I want to authenticate for ssh logins. I will not be running the smbd or
nmbd daemons. Just winbind.
Running your commands I got:
# ./wbinfo --allocate-uid
Could not allocate a uid
Second, there is no --set-uid-mapping option.
On 12/21/10 1:43 PM, Gaiseric Vandal wrote:
Is this to support authentication for unix users (e.g. via ssh) or
windows users (via samba?)
I found that after upgrading from samba 3.0.x to 3.4.x the idmap
allocation stopped working. In my case I already had the idmap
entries populated into ldap. Can you use "wbinfo --allocate-uid"
or "wbinfo --set-uid-mapping" to manually create a UID-to-SID
mapping?
On 12/21/2010 01:44 PM, CJ Keist wrote:
Forgot to add, my nsswitch.conf file has the winbind option added to
the end of the passwd and group lines:
passwd: files winbind
group: files winbind
------------------------------------
I'm trying to set up a Solaris 10 Sparc station to authenticate users
on login with Windows ADS. I have found the documentation for this
but am having no luck in getting the pam modules to work. Here is what
I have done so far:
Compiling Kerberos MIT5-1.8.3:
cd into the src directory
./configure --prefix=/opt/local
gmake
gmake install
Compiling Samba 3.5.6:
setenv CFLAGS "-O2"
setenv LDFLAGS "-L/opt/local/lib -Wl,-R/opt/local/lib"
setenv CPPFLAGS "-I/opt/local/include"
./configure --prefix=/opt/local --with-pam --with-ads --with-winbind --with-krb5=/opt/local
gmake
gmake install
Compiles and installs with no errors. Here is my samba conf. file:
[global]
workgroup = DOMAINNAME
realm = DOMINNAME.EDU
security = ADS
password server = domainname.edu
log file = /var/samba/log/log.%m
max log size = 50
load printers = No
utmp = Yes
idmap backend = idmap_rid:DOMAINNAME=100000-500000
idmap uid = 100000-500000
idmap gid = 100000-500000
template homedir = /home/%U
template shell = /bin/tcsh
winbind cache time = 1800
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
winbind separator = /
create krb5 conf = No
Krb5.conf:
[libdefaults]
default_realm = DOMAINNAME.EDU
[realms]
DOMAINNAME.EDU = {
kdc = server.domainname.edu
}
[domain_realm]
.server.domainname.edu = DOMAINNAME.EDU
server.domainname.edu = DOMAINNAME.EDU
Then I was able to join okay:
# ./net ads join -U user
Enter user's password:
Using short domain name -- DOMAINNAME
Joined 'SUNTEST1' to realm 'DomainName.EDU'
# ./net ads testjoin
Join is OK
I can get info from the ADS from wbinfo command just fine. But I
cannot get anything via
getent passwd user_name or getent group group_name
I did copy the libnss_winbind.so from the samba build and have the
pam_winbind.so linked in as well:
# cd /usr/lib
# ls -l *winbind*
-r-xr-xr-x 1 root root 50880 Dec 20 13:07 libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 17 15:29 libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 17 15:30 libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.2 -> libnss_winbind.so
# cd /usr/lib/security/
# ls -l *winbind*
lrwxrwxrwx 1 root root 38 Dec 20 13:04 pam_winbind.so -> /opt/local/lib/security/pam_winbind.so
lrwxrwxrwx 1 root root 38 Dec 20 13:05 pam_winbind.so.1 -> /opt/local/lib/security/pam_winbind.so
My pam.conf:
login auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
other auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
other session sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
other session required pam_unix_session.so.1
What am I missing????
--
C. J. Keist Email: cj.ke...@colostate.edu
Systems Group Manager Phone: 970-491-0630
Engineering Network Services Fax: 970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301
All I want is a chance to prove 'Money can't buy happiness'