = rid:VEGA=1100-20
    allow trusted domains = no
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/sh
    preferred master = no
    winbind nested groups = Yes
    winbind use default domain = Yes
    #winbind separator = +
    #winbind normalize names = yes
    log level = 10
    max log size = 50
    log file = /var/log/samba/log.%m
    dns proxy = no
    wins server = 172.20.205.1
    allow trusted domains = No
    client use spnego = Yes
    use kerberos keytab = true
    winbind offline logon = yes

I really appreciate your big effort. Thanks!

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

Which samba version do you use?

Please post the global configuration section of smb.conf.

Oliver Weinmann wrote:

Here could be a problem. I could not change our win 2k3 schema. They were afraid it could break something... tsss. So I had to use the idmap_rid module. Which does a good job actually. It uses the last portion of the AD user's SID and adds it to a base set in smb.conf.
Re: [Samba] Strange behaviour of winbind on solaris 8
I wonder why oweinmann is member of the group staff. Maybe there is an entry for oweinmann in /etc/passwd? So I'm running out of ideas :-( Maybe someone out there can take over. Good luck and report back what you have found.

Oliver Weinmann wrote:

I changed both groups and users to no. Still no difference. Another strange thing I came across, as user oweinmann:

$ id
uid=11611(oweinmann) gid=1613(domain users)
$ id -a oweinmann
uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
$ id -a

Why is the id -a oweinmann working as user oweinmann but not id -a?

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

Please try to set combinations of winbind enum groups = No and test again. This could be the reason why getent groups never ends. This is known to be a problem with big AD user/groups databases. Have a look at this and related parameters in samba installation path/swat/help/manpages/smb.conf.5.html

Oliver Weinmann wrote:

It's the latest stable.

# smbd -V
Version 3.0.28a

[global]
netbios name = rose8
realm = VEGAGROUP.NET
workgroup = VEGA
security = ADS
encrypt passwords = yes
password server = *
os level = 20
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 1100-20
idmap gid = 1100-20
idmap backend = rid:VEGA=1100-20
allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/sh
preferred master = no
winbind nested groups = Yes
winbind use default domain = Yes
#winbind separator = +
#winbind normalize names = yes
log level = 10
max log size = 50
log file = /var/log/samba/log.%m
dns proxy = no
wins server = 172.20.205.1
allow trusted domains = No
client use spnego = Yes
use kerberos keytab = true
winbind offline logon = yes

I really appreciate your big effort. Thanks!

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

Which samba version do you use? Please post the global configuration section of smb.conf.

Oliver Weinmann wrote:

Here could be a problem. I could not change our win 2k3 schema. They were afraid it could break something... tsss. So I had to use the idmap_rid module. Which does a good job actually. It uses the last portion of the AD user's SID and adds it to a base set in smb.conf. I issued your commands:

bash-2.03# getent passwd | grep oweinmann
oweinmann2:*:15042:1613:Oliver Weinmann2:/home/oweinmann2:/bin/sh
oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh
oweinmann1:*:15041:1613:Oliver Weinmann1:/home/oweinmann1:/bin/sh
bash-2.03# id -a oweinmann
uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
bash-2.03# su oweinmann
$ id
uid=11611(oweinmann) gid=1613(domain users)
$ id -a

The id -a as user oweinmann seems to get stuck. It just sits there. I noticed when issuing groups oweinmann as root it also gets stuck. On some users the groups command seems to be working, on some others it doesn't.

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

We have several installations where we use the two different AD schema extensions (SFU from Windows Services for Unix and rfc2307bis from Windows Server 2003R2) to put the needed information in. We are using the idmap_ad module to map the uid, gid, home etc. information from the AD. The local users and the AD users are completely separated. We do not mix up local users and AD users.

The first basic test if the AD user information retrieval is working is to use the getent command:

getent passwd someADUser

So for a test user account I get:

korund{root}[/]: getent passwd testuser
testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh

If this works the first step is done. The second test is to get all related information for one user:

korund{root}[/]: id -a testuser
uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib)

The third test is to su - testuser and again try
Re: [Samba] RE: Samba 3.0.28a under Solaris 8 + libnss_winbind.so problem?
Hi,

does your /etc/nsswitch.conf contain the winbind name service modules? This should look like this:

passwd: files winbind
group: files winbind

Oliver Weinmann wrote:

Hi,

I'm really lost with this problem. Here is my /etc/pam.conf, maybe someone can help me, the system still keeps kicking me out of telnet and local console. id and group commands are now working, group is not working on every user.

#
#ident @(#)pam.conf 1.14 99/09/16 SMI
#
# Copyright (c) 1996-1999, Sun Microsystems, Inc.
# All Rights Reserved.
#
# PAM configuration
#
# Authentication management
#
login auth required /usr/lib/security/pam_winbind.so
login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
#
rlogin auth sufficient /usr/lib/security/pam_winbind.so
rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
#
dtlogin auth sufficient /usr/lib/security/pam_winbind.so
dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
#
rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other auth sufficient /usr/lib/security/pam_winbind.so
other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
#
# Account management
#
login account sufficient /usr/lib/security/pam_winbind.so
login account requisite /usr/lib/security/$ISA/pam_roles.so.1
login account required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin account sufficient /usr/lib/security/pam_winbind.so
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
#
other account sufficient /usr/lib/security/pam_winbind.so
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
other session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
#other password sufficient /usr/lib/security/pam_winbind.so
other password required /usr/lib/security/$ISA/pam_unix.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other session optional /usr/lib/security/$ISA/pam_krb5.so.1
#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass

-Original Message-
From: Oliver Weinmann
Sent: 04 April 2008 19:34
To: samba@lists.samba.org
Subject: Samba 3.0.28a under Solaris 8 + libnss_winbind.so problem?

Hi,

I compiled Samba 3.0.28a under Solaris 8 (sparc). Everything seems to be fine except the libnss_winbind.so. I copied it to /usr/lib and linked it to:

libnss_winbind.so.1
libnss_winbind.so.2
nss_winbind.so.1
nss_winbind.so.1

Now when I type:

id user

nothing happens. The same goes for group user. wbinfo -t / -g / -u all work fine. So it must be something with the nss I guess?

But it's getting even more strange. After a reboot I can now use id, group still doesn't work and my telnet and login session get disconnected after a few minutes. If I change the /etc/pam.conf back to normal I don't get disconnected.

Any ideas where I could look for debugging information?

Oliver Weinmann
Unix/Linux Administrator
VEGA IT GmbH
Europaplatz 5
D-64293 Darmstadt
Germany
Tel : +49 (0) 6151 8257 744
Fax : +49 (0)6151 8257-799
Email : [EMAIL PROTECTED]
Web : www.vega-group.com

--
Best regards
Dietrich Streifert
--
Visionet GmbH
Registered office: Am Weichselgarten 7, 91058 Erlangen
Register court: Commercial Register Fürth, HRB 6573
Managing director: Stefan Lindner
[Samba] Release timeframe for 3.0.26?
Hello List,

Does anyone know when samba 3.0.26 will be available? I reviewed the last patches to idmap_ad.c and found the checkin of Günther which enables support for the SFU 2.0 schema.

Thank you for any info. Best regards.

--
Best regards
Dietrich Streifert
--
Visionet GmbH
Registered office: Am Weichselgarten 7, 91058 Erlangen
Register court: Commercial Register Fürth, HRB 6573
Managing director: Stefan Lindner
Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch
Maybe it's because some default values for winbind settings have changed. The release notes say:

winbind enum users      Changed default   No
winbind enum groups     Changed default   No
winbind nested groups   Changed default   Yes

Howard Wilkinson wrote:

I have managed to isolate where the problem is, now I need to work out what the problem is? I have a group

cohtech:*:16777225:lesley,howard,ecbull

in which I am a member - howard. I have a valid users = +cohtech entry in smb.conf for the share I am trying to connect to, I get the following reported in the machine.log file - zebra.log:

string_to_sid: Sid +cohtech does not start with 'S-'.

and the users get rejected. If I declare the user directly then access is allowed. This server gets its group database from the AD controllers via RFC2307. Anybody know why group expansion may be broken in 3.0.23?

Howard Wilkinson wrote:

No I already had this turned on!

Gautier, B (Bob) wrote:

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Howard Wilkinson
Sent: 18 July 2006 11:50
To: samba@lists.samba.org
Subject: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

I have upgraded one of my servers from a 3.0.22 implementation using the rfc2307 patch I supplied some months ago to the 3.0.23 release. I am now getting some unexplained failures and would like some pointers as to where to start looking.

The rfc2307 schema compatibility in the 'official' 3.0.23 version has to be turned on in smb.conf with winbind nss info = rfc2307 -- that might be something your older code did automatically.

Bob G

--
Best regards
Dietrich Streifert
Visionet GmbH
Re: [Samba] Samba 3.0.23 winbind use default domain = yes behaviour
Hi John,

this is already filed as a bug: https://bugzilla.samba.org/show_bug.cgi?id=3920 and Jerry is working on it. I've attached an unofficial, not supported patch against release 3.0.23 of nsswitch/winbindd_group.c which reverted the change and worked for me.

John wrote:

Hello list,

I encountered a problem in Samba 3.0.23 regarding the winbind use default domain = yes behaviour. It only works for the users and NOT anymore for the group. So this makes getent group show NETBIOSDOMAINNAME/group, which causes my squid configuration to fail. My squid configuration allowed access based on the AD groups, which are provided by winbindd.

Tested distribution: SuSE 9.0, CentOS 4.3
Samba build: Sernet 3.0.23

Is this a bug or is this by design? Does anybody know a way to get getent group to honour the winbind use default domain = yes option?

Regards, John
The Netherlands.

--
Best regards
Dietrich Streifert
Visionet GmbH

--- samba-3.0.23.orig/source/nsswitch/winbindd_group.c Fri Jun 23 15:16:50 2006 +++ samba-3.0.23/source/nsswitch/winbindd_group.c Thu Jul 13 10:34:06 2006 @@ -42,7 +42,7 @@ { fstring full_group_name; - fill_domain_username( full_group_name, dom_name, gr_name, False); + fill_domain_username( full_group_name, dom_name, gr_name, True); gr-gr_gid = unix_gid; @@ -146,7 +146,7 @@ /* Append domain name */ - fill_domain_username(name, domain-name, the_name, False); + fill_domain_username(name, domain-name, the_name, True); len = strlen(name); @@ -752,7 +752,7 @@ /* Fill in group entry */ fill_domain_username(domain_group_name, ent-domain_name, -name_list[ent-sam_entry_index].acct_name, False); +name_list[ent-sam_entry_index].acct_name, True); result = fill_grent(group_list[group_list_ndx], ent-domain_name, 
@@ -929,7 +929,7 @@ groups.sam_entries)[i].acct_name; fstring name; - fill_domain_username(name, domain-name, group_name, False); + fill_domain_username(name, domain-name, group_name, True); /* Append to extra data */ memcpy(extra_data[extra_data_len], name, strlen(name));
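Review bot: All four call sites changed here (the hunks at lines 42, 146, 752 and 929 of winbindd_group.c) pass a bare True/False literal as the last argument of fill_domain_username(), so nothing at the call site says that this flag is what decides whether a group name is returned with or without the domain prefix when winbind use default domain is set. A one-line comment at each site, or one small wrapper shared by the four group paths, would keep them from drifting apart again. Because the patch reverts the 3.0.23 behaviour wholesale, its description should also say why the flag was False for groups and what happens when an unqualified domain group name matches a group from the files source in nsswitch.conf: consumers that authorize on group names, such as the squid ACLs in the report, would then see a single name for both.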
[Samba] Re: samba-3.0.22 - samba-3.0.23 pam_winbind issue(s)
I found a bug in nsswitch/pam_winbind.c which I reported to https://bugzilla.samba.org/show_bug.cgi?id=3916

I shortly submitted a patch which solves the issue.

In _pam_parse (pam_winbind.c) there are two for statements which consume the parameters argc and argv. The first loop decrements argc and increments argv while trying to find out if a config file argument is given to pam_winbind. The second for statement, which does the usual loop through argv, assumes that argc and argv are at initial state so, in best case the loop is never entered and parameters like use_first_pass are not recognized.

The patch can be found here: https://bugzilla.samba.org/attachment.cgi?id=2030

Please report if this

Gerald (Jerry) Carter wrote:

> Rex Dieter wrote:
>
> After upgrading to 3.0.23
> * I needed to add idmap options (I used idmap
> backend = rid), else winbind would only start in netlogon
> proxy mode, and basically, didn't work. ):
>
> What do you mean by wouldn't work? Wouldn't return
> users? That is to be expected.

Nothing worked. In particular, authentication no longer functioned as it did before the upgrade. Like I said, no biggie. EASYFIX. Since, as you said, it probably shouldn't have worked in that configuration before.

> * login/authentication attempts now (most often)
> ask for a password *twice*. ??
>
> Known issue. We're working on it.
> https://bugzilla.samba.org/show_bug.cgi?id=3916

Thanks.

--
Best regards
Dietrich Streifert
Visionet GmbH
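The argument-parsing defect described in the message above, reduced to a stand-alone C program beside a corrected form. This is an added example, not the Samba source and not the patch attached to bug 3916; the function names, the flag bits, the `debug` option and the `config=` spelling are assumptions made for illustration, and the argument list is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Flag bits are illustrative, not the values pam_winbind uses. */
#define OPT_DEBUG          0x01u
#define OPT_USE_FIRST_PASS 0x02u
#define OPT_TRY_FIRST_PASS 0x04u

/* Map one module argument to its flag bit; 0 means "not an option flag". */
static unsigned int flag_for(const char *arg)
{
    if (strcmp(arg, "debug") == 0)          return OPT_DEBUG;
    if (strcmp(arg, "use_first_pass") == 0) return OPT_USE_FIRST_PASS;
    if (strcmp(arg, "try_first_pass") == 0) return OPT_TRY_FIRST_PASS;
    return 0;
}

/* Defective shape: the config scan walks argc/argv themselves, so the
 * option loop starts with argc already used up and never runs. */
unsigned int parse_consuming(int argc, const char **argv, const char **config)
{
    unsigned int flags = 0;

    *config = NULL;
    for (; argc-- > 0; ++argv)              /* pass 1: find config file */
        if (strncmp(*argv, "config=", 7) == 0)
            *config = *argv + 7;
    for (; argc-- > 0; ++argv)              /* pass 2: argc is now -1 */
        flags |= flag_for(*argv);
    return flags;
}

/* Corrected shape: each pass iterates over its own copies. */
unsigned int parse_fixed(int argc, const char **argv, const char **config)
{
    unsigned int flags = 0;
    const char **v;
    int i;

    *config = NULL;
    for (i = argc, v = argv; i-- > 0; ++v)
        if (strncmp(*v, "config=", 7) == 0)
            *config = *v + 7;
    for (i = argc, v = argv; i-- > 0; ++v)
        flags |= flag_for(*v);
    return flags;
}

/* Options the defective parser silently drops for a given argument list. */
unsigned int dropped_flags(int argc, const char **argv)
{
    const char *cfg;
    return parse_fixed(argc, argv, &cfg) & ~parse_consuming(argc, argv, &cfg);
}

int main(void)
{
    /* Constructed module arguments, as they would follow the module path
     * on a pam.conf line. */
    const char *args[] = { "use_first_pass", "debug",
                           "config=/path/to/pam_winbind.conf" };
    const char *cfg = NULL;
    unsigned int bad  = parse_consuming(3, args, &cfg);
    unsigned int good = parse_fixed(3, args, &cfg);

    printf("config file : %s\n", cfg ? cfg : "(none)");
    printf("consuming   : 0x%02x\n", bad);
    printf("fixed       : 0x%02x\n", good);
    printf("dropped     : 0x%02x\n", dropped_flags(3, args));
    return 0;
}
```

A non-zero `dropped_flags` result for an argument list is the condition to guard with a regression test whenever a PAM module scans its arguments in more than one pass.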
[Samba] documentation of pam_winbind.conf in samba-3.0.23
Hello List,

is there any documentation of pam_winbind.conf for pam_winbind.so in samba-3.0.23? Especially what value is necessary for krb5_ccache_type to create a ticket file for the user in /tmp?

Thank you for your help.

--
Best regards
Dietrich Streifert
Visionet GmbH
Re[2]: [Samba] RE: SPAM
Fortunately my ISP has a firewall which blocks the virus attachments from most spam messages I get since I subscribed for AND mailed to the samba list. But there are about 100 to 150 messages a day reaching my mailbox.

The simplest way to catch all the email addresses of the list is to become member of the mailing list and run a simple filter to collect all the email addresses. And then: happy spamming!

The other possibility is that some users have infected systems which send spam to all email addresses found in their inbox. I don't think the postmasters of the samba list can do anything about it.

I will unsubscribe from the list after this message. Let's see if the spam rate goes down.

Bye

--
Best Regards,
Dietrich Streifert
[Samba] Samba 3.0.0 ADS Member: How do I browse or connect as Domain Administrator
Hello List!

I successfully installed, configured and joined Samba 3.0.0 on Solaris 9 to Windows 2000 Active Directory.

In samba 2.2.7 I used to set a mapping from Administrator to root with username map and then put a local password with smbpasswd -a root. After this Administrator could browse and connect to samba shares as user root.

In samba 3.0.0 this does not work anymore. For some reason the username map file is not read or the mapping is not done. log.smbd shows the output as attached.

How is this done in samba 3.0.0 in general or especially with security = ADS?

Any help would be great. Thank you.

log.smbd
---
[2003/10/08 11:19:00, 0] smbd/server.c:main(747)
  smbd version 3.0.0 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2003
[2003/10/08 11:19:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
  Username Administrator is invalid on this system
[2003/10/08 11:19:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
  Username Administrator is invalid on this system
---

smb.conf:
---
# Samba config file created using SWAT
# from 192.168.0.2 (192.168.0.2)
# Date: 2003/10/08 10:28:36

# Global parameters
[global]
unix charset = ISO-8859-1
workgroup = EDELSTEIN
realm = EDELSTEIN.DE
security = ADS
wins server = 192.168.0.23
create mask = 0740
directory mask = 0750
username map = /opt/samba/private/username.map

[homes]
comment = Homedirectory
read only = No

[development]
comment = Development
path = /development
read only = No
---

username.map:
---
root = Administrator
---

--
Best Regards,
Dietrich Streifert [EMAIL PROTECTED]
[Samba] Samba 3.0.0: option admin user not working in smb.conf?
Hello List!

I successfully installed, configured and joined Samba 3.0.0 on Solaris 9 to Windows 2000 Active Directory.

I tried to set the option admin user in smb.conf to user (ingres). After doing so the user isn't able to connect or browse to the Samba server anymore. Without this option the user just connects fine and is able to browse the Samba server.

The goal is to have the user connect with root privileges to the Samba share.

Any help would be great. Thank you.

log.smbd
---
smbd version 3.0.0 started.
Copyright Andrew Tridgell and the Samba Team 1992-2003
[2003/10/08 11:27:52, 1] lib/username.c:map_username(106)
  # Username Mapfile /opt/samba/private/username.map for user
[2003/10/08 11:27:52, 1] lib/username.c:map_username(106)
  # Username Mapfile /opt/samba/private/username.map for user ingres
[2003/10/08 11:27:52, 0] smbd/service.c:set_admin_user(314)
  ingres logged in as admin user (root privileges)
[2003/10/08 11:27:52, 0] smbd/service.c:make_connection_snum(569)
  make_connection: connection to development denied due to security descriptor.
---

smb.conf:
---
# Samba config file created using SWAT
# from 192.168.0.2 (192.168.0.2)
# Date: 2003/10/08 10:28:36

# Global parameters
[global]
unix charset = ISO-8859-1
workgroup = EDELSTEIN
realm = EDELSTEIN.DE
security = ADS
wins server = 192.168.0.23
create mask = 0740
directory mask = 0750
username map = /opt/samba/private/username.map

[homes]
comment = Homedirectory
read only = No

[development]
comment = Development
path = /development
read only = No
admin users = ingres
---

--
Best Regards,
Dietrich Streifert [EMAIL PROTECTED]