Re: [Samba] nss_winbind / offline logon
Steve Rippl wrote:
> On Fri, 2009-10-16 at 14:37 +0300, Petteri Heinonen wrote:
>> Hello list users,
>>
>> I have been struggling to make my AD integrated Debian Lenny box to work fluently also when network connectivity is down. What I would like to achieve:
>>
>> 1) When no network is available, local users should still work normally
>> 2) If possible, AD located users should still be able to login if they have previously logged in successfully (cached login)
>>
>> Number 2 is more like optional, but number 1 would be very much needed. However, it seems that winbind somehow blocks the login process for local accounts too if it is not able to get a network connection to AD during system boot. These are the relevant lines in my nsswitch.conf:
>>
>>     passwd: files winbind
>>     group:  files winbind
>>     shadow: files
>
> I think this does what you want, allowing local accounts to still function...
>
>     passwd: compat [!NOTFOUND=return] winbind
>     group:  compat winbind
>     shadow: compat

Thanks Steve, but it didn't help. I have tried several combinations of NOTFOUND and SUCCESS etc. here. Also, this is what the man page of nsswitch.conf says:

    success   No error occurred and the wanted entry is returned.
              The default action for this is 'return'.

So when the user is found locally, the default action should anyway be 'return', that is, NOT to continue to the winbind module. That is exactly the problem I'm having; why does nsswitch continue to query anything from winbind when the user is already found in the local database?

-Petteri

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
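Added example, not code from the thread or from Samba: a small Python parser for the nsswitch.conf action syntax Steve and Petteri are discussing ([!NOTFOUND=return] and the default actions from nsswitch.conf(5)), plus a walk of a single lookup that shows which services a query reaches depending on the status each one reports. It models the per-service action table only, and the two sample configurations are constructed from the lines quoted above.

```python
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
# Defaults from nsswitch.conf(5): only a successful lookup stops the walk.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}
# A token is either a bracketed action block or a bare service name.
TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")


def parse_line(line):
    """Parse one 'db: svc [STATUS=ACTION ...] svc ...' line (comments already
    stripped) into (db, [(service, {status: action}), ...])."""
    db, _, rest = line.partition(":")
    services = []
    for bracket, word in TOKEN.findall(rest):
        if word:
            services.append((word, dict(DEFAULT_ACTIONS)))
            continue
        if not services:
            raise ValueError("action block before any service: %r" % line)
        actions = services[-1][1]  # a block applies to the service before it
        for spec in bracket.split():
            status, _, action = spec.lower().partition("=")
            negate = status.startswith("!")  # [!STATUS=ACTION]: all statuses but this one
            status = status.lstrip("!")
            if status not in STATUSES or action not in ("return", "continue", "merge"):
                raise ValueError("bad action spec %r in %r" % (spec, line))
            for s in ([x for x in STATUSES if x != status] if negate else [status]):
                actions[s] = action
    return db.strip(), services


def parse_nsswitch(text):
    """Parse an nsswitch.conf body into {database: [(service, actions), ...]}."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            db, services = parse_line(line)
            dbs[db] = services
    return dbs


def lookup_path(services, results):
    """Walk the services of one database for a single lookup. `results` maps a
    service name to the status it would report (missing means 'notfound').
    Returns the services consulted before the walk stops; 'merge' counts as
    'continue' here, since only 'return' ends the walk."""
    consulted = []
    for name, actions in services:
        consulted.append(name)
        if actions[results.get(name, "notfound")] == "return":
            break
    return consulted


# Constructed sample input: Petteri's original lines and Steve's suggestion.
ORIGINAL = "passwd: files winbind\ngroup:  files winbind\nshadow: files\n"
SUGGESTED = ("passwd: compat [!NOTFOUND=return] winbind\n"
             "group:  compat winbind\nshadow: compat\n")

if __name__ == "__main__":
    for text in (ORIGINAL, SUGGESTED):
        passwd = parse_nsswitch(text)["passwd"]
        first = passwd[0][0]
        print("%-7s user found locally -> %s; unknown user -> %s"
              % (first, lookup_path(passwd, {first: "success"}), lookup_path(passwd, {})))
```

In this model a user found by files or compat never reaches winbind under either configuration, which is the point Petteri draws from the man page; what [!NOTFOUND=return] changes is that an unavailable or retrying first service also stops the walk instead of falling through to winbind.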
Re: [Samba] nss_winbind / offline logon
James Zuelow wrote:
> James Zuelow
> Network Specialist
> City and Borough of Juneau MIS
> (907)586-0236
>
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Petteri Heinonen
> Sent: Friday, 16 October, 2009 03:37
> To: samba@lists.samba.org
> Subject: [Samba] nss_winbind / offline logon
>
>> Hello list users,
>>
>> I have been struggling to make my AD integrated Debian Lenny box to work fluently also when network connectivity is down. What I would like to achieve:
>>
>> 1) When no network is available, local users should still work normally
>> 2) If possible, AD located users should still be able to login if they have previously logged in successfully (cached login)
>>
>> Number 2 is more like optional, but number 1 would be very much needed. However, it seems that winbind somehow blocks the login process for local accounts too if it is not able to get a network connection to AD during system boot. These are the relevant lines in my nsswitch.conf:
>>
>>     passwd: files winbind
>>     group:  files winbind
>>     shadow: files
>>
>> Now, I would think that with this configuration, no matter what the status of the winbindd daemon is, local users like root should be able to login. But that is not the case here. The login hangs for about 5 minutes, and after that it succeeds. If I remove winbind from nsswitch.conf or configure the init system so that winbindd is not started up during boot, then logins for local accounts go through normally.
>>
>> a) make nsswitch understand that I do not want it to query anything from winbind if the user is found in local files
>> b) make winbind somehow responsive also in the situation where it has to start up without a network connection
>>
>> Any help or pointers would be greatly appreciated.
>
> So for goal number 1, local user logins (hopefully without a 5 minute pause), I would check your PAM configuration. The first thing to look at is to make sure that pam_winbind.so is set up as sufficient, and not required.
>
> If it is sufficient and your pam is set up like this:
>
>     auth sufficient pam_winbind.so
>     auth sufficient pam_unix.so use_first_pass
>
> What happens if you swap places, so that pam_unix comes before pam_winbind?
>
> I no longer have a system set up for AD account logins, so I can't test. This is from memory when I had a laptop (Debian Lenny even) that would do AD account logins, but it would always allow local account logins when the network was disconnected without a long pause.
>
> HTH!
> James

Hi James.

I have at least somehow ruled out PAM as the source of this problem. As I explained, removing/adding winbind in nsswitch.conf has a direct relation to the functionality: if winbind is in nsswitch.conf, logins take forever. If winbind is not listed in nsswitch.conf, logins of local users are fast as normal. But anyway, here are the relevant parts of my pam config:

    auth     sufficient pam_unix.so nullok_secure
    auth     sufficient pam_krb5.so debug minimum_uid=1 use_first_pass
    auth     required   pam_deny.so
    account  sufficient pam_unix.so
    account  sufficient pam_krb5.so debug minimum_uid=1
    account  required   pam_deny.so
    session  optional   pam_unix.so
    session  optional   pam_krb5.so debug minimum_uid=1
    session  required   pam_mkhomedir.so umask=0022 skel=/etc/skel

I have also tried with the PAM winbind module instead of krb5. That does not change the behavior.

Here is also my smb.conf in case someone notices something being wrong there. Although I really think that it should not matter what the winbind config is in this case; nss_winbind should return something in reasonable time whatever the winbind/samba config is. Offline logon and refresh tickets have been disabled there, as they are only related to the PAM winbind module, which is not in use currently.

    [global]
    workgroup = COMPANY
    netbios name = SMBTR01
    domain master = no
    local master = no
    preferred master = no
    server string =
    wins support = no
    wins server = dc1-fi.company.com
    dns proxy = no
    realm = COMPANY.COM
    security = ads
    encrypt passwords = yes
    password server = dc1-fi.company.com
    use kerberos keytab = yes
    client use spnego = yes

    # logging
    log level = 2
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0

    # disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    show add printer wizard = no
    disable spoolss = yes

    # winbind
    #winbind separator = \
    winbind use default domain = yes
    idmap uid = 1-2
    idmap gid = 1-2
    idmap backend = ldap:ldaps://ldaptr01.company.com:636
    idmap cache time = 300
    idmap negative cache time = 300
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind cache time = 300
    winbind normalize names = yes
    #winbind offline logon = yes
    #winbind refresh tickets = yes
    ldap suffix = dc=company,dc=com
    ldap admin dn = cn=admin,dc=company,dc=com
[Samba] nss_winbind / offline logon
Hello list users,

I have been struggling to make my AD integrated Debian Lenny box to work fluently also when network connectivity is down. What I would like to achieve:

1) When no network is available, local users should still work normally
2) If possible, AD located users should still be able to login if they have previously logged in successfully (cached login)

Number 2 is more like optional, but number 1 would be very much needed. However, it seems that winbind somehow blocks the login process for local accounts too if it is not able to get a network connection to AD during system boot. These are the relevant lines in my nsswitch.conf:

    passwd: files winbind
    group:  files winbind
    shadow: files

Now, I would think that with this configuration, no matter what the status of the winbindd daemon is, local users like root should be able to login. But that is not the case here. The login hangs for about 5 minutes, and after that it succeeds. If I remove winbind from nsswitch.conf or configure the init system so that winbindd is not started up during boot, then logins for local accounts go through normally.

Currently I use pam_krb5 for authentication, but I have also tried with pam_winbind. This does not affect the outcome; logins for local users are very slow when the machine is not in the network, no matter what the pam configuration is. Nsswitch seems to be the culprit here; for some reason it wants to query winbind even though the user in question is local. And on the other hand, winbindd seems to be in an unresponsive state after startup if it does have connection to AD. Some logs in winbind.log which might be related to this:

    [2009/10/16 14:32:16, 0] winbindd/winbindd_dual.c:async_request_timeout_handler(182)
      async_request_timeout_handler: child pid 2418 is not responding. Closing connection to it.
    [2009/10/16 14:32:16, 1] winbindd/winbindd_util.c:trustdom_recv(260)
      Could not receive trustdoms

When the machine is online and winbindd is able to open connections to AD, everything works ok. So I believe that the winbind configuration should be ok also. Samba/Winbind version used is 3.2.5.

Any clues how to
a) make nsswitch understand that I do not want it to query anything from winbind if the user is found in local files
b) make winbind somehow responsive also in the situation where it has to start up without a network connection

Any help or pointers would be greatly appreciated.

Regards,
Petteri Heinonen
[Samba] OpenLDAP compatible AD schema
Hello list users,

I've been trying to set up a translucent OpenLDAP proxy to provide access for our company's Linux hosts to Active Directory data. A translucent proxy is needed as I need to transparently add Linux specific attributes (such as home directory, default shell etc.) to AD provided data. However, to accomplish that, I would need an OpenLDAP compatible LDAP schema of Active Directory. I noticed that Samba 4 actually has an AD schema (files MS-AD_Schema_2K8_Attributes.txt and MS-AD_Schema_2K8_Classes.txt), but it is in a format not understood by OpenLDAP. Is there an OpenLDAP compatible AD schema available anywhere, or could this AD schema provided with Samba 4 be somehow converted to be OpenLDAP compatible?

Regards,
Petteri Heinonen
[Samba] Internal Error Signal 11 (Samba 3.2.3)
Hello list users.

In my journey to the world of Linux/Windows interoperability, I have now almost reached my goal to successfully authenticate Linux users using Windows Server 2003 SP2. The (hopefully) last obstacle is that "wbinfo -i " causes the following error to be produced in the log.wb- file (consequently, logins are failing also of course). Samba version is 3.2.3. Used config and log file below. Any help would be much appreciated. With some help, I guess I should also be able to use gdb to further study the coredump, if that's what is needed.

-Regards,
Petteri Heinonen

Config:

    [global]
    # general part
    security = ADS
    interfaces = eth0
    realm = DOMAIN.FI
    workgroup = DOMAIN
    netbios name = PJHVMWARE1
    domain master = no
    local master = no
    preferred master = no
    server string = %h
    encrypt passwords = yes
    wins support = no
    wins server = ad3.domain.fi
    use kerberos keytab = yes
    password server = ad3.domain.fi

    # logging
    log level = 10
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0

    # disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    show add printer wizard = no
    disable spoolss = yes

    # winbind config
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind offline logon = no
    winbind separator = +
    winbind nss info = sfu
    winbind cache time = 60
    idmap backend = ad
    idmap domains = DOMAIN
    idmap uid = 1-5
    idmap gid = 1-5
    idmap config DOMAIN:schema_mode = sfu
    idmap config DOMAIN:readonly = yes
    idmap config DOMAIN:backend = ad
    template shell = /bin/bash
    template homedir = /home/%D/%U
    client use spnego = yes

Log:

    [2009/03/23 21:06:34, 10] libads/ldap_schema.c:ads_check_posix_schema_mapping(263)
      ads_check_posix_schema_mapping for schema mode: 1
    [2009/03/23 21:06:34, 5] libads/ldap_utils.c:ads_do_search_retry_internal(64)
      Search for (|(attributeId=1.2.840.113556.1.6.18.1.310)(attributeId=1.2.840.113556.1.6.18.1.311)(attributeId=1.2.840.113556.1.6.18.1.344)(attributeId=1.2.840.113556.1.6.18.1.312)(attributeId=1.2.840.113556.1.6.18.1.337)) in  gave 5 replies
      OID 1.2.840.113556.1.6.18.1.310 has name: msSFU30UidNumber
      OID 1.2.840.113556.1.6.18.1.311 has name: msSFU30GidNumber
      OID 1.2.840.113556.1.6.18.1.312 has name: msSFU30LoginShell
      OID 1.2.840.113556.1.6.18.1.337 has name: msSFU30Gecos
      OID 1.2.840.113556.1.6.18.1.344 has name: msSFU30HomeDirectory
    [2009/03/23 21:06:34, 0] lib/fault.c:fault_report(40)
      ===
    [2009/03/23 21:06:34, 0] lib/fault.c:fault_report(41)
      INTERNAL ERROR: Signal 11 in pid 9215 (3.2.3)
      Please read the Trouble-Shooting section of the Samba3-HOWTO
    [2009/03/23 21:06:34, 0] lib/fault.c:fault_report(43)
      From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
    [2009/03/23 21:06:34, 0] lib/fault.c:fault_report(44)
      ===
    [2009/03/23 21:06:34, 0] lib/util.c:smb_panic(1663)
      PANIC (pid 9215): internal error
    [2009/03/23 21:06:34, 0] lib/util.c:log_stack_trace(1767)
      BACKTRACE: 19 stack frames:
       #0 /usr/sbin/winbindd(log_stack_trace+0x2d) [0xb7d6963c]
       #1 /usr/sbin/winbindd(smb_panic+0x80) [0xb7d69799]
       #2 /usr/sbin/winbindd [0xb7d56e23]
       #3 [0xb7c78400]
       #4 /usr/lib/samba/nss_info/sfu.so [0xb75d0884]
       #5 /usr/sbin/winbindd(nss_get_info+0x194) [0xb7ecf1d2]
       #6 /usr/sbin/winbindd(nss_get_info_cached+0x20a) [0xb7cdc30c]
       #7 /usr/sbin/winbindd [0xb7cf3080]
       #8 /usr/sbin/winbindd [0xb7cda77d]
       #9 /usr/sbin/winbindd(winbindd_dual_userinfo+0x15f) [0xb7ccb5df]
       #10 /usr/sbin/winbindd [0xb7cf8247]
       #11 /usr/sbin/winbindd [0xb7cf842d]
       #12 /usr/sbin/winbindd(async_request+0x18b) [0xb7cf8db5]
       #13 /usr/sbin/winbindd(async_domain_request+0x57) [0xb7cf8f50]
       #14 /usr/sbin/winbindd [0xb7cd2979]
       #15 /usr/sbin/winbindd(rescan_trusted_domains+0x49) [0xb7cd2d33]
       #16 /usr/sbin/winbindd(main+0xd75) [0xb7cc8904]
       #17 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb795b685]
       #18 /usr/sbin/winbindd [0xb7cc6691]
    [2009/03/23 21:06:34, 0] lib/fault.c:dump_core(201)
      dumping core in /var/log/samba/cores/winbindd
RE: [Samba] Windows server 2003 SP2, SFU 3.5 and Samba 3.0.28
Ok, after examining the source code for a couple of hours, I found a solution. Added this in smb.conf:

    idmap config HOMELINUX:schema_mode = sfu

and now wbinfo -i works as expected. It seems that merely having this

    winbind nss info = sfu

in the config was not enough for idmap to start using the SFU schema.

-Petteri Heinonen

-Original Message-
From: samba-bounces+petteri.heinonen=sasken@lists.samba.org [mailto:samba-bounces+petteri.heinonen=sasken@lists.samba.org] On Behalf Of Petteri Heinonen
Sent: 21 March 2009 23:09
To: samba@lists.samba.org
Subject: [Samba] Windows server 2003 SP2, SFU 3.5 and Samba 3.0.28

> Hello list users,
>
> I have been struggling with the combination in the subject field for a couple of days now, so I decided to ask for some advice here. Hopefully someone can point me in the right direction.
>
> The ultimate goal for me is to authenticate users using AD, so that the UID/GID values configured for users with SFU would also be in use in all our Linux machines. My understanding is that using correctly configured winbind + pam + nsswitch should produce the desired result. I have been able to join a Linux box to our Windows server 2003 hosted domain, but getting user/group info out of AD seems to cause some trouble. I have been mostly experimenting with the wbinfo tool. Running "wbinfo -i someuser" results in "Could not get info for user someuser", with logs as below.
>
> One specific question which has been troubling me is what the value for winbind nss info should be. Googling has revealed that the two possibilities are "sfu" and "rfc2307". But I haven't been able to find any decent documentation about when sfu should be used and when rfc2307. Are these somehow related to what SFU version is in use at the AD side?
>
> - Regards,
> Petteri Heinonen
>
> log.winbindd:
>
>     [2009/03/21 22:59:04, 6] nsswitch/winbindd.c:new_connection(628)
>       accepted socket 18
>     [2009/03/21 22:59:04, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
>       [ 1876]: request interface version
>     [2009/03/21 22:59:04, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
>       [ 1876]: request location of privileged pipe
>     [2009/03/21 22:59:04, 6] nsswitch/winbindd.c:new_connection(628)
>       accepted socket 19
>     [2009/03/21 22:59:04, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
>       [ 1876]: getpwnam someuser
>     [2009/03/21 22:59:05, 5] nsswitch/winbindd_async.c:winbindd_sid2uid_recv(347)
>       sid2uid returned an error
>     [2009/03/21 22:59:05, 5] nsswitch/winbindd_user.c:getpwsid_sid2uid_recv(266)
>       Could not query uid for user DOMAIN\someuser
>
> log.winbindd-idmap:
>
>     [2009/03/21 22:59:04, 4] nsswitch/winbindd_dual.c:fork_domain_child(1065)
>       child daemon request 48
>     [2009/03/21 22:59:04, 3] nsswitch/winbindd_async.c:winbindd_dual_sid2uid(374)
>       [ 1862]: sid to uid S-1-5-21-2285760618-154678-830142390-7708
>     [2009/03/21 22:59:04, 7] nsswitch/idmap_ad.c:ad_idmap_cached_connection_internal(77)
>       Current tickets expire in 35425 seconds (at 1237704569, time is now 1237669144)
>     [2009/03/21 22:59:05, 5] libads/ldap_utils.c:ads_do_search_retry_internal(64)
>       Search for (|(attributeId=1.3.6.1.1.1.1.0)(attributeId=1.3.6.1.1.1.1.1)(attributeId=1.3.6.1.1.1.1.3)(attributeId=1.3.6.1.1.1.1.4)(attributeId=1.3.6.1.1.1.1.2)) in  gave 0 replies
>     [2009/03/21 22:59:05, 3] libads/ldap_schema.c:ads_check_posix_schema_mapping(243)
>       ads_check_posix_schema_mapping: failed NT_STATUS_NONE_MAPPED
>     [2009/03/21 22:59:05, 2] nsswitch/idmap_ad.c:ad_idmap_cached_connection(152)
>       ad_idmap_cached_connection: Failed to obtain schema details!
>     [2009/03/21 22:59:05, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(514)
>       ADS uninitialized
>     [2009/03/21 22:59:05, 2] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1163)
>       ERROR: NTSTATUS = 0xc001
>
> smb.conf:
>
>     [global]
>     # general part
>     security = ADS
>     interfaces = eth0
>     realm = DOMAIN.FI
>     workgroup = DOMAIN
>     netbios name = LUPUS
>     domain master = no
>     local master = no
>     preferred master = no
>     server string = %h
>     encrypt passwords = yes
>     wins support = no
>     wins server = ad1.domain.fi
>     use kerberos keytab = yes
>     password server = ad1.domain.fi
>
>     # logging
>     log level = 8
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     syslog = 0
>
>     # disable printing
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     show add printer wizard = no
>     disable spoolss = yes
>
>     #winbind
>     winbind enum users = no
>     winbind enum groups = no
>     winbind use default domain = yes
>     winbind nested groups = yes
>     winbind separator = +
>     winbind nss info = rfc2307
>     winbind cache time = 120
>     idmap backend = ad
>     idmap uid = 2000-2
>     idmap gid = 2000-2
>     template shell = /bin/bash
>     template homedir = /home/%D/%U
>     client use spnego = yes
[Samba] Windows server 2003 SP2, SFU 3.5 and Samba 3.0.28
Hello list users,

I have been struggling with the combination in the subject field for a couple of days now, so I decided to ask for some advice here. Hopefully someone can point me in the right direction.

The ultimate goal for me is to authenticate users using AD, so that the UID/GID values configured for users with SFU would also be in use in all our Linux machines. My understanding is that using correctly configured winbind + pam + nsswitch should produce the desired result. I have been able to join a Linux box to our Windows server 2003 hosted domain, but getting user/group info out of AD seems to cause some trouble. I have been mostly experimenting with the wbinfo tool. Running "wbinfo -i someuser" results in "Could not get info for user someuser", with logs as below.

One specific question which has been troubling me is what the value for winbind nss info should be. Googling has revealed that the two possibilities are "sfu" and "rfc2307". But I haven't been able to find any decent documentation about when sfu should be used and when rfc2307. Are these somehow related to what SFU version is in use at the AD side?

- Regards,
Petteri Heinonen

log.winbindd:

    [2009/03/21 22:59:04, 6] nsswitch/winbindd.c:new_connection(628)
      accepted socket 18
    [2009/03/21 22:59:04, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
      [ 1876]: request interface version
    [2009/03/21 22:59:04, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
      [ 1876]: request location of privileged pipe
    [2009/03/21 22:59:04, 6] nsswitch/winbindd.c:new_connection(628)
      accepted socket 19
    [2009/03/21 22:59:04, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
      [ 1876]: getpwnam someuser
    [2009/03/21 22:59:05, 5] nsswitch/winbindd_async.c:winbindd_sid2uid_recv(347)
      sid2uid returned an error
    [2009/03/21 22:59:05, 5] nsswitch/winbindd_user.c:getpwsid_sid2uid_recv(266)
      Could not query uid for user DOMAIN\someuser

log.winbindd-idmap:

    [2009/03/21 22:59:04, 4] nsswitch/winbindd_dual.c:fork_domain_child(1065)
      child daemon request 48
    [2009/03/21 22:59:04, 3] nsswitch/winbindd_async.c:winbindd_dual_sid2uid(374)
      [ 1862]: sid to uid S-1-5-21-2285760618-154678-830142390-7708
    [2009/03/21 22:59:04, 7] nsswitch/idmap_ad.c:ad_idmap_cached_connection_internal(77)
      Current tickets expire in 35425 seconds (at 1237704569, time is now 1237669144)
    [2009/03/21 22:59:05, 5] libads/ldap_utils.c:ads_do_search_retry_internal(64)
      Search for (|(attributeId=1.3.6.1.1.1.1.0)(attributeId=1.3.6.1.1.1.1.1)(attributeId=1.3.6.1.1.1.1.3)(attributeId=1.3.6.1.1.1.1.4)(attributeId=1.3.6.1.1.1.1.2)) in  gave 0 replies
    [2009/03/21 22:59:05, 3] libads/ldap_schema.c:ads_check_posix_schema_mapping(243)
      ads_check_posix_schema_mapping: failed NT_STATUS_NONE_MAPPED
    [2009/03/21 22:59:05, 2] nsswitch/idmap_ad.c:ad_idmap_cached_connection(152)
      ad_idmap_cached_connection: Failed to obtain schema details!
    [2009/03/21 22:59:05, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(514)
      ADS uninitialized
    [2009/03/21 22:59:05, 2] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1163)
      ERROR: NTSTATUS = 0xc001

smb.conf:

    [global]
    # general part
    security = ADS
    interfaces = eth0
    realm = DOMAIN.FI
    workgroup = DOMAIN
    netbios name = LUPUS
    domain master = no
    local master = no
    preferred master = no
    server string = %h
    encrypt passwords = yes
    wins support = no
    wins server = ad1.domain.fi
    use kerberos keytab = yes
    password server = ad1.domain.fi

    # logging
    log level = 8
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0

    # disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    show add printer wizard = no
    disable spoolss = yes

    #winbind
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    winbind nested groups = yes
    winbind separator = +
    winbind nss info = rfc2307
    winbind cache time = 120
    idmap backend = ad
    idmap uid = 2000-2
    idmap gid = 2000-2
    template shell = /bin/bash
    template homedir = /home/%D/%U
    client use spnego = yes