Hello Stephen and All,

Yes, I think so. Someone I know had a good idea and it worked out pretty well.

My understanding of the problem: Solaris /usr/bin/passwd doesn't tolerate the "winbind" nameservice in /etc/nsswitch.conf.

His solution: Only use winbind resolution for samba, and leave passwd and the rest of Solaris alone. We can accomplish this using library interposition on samba (and any process which requires winbind resolution). Like overloading operators, you can override the normal system calls linked when smbd loads. (I'd never heard of interposers before, but always wondered when I'd get to use LD_PRELOAD. Whee.) Some info: http://www.itworld.com/AppDev/1006/UIR000929interposers/.

Here's the skinny. He wrote an interposer library for fopen(2) that opens /usr/local/samba/lib/nsswitch.conf instead of /etc/nsswitch.conf. So, basically, if arg=/etc/nsswitch.conf, return this other file instead. We LD_PRELOAD-ed it for smbd and winbindd, and removed winbind from the "real" nsswitch.conf. Now, smbd (and winbindd, though I don't think it needs it) gets name resolution through winbind because it thinks winbind is in nsswitch.conf, BUT NOTHING ELSE does.

This has the side benefit that logins and utilities like 'finger' do not have to perform winbind resolution either, so they're fast, again. (We're not using the Samba PAM module; we don't let Windows Domain users log in to our Solaris box, so we don't need to have winbind resolution in the normal utilities. We just use winbind to authenticate users when accessing samba shares.)

Now, one problem. nscd (Name Service Caching Daemon) will now run! That sounds good, right, because normally when winbind is in nsswitch.conf, nscd bails? Well, when nscd is running, name resolution is done by nscd, NOT the application, so our fopen(2) override is ineffective. nscd doesn't crash, but doesn't resolve through winbind either, so smbd fails to look up Windows Domain accounts. Solution: turn off nscd, easy as that.

Okay, so that's what we did. We're satisfied with it. If you don't need nscd, I think you will be too.
Your reactions are eagerly anticipated! I bet I can convince my friend to post the source, if you really want it. But I encourage you to write your own interposer; it's pretty easy and maybe you'll notice something we didn't.

__
Paul DeStefano

-----Original Message-----
From: Michaels, Stephen P. [mailto:Steve.Michaels@;jhuapl.edu]
Sent: November 04, 2002 9:45 AM
To: '[EMAIL PROTECTED]'
Subject: [Samba] passwd command problem with Solaris/winbind/pam

Hi-

I am running Samba 2.2.5 on Solaris 8 with winbind and pam configured. I have the following in my nsswitch.conf:

    passwd: files winbind
    group: files winbind

Now local users on the Solaris 8 machine cannot change their password using the passwd command. Here is the sample output:

    # passwd michasp1
    Enter new password:
    Enter new password again:
    Supported configurations for passwd management are as follows:
    passwd: files
    passwd: files ldap
    passwd: files nis
    passwd: files nisplus
    passwd: compat
    passwd: compat AND
    passwd_compat: ldap OR
    passwd_compat: nisplus
    Please check your /etc/nsswitch.conf file
    Permission denied
    #

Does anybody have a workaround solution for this, or am I doing something wrong?

Thanks

Stephen P. Michaels
ISS-1 Server Systems Group
The Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Rd.
Laurel, MD. 20723-6099
(443) 778-7527

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
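The interposer described in the reply above, written out as an added example; it is not the source Paul's friend wrote, which was not posted. The helper name `redirect_path` and the `RTLD_NEXT` fallback are assumptions of this example, while the two paths are the ones named in the message.

```c
/* Added example: fopen() interposer that swaps one path for the process
 * it is preloaded into (smbd/winbindd in the setup described above). */
#define _GNU_SOURCE               /* exposes RTLD_NEXT on glibc; Solaris needs no macro */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

#ifndef RTLD_NEXT                 /* assumption: fallback if _GNU_SOURCE came too late; */
#define RTLD_NEXT ((void *)-1L)   /* this is the value glibc and Solaris both use */
#endif

#define REAL_CONF  "/etc/nsswitch.conf"
#define SAMBA_CONF "/usr/local/samba/lib/nsswitch.conf"

/* Decide which file is really opened. Only an exact match on the system
 * nsswitch.conf is redirected; NULL and every other path pass through. */
const char *redirect_path(const char *path)
{
    if (path != NULL && strcmp(path, REAL_CONF) == 0)
        return SAMBA_CONF;
    return path;
}

/* Same signature as libc's fopen(). When this library is listed in
 * LD_PRELOAD, the runtime linker binds callers to this definition first. */
FILE *fopen(const char *path, const char *mode)
{
    static FILE *(*real_fopen)(const char *, const char *);

    if (real_fopen == NULL) {
        /* Find the next fopen in the link-map search order, i.e. libc's. */
        *(void **)&real_fopen = dlsym(RTLD_NEXT, "fopen");
        if (real_fopen == NULL)
            return NULL;          /* no underlying fopen: fail the open */
    }
    return real_fopen(redirect_path(path), mode);
}
```

Set LD_PRELOAD only in the environment of the smbd and winbindd start script, as the message describes, so that passwd, login and every other process keep reading the real /etc/nsswitch.conf.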
