[Samba] Samba winbind and nfsv4 krb5
Hi All,

I've been struggling for weeks to get samba winbind and a kerberized nfs mount running. We have a Netapp SAN exporting the nfs share with sec=krb5 and a Linux Client Ubuntu 10.04 Server trying to access the exported share. Accessing the share without krb5 (sec=sys) works fine. The linux machine is joined to a Windows 2008R2 domain and user/group lookups, login via ssh etc. work fine. I have read many articles about using winbind to acquire the Kerberos tickets on login.

What I have done so far is join the linux machine to our AD:

    net ads join -U Administrator

After this my krb5.keytab file is filled with the following:

    root@ubuntu100432:~# klist -kte
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- ---------
       2 02/13/12 09:34:59 host/ubuntu100432.a.space.c...@a.space.corp (DES cbc mode with CRC-32)
       2 02/13/12 09:34:59 host/ubuntu100432.a.space.c...@a.space.corp (DES cbc mode with RSA-MD5)
       2 02/13/12 09:34:59 host/ubuntu100432.a.space.c...@a.space.corp (ArcFour with HMAC/md5)
       2 02/13/12 09:34:59 host/ubuntu100...@a.space.corp (DES cbc mode with CRC-32)
       2 02/13/12 09:34:59 host/ubuntu100...@a.space.corp (DES cbc mode with RSA-MD5)
       2 02/13/12 09:34:59 host/ubuntu100...@a.space.corp (ArcFour with HMAC/md5)
       2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with CRC-32)
       2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with RSA-MD5)
       2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (ArcFour with HMAC/md5)

Then I add the nfs principal:

    net ads keytab add nfs -U Administrator

This adds the princ to the keytab file:

       2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.c...@a.space.corp (DES cbc mode with CRC-32)
       2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.c...@a.space.corp (DES cbc mode with RSA-MD5)
       2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.c...@a.space.corp (ArcFour with HMAC/md5)
       2 02/13/12 09:36:11 nfs/ubuntu100...@a.space.corp (DES cbc mode with CRC-32)
       2 02/13/12 09:36:11 nfs/ubuntu100...@a.space.corp (DES cbc mode with RSA-MD5)
       2 02/13/12 09:36:11 nfs/ubuntu100...@a.space.corp (ArcFour with HMAC/md5)

I restart the portmap service (this restarts statd, idmapd and gssd):

    service portmap restart

Now when I try to mount the share I always get an access denied:

Looking at /var/log/daemon.log reveals:

    handling krb5 upcall
    Full hostname for 'ds-san-02.a.space.corp' is 'ds-san-02.a.space.corp'
    Full hostname for 'ubuntu100432.a.space.corp' is 'ubuntu100432.a.space.corp'
    Key table entry not found while getting keytab entry for 'root/ubuntu100432.a.space.c...@a.space.corp'
    Success getting keytab entry for 'nfs/ubuntu100432.a.space.c...@a.space.corp'
    WARNING: Client not found in Kerberos database while getting initial ticket for principal 'nfs/ubuntu100432.a.space.c...@a.space.corp' using keytab 'WRFILE:/etc/krb5.keytab'
    ERROR: No credentials found for connection to server ds-san-02.a.space.corp
    doing error downcall
    destroying client clnt13
    destroying client clnt12

I checked the host in AD with setspn -L and this lists the following:

    Registered ServicePrincipalNames for CN=ubuntu100432 ace,DC=corp:
        NFS/ubuntu100432.a.space.corp
        NFS/ubuntu100432
        HOST/ubuntu100432.a.space.corp
        HOST/UBUNTU100432

So there is no principal 'nfs/ubuntu100432.a.space.c...@a.space.corp'. Is there something special about Windows 2008 R2?

Regards,
Oliver

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
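A keytab listing like the one in the message above can be audited per principal for key strength and stale key versions. The following is an added example, not part of the original post: the sample listing and all names in it are constructed placeholders, and the weak/legacy/ok buckets are this example's own classification.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `klist -kte` prints; every name is a placeholder.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 02/13/12 09:34:59 host/client01.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   2 02/13/12 09:34:59 host/client01.example.test@EXAMPLE.TEST (DES cbc mode with RSA-MD5)
   2 02/13/12 09:34:59 host/client01.example.test@EXAMPLE.TEST (ArcFour with HMAC/md5)
   2 02/13/12 09:34:59 CLIENT01$@EXAMPLE.TEST (ArcFour with HMAC/md5)
   2 02/13/12 09:36:11 nfs/client01.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   3 02/14/12 10:00:00 nfs/client01.example.test@EXAMPLE.TEST (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""

# One keytab row: KVNO, date, time, principal, "(encryption type)".
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)


def classify_enctype(name):
    """Bucket an enctype label: 'weak' (single DES), 'legacy' (RC4, 3DES), 'ok' (AES)."""
    n = name.lower()
    if "aes" in n:
        return "ok"
    if "arcfour" in n or "rc4" in n or "des3" in n or "triple" in n:
        return "legacy"
    if re.search(r"\bdes\b", n):
        return "weak"
    return "unknown"


def parse_keytab_listing(text):
    """Return (kvno, principal, enctype) tuples; header and ruler lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group("kvno")), m.group("principal"), m.group("enctype")))
    return entries


def audit_keytab(text):
    """Group entries by principal, recording key versions and enctypes per bucket."""
    report = defaultdict(
        lambda: {"kvnos": set(), "weak": [], "legacy": [], "ok": [], "unknown": []}
    )
    for kvno, principal, enctype in parse_keytab_listing(text):
        row = report[principal]
        row["kvnos"].add(kvno)
        row[classify_enctype(enctype)].append(enctype)
    return dict(report)


def principals_without_aes(report):
    """Principals whose keytab holds no AES key at all."""
    return sorted(p for p, row in report.items() if not row["ok"])


def principals_with_mixed_kvno(report):
    """Principals that carry keys from more than one key version (possible stale keys)."""
    return sorted(p for p, row in report.items() if len(row["kvnos"]) > 1)


if __name__ == "__main__":
    result = audit_keytab(SAMPLE_KLIST)
    for principal in sorted(result):
        row = result[principal]
        print(principal, "kvno", sorted(row["kvnos"]),
              "weak:", len(row["weak"]), "legacy:", len(row["legacy"]), "ok:", len(row["ok"]))
    print("no AES key:", principals_without_aes(result))
    print("mixed kvno:", principals_with_mixed_kvno(result))
```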
Re: [Samba] winbind 3.3.1.5 as 2008 r2 domain member | groups are not resolving after couple of hours
Has really no one else this problem??? I mean if someone could make a recommendation what version to use with w2008r2 would be good too.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Oliver Weinmann
Sent: 05 May 2011 09:19
To: 'samba@lists.samba.org'
Subject: [Samba] winbind 3.3.1.5 as 2008 r2 domain member | groups are not resolving after couple of hours

Dear All,

I'm facing a really big issue. We have upgraded our Windows 2003 Domain to 2008 R2. I have configured the smb.conf as follows:

    [global]
    realm = A.SPACE.CORP
    workgroup = A
    security = ADS
    encrypt passwords = true
    password server = gedaspw02.a.space.corp gedasvw02.a.space.corp
    idmap config A : backend = ad
    idmap config A : default = yes
    idmap config A : range = 1-99
    idmap config A : schema_mode = rfc2307
    winbind nss info = rfc2307
    winbind enum users = no
    winbind enum groups = no
    preferred master = no
    winbind nested groups = Yes
    winbind use default domain = Yes
    max log size = 50
    log level = 10
    log file = /var/log/samba/log.%m
    dns proxy = no
    allow trusted domains = no
    client use spnego = Yes
    use kerberos keytab = true
    winbind refresh tickets = yes
    idmap cache time = 60
    winbind cache time = 60

When I login as a domain user I always see the following error in /var/log/messages:

    May 5 08:10:18 gedaiv22 winbindd[25108]: ERROR: Initialization failed for alloc backend, deferred!

The login works fine, but after a couple of hours, the users report that the groupids are no longer resolving. This is really a big issue and google is no help. :(

Is there a recommendation what winbind version to use with windows 2008 r2? I used the latest rpm packages from sernet.

Regards,
Oli
[Samba] winbind 3.3.1.5 as 2008 r2 domain member | groups are not resolving after couple of hours
Dear All,

I'm facing a really big issue. We have upgraded our Windows 2003 Domain to 2008 R2. I have configured the smb.conf as follows:

    [global]
    realm = A.SPACE.CORP
    workgroup = A
    security = ADS
    encrypt passwords = true
    password server = gedaspw02.a.space.corp gedasvw02.a.space.corp
    idmap config A : backend = ad
    idmap config A : default = yes
    idmap config A : range = 1-99
    idmap config A : schema_mode = rfc2307
    winbind nss info = rfc2307
    winbind enum users = no
    winbind enum groups = no
    preferred master = no
    winbind nested groups = Yes
    winbind use default domain = Yes
    max log size = 50
    log level = 10
    log file = /var/log/samba/log.%m
    dns proxy = no
    allow trusted domains = no
    client use spnego = Yes
    use kerberos keytab = true
    winbind refresh tickets = yes
    idmap cache time = 60
    winbind cache time = 60

When I login as a domain user I always see the following error in /var/log/messages:

    May 5 08:10:18 gedaiv22 winbindd[25108]: ERROR: Initialization failed for alloc backend, deferred!

The login works fine, but after a couple of hours, the users report that the groupids are no longer resolving. This is really a big issue and google is no help. :(

Is there a recommendation what winbind version to use with windows 2008 r2? I used the latest rpm packages from sernet.

Regards,
Oli
Re: [Samba] Winbind - Domain Join Failed
Hey stuart,

can you maybe post your smb.conf?

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Joe Stuart
Sent: Monday, 8 November 2010 18:20
To: samba@lists.samba.org
Subject: [Samba] Winbind - Domain Join Failed

Hi,

I'm trying to setup winbind on Solaris 10 update 6 and am having an issue joining the domain. I'm running this command:

    net ads join -U admin -d10

Here is the last paragraph or so of the debug output.

    [2010/11/08 11:12:37, 3] libsmb/cliconnect.c:1176(cli_session_setup)
      SPNEGO login failed: Invalid parameter
    [2010/11/08 11:12:37, 1] libsmb/cliconnect.c:2132(cli_full_connection)
      failed session setup with NT_STATUS_INVALID_PARAMETER
    [2010/11/08 11:12:37, 1] libnet/libnet_join.c:1903(libnet_Join)
      libnet_Join:
        libnet_JoinCtx: struct libnet_JoinCtx
          out: struct libnet_JoinCtx
            account_name : NULL
            netbios_domain_name : NULL
            dns_domain_name : NULL
            forest_name : NULL
            dn : NULL
            domain_sid : NULL
            domain_sid : (NULL SID)
            modified_config : 0x00 (0)
            error_string : 'failed to lookup DC info for domain 'MYDOMAIN.QA' over rpc: Invalid parameter'
            domain_is_ad : 0x00 (0)
            result : WERR_INVALID_PARAM
    Failed to join domain: failed to lookup DC info for domain 'MYDOMAIN.QA' over rpc: Invalid parameter

I'm really stumped on this one, since I can run net ads info just fine. I also get no errors when running the kinit command.

    root# net ads info
    LDAP server: 10.16.100.200
    LDAP server name: server1.mydomain.qa
    Realm: MYDOMAIN.QA
    Bind Path: dc=MYDOMAIN,dc=QA
    LDAP port: 389
    Server time: Mon, 08 Nov 2010 11:16:57 CST
    KDC server: 10.16.100.200
    Server time offset: 0

Thanks for any help in advance.

-Joe

This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email
Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
Hi,

I'm sure this is not the correct behaviour. It used to work in samba 3.3 using the primary group set on the unix attributes tab. Of course this group has a GID, otherwise it wouldn't be visible.

-----Original Message-----
From: Andrew Lyon [mailto:andrew.l...@gmail.com]
Sent: Sunday, 24 October 2010 17:20
To: Oliver Weinmann
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

On Sun, Oct 24, 2010 at 2:46 PM, Andrew Lyon andrew.l...@gmail.com wrote:

-----Original Message-----
From: Andrew Lyon [mailto:andrew.l...@gmail.com]
Sent: Friday, 22 October 2010 11:50
To: Oliver Weinmann
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

On Wed, Oct 20, 2010 at 12:36 PM, Oliver Weinmann oliver.weinm...@vega.de wrote:

Hi,

Any news regarding this problem? I have tested samba 3.5.6 and the problem still persists. I had to downgrade to 3.3 on a few machines now.

Regards,
Oliver

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Oliver Weinmann
Sent: Thursday, 9 September 2010 13:13
To: samba@lists.samba.org
Subject: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

Dear All,

I stepped over a strange issue today. I have one installation of samba winbind 3.3.2 on an Ubuntu machine. Changing the primary unix group of a user is updated immediately. On a newer samba 3.5.4 installation the primary group is not updated at all. It always displays domain users. Is there a new setting for the smb.conf?

Here is my smb.conf:

    [global]
    netbios name = gedail1
    realm = SOMEDOMAIN.NET
    workgroup = SOMEDOMAIN
    security = ADS
    encrypt passwords = true
    password server = server1.somedomain.net server2.somedomain.net
    os level = 20
    idmap backend = ad
    idmap config SOMEDOMAIN : backend = ad
    idmap config SOMEDOMAIN : schema_mode = sfu
    idmap config SOMEDOMAIN : range = 0-
    winbind nss info = sfu
    winbind enum users = yes
    winbind enum groups = yes
    preferred master = no
    winbind nested groups = Yes
    winbind use default domain = Yes
    max log size = 50
    log level = 10
    log file = /var/log/samba/log.%m
    dns proxy = no
    wins server = 172.20.200.18 172.18.200.20
    allow trusted domains = no
    client use spnego = Yes
    use kerberos keytab = true
    winbind refresh tickets = yes
    idmap cache time = 1
    winbind cache time = 1

It's a W2k3 AD Domain.

Regards,
Oliver

I've noticed the same with samba 3.5.6, our administrator user has primary group name/gid Domain Admins but the primary group on our linux systems is domain users.

I've noticed that searching AD for users with rfc2307/sfu attributes shows the correct gid:

    net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P

    sAMAccountName: Domain Users
    objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=josims,DC=local
    gidNumber: 1

    sAMAccountName: test
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=josims,DC=local
    uidNumber: 10009
    gidNumber: 10010

The gid returned is correct, and if I change it and remove the cache file it updates, so it is definitely being read from AD, but all users have gid domain users:

    wbinfo -i test
    test:*:10009:1:test:/home/test:/bin/bash

Andy

On Fri, Oct 22, 2010 at 10:55 AM, Oliver Weinmann oliver.weinm...@vega.de wrote:

Good to know that I'm not the only one facing this serious problem. I would really like to know why this is not the case under samba 3.3. Currently I have stopped upgrading from 3.3 to 3.5.x because this problem is generating a lot of trouble for us when users of different projects create files and they are read/write for all members of domain users. The only way around this is to use the SGID on the folder to inherit the project group.

Hi, I've
Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
Good to know that I'm not the only one facing this serious problem. I would really like to know why this is not the case under samba 3.3. Currently I have stopped upgrading from 3.3 to 3.5.x because this problem is generating a lot of trouble for us when users of different projects create files and they are read/write for all members of domain users. The only way around this is to use the SGID on the folder to inherit the project group.

-----Original Message-----
From: Andrew Lyon [mailto:andrew.l...@gmail.com]
Sent: Friday, 22 October 2010 11:50
To: Oliver Weinmann
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

On Wed, Oct 20, 2010 at 12:36 PM, Oliver Weinmann oliver.weinm...@vega.de wrote:

Hi,

Any news regarding this problem? I have tested samba 3.5.6 and the problem still persists. I had to downgrade to 3.3 on a few machines now.

Regards,
Oliver

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Oliver Weinmann
Sent: Thursday, 9 September 2010 13:13
To: samba@lists.samba.org
Subject: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

Dear All,

I stepped over a strange issue today. I have one installation of samba winbind 3.3.2 on an Ubuntu machine. Changing the primary unix group of a user is updated immediately. On a newer samba 3.5.4 installation the primary group is not updated at all. It always displays domain users. Is there a new setting for the smb.conf?

Here is my smb.conf:

    [global]
    netbios name = gedail1
    realm = SOMEDOMAIN.NET
    workgroup = SOMEDOMAIN
    security = ADS
    encrypt passwords = true
    password server = server1.somedomain.net server2.somedomain.net
    os level = 20
    idmap backend = ad
    idmap config SOMEDOMAIN : backend = ad
    idmap config SOMEDOMAIN : schema_mode = sfu
    idmap config SOMEDOMAIN : range = 0-
    winbind nss info = sfu
    winbind enum users = yes
    winbind enum groups = yes
    preferred master = no
    winbind nested groups = Yes
    winbind use default domain = Yes
    max log size = 50
    log level = 10
    log file = /var/log/samba/log.%m
    dns proxy = no
    wins server = 172.20.200.18 172.18.200.20
    allow trusted domains = no
    client use spnego = Yes
    use kerberos keytab = true
    winbind refresh tickets = yes
    idmap cache time = 1
    winbind cache time = 1

It's a W2k3 AD Domain.

Regards,
Oliver

I've noticed the same with samba 3.5.6, our administrator user has primary group name/gid Domain Admins but the primary group on our linux systems is domain users.

I've noticed that searching AD for users with rfc2307/sfu attributes shows the correct gid:

    net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P

    sAMAccountName: Domain Users
    objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=josims,DC=local
    gidNumber: 1

    sAMAccountName: test
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=josims,DC=local
    uidNumber: 10009
    gidNumber: 10010

The gid returned is correct, and if I change it and remove the cache file it updates, so it is definitely being read from AD, but all users have gid domain users:

    wbinfo -i test
    test:*:10009:1:test:/home/test:/bin/bash

Andy
Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
Hi,

Any news regarding this problem? I have tested samba 3.5.6 and the problem still persists. I had to downgrade to 3.3 on a few machines now.

Regards,
Oliver

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Oliver Weinmann
Sent: Thursday, 9 September 2010 13:13
To: samba@lists.samba.org
Subject: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

Dear All,

I stepped over a strange issue today. I have one installation of samba winbind 3.3.2 on an Ubuntu machine. Changing the primary unix group of a user is updated immediately. On a newer samba 3.5.4 installation the primary group is not updated at all. It always displays domain users. Is there a new setting for the smb.conf?

Here is my smb.conf:

    [global]
    netbios name = gedail1
    realm = SOMEDOMAIN.NET
    workgroup = SOMEDOMAIN
    security = ADS
    encrypt passwords = true
    password server = server1.somedomain.net server2.somedomain.net
    os level = 20
    idmap backend = ad
    idmap config SOMEDOMAIN : backend = ad
    idmap config SOMEDOMAIN : schema_mode = sfu
    idmap config SOMEDOMAIN : range = 0-
    winbind nss info = sfu
    winbind enum users = yes
    winbind enum groups = yes
    preferred master = no
    winbind nested groups = Yes
    winbind use default domain = Yes
    max log size = 50
    log level = 10
    log file = /var/log/samba/log.%m
    dns proxy = no
    wins server = 172.20.200.18 172.18.200.20
    allow trusted domains = no
    client use spnego = Yes
    use kerberos keytab = true
    winbind refresh tickets = yes
    idmap cache time = 1
    winbind cache time = 1

It's a W2k3 AD Domain.

Regards,
Oliver
[Samba] Samba-winbind 3.5.4 primary group is always domain users!!!???
Dear All,

I stepped over a strange issue today. I have one installation of samba winbind 3.3.2 on an Ubuntu machine. Changing the primary unix group of a user is updated immediately. On a newer samba 3.5.4 installation the primary group is not updated at all. It always displays domain users. Is there a new setting for the smb.conf?

Here is my smb.conf:

    [global]
    netbios name = gedail1
    realm = SOMEDOMAIN.NET
    workgroup = SOMEDOMAIN
    security = ADS
    encrypt passwords = true
    password server = server1.somedomain.net server2.somedomain.net
    os level = 20
    idmap backend = ad
    idmap config SOMEDOMAIN : backend = ad
    idmap config SOMEDOMAIN : schema_mode = sfu
    idmap config SOMEDOMAIN : range = 0-
    winbind nss info = sfu
    winbind enum users = yes
    winbind enum groups = yes
    preferred master = no
    winbind nested groups = Yes
    winbind use default domain = Yes
    max log size = 50
    log level = 10
    log file = /var/log/samba/log.%m
    dns proxy = no
    wins server = 172.20.200.18 172.18.200.20
    allow trusted domains = no
    client use spnego = Yes
    use kerberos keytab = true
    winbind refresh tickets = yes
    idmap cache time = 1
    winbind cache time = 1

It's a W2k3 AD Domain.

Regards,
Oliver
Re: [Samba] Samba + set POSIX ACL's over Windows
Hi,

thanks for the advice. I don't think QNAP supports NFSv4. But even if we need to be able to set the permissions over windows not on the cmdline. I discovered the following experimental modules for samba that should allow 1:1 mapping of ntfs acl's. But they are not very well documented. I might give it a try.

    vfs objects = acl_xattr
[Samba] Samba + set POSIX ACL's over Windows
Hi,

we recently purchased a NAS (QNAP) with Samba version 3.5.2. In order to assign permissions on subfolders we enabled Posix ACL's. The problem is that we need to allow only a certain group to do this. The ACL entries in our smb.conf are the following:

    acl compatibility = auto
    acl check permissions = Yes
    acl group control = Yes
    acl map full control = Yes
    force unknown acl user = No
    inherit acls = No
    nt acl support = Yes
    profile acls = No
    map acl inherit = Yes

The parameter acl group control should allow us to do this. But we can't change the owner of the subfolder. When we try to set the group as owner we get the following error message:

    Unable to set new owner on New folder. You do not have the Restore privilege required to set this user/group as owner.

I have googled a lot but couldn't find a solution to this. Is there a way to set the group as owner on the Linux cmdline?

Regards,
Oliver

Oliver Weinmann
Unix and Storage Administrator
VEGA Deutschland GmbH
Europaplatz 5
64293 Darmstadt
Germany
Tel : +49 (0)6151 8257-0
Fax : +49 (0)6151 8257-744
Email : oliver.weinm...@vega.de
Web : www.vega.de

Registered office/Sitz: Köln, Register court/Registergericht: Köln, HRB 43180; Managing Directors/Geschäftsführer: Kurosch Balali, Sigmar Keller, John Lewis, Manfred Müller

Notice of Confidentiality
This transmission is intended for the named addressee only. It contains information which may be confidential and which may also be privileged. Unless you are the named addressee (or authorised to receive it for the addressee) you may not copy or use it, or disclose it to anyone else. If you have received this transmission in error please notify the sender immediately.
Re: [Samba] Getent passwd and getent group fail / Samba 3.5.2
I have investigated further and compared the behaviour of samba 3.3 and samba 3.5 on 2 identical SLES9 VM's. Samba 3.3 is working as expected with our Win2k3 SFU Domain and idmap_ad module. Samba 3.5 is not. I noticed that there are a few kerberos params that have changed in 3.5 but I just can't get 3.5 to work as expected:

    sles9test3:~ # testparm
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
    Unknown parameter encountered: use kerberos keytab
    Ignoring unknown parameter use kerberos keytab
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

For example I can run getent passwd and getent group fine under 3.3 but not under 3.5. Also I created a user in AD, tuser2; this user is visible within 1 minute under 3.3, under 3.5 it's not even visible after a reboot. Also group memberships of AD users are not updated under 3.5.2. I'm not sure if this is a bug. I tried a lot of things in smb.conf but it just doesn't work. At the moment I have to consider going back to 3.3. I googled a lot in the past days to find a correct smb.conf for 3.5 and idmap_ad but it's really hard to find a well documented howto. I would really appreciate if someone has a look on this.

Here is my smb.conf:

    [global]
    netbios name = sles9test1
    realm = SOMEDOMAIN.NET
    workgroup = SOMEDOMAIN
    security = ADS
    encrypt passwords = yes
    password server = dc.somedomain.net
    os level = 20
    idmap backend = ad
    idmap config SOMEDOMAIN : backend = ad
    idmap config SOMEDOMAIN : schema_mode = sfu
    idmap config SOMEDOMAIN : range = 0-
    winbind nss info = sfu
    winbind enum users = yes
    winbind enum groups = yes
    preferred master = no
    winbind nested groups = Yes
    winbind use default domain = Yes
    max log size = 50
    log level = 10
    log file = /var/log/samba/log.%m
    dns proxy = no
    wins server = 172.20.200.18 172.18.200.20
    allow trusted domains = no
    client use spnego = Yes
    use kerberos keytab = true
    winbind refresh tickets = yes
    idmap cache time = 1
    winbind cache time = 1
[Samba] Idmap_ad not working correctly under samba 3.5.2
I have investigated further and compared the behaviour of samba 3.3 and samba 3.5 on 2 identical SLES9 VM's. Samba 3.3 is working as expected with our Win2k3 SFU Domain and idmap_ad module. Samba 3.5 is not. I noticed that there are a few kerberos params that have changed in 3.5 but I just can't get 3.5 to work as expected:

    sles9test3:~ # testparm
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
    Unknown parameter encountered: use kerberos keytab
    Ignoring unknown parameter use kerberos keytab
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

For example I can run getent passwd and getent group fine under 3.3 but not under 3.5. Also I created a user in AD, tuser2; this user is visible within 1 minute under 3.3, under 3.5 it's not even visible after a reboot. Also group memberships of AD users are not updated under 3.5.2. I'm not sure if this is a bug. I tried a lot of things in smb.conf but it just doesn't work. At the moment I have to consider going back to 3.3. I googled a lot in the past days to find a correct smb.conf for 3.5 and idmap_ad but it's really hard to find a well documented howto. I would really appreciate if someone has a look on this.

Here is my smb.conf:

    [global]
    netbios name = sles9test1
    realm = SOMEDOMAIN.NET
    workgroup = SOMEDOMAIN
    security = ADS
    encrypt passwords = yes
    password server = dc.somedomain.net
    os level = 20
    idmap backend = ad
    idmap config SOMEDOMAIN : backend = ad
    idmap config SOMEDOMAIN : schema_mode = sfu
    idmap config SOMEDOMAIN : range = 0-
    winbind nss info = sfu
    winbind enum users = yes
    winbind enum groups = yes
    preferred master = no
    winbind nested groups = Yes
    winbind use default domain = Yes
    max log size = 50
    log level = 10
    log file = /var/log/samba/log.%m
    dns proxy = no
    wins server = 172.20.200.18 172.18.200.20
    allow trusted domains = no
    client use spnego = Yes
    use kerberos keytab = true
    winbind refresh tickets = yes
    idmap cache time = 1
    winbind cache time = 1
Re: [Samba] Getent passwd and getent group fail / Samba 3.5.2
I'm really totally lost about this problem. I tried a lot of things in smb.conf but it just doesn't work. I mean it is working fine on 3.3.2 so I don't think this is a problem in AD. It must be something that has changed in the config of 3.5.2.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Oliver Weinmann
Sent: Tuesday, 4 May 2010 10:21
To: samba@lists.samba.org
Subject: [Samba] Getent passwd and getent group fail / Samba 3.5.2

Hi all,

I just stepped over a problem where I can't add a local user to an AD group. Running getent passwd and getent group doesn't display the AD users. Wbinfo -g and -u work fine.

Here is my smb.conf:

    [global]
    netbios name = sles11test1
    realm = SOMEDOMAIN.NET
    workgroup = SOMEDOMAIN
    security = ADS
    encrypt passwords = yes
    password server = someserver.somedomain.net
    idmap backend = ad
    idmap config SOMEDOMAIN : backend = ad
    idmap config SOMEDOMAIN : schema_mode = sfu
    idmap config SOMEDOMAIN : range = 0-
    winbind nss info = sfu
    winbind enum users = yes
    winbind enum groups = yes
    winbind offline logon = yes
    preferred master = no
    winbind nested groups = Yes
    winbind use default domain = Yes
    max log size = 50
    log file = /var/log/samba/log.%m
    log level = 3
    dns proxy = no
    wins server = 172.20.200.18 172.18.200.20
    allow trusted domains = No
    client use spnego = Yes
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = true
    idmap cache time = 1
    idmap negative cache time = 1
    winbind cache time = 1

In the log I get this error when running getent group:

    tail -f /var/log/samba/log.winbindd-idmap
      Could not get unix ID
    [2010/05/04 10:15:29.444783, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
      Could not get unix ID

Getent group and passwd works fine e.g. on an old ubuntu install with samba 3.3.2. So far I have this problem on SLES9 and SLES11.
[Samba] Getent passwd and getent group fail / Samba 3.5.2
Hi all,

I just stepped over a problem where I can't add a local user to an AD group. Running getent passwd and getent group doesn't display the AD users. Wbinfo -g and -u work fine.

Here is my smb.conf:

    [global]
    netbios name = sles11test1
    realm = SOMEDOMAIN.NET
    workgroup = SOMEDOMAIN
    security = ADS
    encrypt passwords = yes
    password server = someserver.somedomain.net
    idmap backend = ad
    idmap config SOMEDOMAIN : backend = ad
    idmap config SOMEDOMAIN : schema_mode = sfu
    idmap config SOMEDOMAIN : range = 0-
    winbind nss info = sfu
    winbind enum users = yes
    winbind enum groups = yes
    winbind offline logon = yes
    preferred master = no
    winbind nested groups = Yes
    winbind use default domain = Yes
    max log size = 50
    log file = /var/log/samba/log.%m
    log level = 3
    dns proxy = no
    wins server = 172.20.200.18 172.18.200.20
    allow trusted domains = No
    client use spnego = Yes
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = true
    idmap cache time = 1
    idmap negative cache time = 1
    winbind cache time = 1

In the log I get this error when running getent group:

    tail -f /var/log/samba/log.winbindd-idmap
      Could not get unix ID
    [2010/05/04 10:15:29.444783, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
      Could not get unix ID

Getent group and passwd works fine e.g. on an old ubuntu install with samba 3.3.2. So far I have this problem on SLES9 and SLES11.

Oliver Weinmann
Unix and Storage Administrator
VEGA Deutschland GmbH Co. KG
Europaplatz 5
64293 Darmstadt
Germany
Tel : +49 (0)6151 8257-0
Fax : +49 (0)6151 8257-799
Email : oliver.weinm...@vega.de
Web : www.vega.de

Registered office/Sitz: Köln, Register court/Registergericht: Köln, HRA 19223; Fully Liable Partner/Persönlich haftende Gesellschafterin: VEGA Deutschland Management GmbH, Registered office/Sitz: Köln, Register court/Registergericht: Köln, HRB 43189; Managing Directors/Geschäftsführer: Kurosch Balali, Sigmar Keller, John Lewis, Manfred Müller
Re: [Samba] Winbind 3.5.2 caching issues under SLES11???
Deleting the tdb files didn't solve the problem. It's really weird. For example, I have an AD user that is a member of three groups: Domain users (primary) and two other project groups. I removed him from the two project groups. The change is immediately effective under SLES9 3.5.2 Winbind, but on the SLES11 system, even after a reboot, the change is still not effective. I wonder where the hell this is being cached? Because if the winbind daemon would query Active Directory it should no longer list this user as a member of the two project groups. The behaviour is the same throughout all of our SLES11 machines.
Re: [Samba] Winbind 3.5.2 caching issues under SLES11???
netsamlogon_cache.tdb is probably the culprit. Once you log in using pam or for example wbinfo -a the problem should be gone. Volker

Ok, I have now deleted the netsamlogon_cache.tdb, restarted the samba service and logged in as the user. The groups are now no longer shown. I tried the same steps again with a different user and the problem is the same again. This time it was sufficient to restart the samba service. I wonder why on the SLES9 system the change is immediately effective but on the SLES11 box I need to restart the winbind service? The configs are exactly the same on both machines. Anyway thanks for pointing this out Volker.
Re: [Samba] Winbind 3.5.2 caching issues under SLES11???
Ok, there is no bug. I looked through the smb.conf and added the following parameters:

idmap cache time = 1
idmap negative cache time = 1
winbind cache time = 1

Now SLES11 acts as expected. Also I noticed that running a su - username is not the same as wbinfo -a. :) Thanks and Regards, Oliver
[Samba] Winbind 3.5.2 caching issues under SLES11???
Hi, I don't know if this is a problem of SLES11 or winbind itself. I recently installed the latest samba winbind 3.5.2 on a SLES9 box and a SLES11 box. If I remove a user from a group in Active Directory the change is visible immediately on the SLES9 box but not on the SLES11 box. Both are running exactly the same version of winbind:

gedaiv64:~ # cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 0
gedaiv64:~ # smbd -V
Version 3.5.2

gedaiv67:~ # cat /etc/SuSE-release
SUSE LINUX Enterprise Server 9 (i586)
VERSION = 9
PATCHLEVEL = 4
gedaiv67:~ # smbd -V
Version 3.5.2

Smb.conf is identical:

[global]
netbios name = gedaiv67
realm = SOMEDOMAIN.NET
workgroup = SOMEDOMAIN
security = ADS
encrypt passwords = yes
idmap backend = ad
idmap config VEGA : backend = ad
idmap config VEGA : schema_mode = sfu
idmap config VEGA : range = 0-
winbind nss info = sfu
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
preferred master = no
winbind nested groups = Yes
winbind use default domain = Yes
max log size = 50
log file = /var/log/samba/log.%m
log level = 3
dns proxy = no
wins server = 172.20.200.18 172.18.200.20
allow trusted domains = No
client use spnego = Yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = true
idmap cache time = 300

Even after 10 minutes and more the change doesn't become effective on the SLES11 box. NSCD is of course turned off on both machines. Regards, Oliver
[Samba] Kerberos method not working like use kerberos keytab?
Hi, I have a couple of old samba 3.0.30 installations. I enabled the use kerberos keytab option in the smb.conf file to acquire a tgt automatically when a user logs in. This works fine on 3.0.30 installs. On newer samba versions I recognized that the option has been phased out and replaced by a newer option called kerberos method. The man page is not really clear about what to choose here, so I googled and found the following:

For existing installs:
use kerberos keytab = yes corresponds to secrets and keytab
use kerberos keytab = no corresponds to secrets only
http://www.mail-archive.com/samba-...@lists.samba.org/msg55272.html

Setting kerberos method = secrets and keytab doesn't work for some reason. I have not changed the /etc/security/pam_winbind.conf:

[global]
# turn on debugging
;debug = no
# request a cached login if possible
# (needs winbind offline logon = yes in smb.conf)
cached_login = yes
# authenticate using kerberos
krb5_auth = yes
# when using kerberos, request a FILE krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
krb5_ccache_type = FILE
# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =

There is TGT acquired when a user logs in. Am I missing something in my configuration? This is really a cool feature for using NFSv4.
Re: [Samba] Kerberos method not working like use kerberos keytab?
Ok, problem solved. The TGT is only acquired when directly logging in as a user. Running su - as root doesn't acquire the ticket. Which is cool.
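The two threads above turn on a handful of smb.conf settings: the winbind and idmap cache lifetimes, and the kerberos method replacement for use kerberos keytab. The following Python audit is an added example, not code from the posters or from the Samba project; the function names, the 60-second threshold and the sample configs (abridged from the posts) are assumptions, and the defaults are those given in the smb.conf(5) man page of the 3.x series.

```python
import re

# Defaults per the smb.conf(5) man page of the Samba 3.x series (assumption:
# they are not stated in the thread, check the man page of the installed release).
DEFAULT_CACHE_SECONDS = {
    "winbind cache time": 300,
    "idmap cache time": 604800,
    "idmap negative cache time": 120,
}
# Migration mapping quoted in the kerberos thread above.
KERBEROS_METHOD_FOR = {True: "secrets and keytab", False: "secrets only"}
TRUE_WORDS = {"yes", "true", "on", "1"}
FALSE_WORDS = {"no", "false", "off", "0"}


def _norm(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name.lower())


def parse_global(text):
    """Return {normalised parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()  # last occurrence wins
    return params


def audit(text, max_stale_seconds=60):
    """Return a list of (code, parameter, message) findings."""
    params, findings = parse_global(text), []
    for name, default in DEFAULT_CACHE_SECONDS.items():
        raw = params.get(_norm(name))
        try:
            seconds = default if raw is None else int(raw)
        except ValueError:
            findings.append(("invalid", name, f"{name} = {raw!r} is not a number"))
            continue
        if seconds > max_stale_seconds:
            source = "default" if raw is None else "explicit"
            findings.append(("stale-cache", name,
                             f"{name} = {seconds}s ({source}): winbindd may "
                             f"answer from cache for that long after an AD change"))
    old = params.get(_norm("use kerberos keytab"))
    if old is not None:
        flag = old.lower()
        if flag not in TRUE_WORDS | FALSE_WORDS:
            findings.append(("invalid", "use kerberos keytab", f"not a boolean: {old!r}"))
            return findings
        wanted = KERBEROS_METHOD_FOR[flag in TRUE_WORDS]
        new = params.get(_norm("kerberos method"))
        if new is None:
            findings.append(("deprecated-keytab", "use kerberos keytab",
                             f"replace with: kerberos method = {wanted}"))
        elif " ".join(new.lower().split()) != wanted:
            findings.append(("keytab-conflict", "kerberos method",
                             f"set to {new!r} but the old option implies {wanted!r}"))
        else:
            findings.append(("deprecated-keytab", "use kerberos keytab",
                             "remove it; kerberos method is already set"))
    return findings


# Constructed samples, abridged from the configs posted in the threads.
SLES11_BEFORE = """[global]
security = ADS
winbind offline logon = yes
kerberos method = secrets and keytab
idmap cache time = 300
"""
SLES11_AFTER = SLES11_BEFORE.replace("idmap cache time = 300", """idmap cache time = 1
idmap negative cache time = 1
winbind cache time = 1""")
LEGACY_3_0_30 = """[global]
use kerberos keytab = true
winbind refresh tickets = yes
idmap cache time = 1
idmap negative cache time = 1
winbind cache time = 1
"""

if __name__ == "__main__":
    for label, conf in (("before", SLES11_BEFORE), ("after", SLES11_AFTER),
                        ("legacy", LEGACY_3_0_30)):
        for code, param, message in audit(conf):
            print(f"{label}: [{code}] {message}")
```

Cache lifetimes as low as 1 second make AD changes visible quickly at the cost of more lookups against the domain controllers.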
Re: [Samba] URGENT HELP NEEDED!!! PLEASE!!
No ideas, anyone??? -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Oliver Weinmann Sent: 02 October 2009 14:48 To: samba@lists.samba.org Subject: [Samba] URGENT HELP NEEDED!!! PLEASE!!
[Samba] URGENT HELP NEEDED!!! PLEASE!!
Hi, I have a big big problem. I compiled Samba 3.2.6 for Solaris 8 and 10. Environment is Windows 2003 SFU. So far it looked like everything works as expected. Under Solaris 8 I get all groups of a user. Under Solaris 10 I can only see the primary group set under the Unix Attributes Tab in W2k3. I have compiled with the following settings:

./configure --with-ads --with-krb5=/opt/VEGA --with-openldap=/opt/VEGA --with-pam --with-winbind --with-shared-modules=idmap_ad --prefix=/opt/VEGA --with-swatdir=/opt/VEGA/share/samba/swat --with-configdir=/opt/VEGA/etc/samba --with-privatedir=/opt/VEGA/etc/samba/private

I'm using the following smb.conf under Solaris 8 and 10. It's 100% identical. But under Solaris 10 I can only see the primary group of a user.

[global]
netbios name = pegasus
realm = SOMEREALM
workgroup = SOMEWORKGROUP
security = ADS
encrypt passwords = yes
password server = ad1 ad2
os level = 20
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap backend = ad
idmap config SOMEREALM:schema_mode = sfu
winbind nss info = sfu
allow trusted domains = no
winbind enum users = no
winbind enum groups = no
preferred master = no
winbind nested groups = Yes
winbind use default domain = Yes
max log size = 50
log file = /var/log/samba/log.%m
dns proxy = no
allow trusted domains = No
client use spnego = Yes
use kerberos keytab = true
winbind refresh tickets = yes
[Samba] Samba 3.4 is unable to list users with getent and id (idmap_ad backend)
Dear All, I'm using Samba Version 3.2.6 under Solaris 8 with the following config:

netbios name = pegasus
realm = REALM.NET
workgroup = REALM
security = ADS
encrypt passwords = yes
password server = *
os level = 20
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap backend = ad
idmap config REALM:schema_mode = sfu
winbind nss info = sfu
allow trusted domains = no
winbind enum users = no
winbind enum groups = no
preferred master = no
winbind nested groups = Yes
winbind use default domain = Yes
max log size = 50
log file = /var/log/samba/log.%m
dns proxy = no
wins server = 172.20.200.18 172.18.200.20
allow trusted domains = No
client use spnego = Yes
use kerberos keytab = true
winbind refresh tickets = yes

This is working fine. Recently I compiled Samba 3.4 for Solaris 10 and I just can't get it to work with the idmap backend ad. wbinfo -u and wbinfo -g show all my AD users but id username and getent passwd username show nothing. The logs don't show anything suspicious except this error:

lib/C.msg: No such file or directory

I checked on the Solaris 8 box and this file doesn't exist either. So I suspect it not to be the cause of the problem. I noticed that the smb.conf needed some adjustment in samba 3.3.2. I got this working using:

idmap config REALM : backend = ad
idmap config REALM : schema_mode = sfu
idmap config REALM : range = 0-

instead of

idmap backend = ad

But with 3.4 I had no luck. This is what my current config on Samba 3.4 looks like:

[global]
netbios name = Phobos
realm = REALM.NET
workgroup = REALM
security = ADS
encrypt passwords = yes
password server = *
os level = 20
#idmap backend = ad
idmap config REALM : backend = ad
idmap config REALM:schema_mode = sfu
idmap config REALM : range = 0-
winbind nss info = sfu
winbind enum users = yes
winbind enum groups = yes
preferred master = no
winbind nested groups = Yes
winbind use default domain = Yes
max log size = 50
log file = /var/log/samba/log.%m
log level = 10
dns proxy = no
wins server = 172.20.200.18 172.18.200.20
allow trusted domains = no
client use spnego = Yes
#use kerberos keytab = true
winbind refresh tickets = yes

Any help would be appreciated. If I can't get it working I might need to get back to using an older version like 3.2.6. Regards, Oliver
[Samba] Samba winbind under Solaris 8 and Bash shell
Dear All, for several weeks and with several attempts using different versions and compilers etc. I'm trying to get Samba winbind running on a Solaris 8 workstation. I compiled Samba winbind with Sun studio 11 compiler and I really don't believe it has something to do with the compilation process. The problem I'm facing is that I can join our Win2k3 domain fine. I can lookup all the users and groups. That all is working fine and also at an acceptable speed. It improved a lot when I changed the log level from 10 to 3. I switched it to 10 to debug the problem. For testing I only configured the other section in /etc/pam.conf. I added:

other sufficient pam_winbind.so.1

to the top of the auth and account sections. I can login with an AD user account. But whenever I switch to the bash shell I can't run any commands. Running a command results in the command being put into background immediately. This only occurs when I'm running the bash shell. Any other shell works just fine. But even here I get disconnected after a few minutes. I checked all the logs and this is all I get:

Jul 9 07:22:34 suse8 nmbd[447]: [ID 702911 daemon.error] [2008/07/09 07:22:34, 0] nmbd/nmbd.c:(742)
Jul 9 07:22:34 suse8 nmbd[447]: [ID 702911 daemon.error] standard input is not a socket, assuming -D option
Jul 9 07:22:35 suse8 smbd[449]: [ID 702911 daemon.error] [2008/07/09 07:22:35, 0] smbd/server.c:(986)
Jul 9 07:22:35 suse8 smbd[449]: [ID 702911 daemon.error] standard input is not a socket, assuming -D option
Jul 9 07:22:36 suse8 winbindd[455]: [ID 702911 daemon.error] [2008/07/09 07:22:36, 0] nsswitch/winbindd_cache.c:(2229)
Jul 9 07:22:36 suse8 winbindd[455]: [ID 702911 daemon.error] initialize_winbindd_cache: clearing cache and re-creating with version number 1
Jul 9 07:22:45 suse8 smbd[452]: [ID 702911 daemon.error] [2008/07/09 07:22:45, 0] auth/auth_util.c:(792)
Jul 9 07:22:45 suse8 smbd[452]: [ID 702911 daemon.error] create_builtin_administrators: Failed to create Administrators
Jul 9 07:22:45 suse8 smbd[452]: [ID 702911 daemon.error] [2008/07/09 07:22:45, 0] auth/auth_util.c:(758)
Jul 9 07:22:45 suse8 smbd[452]: [ID 702911 daemon.error] create_builtin_users: Failed to create Users
Jul 9 07:22:54 suse8 ntpdate[180]: [ID 398266 daemon.notice] waiting 300 seconds before trying again
Jul 9 07:23:11 suse8 sshd[466]: [ID 129890 auth.error] pam_winbind(sshd): request failed: No such user, PAM error was No account present for user (13), NT error was NT_STATUS_NO_SUCH_USER

Strange is that the NT_STATUS_NO_SUCH_USER appears after I successfully logged in via ssh and logged out. The Pam module is in place:

ls -alrt /usr/lib/security/pam_winbind*
-rw-r--r-- 1 root other 102364 Jul 8 14:53 /usr/lib/security/pam_winbind.so.1

and also the nss module:

bash-2.03# ls -alrt /usr/lib/nss_*
-rwxr-xr-x 1 root bin 14564 Jan 5 2000 /usr/lib/nss_xfn.so.1
-rwxr-xr-x 1 root bin 13476 Jun 13 2005 /usr/lib/nss_user.so.1
-rwxr-xr-x 1 root bin 26296 Oct 20 2005 /usr/lib/nss_compat.so.1
-rwxr-xr-x 1 root bin 54900 May 13 17:20 /usr/lib/nss_nisplus.so.1
-rwxr-xr-x 1 root bin 46180 May 13 17:20 /usr/lib/nss_nis.so.1
-rwxr-xr-x 1 root bin 89644 May 13 17:20 /usr/lib/nss_ldap.so.1
-rwxr-xr-x 1 root bin 44836 May 13 17:20 /usr/lib/nss_files.so.1
-rwxr-xr-x 1 root bin 24540 Jun 10 16:35 /usr/lib/nss_dns.so.1
-rw-r--r-- 1 root other 74372 Jul 8 14:19 /usr/lib/nss_winbind.so.1
-rw-r--r-- 1 root other 1842164 Jul 8 14:20 /usr/lib/nss_wins.so.1

I haven't changed any permissions on the files that were installed by the make install script. Maybe there is something wrong? Or am I missing an important patch?

bash-2.03# uname -a
SunOS suse8 5.8 Generic_117350-55 sun4u sparc SUNW,Ultra-5_10

my smb.conf:

[global]
netbios name = suse8
realm = VEGAGROUP.NET
workgroup = VEGA
security = ADS
encrypt passwords = yes
password server = gedacv7 gedacv8
os level = 8
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap backend = ad
idmap config VEGA:schema_mode = sfu
winbind nss info = sfu
allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
preferred master = no
#winbind nested groups = Yes
winbind use default domain = Yes
log level = 3
max log size = 50
log file = /var/log/samba/log.%m
dns proxy = no
wins server = 172.20.205.7 172.20.205.8
client use spnego = Yes
#use kerberos keytab = true
#winbind offline logon = no

First I thought this problem could be related to the idmap_rid module that I'm using. But even switching to idmap_ad didn't solve it. I'm really lost and don't know what else I could do to analyze the problem. Any help would be much
[Samba] still unable to compile samba-3.2.0 under solaris 8
Hi, I'm still unable to compile samba 3.2.0 under Solaris 8. After removing the bin/libtalloc.so.1 and bin/libtdb.so.1 I get another error:

./librpc/gen_ndr/srvsvc.h, line 242: warning: enumerator value overflows INT_MAX (2147483647)
./librpc/gen_ndr/wkssvc.h, line 10: warning: useless declaration
./librpc/gen_ndr/samr.h, line 633: warning: useless declaration
./librpc/gen_ndr/nbt.h, line 496: warning: useless declaration
./librpc/gen_ndr/netlogon.h, line 204: warning: useless declaration
./librpc/gen_ndr/netlogon.h, line 206: warning: useless declaration
./librpc/gen_ndr/libnet_join.h, line 10: warning: useless declaration
lib/ldb/modules/asq.c, line 425: warning: statement not reached
Linking non-shared library bin/libsmbclient.a
Linking shared library bin/libsmbclient.so
Text relocation remains referenced
against symbol offset in file
unknown 0x0 lib/ldb/common/ldb_modules.o
ld: fatal: relocations remain against allocatable but non-writable sections
*** Error code 1
make: Fatal error: Command failed for target `bin/libsmbclient.so'

It seems that something with the sources is wrong? I'm able to compile the 3.0.30 version fine on the same build machine using the same environment settings. Regards, Oli
[Samba] Samba 3.2.0 doesn't compile under Solaris8
Dear All, Yesterday I downloaded the latest Samba release 3.2.0 and tried to compile it against blastwave.org packages, as I always do. But it fails with error:

/usr/include/sys/termios.h, line 38: warning: macro redefined: CTRL
./librpc/gen_ndr/srvsvc.h, line 232: warning: enumerator value overflows INT_MAX (2147483647)
./librpc/gen_ndr/srvsvc.h, line 235: warning: enumerator value overflows INT_MAX (2147483647)
./librpc/gen_ndr/srvsvc.h, line 238: warning: enumerator value overflows INT_MAX (2147483647)
./librpc/gen_ndr/srvsvc.h, line 242: warning: enumerator value overflows INT_MAX (2147483647)
./librpc/gen_ndr/wkssvc.h, line 10: warning: useless declaration
./librpc/gen_ndr/samr.h, line 633: warning: useless declaration
./librpc/gen_ndr/nbt.h, line 496: warning: useless declaration
./librpc/gen_ndr/netlogon.h, line 204: warning: useless declaration
./librpc/gen_ndr/netlogon.h, line 206: warning: useless declaration
./librpc/gen_ndr/libnet_join.h, line 10: warning: useless declaration
Linking non-shared library bin/libtalloc.a
Compiling lib/replace/replace.c
Compiling lib/replace/snprintf.c
Compiling lib/replace/getpass.c
Compiling lib/replace/strptime.c
Compiling lib/replace/timegm.c
Compiling lib/replace/inet_aton.c
/usr/include/netdb.h, line 412: warning: macro redefined: MAXHOSTNAMELEN
Compiling lib/replace/getifaddrs.c
/usr/include/netdb.h, line 412: warning: macro redefined: MAXHOSTNAMELEN
creating /opt/SOURCES/samba-3.2.0/source/exports/libtalloc.syms
Linking shared library bin/libtalloc.so
ln: cannot create bin/libtalloc.so.1: File exists
*** Error code 2
make: Fatal error: Command failed for target `bin/libtalloc.so'
Build failed! Exiting

On the same build machine I'm able to compile Samba 3.0.30 without any problems at all. Some information about my workstation:

bash-2.03# uname -a
SunOS ares 5.8 Generic_117350-02 sun4u sparc SUNW,Sun-Fire-480R

I'm using Sun Studio 11 Compiler:

bash-2.03# /opt/studio11/SUNWspro/bin/cc -V
cc: Sun C 5.8 2005/10/13
usage: cc [ options] files. Use 'cc -flags' for details

my environment variables:

bash-2.03# echo $CPPFLAGS
-I/opt/csw/include
bash-2.03# echo $LD_OPTIONS
-R/opt/csw/lib/$ISALIST -R/opt/csw/lib -L/opt/csw/lib

and my configure options:

./configure --with-ads --with-krb5=/opt/csw --with-pam --with-winbind --with-shared-modules=idmap_ad --prefix=/opt/csw --with-swatdir=/opt/csw/share/samba/swat --with-configdir=/opt/csw/etc/samba --with-privatedir=/opt/csw/etc/samba/private

I also tried using gcc from blastwave.org but it fails at the same stage. Any ideas? I couldn't find anything related on google as 3.2.0 is quite new I guess.
Re: [Samba] Strange behaviour of winbind on solaris 8
I will try to get hands on the latest patches for solaris 8 and see if that fixes the nscd problems. I can't believe that samba-winbind is not running 100% well on a Solaris 8 machine.

On 4/28/08, Oliver Weinmann [EMAIL PROTECTED] wrote:
Just for fun I changed the perms of /usr/lib/libnss_winbind.so to 777

bash-2.03# chmod 777 /usr/lib/libnss_winbind.so
bash-2.03# ls -alrt /usr/lib/libnss_winbind.so
-rwxrwxrwx 1 root other 74744 Apr 28 13:32 /usr/lib/libnss_winbind.so

nscd is turned off. I can login as an AD user but I can't start any command. :(

login as: oweinmann
Using keyboard-interactive authentication.
Password:
Last login: Mon Apr 28 15:17:11 2008 from vb8860.vegagrou
bash-2.03$ ls -alrt
[1]+ Stopped ls -alrt
bash-2.03$ id
[2]+ Stopped id
bash-2.03$ group
[3]+ Stopped group
bash-2.03$ echo TEST
TEST
bash-2.03$

Some commands are working and some others are put in background and the session closes after one or two minutes? When I turn on nscd everything is fine, except ls -alrt not working.

On 4/28/08, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:
Oliver Weinmann wrote:
| forgot to mention that the nss_winbind links are there:
|
| bash-2.03# ls -alrt /usr/lib/nss_w*
| lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
| lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so.1
| lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so -> /usr/lib/libnss_winbind.so.1

Check the perms on /usr/lib/libnss_winbind.so.1. Sounds like it might be rwx for root only. cheers, jerry

Samba --- http://www.samba.org Likewise Software - http://www.likewisesoftware.com What man is a man who does not make the world better?
--Balian
Re: [Samba] SAMBA with NetApp filer
Hi, I just set up a NETAPP Filer and a few Unix/linux workstations myself with samba-winbind. I came across a lot of problems but I found out it's best to not use CIFS under Linux as it doesn't work 100%. Instead you should try to use NFS if you have a license for your netapp filer. We use mixed qtree styles to ensure that both windows and unix can change the permissions on a file. Regards, Oli

On 4/28/08, udomsak chundang [EMAIL PROTECTED] wrote:
I'm newbies in SAMBA and NetApp filer. I use Filer with OpenLDAP as an authentication and authorization server, but look like NetApp doesn't work properly (can't authentication). NetApp engineer suggest me that NetApp work properly with pure ActiveDirectory Environment, not SAMBA + OpenLDAP backend like me have. So I solve this problem by make Samba as native PDC and use OpenLDAP as database backend. So authentication are complete but next problem is home directory are not automatic create. Then I try to solve this by mount NetApp CIFS share as '\homedir' and use mount.cifs to mount as local dir but not work too. Even if I can mount CIFS on Filer but owner and permission after mount not work properly: every file that I create on Filer are permission 777 and owner is who mount file system. But in correct way I want 'owner is who pass authentication and access only by owner'. So if I authenticate through Filer permission is ok (but must change permission by hand).

1. It's possible that I use remote storage (Filer) as Samba local file?
2. If it can, how do I?

Everything on above is ok and correct if I use samba on local filesystem.

mount.cifs 192.168.1.2\\homedir /var/samba/cifs2 -o username=smb-perm,gid=513(domain users )
Re: [Samba] Strange behaviour of winbind on solaris 8
su to user oweinmann works but when I issue the ldd -r /usr/lib/nss_winbind.so command it gets put in the background.. :( I then do fg 2 and this is the output:

bash-2.03$ ldd -r /usr/lib/nss_winbind.so
[2]+ Stopped ldd -r /usr/lib/nss_winbind.so
bash-2.03$ fg 2
ldd -r /usr/lib/nss_winbind.so
libthread.so.1 => /usr/lib/libthread.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libc.so.1 => /usr/lib/libc.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
bash-2.03$ ls -alrt /etc/nsswitch.conf
[2]+ Stopped ls -alrt /etc/nsswitch.conf
bash-2.03$ fg 2
ls -alrt /etc/nsswitch.conf
-rw-r--r-- 1 root sys 1320 Apr 28 13:19 /etc/nsswitch.conf

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:
Please try to login (or su) to the user oweinmann and issue then ldd -r /usr/lib/nss_winbind.so For some reason I think that non root users are not able to read one of the involved files. This could be /etc/nsswitch.conf /usr/lib/nss_winbind.so or some of the files found by the ldd -r command. The fact that you can issue commands while nscd is running points to this fact because nscd is running as root and has permissions to read all of those files. /etc/nsswitch.conf should be readable by everyone. I compiled samba myself with a full stack of openssl, iconv, heimdal kerberos, cyrus-sasl, openldap and samba. While people often speak of the Windows DLL hell this is the Solaris shared library hell :-( But it works.

Oliver Weinmann wrote:
Hi,

bash-2.03# ldd -r /usr/lib/nss_winbind.so
libthread.so.1 => /usr/lib/libthread.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libc.so.1 => /usr/lib/libc.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1

I changed the permissions and files exactly to be the same but I still can't issue commands... :(

bash-2.03# ls -alrt /usr/lib/nss_winbind.so*
-rwxr-xr-x 1 root other 74744 Apr 29 09:03 /usr/lib/nss_winbind.so.1
lrwxrwxrwx 1 root other 25 Apr 29 09:04 /usr/lib/nss_winbind.so -> /usr/lib/nss_winbind.so.1

Could this also be a problem of a compiling? Have you compiled the samba yourself or are you using prebuilt packages?

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:
which output gives ldd -r /usr/lib/nss_winbind.so ? I have the following naming and permission for nss_winbind:

lrwxrwxrwx 1 root other 16 Jan 15 2004 nss_winbind.so -> nss_winbind.so.1
-rwxr-xr-x 1 root other 44540 Apr 28 17:35 nss_winbind.so.1

Please try with the exactly same naming and permissions of your files.

Oliver Weinmann wrote:
I will try to get hands on the latest patches for solaris 8 and see if that fixes the nscd problems. I can't believe that samba-winbind is not running 100% well on a Solaris 8 machine.

On 4/28/08, Oliver Weinmann [EMAIL PROTECTED] wrote:
Just for fun I changed the perms of /usr/lib/libnss_winbind.so to 777

bash-2.03# chmod 777 /usr/lib/libnss_winbind.so
bash-2.03# ls -alrt /usr/lib/libnss_winbind.so
-rwxrwxrwx 1 root other 74744 Apr 28 13:32 /usr/lib/libnss_winbind.so

nscd is turned off. I can login as an AD user but I can't start any command. :(

login as: oweinmann
Using keyboard-interactive authentication.
Password:
Last login: Mon Apr 28 15:17:11 2008 from vb8860.vegagrou
bash-2.03$ ls -alrt
[1]+ Stopped ls -alrt
bash-2.03$ id
[2]+ Stopped id
bash-2.03$ group
[3]+ Stopped group
bash-2.03$ echo TEST
TEST
bash-2.03$

Some commands are working and some others are put in background and the session closes after one or two minutes? When I turn on nscd everything is fine, except ls -alrt not working.
Re: [Samba] Strange behaviour of winbind on solaris 8
Hi, no, there was nothing in /var/adm/messages, but guess what, with the csh, ls -alrt and such commands work fine... But I get kicked out of the ssh session after 2 minutes... :(

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

Are there any messages in /var/adm/messages which are related to nss? As I can see you are using bash as your shell. Try using csh. Does something change?

Oliver Weinmann wrote:

su to user oweinmann works but when I issue the ldd -r /usr/lib/nss_winbind.so command it gets put in the background.. :( I then do fg 2 and this is the output:

bash-2.03$ ldd -r /usr/lib/nss_winbind.so
[2]+ Stopped ldd -r /usr/lib/nss_winbind.so
bash-2.03$ fg 2
ldd -r /usr/lib/nss_winbind.so
libthread.so.1 => /usr/lib/libthread.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libc.so.1 => /usr/lib/libc.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
bash-2.03$ ls -alrt /etc/nsswitch.conf
[2]+ Stopped ls -alrt /etc/nsswitch.conf
bash-2.03$ fg 2
ls -alrt /etc/nsswitch.conf
-rw-r--r-- 1 root sys 1320 Apr 28 13:19 /etc/nsswitch.conf

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

Please try to login (or su) to the user oweinmann and then issue ldd -r /usr/lib/nss_winbind.so

For some reason I think that non-root users are not able to read one of the involved files. This could be /etc/nsswitch.conf, /usr/lib/nss_winbind.so or some of the files found by the ldd -r command. The fact that you can issue commands while nscd is running points to this fact because nscd is running as root and has permissions to read all of those files. /etc/nsswitch.conf should be readable by everyone.

I compiled samba myself with a full stack of openssl, iconv, heimdal kerberos, cyrus-sasl, openldap and samba. While people often speak of the Windows DLL hell this is the Solaris shared library hell :-( But it works.
Oliver Weinmann schrieb: Hi, bash-2.03# ldd -r /usr/lib/nss_winbind.so libthread.so.1 =/usr/lib/libthread.so.1 libsocket.so.1 =/usr/lib/libsocket.so.1 libdl.so.1 =/usr/lib/libdl.so.1 libc.so.1 = /usr/lib/libc.so.1 libnsl.so.1 = /usr/lib/libnsl.so.1 libmp.so.2 =/usr/lib/libmp.so.2 /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1 I changed the permissions and files exactly to be the same but i still cant issue commands... :( bash-2.03# ls -alrt /usr/lib/nss_winbind.so* -rwxr-xr-x 1 root other 74744 Apr 29 09:03 /usr/lib/nss_winbind.so.1 lrwxrwxrwx 1 root other 25 Apr 29 09:04 /usr/lib/nss_winbind.so - /usr/lib/nss_winbind.so.1 Could this also be a problem of a compiling? Have you compiled the samba yourself or are you using prebuilt packages? On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote: which output gives ldd -r /usr/lib/nss_winbind.so ? I have the following naming and permission for nss_winbind: lrwxrwxrwx 1 root other 16 Jan 15 2004 nss_winbind.so - nss_winbind.so.1 -rwxr-xr-x 1 root other 44540 Apr 28 17:35 nss_winbind.so.1 Please try with the exactly same naming and permissions of your files. Oliver Weinmann schrieb: I will try to get hands on the latest patches for solaris 8 and see if that fixes the nscd problems. I can't believe that samba-winbind is not running 100% well on a Solaris 8 machine. On 4/28/08, Oliver Weinmann [EMAIL PROTECTED] wrote: Just for fun i changed the perms of /usr/lib/libnss_winbind.so to 777 bash-2.03# chmod 777 /usr/lib/libnss_winbind.so bash-2.03# ls -alrt /usr/lib/libnss_winbind.so -rwxrwxrwx 1 root other 74744 Apr 28 13:32 /usr/lib/libnss_winbind.so nscd is turned off. I can login as an AD users but I cant start any command. :( login as: oweinmann Using keyboard-interactive authentication. 
Password: Last login: Mon Apr 28 15:17:11 2008 from vb8860.vegagrou bash-2.03$ ls -alrt [1]+ Stopped ls -alrt bash-2.03$ id [2]+ Stopped id bash-2.03$ group [3]+ Stopped group bash-2.03$ echo TEST TEST bash-2.03$ Some commands are working and some others are put in background and the session closes after one or two minutes? When I turn on nscd everything is fine, except ls -alrt not working. On 4/28/08, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Oliver
Re: [Samba] Strange behaviour of winbind on solaris 8
There is nothing in /etc/profile and the user oweinmann has no .bashrc. The problem seems to be related to nscd. When nscd is turned on I can login and issue commands and I don't get kicked out of the ssh login. There is no idle session timeout set. If there was I would get kicked out when nscd is turned on as well. Only when logged in as an AD user I get kicked out...

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

So there must be something in your bash init files, /etc/profile or ~/.bashrc (sorry I'm not a bash user) which causes the problem. Maybe something which forms the shell prompt like whoami etc. Maybe there is something like an autologout set for the csh or in sshd with idle session timeout.

Oliver Weinmann wrote:

Hi, no, there was nothing in /var/adm/messages, but guess what, with the csh, ls -alrt and such commands work fine... But I get kicked out of the ssh session after 2 minutes... :(

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

Are there any messages in /var/adm/messages which are related to nss? As I can see you are using bash as your shell. Try using csh. Does something change?

Oliver Weinmann wrote:

su to user oweinmann works but when I issue the ldd -r /usr/lib/nss_winbind.so command it gets put in the background..
:( i then do fg 2 and this is the output: bash-2.03$ ldd -r /usr/lib/nss_winbind.so [2]+ Stopped ldd -r /usr/lib/nss_winbind.so bash-2.03$ fg 2 ldd -r /usr/lib/nss_winbind.so libthread.so.1 =/usr/lib/libthread.so.1 libsocket.so.1 =/usr/lib/libsocket.so.1 libdl.so.1 =/usr/lib/libdl.so.1 libc.so.1 = /usr/lib/libc.so.1 libnsl.so.1 = /usr/lib/libnsl.so.1 libmp.so.2 =/usr/lib/libmp.so.2 /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1 bash-2.03$ ls -alrt /etc/nsswitch.conf [2]+ Stopped ls -alrt /etc/nsswitch.conf bash-2.03$ fg 2 ls -alrt /etc/nsswitch.conf -rw-r--r-- 1 root sys 1320 Apr 28 13:19 /etc/nsswitch.conf On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote: Please try to login (or su) to the user oweinmann and issue then ldd -r /usr/lib/nss_winbind.so For some reason I think that non root users are not able to read one of the involved files. This could be /etc/nsswitch.conf /usr/lib/nss_winbind.so or some of the files found by the ldd -r command. The fact that you can issue commands while nscd is running points to this fact becaus nscd is running as root and has permissions to read all of those files. /etc/nsswitch.conf should be readable by everyone. I compiled samba myself with a full stack of openssl, iconv, heimdal kerberos, cyrus-sasl, openldap and samba. While people often speak of the Windows DLL hell this is the Solaris shared library hell :-( But it works. Oliver Weinmann schrieb: Hi, bash-2.03# ldd -r /usr/lib/nss_winbind.so libthread.so.1 =/usr/lib/libthread.so.1 libsocket.so.1 =/usr/lib/libsocket.so.1 libdl.so.1 =/usr/lib/libdl.so.1 libc.so.1 = /usr/lib/libc.so.1 libnsl.so.1 = /usr/lib/libnsl.so.1 libmp.so.2 =/usr/lib/libmp.so.2 /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1 I changed the permissions and files exactly to be the same but i still cant issue commands... 
:( bash-2.03# ls -alrt /usr/lib/nss_winbind.so* -rwxr-xr-x 1 root other 74744 Apr 29 09:03 /usr/lib/nss_winbind.so.1 lrwxrwxrwx 1 root other 25 Apr 29 09:04 /usr/lib/nss_winbind.so - /usr/lib/nss_winbind.so.1 Could this also be a problem of a compiling? Have you compiled the samba yourself or are you using prebuilt packages? On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote: which output gives ldd -r /usr/lib/nss_winbind.so ? I have the following naming and permission for nss_winbind: lrwxrwxrwx 1 root other 16 Jan 15 2004 nss_winbind.so - nss_winbind.so.1 -rwxr-xr-x 1 root other 44540 Apr 28 17:35 nss_winbind.so.1 Please try with the exactly same naming and permissions of your files. Oliver Weinmann schrieb: I will try to get hands on the latest patches for solaris 8 and see if that fixes the nscd problems. I can't believe that samba-winbind is not running 100% well on a Solaris 8 machine. On 4/28/08, Oliver Weinmann [EMAIL PROTECTED] wrote: Just for fun i changed the perms of /usr/lib/libnss_winbind.so to 777 bash-2.03# chmod 777 /usr/lib/libnss_winbind.so bash-2.03# ls -alrt /usr/lib/libnss_winbind.so -rwxrwxrwx 1 root other 74744 Apr 28 13:32 /usr/lib/libnss_winbind.so
Re: [Samba] Strange behaviour of winbind on solaris 8
Could the problem be that the AD users are not in any of the local groups on the machine? How do you manage your AD users to be members of local groups e.g. staff, sys etc.? pam_groups?

On 4/29/08, Oliver Weinmann [EMAIL PROTECTED] wrote:

There is nothing in /etc/profile and the user oweinmann has no .bashrc. The problem seems to be related to nscd. When nscd is turned on I can login and issue commands and I don't get kicked out of the ssh login. There is no idle session timeout set. If there was I would get kicked out when nscd is turned on as well. Only when logged in as an AD user I get kicked out...

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

So there must be something in your bash init files, /etc/profile or ~/.bashrc (sorry I'm not a bash user) which causes the problem. Maybe something which forms the shell prompt like whoami etc. Maybe there is something like an autologout set for the csh or in sshd with idle session timeout.

Oliver Weinmann wrote:

Hi, no, there was nothing in /var/adm/messages, but guess what, with the csh, ls -alrt and such commands work fine... But I get kicked out of the ssh session after 2 minutes... :(

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

Are there any messages in /var/adm/messages which are related to nss? As I can see you are using bash as your shell. Try using csh. Does something change?

Oliver Weinmann wrote:

su to user oweinmann works but when I issue the ldd -r /usr/lib/nss_winbind.so command it gets put in the background..
:( i then do fg 2 and this is the output: bash-2.03$ ldd -r /usr/lib/nss_winbind.so [2]+ Stopped ldd -r /usr/lib/nss_winbind.so bash-2.03$ fg 2 ldd -r /usr/lib/nss_winbind.so libthread.so.1 =/usr/lib/libthread.so.1 libsocket.so.1 =/usr/lib/libsocket.so.1 libdl.so.1 =/usr/lib/libdl.so.1 libc.so.1 = /usr/lib/libc.so.1 libnsl.so.1 = /usr/lib/libnsl.so.1 libmp.so.2 =/usr/lib/libmp.so.2 /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1 bash-2.03$ ls -alrt /etc/nsswitch.conf [2]+ Stopped ls -alrt /etc/nsswitch.conf bash-2.03$ fg 2 ls -alrt /etc/nsswitch.conf -rw-r--r-- 1 root sys 1320 Apr 28 13:19 /etc/nsswitch.conf On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote: Please try to login (or su) to the user oweinmann and issue then ldd -r /usr/lib/nss_winbind.so For some reason I think that non root users are not able to read one of the involved files. This could be /etc/nsswitch.conf /usr/lib/nss_winbind.so or some of the files found by the ldd -r command. The fact that you can issue commands while nscd is running points to this fact becaus nscd is running as root and has permissions to read all of those files. /etc/nsswitch.conf should be readable by everyone. I compiled samba myself with a full stack of openssl, iconv, heimdal kerberos, cyrus-sasl, openldap and samba. While people often speak of the Windows DLL hell this is the Solaris shared library hell :-( But it works. Oliver Weinmann schrieb: Hi, bash-2.03# ldd -r /usr/lib/nss_winbind.so libthread.so.1 =/usr/lib/libthread.so.1 libsocket.so.1 =/usr/lib/libsocket.so.1 libdl.so.1 =/usr/lib/libdl.so.1 libc.so.1 = /usr/lib/libc.so.1 libnsl.so.1 = /usr/lib/libnsl.so.1 libmp.so.2 =/usr/lib/libmp.so.2 /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1 I changed the permissions and files exactly to be the same but i still cant issue commands... 
:( bash-2.03# ls -alrt /usr/lib/nss_winbind.so* -rwxr-xr-x 1 root other 74744 Apr 29 09:03 /usr/lib/nss_winbind.so.1 lrwxrwxrwx 1 root other 25 Apr 29 09:04 /usr/lib/nss_winbind.so - /usr/lib/nss_winbind.so.1 Could this also be a problem of a compiling? Have you compiled the samba yourself or are you using prebuilt packages? On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote: which output gives ldd -r /usr/lib/nss_winbind.so ? I have the following naming and permission for nss_winbind: lrwxrwxrwx 1 root other 16 Jan 15 2004 nss_winbind.so - nss_winbind.so.1 -rwxr-xr-x 1 root other 44540 Apr 28 17:35 nss_winbind.so.1 Please try with the exactly same naming and permissions of your files. Oliver Weinmann schrieb: I will try to get hands on the latest patches for solaris 8 and see if that fixes the nscd problems. I can't believe that samba-winbind is not running 100
Re: [Samba] Strange behaviour of winbind on solaris 8
Here could be a problem. I could not change our win 2k3 schema. They were afraid it could break something... tsss. So I had to use the idmap_rid module. Which does a good job actually. It uses the last portion of the AD user's SID and adds it to a base set in smb.conf. I issued your commands:

bash-2.03# getent passwd | grep oweinmann
oweinmann2:*:15042:1613:Oliver Weinmann2:/home/oweinmann2:/bin/sh
oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh
oweinmann1:*:15041:1613:Oliver Weinmann1:/home/oweinmann1:/bin/sh
bash-2.03# id -a oweinmann
uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
bash-2.03# su oweinmann
$ id
uid=11611(oweinmann) gid=1613(domain users)
$ id -a

The id -a as user oweinmann seems to get stuck. It just sits there. I noticed when issuing groups oweinmann as root it also gets stuck. On some users the groups command seems to be working, on some others it doesn't.

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

We have several installations where we use the two different AD schema extensions (SFU from Windows Services for Unix and rfc2307bis from Windows Server 2003R2) to put the needed information in. We are using the idmap_ad module to map the uid, gid, home etc. information from the AD. The local users and the AD users are completely separated. We do not mix up local users and AD users.

The first basic test if the AD user information retrieval is working is to use the getent command: getent someADUser

So for a test user account I get:

korund{root}[/]: getent passwd testuser
testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh

If this works the first step is done. The second test is to get all related information for one user:

korund{root}[/]: id -a testuser
uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib)

The third test is to su - testuser and again try to issue both commands above. If the retrieved information is the same you should all be done (except from pam.conf which is another story).
Oliver Weinmann schrieb: Could the problem be that the AD users are not in any of the local groups on the machine? How do you manage your AD users to be members of local groups e.g. staff, sys etc.? pam_groups? On 4/29/08, Oliver Weinmann [EMAIL PROTECTED] wrote: there is nothing in /etc/profile and the user oweinmann has no .bashrc. The problem seems to be related to nscd. When nscd is turned on i can login and issue commands and I don't get kicked out of the ssh login. There is no idle session timeout set. If there was I would get kicked out when nscd is turned on as well. Only when logged in as an AD user I get kicked out... On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote: So there must be something in your bash init files, /etc/profile or ~/.bashrc (sorry I'm not a bash user) which causes the problem. Maybe something which forms the shell prompt like whoami etc. Maybe there is something like a autologout set for the csh or in sshd with idle session timeout. Oliver Weinmann schrieb: Hi, no, there was nothing in /var/adm/messages, but guess what with the csh ls -alrt and such commands work fine... But i get kicked out of the ssh session after 2 minutes... :( On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote: Are there any messages in /var/adm/messages which are related to nss ? As I can see you are using bash as your shell. Try using csh. Does something change? Oliver Weinmann schrieb: su to user oweinmann works but when i ussie the ldd -r /usr/lib/nss_winbind.so command it gets put in the background.. 
:( i then do fg 2 and this is the output: bash-2.03$ ldd -r /usr/lib/nss_winbind.so [2]+ Stopped ldd -r /usr/lib/nss_winbind.so bash-2.03$ fg 2 ldd -r /usr/lib/nss_winbind.so libthread.so.1 =/usr/lib/libthread.so.1 libsocket.so.1 =/usr/lib/libsocket.so.1 libdl.so.1 =/usr/lib/libdl.so.1 libc.so.1 = /usr/lib/libc.so.1 libnsl.so.1 = /usr/lib/libnsl.so.1 libmp.so.2 =/usr/lib/libmp.so.2 /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1 bash-2.03$ ls -alrt /etc/nsswitch.conf [2]+ Stopped ls -alrt /etc/nsswitch.conf bash-2.03$ fg 2 ls -alrt /etc/nsswitch.conf -rw-r--r-- 1 root sys 1320 Apr 28 13:19 /etc/nsswitch.conf On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote: Please try to login (or su) to the user oweinmann and issue then ldd -r /usr/lib/nss_winbind.so For some reason I think that non root users are not able to read one of the involved files. This could be /etc/nsswitch.conf /usr/lib/nss_winbind.so or some of the files found
Re: [Samba] Strange behaviour of winbind on solaris 8
It's the latest stable.

# smbd -V
Version 3.0.28a

[global]
netbios name = rose8
realm = VEGAGROUP.NET
workgroup = VEGA
security = ADS
encrypt passwords = yes
password server = *
os level = 20
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 1100-20
idmap gid = 1100-20
idmap backend = rid:VEGA=1100-20
allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/sh
preferred master = no
winbind nested groups = Yes
winbind use default domain = Yes
#winbind separator = +
#winbind normalize names = yes
log level = 10
max log size = 50
log file = /var/log/samba/log.%m
dns proxy = no
wins server = 172.20.205.1
allow trusted domains = No
client use spnego = Yes
use kerberos keytab = true
winbind offline logon = yes

I really appreciate your big effort. Thanks!

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

Which samba version do you use? Please post the global configuration section of smb.conf.

Oliver Weinmann wrote:

Here could be a problem. I could not change our win 2k3 schema. They were afraid it could break something... tsss. So I had to use the idmap_rid module. Which does a good job actually. It uses the last portion of the AD user's SID and adds it to a base set in smb.conf. I issued your commands:

bash-2.03# getent passwd | grep oweinmann
oweinmann2:*:15042:1613:Oliver Weinmann2:/home/oweinmann2:/bin/sh
oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh
oweinmann1:*:15041:1613:Oliver Weinmann1:/home/oweinmann1:/bin/sh
bash-2.03# id -a oweinmann
uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
bash-2.03# su oweinmann
$ id
uid=11611(oweinmann) gid=1613(domain users)
$ id -a

The id -a as user oweinmann seems to get stuck. It just sits there. I noticed when issuing groups oweinmann as root it also gets stuck. On some users the groups command seems to be working, on some others it doesn't.
On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote: We have several installations where we use the two different AD schema extensions (SFU from Windows Services for Unix and rfc2307bis from Windows Server 2003R2) to put the needed information in. We are using the idmap_ad module to map the uid, gid, home etc. information from the AD. The local users and the AD users are completely separated. We do not mix up local users and AD users. The first basic test if the AD user information retreival is working is to use the getent command: getent someADUser So for a test user account I get: korund{root}[/]: getent passwd testuser testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh If this works the first step is done. The second test is to get all related Information for one user: korund{root}[/]: id -a testuser uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib) The third test is to su - testuser and again try to issue both commands obove. If the retreived information is the same you should all be done (except from pam.conf which is another story). Oliver Weinmann schrieb: Could the problem be that the AD users are not in any of the local groups on the machine? How do you manage your AD users to be members of local groups e.g. staff, sys etc.? pam_groups? On 4/29/08, Oliver Weinmann [EMAIL PROTECTED] wrote: there is nothing in /etc/profile and the user oweinmann has no .bashrc. The problem seems to be related to nscd. When nscd is turned on i can login and issue commands and I don't get kicked out of the ssh login. There is no idle session timeout set. If there was I would get kicked out when nscd is turned on as well. Only when logged in as an AD user I get kicked out... On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote: So there must be something in your bash init files, /etc/profile or ~/.bashrc (sorry I'm not a bash user) which causes the problem. Maybe something which forms the shell prompt like whoami etc. 
Maybe there is something like a autologout set for the csh or in sshd with idle session timeout. Oliver Weinmann schrieb: Hi, no, there was nothing in /var/adm/messages, but guess what with the csh ls -alrt and such commands work fine... But i get kicked out of the ssh session after 2 minutes... :( On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote: Are there any messages in /var/adm/messages which are related to nss ? As I can see you are using bash as your shell. Try using csh. Does something change? Oliver Weinmann schrieb
Re: [Samba] Strange behaviour of winbind on solaris 8
Yes, I added him to that group to see if that makes any difference. Thanks for all your help. And I will let you know when I have found out what the problem is.

Best Regards,
Oliver

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

I wonder why oweinmann is member of the group staff. Maybe there is an entry for oweinmann in /etc/passwd? So I'm running out of ideas :-( Maybe someone out there can take over. Good luck and report back what you have found.

Oliver Weinmann wrote:

I changed both groups and users to no. Still no difference. Another strange thing I came across, as user oweinmann:

$ id
uid=11611(oweinmann) gid=1613(domain users)
$ id -a oweinmann
uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
$ id -a

Why is the id -a oweinmann working as user oweinmann but not id -a?

On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote:

Please try to set combinations of winbind enum groups = No and test again. This could be the reason why getent groups never ends. This is known to be a problem with big AD user/groups databases. Have a look at this and related parameters in samba installation path/swat/help/manpages/smb.conf.5.html

Oliver Weinmann wrote:

It's the latest stable.
# smbd -V Version 3.0.28a [global] netbios name = rose8 realm = VEGAGROUP.NET http://vegagroup.net/ workgroup = VEGA security = ADS encrypt passwords = yes password server = * os level = 20 socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 idmap uid = 1100-20 idmap gid = 1100-20 idmap backend = rid:VEGA=1100-20 allow trusted domains = no winbind enum users = yes winbind enum groups = yes template homedir = /home/%U template shell = /bin/sh preferred master = no winbind nested groups = Yes winbind use default domain = Yes #winbind separator = + #winbind normalize names = yes log level = 10 max log size = 50 log file = /var/log/samba/log.%m dns proxy = no wins server = 172.20.205.1 allow trusted domains = No client use spnego = Yes use kerberos keytab = true winbind offline logon = yes I really appreciate your big effort. Thanks! On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote: Which samba version do you use? Please post the global configuration section of smb.conf. Oliver Weinmann schrieb: Here could be a problem. I could not change our win 2k3 schema. They were afraid it could break something... tsss. So i had to use the idmap_rid module. Which does a good job actually. It uses the last portion of the AD users SID and adds it to a base set in smb.conf. I issued your commands: bash-2.03# getent passwd | grep oweinmann oweinmann2:*:15042:1613:Oliver Weinmann2:/home/oweinmann2:/bin/sh oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh oweinmann1:*:15041:1613:Oliver Weinmann1:/home/oweinmann1:/bin/sh bash-2.03# id -a oweinmann uid=11611(oweinmann) gid=1613(domain users) groups=10(staff) bash-2.03# su oweinmann $ id uid=11611(oweinmann) gid=1613(domain users) $ id -a the id -a as user oweinmann seems to get stuck. It just sits there. I noticed when issuing groups oweinmann as root it also gets stuck. On some users the groups command seems to be working on some other don't. 
On 4/29/08, Dietrich Streifert [EMAIL PROTECTED] wrote: We have several installations where we use the two different AD schema extensions (SFU from Windows Services for Unix and rfc2307bis from Windows Server 2003R2) to put the needed information in. We are using the idmap_ad module to map the uid, gid, home etc. information from the AD. The local users and the AD users are completely separated. We do not mix up local users and AD users. The first basic test if the AD user information retreival is working is to use the getent command: getent someADUser So for a test user account I get: korund{root}[/]: getent passwd testuser testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh If this works the first step is done. The second test is to get all related Information for one user: korund{root}[/]: id -a testuser uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib) The third test is to su - testuser and again try to issue both commands obove. If the retreived information is the same you should all be done (except from pam.conf which is another story). Oliver Weinmann schrieb: Could the problem be that the AD users are not in any
[Samba] Strange behaviour of winbind on solaris 8
Dear All,

I came across a really strange behaviour when using winbind on solaris 8. Normally nscd should be turned off because it's causing problems in the username resolution etc. When I turn it off I can login e.g. using ssh as an AD user but when I start a command like ls it gets put in the background immediately? When nscd is turned on and I login again I can issue commands with no problems, but doing an ls -alrt on a directory gets stuck if a file is owned by a user that is not an AD user.

My /etc/nsswitch.conf:

#
# /etc/nsswitch.dns:
#
# An example file that could be copied over to /etc/nsswitch.conf; it uses
# DNS for hosts lookups, otherwise it does not use any other naming service.
#
# hosts: and services: in this file are used only if the
# /etc/netconfig file has a - for nametoaddr_libs of inet transports.

passwd: files [NOTFOUND=CONTINUE] winbind [NOTFOUND=return]
group: files [NOTFOUND=CONTINUE] winbind [NOTFOUND=return]

# You must also set up the /etc/resolv.conf file for DNS name
# server lookup. See resolv.conf(4).
hosts: files dns
ipnodes: files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes: files dns

networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
sendmailvars: files
printers: user files

auth_attr: files
prof_attr: files
project: files
Re: [Samba] Strange behaviour of winbind on solaris 8
Forgot to mention that the nss_winbind links are there:

bash-2.03# ls -alrt /usr/lib/nss_w*
lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so.1
lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so -> /usr/lib/libnss_winbind.so.1

Changed the crle to only /usr/lib:/opt/csw/lib and disabled nscd at boot. After reboot I can no longer resolve usernames; wbinfo -t/-g/-u work fine. getent passwd and getent group are not showing AD users. When logging in as an AD user I can see the following in the /var/adm/messages logfile:

Apr 28 13:20:09 rose8 sshd[516]: [ID 129890 auth.error] pam_winbind(sshd): request failed: No such user, PAM error was No account present for user (13), NT error was NT_STATUS_NO_SUCH_USER
Apr 28 13:20:18 rose8 sshd[524]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user oweinmann from vb8860.vegagroup.net

On 4/28/08, Oliver Weinmann [EMAIL PROTECTED] wrote:

I got:

bash-2.03# ls -alrt /usr/lib/libnss_winbind.so*
-rwxr-xr-x 1 root bin 74744 Apr 21 14:45 /usr/lib/libnss_winbind.so.1
lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/libnss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/libnss_winbind.so -> /usr/lib/libnss_winbind.so.1

So that's fine. I didn't have crle set up correctly since I have built against libraries from blastwave and they reside under /opt/csw/lib, so I did:

bash-2.03# crle -u -l /usr/lib:/usr/local/lib:/opt/csw/lib
bash-2.03# crle
Configuration file [version 4]: /var/ld/ld.config
Default Library Path (ELF): /usr/lib:/usr/local/lib:/opt/csw/lib
Trusted Directories (ELF): /usr/lib/secure (system default)
Command line:
crle -c /var/ld/ld.config -l /usr/lib:/usr/local/lib:/opt/csw/lib

and I did change my nsswitch.conf to reflect the shadow entry. Still not working without nscd.
:( I had no problems under Linux at all but under Solaris I'm lost. On 4/28/08, Scott Lovenberg [EMAIL PROTECTED] wrote: Oliver Weinmann wrote: On 4/28/08, Scott Lovenberg [EMAIL PROTECTED] wrote: Oliver Weinmann wrote: Dear All, I came across a really strange behaviour when using winbind on solaris 8. Normally nscd should be turned off because it's causing problems in the username resolution etc. When I turn it off I can login e.g. using ssh as an AD users but when i start a command like ls it gets put in the background immediately? When nscd is turn on and login again I can issue commands with no problems, but doing an ls -alrt on a directory gets stuck if a file is owned by user that is not a AD user. my /etc/nsswitch.conf # # /etc/nsswitch.dns: # # An example file that could be copied over to /etc/nsswitch.conf; it uses # DNS for hosts lookups, otherwise it does not use any other naming service. # # hosts: and services: in this file are used only if the # /etc/netconfig file has a - for nametoaddr_libs of inet transports. passwd: files [NOTFOUND=CONTINUE] winbind [NOTFOUND=return] group: files [NOTFOUND=CONTINUE] winbind [NOTFOUND=return] # You must also set up the /etc/resolv.conf file for DNS name # server lookup. See resolv.conf(4). hosts: files dns ipnodes:files # Uncomment the following line and comment out the above to resolve # both IPv4 and IPv6 addresses from the ipnodes databases. Note that # IPv4 addresses are searched in all of the ipnodes databases before # searching the hosts databases. Before turning this option on, consult # the Network Administration Guide for more details on using IPv6. #ipnodes: files dns networks: files protocols: files rpc:files ethers: files netmasks: files bootparams: files publickey: files # At present there isn't a 'files' backend for netgroup; the system will # figure it out pretty quickly, and won't use netgroups at all. 
netgroup: files automount: files aliases:files services: files sendmailvars: files printers: user files auth_attr: files prof_attr: files project:files Can you get the ls to work with numeric uids? And, I noticed that you don't have any entries for shadow... you're not using shadow passwords, right? I have no entry in nsswitch.conf for shadow. I'm mainly using AD users so I didn't add an entry for shadow pw's. I turned off nscd now and logged in as an AD user. The problem is not only when running ls. It happens on many commands: e.g. bash-2.03$ ls -alrt [1]+ Stopped ls
Re: [Samba] Strange behaviour of winbind on solaris 8
Just for fun I changed the perms of /usr/lib/libnss_winbind.so to 777:

bash-2.03# chmod 777 /usr/lib/libnss_winbind.so
bash-2.03# ls -alrt /usr/lib/libnss_winbind.so
-rwxrwxrwx 1 root other 74744 Apr 28 13:32 /usr/lib/libnss_winbind.so

nscd is turned off. I can login as an AD user but I can't start any command. :(

login as: oweinmann
Using keyboard-interactive authentication.
Password:
Last login: Mon Apr 28 15:17:11 2008 from vb8860.vegagrou
bash-2.03$ ls -alrt
[1]+ Stopped ls -alrt
bash-2.03$ id
[2]+ Stopped id
bash-2.03$ group
[3]+ Stopped group
bash-2.03$ echo TEST
TEST
bash-2.03$

Some commands are working and some others are put in background and the session closes after one or two minutes? When I turn on nscd everything is fine, except ls -alrt not working.

On 4/28/08, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:

Oliver Weinmann wrote:
| forgot to mention that the nss_winbind links are there:
|
| bash-2.03# ls -alrt /usr/lib/nss_w*
| lrwxrwxrwx 1 root other 28 Apr 23 14:30
| /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
| lrwxrwxrwx 1 root other 28 Apr 23 14:30
| /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so.1
| lrwxrwxrwx 1 root other 28 Apr 23 14:30
| /usr/lib/nss_winbind.so -> /usr/lib/libnss_winbind.so.1

Check the perms on /usr/lib/libnss_winbind.so.1. Sounds like it might be rwx for root only.

cheers, jerry
--
Samba --- http://www.samba.org
Likewise Software - http://www.likewisesoftware.com
What man is a man who does not make the world better? --Balian

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
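A check for the library permissions discussed in this message, as an added example that is not part of the original thread: the reply suspects a module readable by root only, while the chmod 777 test goes to the other extreme and leaves a library that is loaded into every process doing passwd/group lookups writable by any local user. The function names, finding codes and the `expected_uid` parameter are assumptions of this example.

```python
import os
import stat


def audit_nss_module(path, expected_uid=0):
    """Return a list of finding codes for one NSS module; empty means OK.

    Symlinks such as nss_winbind.so.1 -> libnss_winbind.so.1 are resolved
    first, because the permissions that matter are those of the target.
    """
    target = os.path.realpath(path)
    try:
        st = os.stat(target)
    except OSError:
        return ["missing"]  # dangling link or absent file
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISREG(st.st_mode):
        findings.append("not-regular-file")
    if not mode & stat.S_IROTH:
        # Unprivileged processes cannot map the module, so name lookups
        # through it fail for every non-root user.
        findings.append("unreadable-by-others")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # The module runs inside any process that resolves users or
        # groups, root's included; only the owner should be able to write it.
        findings.append("writable-by-group-or-others")
    if st.st_uid != expected_uid:
        findings.append("owner-mismatch")
    return findings


def audit_directory(libdir, expected_uid=0):
    """Audit every nss_winbind / libnss_winbind entry found in libdir."""
    report = {}
    for name in sorted(os.listdir(libdir)):
        if name.startswith(("nss_winbind.so", "libnss_winbind.so")):
            report[name] = audit_nss_module(
                os.path.join(libdir, name), expected_uid)
    return report


if __name__ == "__main__":
    # /usr/lib is the directory used in the thread.
    for name, findings in audit_directory("/usr/lib").items():
        print(name, "OK" if not findings else ", ".join(findings))
```
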
[Samba] Winbind authenticated users lose connection over telnet or login
Dear All,

We are running Samba 3.0.28a under Solaris 8. Everything is fine so far except logins through telnet or directly on console (login). I know telnet is unsafe and we should not use it, but some old software needs the ability to use telnet/rsh/rlogin etc. The problem that occurs is that after a few minutes the telnet session is dropped. The same for a login session. That only happens when we are using pam_winbind.so.1 in /etc/pam.conf. I posted this question a few weeks ago and no one really knew a solution to this problem. I now found out what could be the reason. I installed openssh and now when I login using ssh instead of telnet I don't lose the connection. The only difference is that openssh is not run through inetd. Are there any known issues when a server (telnet/login) is run through inetd?

Oliver Weinmann
Unix/Linux Administrator
VEGA IT GmbH
Europaplatz 5
D-64293 Darmstadt
Germany
Tel : +49 (0) 6151 8257 744
Fax : +49 (0)6151 8257-799
Email : [EMAIL PROTECTED]
Web : www.vega-group.com
Register court/Registergericht: Darmstadt, HRB No. 4096, Managing Directors/Geschäftsführer: Philip Cartmell, Susan Bygrave, John Lewis
[Samba] RE: Samba 3.0.28a under Solaris 8 + libnss_winbind.so problem?
Hi,

I'm really lost with this problem. Here is my /etc/pam.conf, maybe someone can help me; the system still keeps kicking me out of telnet and local console. id and group commands are now working, group is not working on every user.

#
#ident @(#)pam.conf 1.14 99/09/16 SMI
#
# Copyright (c) 1996-1999, Sun Microsystems, Inc.
# All Rights Reserved.
#
# PAM configuration
#
# Authentication management
#
login auth required /usr/lib/security/pam_winbind.so
login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
#
rlogin auth sufficient /usr/lib/security/pam_winbind.so
rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
#
dtlogin auth sufficient /usr/lib/security/pam_winbind.so
dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
#
rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other auth sufficient /usr/lib/security/pam_winbind.so
other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
#
# Account management
#
login account sufficient /usr/lib/security/pam_winbind.so
login account requisite /usr/lib/security/$ISA/pam_roles.so.1
login account required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin account sufficient /usr/lib/security/pam_winbind.so
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
#
other account sufficient /usr/lib/security/pam_winbind.so
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
other session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
#other password sufficient /usr/lib/security/pam_winbind.so
other password required /usr/lib/security/$ISA/pam_unix.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other session optional /usr/lib/security/$ISA/pam_krb5.so.1
#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass

-----Original Message-----
From: Oliver Weinmann
Sent: 04 April 2008 19:34
To: samba@lists.samba.org
Subject: Samba 3.0.28a under Solaris 8 + libnss_winbind.so problem?

Hi,

I compiled Samba 3.0.28a under Solaris 8 (sparc). Everything seems to be fine except the libnss_winbind.so. I copied it to /usr/lib and linked it to:

libnss_winbind.so.1
libnss_winbind.so.2
nss_winbind.so.1
nss_winbind.so.1

Now when I type:

id user

nothing happens. The same goes for group user. wbinfo -t / -g / -u all work fine. So it must be something with the nss I guess?

But it's getting even more strange. After a reboot I can now use id, group still doesn't work and my telnet and login sessions get disconnected after a few minutes. If I change the /etc/pam.conf back to normal I don't get disconnected. Any ideas where I could look for debugging information?

Oliver Weinmann
RE: [Samba] RE: Samba 3.0.28a under Solaris 8 + libnss_winbind.so problem?
Hi,

yes it does. Some users' groups are shown using the group command and some others aren't; the command just hangs and has no output. Thank you very much for your reply.

Regards,
Oli

-----Original Message-----
From: Dietrich Streifert [mailto:[EMAIL PROTECTED]
Sent: 08 April 2008 12:27
To: Oliver Weinmann
Cc: samba@lists.samba.org
Subject: Re: [Samba] RE: Samba 3.0.28a under Solaris 8 + libnss_winbind.so problem?

Hi,

does your /etc/nsswitch.conf contain the winbind name service modules? This should look like this:

passwd: files winbind
group: files winbind

Oliver Weinmann wrote:

Hi,

I'm really lost with this problem. Here is my /etc/pam.conf, maybe someone can help me; the system still keeps kicking me out of telnet and local console. id and group commands are now working, group is not working on every user.

#
#ident @(#)pam.conf 1.14 99/09/16 SMI
#
# Copyright (c) 1996-1999, Sun Microsystems, Inc.
# All Rights Reserved.
#
# PAM configuration
#
# Authentication management
#
login auth required /usr/lib/security/pam_winbind.so
login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
#
rlogin auth sufficient /usr/lib/security/pam_winbind.so
rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
#
dtlogin auth sufficient /usr/lib/security/pam_winbind.so
dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
#
rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other auth sufficient /usr/lib/security/pam_winbind.so
other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
#
# Account management
#
login account sufficient /usr/lib/security/pam_winbind.so
login account requisite /usr/lib/security/$ISA/pam_roles.so.1
login account required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin account sufficient /usr/lib/security/pam_winbind.so
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
#
other account sufficient /usr/lib/security/pam_winbind.so
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
other session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
#other password sufficient /usr/lib/security/pam_winbind.so
other password required /usr/lib/security/$ISA/pam_unix.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other session optional /usr/lib/security/$ISA/pam_krb5.so.1
#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass

-----Original Message-----
From: Oliver Weinmann
Sent: 04 April 2008 19:34
To: samba@lists.samba.org
Subject: Samba 3.0.28a under Solaris 8 + libnss_winbind.so problem?

Hi,

I compiled Samba 3.0.28a under Solaris 8 (sparc). Everything seems to be fine except the libnss_winbind.so. I copied it to /usr/lib and linked it to:

libnss_winbind.so.1
libnss_winbind.so.2
nss_winbind.so.1
nss_winbind.so.1

Now when I type:

id user

nothing happens. The same goes for group user. wbinfo -t / -g / -u all work fine. So it must be something with the nss I guess?

But it's getting even more strange. After a reboot I can now use id, group still doesn't work and my telnet and login sessions get disconnected after a few minutes. If I change the /etc/pam.conf back to normal I don't get disconnected. Any ideas where I could look for debugging information?

Oliver Weinmann

--
Kind regards,
Dietrich Streifert
--
Visionet GmbH
Registered office: Am Weichselgarten 7, 91058 Erlangen
Register court: Handelsregister Fürth, HRB 6573
Managing Director: Stefan Lindner
[Samba] Samba 3.0.28a under Solaris 8 + libnss_winbind.so problem?
Hi,

I compiled Samba 3.0.28a under Solaris 8 (sparc). Everything seems to be fine except the libnss_winbind.so. I copied it to /usr/lib and linked it to:

libnss_winbind.so.1
libnss_winbind.so.2
nss_winbind.so.1
nss_winbind.so.1

Now when I use:

id user

nothing happens. group user is the same. wbinfo -t / -g / -u all work fine. So it must be something with the nss I guess?
[Samba] Re: Samba 3.0.28a under Solaris 8 + libnss_winbind.so problem?
It's getting even more strange. After a reboot I can now use id, group still doesn't work and my telnet and login sessions get disconnected after a few minutes. If I change the /etc/pam.conf back to normal I don't get disconnected. Any ideas?

On 4/4/08, Oliver Weinmann [EMAIL PROTECTED] wrote:

Hi,

I compiled Samba 3.0.28a under Solaris 8 (sparc). Everything seems to be fine except the libnss_winbind.so. I copied it to /usr/lib and linked it to:

libnss_winbind.so.1
libnss_winbind.so.2
nss_winbind.so.1
nss_winbind.so.1

Now when I use:

id user

nothing happens. group user is the same. wbinfo -t / -g / -u all work fine. So it must be something with the nss I guess?
[Samba] Samba 3.0.28a under Solaris 8 + libnss_winbind.so problem?
Hi,

I compiled Samba 3.0.28a under Solaris 8 (sparc). Everything seems to be fine except the libnss_winbind.so. I copied it to /usr/lib and linked it to:

libnss_winbind.so.1
libnss_winbind.so.2
nss_winbind.so.1
nss_winbind.so.1

Now when I type:

id user

nothing happens. The same goes for group user. wbinfo -t / -g / -u all work fine. So it must be something with the nss I guess?

But it's getting even more strange. After a reboot I can now use id, group still doesn't work and my telnet and login sessions get disconnected after a few minutes. If I change the /etc/pam.conf back to normal I don't get disconnected. Any ideas where I could look for debugging information?

Oliver Weinmann
RE: [Samba] Urgent... winbind and keytab file creation
Hi again, and I really appreciate all your help. Thanks.

By the way, I was just reading a book called Using Samba yesterday. While looking at the book cover I fell over the name Gerald Carter; what a small world. :) It's a great book. Couldn't stop reading.

I found that with the command net ads keytab add NFS. Maybe that will solve the problem? I will give it a try and also append the preferred enctypes to krb5.conf.

Regards,
Oli

-----Original Message-----
From: simo [mailto:[EMAIL PROTECTED]
Sent: 02 April 2008 17:47
To: Gerald (Jerry) Carter
Cc: Oliver Weinmann; samba@lists.samba.org
Subject: Re: [Samba] Urgent... winbind and keytab file creation

On Wed, 2008-04-02 at 10:39 -0500, Gerald (Jerry) Carter wrote:

Oliver Weinmann wrote:

Ok. I got it. I had to change the parameter for:

krb5_ccache_type = FILE

Now the users get a cached ticket at login. COOL :) But when the automount daemon tries to mount their home it fails:

Apr 2 16:41:09 rhel4wbtest2 rpc.gssd[1793]: WARNING: Failed to create krb5 context for user with uid 82967 for server ds-san-02.vegagroup.net
Apr 2 16:41:12 rhel4wbtest2 rpc.gssd[1793]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) No credentials found with supported encryption types

I expect the nfsv4 service is trying to use 3des or aes. I always set these enc types in /etc/krb5.conf:

[libdefaults]
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC

Currently linux nfs server requires that both server and client use ONLY des keys. Any other combination will simply fail. There are kernel patches reaching upstream that are adding 3des and aes but not yet rc4-hmac IIRC.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]
RE: [Samba] Urgent... winbind and keytab file creation
Hi,

the server is not Linux. It's a NETAPP Filer.

Regards,
Oli

-----Original Message-----
From: simo [mailto:[EMAIL PROTECTED]
Sent: 02 April 2008 17:47
To: Gerald (Jerry) Carter
Cc: Oliver Weinmann; samba@lists.samba.org
Subject: Re: [Samba] Urgent... winbind and keytab file creation

On Wed, 2008-04-02 at 10:39 -0500, Gerald (Jerry) Carter wrote:

Oliver Weinmann wrote:

Ok. I got it. I had to change the parameter for:

krb5_ccache_type = FILE

Now the users get a cached ticket at login. COOL :) But when the automount daemon tries to mount their home it fails:

Apr 2 16:41:09 rhel4wbtest2 rpc.gssd[1793]: WARNING: Failed to create krb5 context for user with uid 82967 for server ds-san-02.vegagroup.net
Apr 2 16:41:12 rhel4wbtest2 rpc.gssd[1793]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) No credentials found with supported encryption types

I expect the nfsv4 service is trying to use 3des or aes. I always set these enc types in /etc/krb5.conf:

[libdefaults]
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC

Currently linux nfs server requires that both server and client use ONLY des keys. Any other combination will simply fail. There are kernel patches reaching upstream that are adding 3des and aes but not yet rc4-hmac IIRC.

Simo.
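The enctype mismatch behind the rpc.gssd error quoted above ("No credentials found with supported encryption types"), as an added example that is not part of the original thread: it parses `klist -e -k` output and reports which principals have no key of an enctype the other side accepts. The sample keytab listing, the EXAMPLE.TEST realm and all function names are constructed for this example, and the DES-only allowed set is taken from the statement in the quoted reply.

```python
import re
from collections import defaultdict

# Enctype labels as klist -e prints them in this thread, mapped to the
# krb5.conf spellings used in the [libdefaults] snippet quoted above.
LABEL_TO_ENCTYPE = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "rc4-hmac",
}

# One keytab entry: KVNO, optional timestamp (klist -t), principal, (enctype).
ENTRY = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?:\d{2}/\d{2}/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+)?"
    r"(?P<principal>\S+)\s+"
    r"\((?P<label>[^)]*)\)\s*$"
)

# Constructed sample, in the layout of the `klist -e -k` output in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/client.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   2 host/client.example.test@EXAMPLE.TEST (DES cbc mode with RSA-MD5)
   2 host/client.example.test@EXAMPLE.TEST (ArcFour with HMAC/md5)
   1 nfs/client.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   2 nfs/client.example.test@EXAMPLE.TEST (ArcFour with HMAC/md5)
"""


def parse_klist(text):
    """Return (kvno, principal, enctype) for every key line in klist output."""
    keys = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator or blank line
        label = m.group("label").strip()
        keys.append((int(m.group("kvno")), m.group("principal"),
                     LABEL_TO_ENCTYPE.get(label, label.lower())))
    return keys


def parse_enctype_list(value):
    """Normalise a krb5.conf enctype list such as 'RC4-HMAC DES-CBC-CRC'."""
    return [tok.lower() for tok in re.split(r"[,\s]+", value.strip()) if tok]


def check_keytab(klist_text, allowed):
    """Per principal, split the newest key version's enctypes into
    usable (in `allowed`) and unusable (not in `allowed`)."""
    allowed = set(allowed)
    versions = defaultdict(lambda: defaultdict(set))
    for kvno, principal, enctype in parse_klist(klist_text):
        versions[principal][kvno].add(enctype)
    report = {}
    for principal, by_kvno in versions.items():
        # Assumption: the highest KVNO in the keytab is the current key
        # version; keys left over from older versions are ignored.
        newest = max(by_kvno)
        have = by_kvno[newest]
        report[principal] = {
            "kvno": newest,
            "usable": sorted(have & allowed),
            "unusable": sorted(have - allowed),
        }
    return report


def principals_without_usable_key(report):
    """Principals whose current key version has no allowed enctype."""
    return sorted(p for p, r in report.items() if not r["usable"])


if __name__ == "__main__":
    # Assumption for the demo: the NFS side accepts DES keys only, as
    # stated in the thread for the Linux NFS server of that time.
    allowed = parse_enctype_list("DES-CBC-CRC DES-CBC-MD5")
    report = check_keytab(SAMPLE_KLIST, allowed)
    for principal, r in sorted(report.items()):
        print(principal, "kvno", r["kvno"], "usable:", r["usable"] or "NONE")
    print("no usable key:", principals_without_usable_key(report))
```

The DES and RC4 enctypes this 2008 thread relies on have since been deprecated (RFC 6649, RFC 8429), so on a current deployment the allowed set passed to the check would list AES enctypes instead.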
[Samba] Urgent... winbind and keytab file creation
Hi,

I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now I need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is I have set the parameter in smb.conf:

use kerberos keytabe = true

and as mentioned in man smb.conf I have set in krb5.conf:

default_keytab_name = FILE:/etc/krb5/krb5.keytab

After a net join ads the krb5.keytab file is not created? Do I have to create it myself? Is this not really implemented? What am I doing wrong? Help would be really appreciated.

Thanks and Regards,
Oliver Weinmann
RE: [Samba] Urgent... winbind and keytab file creation
Not yet? Does it create a keytab file? I tested the same thing on rhel4 with MIT kerberos and here it creates the krb5.keytab file under /etc/krb5.keytab. I then linked it to /etc/krb5/krb5.keytab and now I can see all the keys with klist -k, but I can't use them:

[EMAIL PROTECTED] etc]# klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
--
2 host/[EMAIL PROTECTED]
2 host/[EMAIL PROTECTED]
2 host/[EMAIL PROTECTED]
2 host/[EMAIL PROTECTED]
2 host/[EMAIL PROTECTED]
2 host/[EMAIL PROTECTED]
2 [EMAIL PROTECTED]
2 [EMAIL PROTECTED]
2 [EMAIL PROTECTED]
[EMAIL PROTECTED] etc]# kinit -k host/rhel4wbtest2.vegagroup.net
kinit(v5): Cannot find KDC for requested realm while getting initial credentials

-----Original Message-----
From: Guenther Deschner [mailto:[EMAIL PROTECTED]
Sent: 02 April 2008 11:39
To: Oliver Weinmann
Cc: samba@lists.samba.org
Subject: Re: [Samba] Urgent... winbind and keytab file creation

Oliver Weinmann wrote:

Hi,

I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now I need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is I have set the parameter in smb.conf:

use kerberos keytabe = true

and as mentioned in man smb.conf I have set in krb5.conf:

default_keytab_name = FILE:/etc/krb5/krb5.keytab

After a net join ads the krb5.keytab file is not created? Do I have to create it myself? Is this not really implemented? What am I doing wrong?

Have you tried net ads keytab create ?

Guenther

--
Günther Deschner GPG-ID: 8EE11688
Red Hat [EMAIL PROTECTED]
Samba Team [EMAIL PROTECTED]
winbind default encryption type for kerberos / RE: [Samba] Urgent... winbind and keytab file creation
Yes, the net ads keytab create created the keytab file now. But in the logs I can see that the encryption type used is not good:

Apr 2 12:37:18 rhel4wbtest1 sshd[4542]: pam_krb5: error reading keys for host/rhel4wbtest2.vegagroup.net from /etc/krb5/krb5.keytab: Bad encryption type
Apr 2 12:37:18 rhel4wbtest1 sshd[4542]: pam_krb5: authentication fails for `tuser'

Does winbind by default use rc4-hmac?

-----Original Message-----
From: Guenther Deschner [mailto:[EMAIL PROTECTED]
Sent: 02 April 2008 11:39
To: Oliver Weinmann
Cc: samba@lists.samba.org
Subject: Re: [Samba] Urgent... winbind and keytab file creation

Oliver Weinmann wrote:

Hi,

I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now I need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is I have set the parameter in smb.conf:

use kerberos keytabe = true

and as mentioned in man smb.conf I have set in krb5.conf:

default_keytab_name = FILE:/etc/krb5/krb5.keytab

After a net join ads the krb5.keytab file is not created? Do I have to create it myself? Is this not really implemented? What am I doing wrong?

Have you tried net ads keytab create ?

Guenther
RE: [Samba] Urgent... winbind and keytab file creation
Hi, and thanks for your answer. Here is the output about the encryption used:

[EMAIL PROTECTED] krb5]# klist -e -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
--
2 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
2 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
2 host/[EMAIL PROTECTED] (ArcFour with HMAC/md5)
2 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
2 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
2 host/[EMAIL PROTECTED] (ArcFour with HMAC/md5)
2 [EMAIL PROTECTED] (DES cbc mode with CRC-32)
2 [EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
2 [EMAIL PROTECTED] (ArcFour with HMAC/md5)

I have to use pam_krb5 because I need to mount nfs shares with kerberos security. So when a user logs in he gets a valid TGT and is able to mount the share. If the keytab created cannot be used for this... can I somehow delete the host principal created by winbind, create a new one that will work for pam_krb5, and let winbind use the newly created one?

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: 02 April 2008 15:10
To: Oliver Weinmann
Cc: samba@lists.samba.org
Subject: Re: [Samba] Urgent... winbind and keytab file creation

Oliver Weinmann wrote:
| Hi,
|
| I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now i need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is i have set the parameter in smb.conf:
|
| use kerberos keytabe = true

Don't use this if you use Samba to join the domain. It is really only useful for non-MS realms.

jerry
RE: [Samba] Urgent... winbind and keytab file creation
How? When I use pam_winbind to login and automount to mount a user's home with kerberos security I don't get a TGT at login. So this doesn't seem to work with pam_winbind, or?

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: 02 April 2008 15:45
To: Oliver Weinmann
Cc: samba@lists.samba.org
Subject: Re: [Samba] Urgent... winbind and keytab file creation

Oliver Weinmann wrote:

Hi and thanks for you answer. here is the output about the encryption used:

[EMAIL PROTECTED] krb5]# klist -e -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal

Enctypes look fine.

i have to use pam_krb5 because i need to mount nfs shares with kerberos security. So when a user logs in he gets a valid TGT and is able to mount the share.

pam_winbind will do that for you as well.

if the keytab created cannot be used for this... can i somehow delete the host principal created by winbind, create a new one, that will work for pam_krb5 and let winbind use the newly created one?

jerry
RE: [Samba] Urgent... winbind and keytab file creation
Sounds cool. I made the changes. When I login as an AD user I don't get a ticket? Is there anything else I need to set?

Cheers

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: 02 April 2008 16:08
To: Oliver Weinmann
Cc: samba@lists.samba.org
Subject: Re: [Samba] Urgent... winbind and keytab file creation

Oliver Weinmann wrote:

how? when i use pam_winbind to login and automount to mount a users home with kerberos security i dont get a TGT at login. So this doesn't seem to work with pam_winbind or?

Install examples/pam_winbind/pam_winbind.conf to /etc/security/ and enable the krb5_auth option. Also set winbind refresh tickets = yes in smb.conf.

cheers, jerry
RE: [Samba] Urgent... winbind and keytab file creation
Ok. i got it. I had to change the parameter for: krb5_ccache_type = FILE now the users get a cached ticket at login. COOL :) but when the automount daemon tries to mount their home it fails: Apr 2 16:41:09 rhel4wbtest2 rpc.gssd[1793]: WARNING: Failed to create krb5 context for user with uid 82967 for server ds-san-02.vegagroup.net Apr 2 16:41:12 rhel4wbtest2 rpc.gssd[1793]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) No credentials found with supported encryption types Cheers, Oli -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Weinmann Sent: 02 April 2008 16:31 To: Gerald (Jerry) Carter Cc: samba@lists.samba.org Subject: RE: [Samba] Urgent... winbind and keytab file creation Sounds cool. i made the changes. When i login as an ad user i don't get a ticket? Is there anything else i need to set? Cheers -Original Message- From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] Sent: 02 April 2008 16:08 To: Oliver Weinmann Cc: samba@lists.samba.org Subject: Re: [Samba] Urgent... winbind and keytab file creation -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Oliver Weinmann wrote: how? when i use pam_winbind to login and automount to mount a users home with kerberos security i dont get a TGT at login. So this doesn't seem to work with pam_winbind or? Install examples/pam_winbind/pam_winbind.conf to /etc/security/ and enable the krb5_auth option. Also set winbind refresh tickets = yes in smb.conf. cheers, jerry -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFH85NJIR7qMdg1EfYRArVHAJ4sn70tRJV6uM7coc9id1CjgUMlHQCfcJ7k XPb8CJDfP62ida5MuNjbEn4= =/0bH -END PGP SIGNATURE- __ This email has been scanned by the MessageLabs Email Security System. 
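The rpc.gssd message in the post above reports that no credentials with a supported encryption type were found, so a first check is which enctypes the tickets in the user's cache actually carry. The following is an added example, not part of the thread: it parses MIT klist -e output and classifies the cache for one service. The sample output is constructed, and the realm, cache path and the supported enctype set are assumptions.

```python
import re

# Constructed sample of MIT `klist -e` output. Realm, cache path and times are
# placeholders; the uid and NFS server name are the ones in the log lines above.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_82967
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
04/02/08 16:40:01  04/03/08 02:40:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/09/08 16:40:01, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
04/02/08 16:41:09  04/03/08 02:40:01  nfs/ds-san-02.vegagroup.net@EXAMPLE.COM
\tEtype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
04/02/08 16:42:30  04/03/08 02:40:01  host/client.example.com@EXAMPLE.COM
\tEtype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
"""

# Assumption: enctypes the client's RPCSEC_GSS stack accepts. Not stated in the
# thread; replace with the set your kernel and rpc.gssd actually support.
ASSUMED_SUPPORTED = {"DES cbc mode with CRC-32", "DES cbc mode with RSA-MD5"}

TICKET = re.compile(r"^\d{2}/\d{2}/\d{2,4} \S+\s+\S+ \S+\s+(\S+)\s*$")
ETYPE = re.compile(r"Etype \(skey, tkt\): (.+?), (.+?)\s*$")

def ticket_enctypes(klist_text):
    """Return [(service, session_key_etype, ticket_etype)] parsed from klist -e."""
    tickets, service = [], None
    for line in klist_text.splitlines():
        m = TICKET.match(line)
        if m:                      # a ticket line names the service principal
            service = m.group(1)
            continue
        m = ETYPE.search(line)
        if m and service:          # the Etype line belongs to the ticket above it
            tickets.append((service, m.group(1), m.group(2)))
            service = None
    return tickets

def diagnose(klist_text, service_prefix, supported):
    """Classify the cache for one service: 'no ticket', 'unsupported: ...' or 'ok'."""
    mine = [t for t in ticket_enctypes(klist_text) if t[0].startswith(service_prefix)]
    if not mine:
        return "no ticket"
    bad = sorted({t[1] for t in mine if t[1] not in supported})
    return "unsupported: " + ", ".join(bad) if bad else "ok"

if __name__ == "__main__":
    for prefix in ("nfs/", "host/", "cifs/"):
        print(prefix, "->", diagnose(SAMPLE_KLIST, prefix, ASSUMED_SUPPORTED))
```

Against a live system, feed it the output of klist -e run with KRB5CCNAME pointing at the affected user's cache file.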
[Samba] Samba-winbind under Solaris8
Dear All,

I have successfully compiled MIT krb5 and samba 3.0.28a under Solaris8. Joining an AD domain works fine and also the commands wbinfo -t, -g and -u list all of the users. getent passwd and getent group are also working.

The problem now is that when I run the group user command it just stays there and doesn't display any users. This works fine under Linux (SLES9, RHEL4) but not under Solaris8. I really have no clue, but that is just one problem.

The other big problem is that now I get kicked out of the login shell or telnet/ssh after a few minutes and when I login as a domain user and start a command like ls it gets put in the background immediately.

Any suggestions?

Regards,
Oliver

Oliver Weinmann
Unix/Linux Administrator
VEGA IT GmbH