RE: [Samba] winbind and Solaris 9 with AD
Hi, I have attached a pam.conf file for Solaris 9. I had to re-create the file. It has been tested for telnet,rlogin and ftp using winbind for 3.0.1 as a W2003 Server member. /Patrik On Mon, 2004-01-19 at 15:45, Ganguly, Sapan wrote: > Patrik, > > Hello! I have been waiting for you to get back, you may be able to help me. > I am having trouble making winbind work with Solaris 9. I was wondering if > you could post a copy of your pam.conf again so that I can double check that > I have a correct copy of it? > > The problem I am having is that when I try to log in with an NT username and > password the login process hangs after I put the password in. I don't know > why this happens because getent works. I decided to log what is going on in > PAM, here is what I got - > > Jan 14 13:29:55 sun001 pam_winbind[15352]: [ID 571141 auth.debug] > libpam_winbind:pam_sm_close_sessio > n handler > Jan 14 13:29:59 sun001 login: [ID 634615 auth.debug] > pam_authtok_get:pam_sm_authenticate: flags = 0 Jan 14 13:30:05 sun001 login: > [ID 378613 auth.debug] pam_dhkeys: user ganguly not found Jan 14 13:30:05 > sun001 login: [ID 896952 auth.debug] pam_unix_auth: entering > pam_sm_authenticate() Jan 14 13:30:05 sun001 login: [ID 219349 auth.debug] > pam_unix_auth: user ganguly not found Jan 14 13:30:05 sun001 > pam_winbind[15369]: [ID 572310 auth.info] Verify user `ganguly' Jan 14 > 13:30:05 sun001 pam_winbind[15369]: [ID 614614 auth.notice] user 'ganguly' > granted acces Jan 14 13:30:05 sun001 login[15369]: [ID 509786 auth.debug] > roles pam_sm_authenticate, service = tel net user = ganguly ruser = not set > rhost = 192.168.224.90 > > Thanks for any help you can offer! > > Sapan > > -Original Message- > From: Patrik Gustavsson [mailto:[EMAIL PROTECTED] > Sent: 19 January 2004 14:39 > To: Unix Service (ANTS) > Cc: '[EMAIL PROTECTED]' > Subject: Re: [Samba] winbind and Solaris 9 with AD > > > Hi, > > I have the following libraries and links in /usr/lib and > it works: > > libnss_winbind.so > libnss_winbind.so.1 -> libnss_winbind.so > nss_winbind.so.1 -> libnss_winbind.so > > /Patrik > On Mon, 2004-01-19 at 13:13, Unix Service (ANTS) wrote: > > Hi > > > > have been trying to get winbind working on Solaris 9 but to no effect. > > > > version info: > > > > samba: 3.0.0 > > openldap: 2.1.23 > > kerberos: MIT 1.3.1 > > > > Have followed the instructions in every howto, usenet posting I could > > find: > > > > nscd not running > > created relevant links in /lib and /lib/security/sparcv9 applied patch > > for nsswitch as recommended > > > > kinit -e works > > net ads join works > > wbinfo -t works > > wbinfo -u gives list of all users in all trusted domains getent > > doesn't work samba authentication doesn't work - get the following in > > winbindd.log: > > > > [2004/01/19 10:59:27, 5] nsswitch/winbindd_pam.c:(379) > > NTLM CRAP authentication for user [DEV]\[test7] returned > > NT_STATUS_OK (PAM: 0) [2004/01/19 10:59:27, 3] > > nsswitch/winbindd_acct.c:(875) > > [ 3551]: create_user: user=>(test7), group=>() > > [2004/01/19 10:59:27, 5] nsswitch/winbindd_acct.c:(521) > > wb_getgrnam: Did not find group (nobody) > > > > my smb.conf is: > > > > workgroup = DEV > > #workgroup = DEV.ANTS.AD.ANPLC.CO.UK > > realm = DEV.ANTS.AD.ANPLC.CO.UK > > security = ADS > > password server = lonsd010.dev.ants.ad.anplc.co.uk > > dns proxy = no > > idmap gid = 7-8 > > idmap uid = 80-90 > > winbind cache time = 15 > > winbind use default domain = yes > > winbind enum users = yes > > winbind enum groups = yes > > encrypt passwords = yes > > log level = 9 > > > > [temp] > > path = /tmp > > read list = @users > > > > [docs] > > path = /var/tmp/samba-3.0.0 > > read list = @users > > > > I would appreciate any pointers as to further debugging I could do or > > possible problems as being able to use winbind to deal with samba > > authentication would make life a great deal easier. > > > > > > > > > > ** > > * > > This communication (including any attachments) contains confidential > information. If you are not the intended recipient and you have received > this communication in error, you should destroy it without copying, > disclosing or otherwise using its contents. Please notify the sender > immediate
RE: [Samba] winbind and Solaris 9 with AD
I wonder if that is my problem too? How do you force it all to compile at 32 bit? -Original Message- From: Unix Service (ANTS) [mailto:[EMAIL PROTECTED] Sent: 25 January 2004 17:43 To: '[EMAIL PROTECTED]' Subject: RE: [Samba] winbind and Solaris 9 with AD Hi have resolved the problem as to why getent and samba authentication via winbind were not working. It's really stupid - we were building 64 bit and then copying the 64 bit winbind nss lib into /usr/lib - doh!. So getent ( 32 bit ) would try and load a 64 bit winbind nss lib which obviously could not work , and it was failing silently. Recompiling 32 bit version of library has done the trick and getent works ok and users do not need unix accounts to access samba areas. Will post full build procedure tomorrow and am now trying to get the logging on to the Solaris 9 host using AD account details. Isn't working yet - have redirected all auth.debug to a file and am getting the following: Jan 22 22:02:18 ants725 pam_winbind[21561]: [ID 614614 auth.notice] user 'test7' granted acces Jan 22 22:02:18 ants725 login[21561]: [ID 468494 auth.crit] login account failure: No account present for user i.e. the pam authentication is working but then login doen't appear to be able to find the user's account. Anyway - will have a play and post back if I get any further. thanks to everyone who replied to my post - sorry it was such an idiotic problem in the end. tim *** This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. Internet communications are not necessarily secure and may be intercepted or changed after they are sent. Abbey National Treasury Services plc does not accept liability for any loss you may suffer as a result of interception or any liability for such changes. If you wish to confirm the origin or content of this communication, please contact the sender by using an alternative means of communication. This communication does not create or modify any contract and, unless otherwise stated, is not intended to be contractually binding. Abbey National Treasury Services plc. Registered Office: Abbey National House, 2 Triton Square, Regents Place, London NW1 3AN. Registered in England under Company Registration Number: 2338548. Regulated by the Financial Services Authority (FSA). *** -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] winbind and Solaris 9 with AD
On Mon, 2004-01-26 at 04:42, Unix Service (ANTS) wrote: > Hi > have resolved the problem as to why getent and samba authentication via > winbind were not working. > Jan 22 22:02:18 ants725 pam_winbind[21561]: [ID 614614 auth.notice] user > 'test7' granted acces > Jan 22 22:02:18 ants725 login[21561]: [ID 468494 auth.crit] login account > failure: No account present for user > > i.e. the pam authentication is working but then login doen't appear to be > able to find the user's account. > > Anyway - will have a play and post back if I get any further. What is your 'template shell'? That is what becomes the shell in the user's passwd entry. Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] winbind and Solaris 9 with AD
Hi have resolved the problem as to why getent and samba authentication via winbind were not working. It's really stupid - we were building 64 bit and then copying the 64 bit winbind nss lib into /usr/lib - doh!. So getent ( 32 bit ) would try and load a 64 bit winbind nss lib which obviously could not work , and it was failing silently. Recompiling 32 bit version of library has done the trick and getent works ok and users do not need unix accounts to access samba areas. Will post full build procedure tomorrow and am now trying to get the logging on to the Solaris 9 host using AD account details. Isn't working yet - have redirected all auth.debug to a file and am getting the following: Jan 22 22:02:18 ants725 pam_winbind[21561]: [ID 614614 auth.notice] user 'test7' granted acces Jan 22 22:02:18 ants725 login[21561]: [ID 468494 auth.crit] login account failure: No account present for user i.e. the pam authentication is working but then login doen't appear to be able to find the user's account. Anyway - will have a play and post back if I get any further. thanks to everyone who replied to my post - sorry it was such an idiotic problem in the end. tim *** This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. Internet communications are not necessarily secure and may be intercepted or changed after they are sent. Abbey National Treasury Services plc does not accept liability for any loss you may suffer as a result of interception or any liability for such changes. If you wish to confirm the origin or content of this communication, please contact the sender by using an alternative means of communication. This communication does not create or modify any contract and, unless otherwise stated, is not intended to be contractually binding. Abbey National Treasury Services plc. Registered Office: Abbey National House, 2 Triton Square, Regents Place, London NW1 3AN. Registered in England under Company Registration Number: 2338548. Regulated by the Financial Services Authority (FSA). *** -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] winbind and Solaris 9 with AD
-Original Message- Hi Tim, I have winbind working with Solaris 9 ok, my only problem came because I have idmap in LDAP and I'd put double quotes around the dn of the LDAP admin account which broke things. Don't think I had to do anything special to compile this, make sure you have installed the latest Solaris 9 patch cluster from sunsolve. I compiled with these options, ./configure --with-kerberos=/usr/local --with-ads --with-acl-support --with-pam --with-winbind I don't think --with-pam is needed if you only want winbind to work for smb connections to Samba (ie not for telnet etc.). Does wbinfo -u work? thats fundamental to getent working. Also I assume you have MIT kerberos 1.3.1 installed as Samba will not work with Sun kereros, thanks Andy. From: Ganguly, Sapan [mailto:[EMAIL PROTECTED] Posted At: 22 January 2004 11:09 Posted To: Samba Conversation: [Samba] winbind and Solaris 9 with AD Subject: RE: [Samba] winbind and Solaris 9 with AD P.S I used the pam.conf that Patrik Gustavsson posted here. -Original Message- From: Wright, Tim (ANTS) [mailto:[EMAIL PROTECTED] Sent: 21 January 2004 16:37 To: 'Ganguly, Sapan ' Subject: RE: [Samba] winbind and Solaris 9 with AD hi I've been looking at my problem and compring the Solaris 9 box to a working Linux box. I noticed that if I take the winbind entry out of nsswitch.conf on the linux box then samba will no longer accept connections from users with no unix account or relevanr username map. So I'm assuming that if I can get getent working on the Solaris box then the samba authentication problem will be solved as well. So would you be able to provide me with a step by step of how you built and configured samba/winbind on the host where getent works ( including other stuff like kerberos and openldap compiles )? I can't offer much in return but if I can get getent working then I will look at getting logging on to the box working as well ( unless of course you 've already cracked it yourself ). anyway any help you could give me would be greatly appreciated. thanks tim -Original Message- From: Ganguly, Sapan [mailto:[EMAIL PROTECTED] Sent: 19 January 2004 13:06 To: 'Unix Service (ANTS)'; '[EMAIL PROTECTED]' Subject: RE: [Samba] winbind and Solaris 9 with AD I'm having trouble with this too but getent works for me, I'm not using AD though. Have you edited nsswitch.conf? Passwd: files winbind Group: files winbind I'm stuck on getting logging in working...Sun seems to think there may be some bug with PAM. -Original Message- From: Unix Service (ANTS) [mailto:[EMAIL PROTECTED] Sent: 19 January 2004 12:13 To: '[EMAIL PROTECTED]' Subject: [Samba] winbind and Solaris 9 with AD Hi have been trying to get winbind working on Solaris 9 but to no effect. version info: samba: 3.0.0 openldap: 2.1.23 kerberos: MIT 1.3.1 Have followed the instructions in every howto, usenet posting I could find: nscd not running created relevant links in /lib and /lib/security/sparcv9 applied patch for nsswitch as recommended kinit -e works net ads join works wbinfo -t works wbinfo -u gives list of all users in all trusted domains getent doesn't work samba authentication doesn't work - get the following in winbindd.log: [2004/01/19 10:59:27, 5] nsswitch/winbindd_pam.c:(379) NTLM CRAP authentication for user [DEV]\[test7] returned NT_STATUS_OK (PAM: 0) [2004/01/19 10:59:27, 3] nsswitch/winbindd_acct.c:(875) [ 3551]: create_user: user=>(test7), group=>() [2004/01/19 10:59:27, 5] nsswitch/winbindd_acct.c:(521) wb_getgrnam: Did not find group (nobody) my smb.conf is: workgroup = DEV #workgroup = DEV.ANTS.AD.ANPLC.CO.UK realm = DEV.ANTS.AD.ANPLC.CO.UK security = ADS password server = lonsd010.dev.ants.ad.anplc.co.uk dns proxy = no idmap gid = 7-8 idmap uid = 80-90 winbind cache time = 15 winbind use default domain = yes winbind enum users = yes winbind enum groups = yes encrypt passwords = yes log level = 9 [temp] path = /tmp read list = @users [docs] path = /var/tmp/samba-3.0.0 read list = @users I would appreciate any pointers as to further debugging I could do or possible problems as being able to use winbind to deal with samba authentication would make life a great deal easier. *** This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. Internet communications are not necessarily secure and may be intercepted or changed after they are sent. Abbey National Treasury Services plc does not accept liability for any loss you may suffer as a resul
RE: [Samba] winbind and Solaris 9 with AD
P.S I used the pam.conf that Patrik Gustavsson posted here. -Original Message- From: Wright, Tim (ANTS) [mailto:[EMAIL PROTECTED] Sent: 21 January 2004 16:37 To: 'Ganguly, Sapan ' Subject: RE: [Samba] winbind and Solaris 9 with AD hi I've been looking at my problem and compring the Solaris 9 box to a working Linux box. I noticed that if I take the winbind entry out of nsswitch.conf on the linux box then samba will no longer accept connections from users with no unix account or relevanr username map. So I'm assuming that if I can get getent working on the Solaris box then the samba authentication problem will be solved as well. So would you be able to provide me with a step by step of how you built and configured samba/winbind on the host where getent works ( including other stuff like kerberos and openldap compiles )? I can't offer much in return but if I can get getent working then I will look at getting logging on to the box working as well ( unless of course you 've already cracked it yourself ). anyway any help you could give me would be greatly appreciated. thanks tim -Original Message- From: Ganguly, Sapan [mailto:[EMAIL PROTECTED] Sent: 19 January 2004 13:06 To: 'Unix Service (ANTS)'; '[EMAIL PROTECTED]' Subject: RE: [Samba] winbind and Solaris 9 with AD I'm having trouble with this too but getent works for me, I'm not using AD though. Have you edited nsswitch.conf? Passwd: files winbind Group: files winbind I'm stuck on getting logging in working...Sun seems to think there may be some bug with PAM. -Original Message- From: Unix Service (ANTS) [mailto:[EMAIL PROTECTED] Sent: 19 January 2004 12:13 To: '[EMAIL PROTECTED]' Subject: [Samba] winbind and Solaris 9 with AD Hi have been trying to get winbind working on Solaris 9 but to no effect. version info: samba: 3.0.0 openldap: 2.1.23 kerberos: MIT 1.3.1 Have followed the instructions in every howto, usenet posting I could find: nscd not running created relevant links in /lib and /lib/security/sparcv9 applied patch for nsswitch as recommended kinit -e works net ads join works wbinfo -t works wbinfo -u gives list of all users in all trusted domains getent doesn't work samba authentication doesn't work - get the following in winbindd.log: [2004/01/19 10:59:27, 5] nsswitch/winbindd_pam.c:(379) NTLM CRAP authentication for user [DEV]\[test7] returned NT_STATUS_OK (PAM: 0) [2004/01/19 10:59:27, 3] nsswitch/winbindd_acct.c:(875) [ 3551]: create_user: user=>(test7), group=>() [2004/01/19 10:59:27, 5] nsswitch/winbindd_acct.c:(521) wb_getgrnam: Did not find group (nobody) my smb.conf is: workgroup = DEV #workgroup = DEV.ANTS.AD.ANPLC.CO.UK realm = DEV.ANTS.AD.ANPLC.CO.UK security = ADS password server = lonsd010.dev.ants.ad.anplc.co.uk dns proxy = no idmap gid = 7-8 idmap uid = 80-90 winbind cache time = 15 winbind use default domain = yes winbind enum users = yes winbind enum groups = yes encrypt passwords = yes log level = 9 [temp] path = /tmp read list = @users [docs] path = /var/tmp/samba-3.0.0 read list = @users I would appreciate any pointers as to further debugging I could do or possible problems as being able to use winbind to deal with samba authentication would make life a great deal easier. *** This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. Internet communications are not necessarily secure and may be intercepted or changed after they are sent. Abbey National Treasury Services plc does not accept liability for any loss you may suffer as a result of interception or any liability for such changes. If you wish to confirm the origin or content of this communication, please contact the sender by using an alternative means of communication. This communication does not create or modify any contract and, unless otherwise stated, is not intended to be contractually binding. Abbey National Treasury Services plc. Registered Office: Abbey National House, 2 Triton Square, Regents Place, London NW1 3AN. Registered in England under Company Registration Number: 2338548. Regulated by the Financial Services Authority (FSA). *** -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba *** This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this commu
RE: [Samba] winbind and Solaris 9 with AD
You should note that I'm not using ADS, I'm in an NT4 domain.
OK, from memory this is what I did. (If anyone can see any errors in this,
please let me know!)
First I compiled Samba with the following -
./configure --with-winbind --with-pam --with-pam_smbpass
--with-included-popt
make
make install
I then created these links in /usr/lib, I think I had to copy
libnss_winbind.so from samba/sources/nsswitch directory (compile directory)
to /usr/lib
libnss_winbind.so
libnss_winbind.so.1 -> libnss_winbind.so
nss_winbind.so.1 -> libnss_winbind.so
After that I dropped in my smb.conf from an Linux machine I had already
built with samba 3. Here is what it looks like -
# Global parameters
[global]
workgroup = MYDOMAIN
server string = SUN001
log file = /var/log/samba/log.%m
max log size = 50
name resolve order = wins lmhosts bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
local master = No
dns proxy = No
wins server = 192.168.224.25
ldap suffix = dc=uk,dc=trt,dc=thales
ldap machine suffix = dc=uk,dc=trt,dc=thales
ldap user suffix = dc=uk,dc=trt,dc=thales
ldap group suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap,dc=uk,dc=trt,dc=thales
ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
idmap backend = ldap:ldap://lnxs001
idmap uid = 1-2
idmap gid = 1-2
template homedir = /mnt/spare/%U
template shell = /bin/bash
winbind separator = -
winbind use default domain = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[public]
path = /public
read only = No
guest ok = Yes
My LDAP server is a separate Redhat 9.0 machine with OpenLDAP running.
Next I ran 'smbpasswd -w x' where x is my LDAP admin password, this
gives samba write access to your LDAP server.
Then I had to make my samba server a member of my domain -
net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd
Now I edited nsswitch.conf
Passwd: files winbind
Group: files winbind
Then I created the startup scripts for samba and winbind (don't for get to
chmod it to make it executable) -
#!/sbin/sh
##
## samba.server
##
if [ ! -d /usr/bin ]
then# /usr not mounted
exit
fi
killproc() {# kill the named process(es)
pid=`/usr/bin/ps -e |
/usr/bin/grep -w $1 |
/usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
[ "$pid" != "" ] && kill $pid
}
# Start/stop processes required for Samba server
case "$1" in
'start')
#
# Edit these lines to suit your installation (paths, workgroup,
host)
#
echo Starting SMBD
/usr/local/samba/sbin/smbd -D -d 10 -s
/usr/local/samba/lib/smb.conf
echo Starting NMBD
/usr/local/samba/sbin/nmbd -D -l /usr/local/samba/var/log -s
/usr/local/samba/lib/smb.conf
echo Starting Winbind Daemon
/usr/local/samba/sbin/winbindd -B -d 10 -s
/usr/local/samba/lib/smb.conf
;;
'stop')
killproc nmbd
killproc smbd
killproc winbindd
;;
*)
echo "Usage: /etc/init.d/samba.server { start | stop }"
;;
esac
After I started samba up with this script and ran getent it worked.
I could type out all of my OpenLDAP config for you too but at this stage it
probably isn't very useful to you. What I think you should try first is
using a simpler idmap backend first. Make that work and then do the LDAP
stuff.
-Original Message-----
From: Wright, Tim (ANTS) [mailto:[EMAIL PROTECTED]
Sent: 21 January 2004 16:37
To: 'Ganguly, Sapan '
Subject: RE: [Samba] winbind and Solaris 9 with AD
hi
I've been looking at my problem and compring the Solaris 9 box to a working
Linux box. I noticed that if I take the winbind entry out of nsswitch.conf
on the linux box then samba will no longer accept connections from users
with no unix account or relevanr username map.
So I'm assuming that if I can get getent working on the Solaris box then the
samba authentication problem will be solved as well.
So would you be able to provide me with a step by step of how you built and
configured samba/winbind on the host where getent works ( including other
stuff like kerberos and openldap compiles )? I can't offer much in return
but if I can get getent working then I will look at getting logging on
RE: [Samba] winbind and Solaris 9 with AD
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 20 Jan 2004, Unix Service (ANTS) wrote: Why is the linux box now calling a different function to the solaris host - is it because the linux host has already "created" the user and has it cached some where ( if so, how can I delete the cache entry to see a successful call to create_user etc. ). wbinfo -x 'username' cheers, jerry -- Hewlett-Packard- http://www.hp.com SAMBA Team -- http://www.samba.org GnuPG Key http://www.plainjoe.org/gpg_public.asc "If we're adding to the noise, turn off this song" --Switchfoot (2003) -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFADfNyIR7qMdg1EfYRAtfgAKDDnk0zur2urnCJ5EhrMBDeAvXlKgCfeKBy LP/jQE1NkML2bHX8o/QUIY8= =oEMD -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] winbind and Solaris 9 with AD
Hi have started compsring the winbindd log from the Solaris 9 host which isnt't working and a linux host which is and the first thing I've noticed is the following: they both look the same up to the following point: Solaris: [2004/01/20 17:48:31, 10] nsswitch/winbindd.c:(455) client_read: read 1568 bytes. Need 0 more for a full request. [2004/01/20 17:48:31, 10] nsswitch/winbindd.c:(305) process_request: request fn CREATE_USER [2004/01/20 17:48:31, 3] nsswitch/winbindd_acct.c:(875) [28202]: create_user: user=>(test7), group=>() Linux: [2004/01/20 17:45:13, 10] nsswitch/winbindd.c:winbind_client_read(455) client_read: read 1568 bytes. Need 0 more for a full request. [2004/01/20 17:45:13, 10] nsswitch/winbindd.c:process_request(305) process_request: request fn GETPWNAM [2004/01/20 17:45:13, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112) [ 4318]: getpwnam dev+test7 Why is the linux box now calling a different function to the solaris host - is it because the linux host has already "created" the user and has it cached some where ( if so, how can I delete the cache entry to see a successful call to create_user etc. ). thanks tim *** This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. Internet communications are not necessarily secure and may be intercepted or changed after they are sent. Abbey National Treasury Services plc does not accept liability for any loss you may suffer as a result of interception or any liability for such changes. If you wish to confirm the origin or content of this communication, please contact the sender by using an alternative means of communication. This communication does not create or modify any contract and, unless otherwise stated, is not intended to be contractually binding. Abbey National Treasury Services plc. Registered Office: Abbey National House, 2 Triton Square, Regents Place, London NW1 3AN. Registered in England under Company Registration Number: 2338548. Regulated by the Financial Services Authority (FSA). *** -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] winbind and Solaris 9 with AD
Have done some more digging through the log files and found the following ( see extracts at bottom ): 21.22.05 smbd asks winbind to create user 21.22.05 winbindd appears to do this successfully ( wb_storepwnam: Success ) 21.22.13 smbd never seems to receive notification of this and times out. I don't know enough about the smbd/winbindd interaction to work out what's happening ( will look at a working linux box to try and get an idea ) - has anyone seen this before or know what could possibly cause this behaviour? thanks tim Log.smbd: [2004/01/19 21:22:05, 3] auth/auth_util.c:(1009) User test7 does not exist, trying to add it [2004/01/19 21:22:05, 10] auth/auth_util.c:(74) auth_add_user_script: no 'add user script'. Asking winbindd [2004/01/19 21:22:05, 10] nsswitch/wb_client.c:(390) winbind_create_user: test7 [2004/01/19 21:22:05, 5] lib/username.c:(288) Finding user DEV\test7 [2004/01/19 21:22:05, 5] lib/username.c:(223) Trying _Get_Pwnam(), username as lowercase is dev\test7 [2004/01/19 21:22:05, 5] lib/username.c:(230) Trying _Get_Pwnam(), username as given is DEV\test7 [2004/01/19 21:22:05, 5] lib/username.c:(239) Trying _Get_Pwnam(), username as uppercase is DEV\TEST7 [2004/01/19 21:22:05, 5] lib/username.c:(247) Checking combinations of 0 uppercase letters in dev\test7 [2004/01/19 21:22:05, 5] lib/username.c:(251) Get_Pwnam_internals didn't find user [DEV\test7]! [2004/01/19 21:22:05, 5] lib/username.c:(288) Finding user test7 [2004/01/19 21:22:05, 5] lib/username.c:(223) Trying _Get_Pwnam(), username as lowercase is test7 ^C[2004/01/19 21:22:05, 5] lib/username.c:(239) Trying _Get_Pwnam(), username as uppercase is TEST7 [2004/01/19 21:22:05, 5] lib/username.c:(247) Checking combinations of 0 uppercase letters in test7 [2004/01/19 21:22:05, 5] lib/username.c:(251) Get_Pwnam_internals didn't find user [test7]! [2004/01/19 21:22:05, 0] auth/auth_util.c:(1017) make_server_info_info3: pdb_init_sam failed! [2004/01/19 21:22:05, 5] auth/auth.c:(268) check_ntlm_password: winbind authentication for user [test7] FAILED with error NT_STATUS_NO_SUCH_USER [2004/01/19 21:22:05, 2] auth/auth.c:(309) check_ntlm_password: Authentication for user [test7] -> [test7] FAILED with e rror NT_STATUS_NO_SUCH_USER [2004/01/19 21:22:05, 5] auth/auth_util.c:(1185) attempting to free (and zero) a user_info structure [2004/01/19 21:22:05, 10] auth/auth_util.c:(1188) structure was created for test7 [2004/01/19 21:22:06, 6] lib/util_sock.c:(407) write_socket(16,98) [2004/01/19 21:22:06, 6] lib/util_sock.c:(410) write_socket(16,98) wrote 98 [2004/01/19 21:22:13, 10] lib/util_sock.c:(336) read_socket_data: recv of 4 returned 0. Error = Error 0 [2004/01/19 21:22:13, 10] lib/util_sock.c:(512) receive_smb: length < 0! [2004/01/19 21:22:13, 3] smbd/process.c:(1099) timeout_processing: End of file from client (client has disconnected). [2004/01/19 21:22:13, 5] lib/gencache.c:(88) Closing cache file [2004/01/19 21:22:13, 5] libsmb/namecache.c:(79) Log.winbind: [2004/01/19 21:22:05, 10] nsswitch/winbindd.c:(305) process_request: request fn CREATE_USER [2004/01/19 21:22:05, 3] nsswitch/winbindd_acct.c:(875) [27622]: create_user: user=>(test7), group=>() [2004/01/19 21:22:05, 5] nsswitch/winbindd_acct.c:(521) wb_getgrnam: Did not find group (nobody) [2004/01/19 21:22:05, 10] sam/idmap_tdb.c:(125) db_allocate_id: ID_USERID (*id).uid = 80 [2004/01/19 21:22:05, 10] nsswitch/winbindd_acct.c:(157) passwd2string: converting passwd struct for test7 [2004/01/19 21:22:05, 10] nsswitch/winbindd_acct.c:(486) wb_storepwnam: Success -> "test7:x:80:60001:test7:/home/ANTS431/test7:/bin /false" [2004/01/19 21:22:05, 10] nsswitch/winbindd.c:(502) client_write: wrote 1304 bytes. [2004/01/19 21:22:13, 10] nsswitch/winbindd.c:(455) client_read: read 0 bytes. Need 1568 more for a full request. *** This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. Internet communications are not necessarily secure and may be intercepted or changed after they are sent. Abbey National Treasury Services plc does not accept liability for any loss you may suffer as a result of interception or any liability for such changes. If you wish to confirm the origin or content of this communication, please contact the sender by using an alternative means of communication. This communication does not create or modify any contract and, unless otherwise stated, is not intended to be contractually binding. Abbey National Treasury Services plc. Registered Office: Abbey National House, 2 Triton Square, Regents Place, London NW1 3AN. Registered in England under Company Regist
RE: [Samba] winbind and Solaris 9 with AD
Looked through source and noticed there were some debug entries at level 10 for winbind - so upped log level and this time I get this: [2004/01/19 18:18:47, 10] nsswitch/winbindd.c:(305) process_request: request fn CREATE_USER [2004/01/19 18:18:48, 3] nsswitch/winbindd_acct.c:(875) [17805]: create_user: user=>(test7), group=>() [2004/01/19 18:18:48, 5] libads/ldap_utils.c:(52) Search for (objectCategory=user) gave 18764 replies [2004/01/19 18:18:48, 5] nsswitch/winbindd_acct.c:(521) wb_getgrnam: Did not find group (nobody) -Original Message- From: Patrik Gustavsson [mailto:[EMAIL PROTECTED] Sent: 19 January 2004 14:39 To: Unix Service (ANTS) Cc: '[EMAIL PROTECTED]' Subject: Re: [Samba] winbind and Solaris 9 with AD Hi, I have the following libraries and links in /usr/lib and it works: libnss_winbind.so libnss_winbind.so.1 -> libnss_winbind.so nss_winbind.so.1 -> libnss_winbind.so /Patrik On Mon, 2004-01-19 at 13:13, Unix Service (ANTS) wrote: > Hi > > have been trying to get winbind working on Solaris 9 but to no effect. > > version info: > > samba: 3.0.0 > openldap: 2.1.23 > kerberos: MIT 1.3.1 > > Have followed the instructions in every howto, usenet posting I could > find: > > nscd not running > created relevant links in /lib and /lib/security/sparcv9 applied patch > for nsswitch as recommended > > kinit -e works > net ads join works > wbinfo -t works > wbinfo -u gives list of all users in all trusted domains getent > doesn't work samba authentication doesn't work - get the following in > winbindd.log: > > [2004/01/19 10:59:27, 5] nsswitch/winbindd_pam.c:(379) > NTLM CRAP authentication for user [DEV]\[test7] returned > NT_STATUS_OK (PAM: 0) [2004/01/19 10:59:27, 3] > nsswitch/winbindd_acct.c:(875) > [ 3551]: create_user: user=>(test7), group=>() > [2004/01/19 10:59:27, 5] nsswitch/winbindd_acct.c:(521) > wb_getgrnam: Did not find group (nobody) > > my smb.conf is: > > workgroup = DEV > #workgroup = DEV.ANTS.AD.ANPLC.CO.UK > realm = DEV.ANTS.AD.ANPLC.CO.UK > security = ADS > password server = lonsd010.dev.ants.ad.anplc.co.uk > dns proxy = no > idmap gid = 7-8 > idmap uid = 80-90 > winbind cache time = 15 > winbind use default domain = yes > winbind enum users = yes > winbind enum groups = yes > encrypt passwords = yes > log level = 9 > > [temp] > path = /tmp > read list = @users > > [docs] > path = /var/tmp/samba-3.0.0 > read list = @users > > I would appreciate any pointers as to further debugging I could do or > possible problems as being able to use winbind to deal with samba > authentication would make life a great deal easier. > > > > > ** > * > This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. > > Internet communications are not necessarily secure and may be > intercepted or changed after they are sent. Abbey National Treasury > Services plc does not accept liability for any loss you may suffer as > a result of interception or any liability for such changes. If you > wish to confirm the origin or content of this communication, please > contact the sender by using an alternative means of communication. > > This communication does not create or modify any contract and, unless > otherwise stated, is not intended to be contractually binding. > > Abbey National Treasury Services plc. Registered Office: Abbey > National House, 2 Triton Square, Regents Place, London NW1 3AN. Registered in England under Company Registration Number: 2338548. Regulated by the Financial Services Authority (FSA). > *** -- "In a world without fences who needs Gates" Patrik Gustavsson, Senior Technical Consultant [EMAIL PROTECTED] Telephone: +46 60 671540 http://glen.swedenMobile: +46 70 3551040 SUN MICROSYSTEMS Fax: +46 60 671550 -- *** This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. Internet communications are not necessarily secure and ma
RE: [Samba] winbind and Solaris 9 with AD
Hi Thanks to everyone for their intial replies. I have edited nsswitch.conf and I have the links that Patrik mentioned. I'm not really too fussed about getent working ( only in so far as getent not working maybe indicates a more general problem ) or allowing users to log on - I just want users without unix accounts to be able to access samba shares without having to use username.map or leaving shares wide open. So all I'm looking at is using winbind for samba authentication only - has anybody got this working on Solaris 9 with 3.0.0 and security=ADS? tim *** This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. Internet communications are not necessarily secure and may be intercepted or changed after they are sent. Abbey National Treasury Services plc does not accept liability for any loss you may suffer as a result of interception or any liability for such changes. If you wish to confirm the origin or content of this communication, please contact the sender by using an alternative means of communication. This communication does not create or modify any contract and, unless otherwise stated, is not intended to be contractually binding. Abbey National Treasury Services plc. Registered Office: Abbey National House, 2 Triton Square, Regents Place, London NW1 3AN. Registered in England under Company Registration Number: 2338548. Regulated by the Financial Services Authority (FSA). *** -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] winbind and Solaris 9 with AD
Patrik, Hello! I have been waiting for you to get back, you may be able to help me. I am having trouble making winbind work with Solaris 9. I was wondering if you could post a copy of your pam.conf again so that I can double check that I have a correct copy of it? The problem I am having is that when I try to log in with an NT username and password the login process hangs after I put the password in. I don't know why this happens because getent works. I decided to log what is going on in PAM, here is what I got - Jan 14 13:29:55 sun001 pam_winbind[15352]: [ID 571141 auth.debug] libpam_winbind:pam_sm_close_sessio n handler Jan 14 13:29:59 sun001 login: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0 Jan 14 13:30:05 sun001 login: [ID 378613 auth.debug] pam_dhkeys: user ganguly not found Jan 14 13:30:05 sun001 login: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate() Jan 14 13:30:05 sun001 login: [ID 219349 auth.debug] pam_unix_auth: user ganguly not found Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 572310 auth.info] Verify user `ganguly' Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 614614 auth.notice] user 'ganguly' granted acces Jan 14 13:30:05 sun001 login[15369]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = tel net user = ganguly ruser = not set rhost = 192.168.224.90 Thanks for any help you can offer! Sapan -Original Message- From: Patrik Gustavsson [mailto:[EMAIL PROTECTED] Sent: 19 January 2004 14:39 To: Unix Service (ANTS) Cc: '[EMAIL PROTECTED]' Subject: Re: [Samba] winbind and Solaris 9 with AD Hi, I have the following libraries and links in /usr/lib and it works: libnss_winbind.so libnss_winbind.so.1 -> libnss_winbind.so nss_winbind.so.1 -> libnss_winbind.so /Patrik On Mon, 2004-01-19 at 13:13, Unix Service (ANTS) wrote: > Hi > > have been trying to get winbind working on Solaris 9 but to no effect. > > version info: > > samba: 3.0.0 > openldap: 2.1.23 > kerberos: MIT 1.3.1 > > Have followed the instructions in every howto, usenet posting I could > find: > > nscd not running > created relevant links in /lib and /lib/security/sparcv9 applied patch > for nsswitch as recommended > > kinit -e works > net ads join works > wbinfo -t works > wbinfo -u gives list of all users in all trusted domains getent > doesn't work samba authentication doesn't work - get the following in > winbindd.log: > > [2004/01/19 10:59:27, 5] nsswitch/winbindd_pam.c:(379) > NTLM CRAP authentication for user [DEV]\[test7] returned > NT_STATUS_OK (PAM: 0) [2004/01/19 10:59:27, 3] > nsswitch/winbindd_acct.c:(875) > [ 3551]: create_user: user=>(test7), group=>() > [2004/01/19 10:59:27, 5] nsswitch/winbindd_acct.c:(521) > wb_getgrnam: Did not find group (nobody) > > my smb.conf is: > > workgroup = DEV > #workgroup = DEV.ANTS.AD.ANPLC.CO.UK > realm = DEV.ANTS.AD.ANPLC.CO.UK > security = ADS > password server = lonsd010.dev.ants.ad.anplc.co.uk > dns proxy = no > idmap gid = 7-8 > idmap uid = 80-90 > winbind cache time = 15 > winbind use default domain = yes > winbind enum users = yes > winbind enum groups = yes > encrypt passwords = yes > log level = 9 > > [temp] > path = /tmp > read list = @users > > [docs] > path = /var/tmp/samba-3.0.0 > read list = @users > > I would appreciate any pointers as to further debugging I could do or > possible problems as being able to use winbind to deal with samba > authentication would make life a great deal easier. > > > > > ** > * > This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. > > Internet communications are not necessarily secure and may be > intercepted or changed after they are sent. Abbey National Treasury > Services plc does not accept liability for any loss you may suffer as > a result of interception or any liability for such changes. If you > wish to confirm the origin or content of this communication, please > contact the sender by using an alternative means of communication. > > This communication does not create or modify any contract and, unless > otherwise stated, is not intended to be contractually binding. > > Abbey National Treasury Services plc. Registered Office: Abbey > National House, 2 Triton Square, Regents Place, London NW1 3AN. Registered in England under Company Registration Number: 2338548. Regulated by the Financia
Re: [Samba] winbind and Solaris 9 with AD
Hi, I have the following libraries and links in /usr/lib and it works: libnss_winbind.so libnss_winbind.so.1 -> libnss_winbind.so nss_winbind.so.1 -> libnss_winbind.so /Patrik On Mon, 2004-01-19 at 13:13, Unix Service (ANTS) wrote: > Hi > > have been trying to get winbind working on Solaris 9 but to no effect. > > version info: > > samba: 3.0.0 > openldap: 2.1.23 > kerberos: MIT 1.3.1 > > Have followed the instructions in every howto, usenet posting I could > find: > > nscd not running > created relevant links in /lib and /lib/security/sparcv9 > applied patch for nsswitch as recommended > > kinit -e works > net ads join works > wbinfo -t works > wbinfo -u gives list of all users in all trusted domains > getent doesn't work > samba authentication doesn't work - get the following in winbindd.log: > > [2004/01/19 10:59:27, 5] nsswitch/winbindd_pam.c:(379) > NTLM CRAP authentication for user [DEV]\[test7] returned > NT_STATUS_OK (PAM: 0) > [2004/01/19 10:59:27, 3] nsswitch/winbindd_acct.c:(875) > [ 3551]: create_user: user=>(test7), group=>() > [2004/01/19 10:59:27, 5] nsswitch/winbindd_acct.c:(521) > wb_getgrnam: Did not find group (nobody) > > my smb.conf is: > > workgroup = DEV > #workgroup = DEV.ANTS.AD.ANPLC.CO.UK > realm = DEV.ANTS.AD.ANPLC.CO.UK > security = ADS > password server = lonsd010.dev.ants.ad.anplc.co.uk > dns proxy = no > idmap gid = 7-8 > idmap uid = 80-90 > winbind cache time = 15 > winbind use default domain = yes > winbind enum users = yes > winbind enum groups = yes > encrypt passwords = yes > log level = 9 > > [temp] > path = /tmp > read list = @users > > [docs] > path = /var/tmp/samba-3.0.0 > read list = @users > > I would appreciate any pointers as to further debugging I could do or > possible problems as being able to use winbind to deal with samba > authentication would make life a great deal easier. > > > > > *** > This communication (including any attachments) contains confidential information. > If you are not the intended recipient and you have received this communication in > error, you should destroy it without copying, disclosing or otherwise using its > contents. Please notify the sender immediately of the error. > > Internet communications are not necessarily secure and may be intercepted or changed > after they are sent. Abbey National Treasury Services plc does not accept liability > for any loss you may suffer as a result of interception or any liability for such > changes. If you wish to confirm the origin or content of this communication, please > contact the sender by using an alternative means of communication. > > This communication does not create or modify any contract and, unless otherwise > stated, is not intended to be contractually binding. > > Abbey National Treasury Services plc. Registered Office: Abbey National House, 2 > Triton Square, Regents Place, London NW1 3AN. Registered in England under Company > Registration Number: 2338548. Regulated by the Financial Services Authority (FSA). > *** -- "In a world without fences who needs Gates" Patrik Gustavsson, Senior Technical Consultant [EMAIL PROTECTED] Telephone: +46 60 671540 http://glen.swedenMobile: +46 70 3551040 SUN MICROSYSTEMS Fax: +46 60 671550 -- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] winbind and Solaris 9 with AD
I'm having trouble with this too but getent works for me, I'm not using AD though. Have you edited nsswitch.conf? Passwd: files winbind Group: files winbind I'm stuck on getting logging in working...Sun seems to think there may be some bug with PAM. -Original Message- From: Unix Service (ANTS) [mailto:[EMAIL PROTECTED] Sent: 19 January 2004 12:13 To: '[EMAIL PROTECTED]' Subject: [Samba] winbind and Solaris 9 with AD Hi have been trying to get winbind working on Solaris 9 but to no effect. version info: samba: 3.0.0 openldap: 2.1.23 kerberos: MIT 1.3.1 Have followed the instructions in every howto, usenet posting I could find: nscd not running created relevant links in /lib and /lib/security/sparcv9 applied patch for nsswitch as recommended kinit -e works net ads join works wbinfo -t works wbinfo -u gives list of all users in all trusted domains getent doesn't work samba authentication doesn't work - get the following in winbindd.log: [2004/01/19 10:59:27, 5] nsswitch/winbindd_pam.c:(379) NTLM CRAP authentication for user [DEV]\[test7] returned NT_STATUS_OK (PAM: 0) [2004/01/19 10:59:27, 3] nsswitch/winbindd_acct.c:(875) [ 3551]: create_user: user=>(test7), group=>() [2004/01/19 10:59:27, 5] nsswitch/winbindd_acct.c:(521) wb_getgrnam: Did not find group (nobody) my smb.conf is: workgroup = DEV #workgroup = DEV.ANTS.AD.ANPLC.CO.UK realm = DEV.ANTS.AD.ANPLC.CO.UK security = ADS password server = lonsd010.dev.ants.ad.anplc.co.uk dns proxy = no idmap gid = 7-8 idmap uid = 80-90 winbind cache time = 15 winbind use default domain = yes winbind enum users = yes winbind enum groups = yes encrypt passwords = yes log level = 9 [temp] path = /tmp read list = @users [docs] path = /var/tmp/samba-3.0.0 read list = @users I would appreciate any pointers as to further debugging I could do or possible problems as being able to use winbind to deal with samba authentication would make life a great deal easier. *** This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. Internet communications are not necessarily secure and may be intercepted or changed after they are sent. Abbey National Treasury Services plc does not accept liability for any loss you may suffer as a result of interception or any liability for such changes. If you wish to confirm the origin or content of this communication, please contact the sender by using an alternative means of communication. This communication does not create or modify any contract and, unless otherwise stated, is not intended to be contractually binding. Abbey National Treasury Services plc. Registered Office: Abbey National House, 2 Triton Square, Regents Place, London NW1 3AN. Registered in England under Company Registration Number: 2338548. Regulated by the Financial Services Authority (FSA). *** -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
