I have not yet had the time to finish up the patch that is referred to below. If anyone else wants to move it forward, I would be more than happy. In addition to the patches at http://www.cae.wisc.edu/~gerdts/samba/ I have a private CVS repository that I would happily tar up and send to anyone that would put it up on a public CVS server.
A "todo list" of sorts can be found at http://lists.samba.org/pipermail/samba-technical/2002-May/036877.html Mike On Thu, 2002-06-27 at 08:31, [EMAIL PROTECTED] wrote: > Hi, > > I have not installed samba until 2.2.5 now. > > But there is a bug in the winbindd code which has been fixed by Mike Gerdts, > see attached e-mail. > I assumed that this patch, wich works for me on samba 2.2.4 solaris 2.6, has > been added to the 2.2.5 release. > > Obviously not. > > <<Re: Samba, winbind, solaris and your patch>> > > Could you please give me feedback if this works for you an 2.2.5 also. > > Best Regards > > Roman > > > -----Ursprüngliche Nachricht----- > > Von: Allan Nielsen [SMTP:[EMAIL PROTECTED]] > > Gesendet am: Donnerstag, 27. Juni 2002 09:53 > > An: [EMAIL PROTECTED] > > Betreff: Winbind authenticatition of user accessing a share with > > encrypted password. > > > > Hi > > > > In relation to your posted message I have exactly the same problem on > > samba > > 2.2.5. > > Flags used are --with-winbind --with-winbind-auth-challenge > > --with-acl-support. > > After including --with-winbind-auth-challenge it is possible to get > > authentication with encrypted passwords from wbinfo -a user%password but > > when accessing a share as this user he is mapped to nobody. > > > > Did you succeed to solve your problem? > > > > I'm using samba now for 6-7 years starting with samba 1.9.18. > > > > I have 6 machines running samba v2.0.7 under linux and solaris > > I have upgraded one of the solaris machines to samba 2.2.3a including > > acl-support and winbind. > > > > I live in a win2k forest, so my domain has a trust relationship with an > > other win2k domain. > > My domain controllers are in mixed mode. > > > > In order to get winbindd and nsswitch up and running I had to adjust the > > Makefile as follows: > > > > nsswitch/libnss_winbind.so: $(WINBIND_NSS_PICOBJS) > > @echo "Linking $@" > > @$(SHLD) -h $@ -G -o $@ $(WINBIND_NSS_PICOBJS) $(LIBS) > > > > I added the $(LIBS) to the linker-line, without that I had errors when > > doing > > a 'ls -l' for a file which was owned by a DOMAIN+domuser account. > > > > Furthermore I had to copy the nsswitch/libnss_winbind.so as nss_winbind.so > > to /lib > > After configuring nsswitch.conf I can successfully do: > > > > wbinfo -u > > wbinfo -g > > getent passwd > > getent group > > > > From a NT4 or win2k-box I can modify acl an the samba-share as long as I > > use > > a useraccount which is not authenticated by winbind. > > > > when I use: > > wbinfo -a domain\\domuser%password (my winbind separator is '\') > > > > I'll get error: > > > > plaintext password authentication succeeded > > challenge/response password authentication failed > > Could not authenticate user domain\domuser%password with > > challenge/response > > > > Although encrypted passwords are enabled in smb.conf > > > > I can do a > > > > su - domain\\domuser%password > > > > on unix level > > > > When I do a smbclient //server/share -U domain\\domuser%password > > > > I'll get error: > > > > Domain=[DOMAIN] OS=[Unix] Server=[Samba 2.2.3a] > > tree connect failed: NT_STATUS_WRONG_PASSWORD > > > > I can not connect to that server using a winbind authenticated useraccount > > from neither NT4sp6 nor win2ksp2. > > > > In any case I can see in the winbindd-log that the demon is enumerating > > SID's to GID's and UID's, but it states that the password are not > > encrypted. > > > > I was reading through the docs and mailings for the last two days, but I > > did > > not get the proper advice in how to get it up and running. > > > > Can anybody help > > > > Best Regards > > > > Roman > > > > Med venlig hilsen / With kind Regards > > > > Allan Nielsen > > Advisory IT-Specialist > > > > IBM Danmark A/S - Sortemosevej 21 - 3450 Allerød - Phone: 4523 > > 9595 - Mobil: 23325107 - Fax: 4523 6803 - E-mail: > > [EMAIL PROTECTED] > > > ---- > > From: [EMAIL PROTECTED] > To: [EMAIL PROTECTED] > Subject: Re: Samba, winbind, solaris and your patch > Date: 13 May 2002 19:59:46 +0200 > > On Mon, 2002-05-13 at 11:20, [EMAIL PROTECTED] wrote: > > Hello Mike, > > > > I was veerrryyy interested in your work when I first saw your posting > > concerning winbind and the related problems when running it on more than > one > > machine. > > Glad to hear it. I was begininning to think that I was the only one > looking for this functionality. > > > I therefore immediately downloaded your patch and enhancements to winbind > > and applied it to samba 2.2.4. > > > > But when starting winbindd I get error messages in the log.winbindd > stating > > that the loader ld.so.1 can not find the symbol main in idmap_file.so. > > Hmmmm... not sure about that. Could you send me the version that you > compiled so that I can compare it against the one that works for me? > Also, please include any modifications that you did to the makefile to > get it to compile. > > > Any idea what could be wrong? > > Perhaps a different compiler and/or linker contributed to the problems. > I am using gcc 2.95.2 on Solaris 8. > > > My configuration is as follows: > > > > Solaris 2.6 > > Samba 2.2.4 > > gcc et al 2.95.3 > > > > > > Besides the problem that winbindd, without your patch, causes trouble in > an > > multi-machine environment I face the following problem, with and without > > your patch, as well: > > > > - winbindd is running > > - wbinfo -u --> shows all domain users > > - wbinfo -g --> shows all domain groups > > - getent passwd --> shows all, local and domain, users > > - getent group --> shows all, local and domain, groups > > - getent passwd domain+domuser --> shows passwd entry for specified domain > > user > > - wbinfo -a domain+domuser%passwd --> both authentication methods succeed > > - when install pam_winbind --> login to solaris as domain+domuser and > > domain-passwd works > > > > BUT > > > > connecting from an windows-box in explorer to a share on that > > winbind-machine is not working. > > I tried to track it down and I think I found out that when winbind tries > to > > call the solaris function 'getpwnam' that function returns a null-pointer. > > This is likely the bug related to the passwd structure on Solaris having > pw_age and pw_comment fields. See > http://lists.samba.org/pipermail/samba-technical/2002-May/036614.html > for details. If you didn't remove that part from my patch, you should > be protected from this bug. You may want to take a look at > source/lib/system.c. In wsys_getpwnam() there is another function that > copies the passwd structure (wsys_getpwnam). It looks as though it is > not called by anything, but perhaps I am missing some funky macro or > define that comes out of configure somewhere. > > If there is another problem, I am not sure where exactly it would be > at. The bug I found was quite difficult to find until I recompiled nscd > with debugging symbols. Unfortunately, that is not an option for most > people, especially with Solaris 2.6. AFAIK, Sun only gave the Solaris > 2.5.1, 2.6, and 7 code to univerisities. The only Sun source that I > have access to for debugging things like this is Solaris 8. > > > I assume from your postings that you are familiar with c, solaris and have > a > > running winbind environment. > > I have tried minimal functionality of winbindd. I do not want to use > the winbind PAM module because UNIX users should authenticate against > NIS. getent passwd <domain\\user> and getent passwd <uid> work just > fine. Exporer on NT4 and Win2k is able to create files and display ACLs > consistent with what I expect, given the U/GIDs assigned by winbindd. > ls and getfacl concur with the results that Windows explorer show. > Also, I explorer on Windows 98 is able to create directories just fine > (that is all I tried from 98). > > > Any idea what causes that problem, when I posted this problem to the > > samba-technical mailing list no one was responding except some other > usesrs > > facing the same problem. > > > > Can you contribute in any matter to this problems? > > > > Would be veeerrryyyy helpful. > > > > Thanks in advance and best regards > > > > Roman > > If you don't have a reason for not Cc'ing the list, please do so in the > future so that others can benefit from your question and my response. > It helps the samba team know that there is more than one person that > would like this functionality and they are more likely to include it in > future releases. > > Please let me know if this does or does not help. > Mike