[Samba] Smb.conf, template shell (quick one)

2004-02-19 Thread Ganguly, Sapan

Just a quick question.  When using winbind is it possible to have a
different shell for each user?  I have awkward users, some would like their
default shell to be bash others want csh.  What would I put in 'template
shell = '?

Thanks,
Sapan
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Winbind problems

2004-02-11 Thread Ganguly, Sapan

I posted my Redhat 9.0 ones on the list a while ago, have a search for them.

-Original Message-
From: John Simovic [mailto:[EMAIL PROTECTED] 
Sent: 11 February 2004 10:14
To: [EMAIL PROTECTED]
Subject: [Samba] Winbind problems


Can someone please send me a copy of their /etc/pam.d/login, system-auth
files for redhat/fedora. I need to get winbind working and when I upgraded
to samba 3 I forgot to copy them and now I can no longer auth via winbind.
wbinfo -u works fine as does -g but my login files are wrong.

Kind Regards


[Samba] Auto mapping to windows home drives?

2004-02-10 Thread Ganguly, Sapan

This could be quite simple but I don't know how to do it.

Does anyone know how I can automatically mount a user's home drive (which is
located on a windows server) when they log in?  Is there a pam module for
that?

Thanks very much,
Sapan


RE: [Samba] Auto mapping to windows home drives?

2004-02-10 Thread Ganguly, Sapan

John,

Sorry, I should have been more specific.  I'm logging into a Linux/Solaris
machine running winbind, I'm using my windows username and password to
login.  At the moment I use pam_mkhomedir to create a new home directory
automatically but it would be nice to map to the user's existing home drive
on the NT server instead.

Sapan


-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED] 
Sent: 10 February 2004 17:42
To: Ganguly, Sapan 
Cc: '[EMAIL PROTECTED]'
Subject: Re: [Samba] Auto mapping to windows home drives?


On Tue, 10 Feb 2004, Ganguly, Sapan  wrote:


 This could be quite simple but I don't know how to do it.

 Does anyone know how I can automatically mount a user's home drive 
 (which is located on a windows server) when they log in?  Is there a 
 pam module for that?

Have you read the Samba-HOWTO-Collection.pdf? I am sure I documented this.
:)

There are three ways by which you can automap a network drive connection:

1) Through the User Profile information in passwd backend.

frodo:~ # pdbedit -Lv jht
Unix username:        jht
NT username:
Account Flags:        [UX ]
User SID:             S-1-5-21-1593769616-160655940-3590153233-2000
Primary Group SID:    S-1-5-21-1593769616-160655940-3590153233-512
Full Name:            John H Terpstra
Home Directory:       \\frodo\jht
HomeDir Drive:        H:
Logon Script:         scripts\logon.bat
Profile Path:         \\frodo\Profiles\jht
Domain:               MIDEARTH
Account desc:         Master Sleuth and Watchmaker
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 20:14:07 GMT
Kickoff time:         Sat, 02 Jan 2038 00:00:00 GMT
Password last set:    Sat, 16 Aug 2003 22:57:25 GMT
Password can change:  Sat, 16 Aug 2003 22:57:25 GMT
Password must change: Mon, 18 Jan 2038 20:14:07 GMT

See above the Home Directory and HomeDir Drive entries.


2) By storing persistent drive connections as part of the users' desktop
profile in their roaming profile.


3) Through a network logon script. The command that would do this for the
home directory is:

net use H: /home


- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


RE: [Samba] idmap uid range 10000-20000: pam_winbind does NOT work ?

2004-02-05 Thread Ganguly, Sapan

Mike, 

I got it working!!  Have a look at what I have, here is my smb.conf and my
pam.conf.

# Global parameters
[global]
workgroup = RRLNTD01
server string = SUN001
security = DOMAIN
password server = nts009
log level = 10
syslog = 7
log file = /var/log/samba/log.%m
max log size = 50
name resolve order = wins lmhosts bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
local master = No
dns proxy = No
wins server = 192.168.224.25
ldap suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap
ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
idmap backend = ldap:ldap://lnxs001
idmap uid = 1-2
idmap gid = 1-2
template homedir = /mnt/spare/%U
template shell = /bin/bash
winbind separator = -
winbind use default domain = Yes

#
#ident  @(#)pam.conf   1.2002/01/23 SMI
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the other section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required   pam_winbind.so
login   auth requisite  pam_authtok_get.so.1 debug
#login   auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
login   auth sufficient pam_dhkeys.so.1 debug
login   auth sufficient pam_unix_auth.so.1 debug
login   auth sufficient pam_dial_auth.so.1 debug
#login   auth sufficient /usr/lib/security/pam_winbind.so.1 debug try_first_pass

#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth required   pam_winbind.so
rlogin  auth sufficient pam_rhosts_auth.so.1 debug
rlogin  auth requisite  pam_authtok_get.so.1 debug
rlogin  auth sufficient pam_dhkeys.so.1 debug
rlogin  auth sufficient pam_unix_auth.so.1 debug
#rlogin auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1 debug
rsh auth required   pam_unix_auth.so.1 debug
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite  pam_authtok_get.so.1 debug
ppp auth required   pam_dhkeys.so.1 debug
ppp auth required   pam_unix_auth.so.1 debug
ppp auth required   pam_dial_auth.so.1 debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth sufficient pam_winbind.so
other   auth requisite  pam_authtok_get.so.1 debug
other   auth sufficient pam_dhkeys.so.1 debug
other   auth sufficient pam_unix_auth.so.1 debug
#other  auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required   pam_passwd_auth.so.1 debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required    pam_projects.so.1 debug
cron    account required    pam_unix_account.so.1 debug
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account sufficient  pam_winbind.so
other   account requisite   pam_roles.so.1 debug
other   account sufficient  pam_projects.so.1 debug
other   account sufficient  pam_unix_account.so.1 debug
#other  account sufficient  /usr/lib/security/pam_winbind.so.1 debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required    pam_mkhomedir.so skel=/etc/skel umask=0022
other   session required    pam_unix_session.so.1 debug
other   session sufficient  /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#other  session required    pam_mkhomedir.so.1 debug skel=/etc/skel umask=0022
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required   pam_dhkeys.so.1 debug
other   password requisite  pam_authtok_get.so.1 debug
other   password requisite  pam_authtok_check.so.1 debug
other   password required   pam_authtok_store.so.1 debug
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional   pam_krb5.so.1 
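
The following is an added example, not part of the original posts: a syntax check for a Solaris-style pam.conf copied out of a mail message, which also resolves the stack a service actually gets under the "other" fallback rule stated in the file header above. The sample input is constructed, and the function names and the set of four control flags are assumptions of this example.

```python
"""Check Solaris-style pam.conf text for transit damage before installing it."""

MODULE_TYPES = {"auth", "account", "session", "password"}
# Assumption: only the four control flags used in the files on this page.
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample: entries in the style of the pam.conf above, including
# the kinds of damage that mail wrapping and whitespace collapse introduce.
SAMPLE = """\
login   auth required   pam_winbind.so
login   auth requisite  pam_authtok_get.so.1 debug
#login   auth sufficient /usr/lib/security/pam_winbind.so.1
try_first_pass debug
login   auth sufficient pam_unix_auth.so.1 debug
other   auth sufficient pam_winbind.so
other   auth requisite  pam_authtok_get.so.1 debug
other   auth sufficient pam_unix_auth.so.1 debug
cronaccount requiredpam_projects.so.1 debug
other   account sufficient  pam_winbind.so
other   account requisite   pam_roles.so.1 debug
other   session requiredpam_mkhomedir.so skel=/etc/skel umask=0022
other   session required    pam_unix_session.so.1 debug
"""


def _diagnose(fields):
    """Explain why a non-comment line is not a well-formed entry."""
    if len(fields) >= 2 and fields[1] in MODULE_TYPES:
        if len(fields) >= 3 and fields[2] not in CONTROL_FLAGS:
            if any(fields[2].startswith(flag) for flag in CONTROL_FLAGS):
                return "control flag and module path run together"
            return "unknown control flag %r" % fields[2]
        return "incomplete entry (need: service type flag module)"
    if any(fields[0].endswith(t) and fields[0] != t for t in MODULE_TYPES):
        return "service name and module type run together"
    return "orphan text; wrapped continuation of the previous line?"


def parse_pam_conf(text):
    """Return (entries, problems).

    entries  -- dicts with line, service, type, flag, module, options
    problems -- (line_number, message) for lines that are not valid entries
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if (len(fields) >= 4 and fields[1] in MODULE_TYPES
                and fields[2] in CONTROL_FLAGS):
            entries.append({"line": lineno, "service": fields[0],
                            "type": fields[1], "flag": fields[2],
                            "module": fields[3], "options": fields[4:]})
        else:
            problems.append((lineno, _diagnose(fields)))
    return entries, problems


def effective_stack(entries, service, module_type):
    """Entries consulted for service/module_type.

    Follows the rule in the pam.conf header: a service with no explicit
    entries of this type uses the "other" entries.
    """
    def stack(name):
        return [e for e in entries
                if e["service"] == name and e["type"] == module_type]
    return stack(service) or stack("other")


def uses_module(entries, service, module_type, module_name):
    """True if module_name is in the effective stack (path prefix ignored)."""
    return any(e["module"].rsplit("/", 1)[-1] == module_name
               for e in effective_stack(entries, service, module_type))


if __name__ == "__main__":
    entries, problems = parse_pam_conf(SAMPLE)
    for lineno, message in problems:
        print("line %d: %s" % (lineno, message))
    for service in ("login", "telnet"):
        for mtype in ("auth", "account", "session"):
            chain = ["%s(%s)" % (e["module"], e["flag"])
                     for e in effective_stack(entries, service, mtype)]
            print("%-7s %-8s %s" % (service, mtype, " -> ".join(chain)))
```

In the sample, the damaged pam_mkhomedir line is rejected, so the resolved session stack contains only pam_unix_session; the same check shows that a service without its own auth entries (telnet here) gets the "other" stack, where pam_winbind is sufficient rather than required.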

RE: [Samba] Back to 3.0.1, Winbind and Solaris 9

2004-02-04 Thread Ganguly, Sapan

Andy,

Hello, thanks for the pointers but it still won't work.  I didn't have
pam_winbind.c or pam_winbind.h in the location you mention, I've put them
there now but still no luck.

I ran the crle command, do I have to do anything else to make that change
take effect?

My libnss_winbind.so is only 29k, is that right?  My pam_winbind.so is 27k.

Thanks,
Sapan

-Original Message-
From: Andrew Smith-MAGAZINES [mailto:[EMAIL PROTECTED] 
Sent: 03 February 2004 18:17
To: Ganguly, Sapan ; [EMAIL PROTECTED]
Subject: RE: [Samba] Back to 3.0.1, Winbind and Solaris 9


Hi Sapan,

I've also got winbind authentication working with my Solaris 9. Just
looked through the truss output from your su command and noticed that your
library search path seems to be /usr/local/lib:/usr/lib. Now I can't think
that should cause a problem but it is the only difference I can see between
my system and yours. Can you try setting the search path as follows and see
if that helps,

crle -C /var/ld/ld.config -l /usr/lib:/usr/local/lib

Also can you confirm you have all of the following files present?

/usr/lib/security/pam_winbind.c
/usr/lib/security/pam_winbind.h
/usr/lib/security/pam_winbind.po
/usr/lib/security/pam_winbind.so
/usr/lib/libnss_winbind.so
/usr/lib/libnss_winbind.so.1
/usr/lib/libnss_winbind.so.2
/usr/lib/nss_winbind.so.1
/usr/lib/nss_winbind.so.2

cheers Andy.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Ganguly, Sapan 
Posted At: 29 January 2004 10:27
Posted To: Samba
Conversation: [Samba] Back to 3.0.1, Winbind and Solaris 9
Subject: [Samba] Back to 3.0.1, Winbind and Solaris 9



I've gone back to 3.0.1 to try and get winbind to work with my Solaris 9
machine and NT4 domain.  Everything works except user authentication.  The
wbinfo and getent commands do what they are supposed to.

I've included a truss of 'su - ganguly'

According to pamlog, the user 'ganguly' has been granted access but it is
still hanging.

How do I do a truss of a telnet login?

I'm hoping some one out there is good with Solaris.

Can you help?

Thanks,
Sapan


BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal
views which are not the views of the BBC unless specifically stated. If you
have received it in error, please delete it from your system. Do not use,
copy or disclose the information in any way nor act in reliance on it and
notify the sender immediately. Please note that the BBC monitors e-mails
sent or received. Further communication will signify your consent to this.


RE: [Samba] Back to 3.0.1, Winbind and Solaris 9

2004-02-04 Thread Ganguly, Sapan

Good news!!!  When I use YOUR pam.conf it works!  The only other thing is
that when I do an 'id -a' it does not list all the groups I'm a member of.

One more question, where in pam.conf should I put pam_mkhomedir.so so that
home directories are created when the user logs in?

Thanks!
Sapan

-Original Message-
From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED] 
Sent: 04 February 2004 10:30
To: Ganguly, Sapan 
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Back to 3.0.1, Winbind and Solaris 9


my libnss_winbind.so is 30k and pam_winbind.so is 28k. Also I'm using Samba
3.0.2pre1 now. The crle command takes immediate effect. I think someone's
provided this already but I've included a working pam.conf (not actually
needed for su). Also have you added valid template shell and homedir
entries to smb.conf?

thanks Andy.

-Original Message-
From: Ganguly, Sapan [mailto:[EMAIL PROTECTED]
Sent: 04 February 2004 09:25
To: 'Andrew Smith-MAGAZINES'; '[EMAIL PROTECTED]'
Subject: RE: [Samba] Back to 3.0.1, Winbind and Solaris 9



Andy,

Hello, thanks for the pointers but it still won't work.  I didn't have
pam_winbind.c or pam_winbind.h in the location you mention, I've put them
there now but still no luck.

I ran the crle command, do I have to do anything else to make that change
take effect?

My libnss_winbind.so is only 29k, is that right?  My pam_winbind.so is 27k.

Thanks,
Sapan

-Original Message-
From: Andrew Smith-MAGAZINES [mailto:[EMAIL PROTECTED] 
Sent: 03 February 2004 18:17
To: Ganguly, Sapan ; [EMAIL PROTECTED]
Subject: RE: [Samba] Back to 3.0.1, Winbind and Solaris 9


Hi Sapan,

I've also got winbind authentication working with my Solaris 9. Just
looked through the truss output from your su command and noticed that your
library search path seems to be /usr/local/lib:/usr/lib. Now I can't think
that should cause a problem but it is the only difference I can see between
my system and yours. Can you try setting the search path as follows and see
if that helps,

crle -C /var/ld/ld.config -l /usr/lib:/usr/local/lib

Also can you confirm you have all of the following files present?

/usr/lib/security/pam_winbind.c
/usr/lib/security/pam_winbind.h
/usr/lib/security/pam_winbind.po
/usr/lib/security/pam_winbind.so
/usr/lib/libnss_winbind.so
/usr/lib/libnss_winbind.so.1
/usr/lib/libnss_winbind.so.2
/usr/lib/nss_winbind.so.1
/usr/lib/nss_winbind.so.2

cheers Andy.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Ganguly, Sapan 
Posted At: 29 January 2004 10:27
Posted To: Samba
Conversation: [Samba] Back to 3.0.1, Winbind and Solaris 9
Subject: [Samba] Back to 3.0.1, Winbind and Solaris 9



I've gone back to 3.0.1 to try and get winbind to work with my Solaris 9
machine and NT4 domain.  Everything works except user authentication.  The
wbinfo and getent commands do what they are supposed to.

I've included a truss of 'su - ganguly'

According to pamlog, the user 'ganguly' has been granted access but it is
still hanging.

How do I do a truss of a telnet login?

I'm hoping some one out there is good with Solaris.

Can you help?

Thanks,
Sapan




RE: [Samba] How do I get pam_mkhomedir to work

2004-02-04 Thread Ganguly, Sapan

 I just got this working today, thanks to Andy from the BBC.  Here is what
my pam.conf looks like, warts and all!

#
#ident  @(#)pam.conf   1.2002/01/23 SMI
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the other section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required   pam_winbind.so
login   auth requisite  pam_authtok_get.so.1 debug
#login   auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
login   auth sufficient pam_dhkeys.so.1 debug
login   auth sufficient pam_unix_auth.so.1 debug
login   auth sufficient pam_dial_auth.so.1 debug
#login   auth sufficient /usr/lib/security/pam_winbind.so.1 debug try_first_pass

#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth required   pam_winbind.so
rlogin  auth sufficient pam_rhosts_auth.so.1 debug
rlogin  auth requisite  pam_authtok_get.so.1 debug
rlogin  auth sufficient pam_dhkeys.so.1 debug
rlogin  auth sufficient pam_unix_auth.so.1 debug
#rlogin auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1 debug
rsh auth required   pam_unix_auth.so.1 debug
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite  pam_authtok_get.so.1 debug
ppp auth required   pam_dhkeys.so.1 debug
ppp auth required   pam_unix_auth.so.1 debug
ppp auth required   pam_dial_auth.so.1 debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth sufficient pam_winbind.so
other   auth requisite  pam_authtok_get.so.1 debug
other   auth sufficient pam_dhkeys.so.1 debug
other   auth sufficient pam_unix_auth.so.1 debug
#other  auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required   pam_passwd_auth.so.1 debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required    pam_projects.so.1 debug
cron    account required    pam_unix_account.so.1 debug
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account sufficient  pam_winbind.so
other   account requisite   pam_roles.so.1 debug
other   account sufficient  pam_projects.so.1 debug
other   account sufficient  pam_unix_account.so.1 debug
#other  account sufficient  /usr/lib/security/pam_winbind.so.1 debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required    pam_mkhomedir.so skel=/etc/skel umask=0022
other   session required    pam_unix_session.so.1 debug
other   session sufficient  /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#other  session required    pam_mkhomedir.so.1 debug skel=/etc/skel umask=0022
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required   pam_dhkeys.so.1 debug
other   password requisite  pam_authtok_get.so.1 debug
other   password requisite  pam_authtok_check.so.1 debug
other   password required   pam_authtok_store.so.1 debug
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional   pam_krb5.so.1 try_first_pass
#login  auth optional   pam_krb5.so.1 try_first_pass
#other  auth optional   pam_krb5.so.1 try_first_pass
#cron   account optional    pam_krb5.so.1
#other  account optional    pam_krb5.so.1
#other  session optional    pam_krb5.so.1
#other  password optional   pam_krb5.so.1 try_first_pass


-Original Message-
From: Buchan Milne [mailto:[EMAIL PROTECTED] 
Sent: 04 February 2004 16:17
To: Tim Simpson
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] How do I get pam_mkhomedir to work


On 3 Feb 2004, Tim Simpson wrote:

 Message follows this disclaimer
 --
 
 This email and any files transmitted with it is confidential and intended
solely
 for the person or organisation to whom it 

RE: [Samba] How do I get pam_mkhomedir to work

2004-02-03 Thread Ganguly, Sapan

I'm using RedHat 9.0 and it works, here is what my files look like -

/etc/pam.d/login looks like this -   The authconfig tool in RedHat did
everything except the pam_mkhomedir.so bit.

#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_UNIX.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so umask=0022
session    optional     pam_console.so

My /etc/pam.d/gdm looks like this -

#%PAM-1.0
auth       required     pam_env.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0022

/etc/pam.d/system-auth looks like this -

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so


I also use 'winbind use default domain = yes' in smb.conf.

Sapan

-Original Message-
From: Tim Simpson [mailto:[EMAIL PROTECTED] 
Sent: 03 February 2004 16:41
To: [EMAIL PROTECTED]
Subject: [Samba] How do I get pam_mkhomedir to work


Message follows this disclaimer

--
This email and any files transmitted with it is confidential and intended
solely for the person or organisation to whom it is addressed.  If you are
not the intended recipient, you must not read, copy or disseminate the
information or take any action in reliance on it and it would be appreciated
if you would also notify the sender by reply email and then delete this
email immediately. All messages passing out of this gateway are checked for
viruses but 
Dundee City Council strongly recommends that you check for viruses using 
your own virus scanner as the Council will not take responsibility for any
damage caused as a result of virus infection.

--


Sorry if this is a simple question but I have been struggling for many days
trying to get samba-3.0.2rc2 working with a win2k AD

wbinfo -t works
wbinfo -u works
wbinfo -g works

getent passwd username works

sharing dirs works

in fact everything seems to work with the exception of a users directory
being created using pam_mkhomedir.so

I am running on Redhat 9   with Samba 3.0.2rc2

Samba was built using the following options   configure --with-quotas
--with-pam

I presume it is something wrong with my pam config  which follows

#%PAM-1.0
auth       required     pam_securetty.so
#auth      required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       sufficient   pam_winbind.so
auth       required     pam_env.so
auth       required     pam_unix.so nullok use_first_pass
account    sufficient   pam_winbind.so
account    required     pam_unix.so
#account   required     pam_stack.so service=system-auth
#password  required     pam_stack.so service=system-auth
#session   required     pam_stack.so service=system-auth
#session   optional     pam_console.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
password   required     pam_unix.so nullok obscure min=4 max=8
session    required     pam_unix.so
session    optional     pam_lastlog.so
session    optional     pam_motd.so
session    optional     pam_mail.so standard noenv

I have tried many variations of this file from various postings but all to no
avail

the relevant part of smb.conf follows

# Global parameters
[global]
workgroup = LEARNINGDOMAIN
realm = LEARNINGDOMAIN.ORG
server string = %L running Samba %v
security = ADS
obey pam restrictions = Yes
password server = pdc.learningdomain.org
passwd program = /usr/bin/passwd %u
unix password sync = Yes
log level = 3
log file = /var/log/samba/log.%m
preferred master = No
local master = No
domain 

RE: [Samba] RE: Back to 3.0.1, Winbind and Solaris 9 (Mike Dorofeev)

2004-01-30 Thread Ganguly, Sapan

Hi Mike,

Thanks for replying!  I have tried that but I still have the same problem.
I think that PAM is doing its job, I've set up logging so that everything in
pam.conf logs to /var/log/pamlog.  In pamlog I see user 'ganguly' granted
access.  

There is something else that is stopping this working, I just can't see what
it is.  Any ideas?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 30 January 2004 03:36
To: [EMAIL PROTECTED]
Subject: [Samba] RE: Back to 3.0.1, Winbind and Solaris 9 (Mike Dorofeev )


Hi Sapan!

See the Vol 13 Digest  MSG 34 of 28 Jan 04:

 here it is:
---
IT WORKS!!!
I can telnet, ftp, rsh... to my Samba 3.0.1 box (Solaris 9 sparc) here is
(at the end) my pam.conf (in case somebody is interested in) The trick is
commenting other account... winbind... string in pam.conf!

My English is corrupted when I'm full 
#other  account sufficient  /usr/lib/security/pam_winbind.so.1

Thanks Andrew Bartlett!
and since now I just LOVE SAMBA :)

(BTW, samba 3.0.1 and 3.0.2rc tested on solaris 9 and worked OK!)

---

The pam.conf mentioned here is attached to the digest vol13 issue 49

Sincerely yours, Mike

  Yes, I used your pam.conf and I have the patch installed.  I can't 
  think what else the problem could be.
  
  I can't see what happens after I type in my password.  Pamlog looks 
  like this -
  
  Jan 29 11:28:27 sun001 login: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
  Jan 29 11:28:31 sun001 login: [ID 378613 auth.debug] pam_dhkeys: user ganguly not found
  Jan 29 11:28:31 sun001 login: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jan 29 11:28:31 sun001 login: [ID 219349 auth.debug] pam_unix_auth: user ganguly not found
  Jan 29 11:28:31 sun001 pam_winbind[1138]: [ID 572310 auth.info] Verify user `ganguly'
  Jan 29 11:28:31 sun001 pam_winbind[1138]: [ID 614614 auth.notice] user 'ganguly' granted acces
  Jan 29 11:28:31 sun001 login[1138]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = telnet user = ganguly ruser = not set rhost = pc8723_w2k.uk.trt.thales
  
  It tells me that the user is granted access but then nothing
  happens, I don't get a shell even though I have an entry in smb.conf 
  'template shell = /bin/bash'
  
  Strange huh?
  


[Samba] Compile options?

2004-01-29 Thread Ganguly, Sapan


Does anyone know where I can find a full list of compile options and what
they mean?

Thanks,
Sapan


[Samba] Back to 3.0.1, Winbind and Solaris 9

2004-01-29 Thread Ganguly, Sapan

I've gone back to 3.0.1 to try and get winbind to work with my Solaris 9
machine and NT4 domain.  Everything works except user authentication.  The
wbinfo and getent commands do what they are supposed to.

I've included a truss of 'su - ganguly'

According to pamlog, the user 'ganguly' has been granted access but it is
still hanging.

How do I do a truss of a telnet login?

I'm hoping some one out there is good with Solaris.

Can you help?

Thanks,
Sapan

execve(/usr/bin/su, 0xFFBFFD44, 0xFFBFFD54)  argc = 3
mmap(0x, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 
0xFF3B
resolvepath(/usr/bin/su, /usr/bin/su, 1023) = 11
resolvepath(/usr/lib/ld.so.1, /usr/lib/ld.so.1, 1023) = 16
stat(/usr/bin/su, 0xFFBFFB28) = 0
open(/var/ld/ld.config, O_RDONLY) = 3
fstat(3, 0xFFBFF5D0)= 0
mmap(0x, 104, PROT_READ, MAP_SHARED, 3, 0) = 0xFF3A
close(3)= 0
open(/usr/local/lib/libcmd.so.1, O_RDONLY)Err#2 ENOENT
open(/usr/lib/libcmd.so.1, O_RDONLY)  = 3
fstat(3, 0xFFBFF464)= 0
mmap(0x, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF39
mmap(0x, 90112, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF37
mmap(0xFF384000, 1131, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 
16384) = 0xFF384000
munmap(0xFF374000, 65536)   = 0
resolvepath(/usr/lib/libcmd.so.1, /usr/lib/libcmd.so.1, 1023) = 20
memcntl(0xFF37, 3720, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)= 0
open(/usr/local/lib/libbsm.so.1, O_RDONLY)Err#2 ENOENT
open(/usr/lib/libbsm.so.1, O_RDONLY)  = 3
fstat(3, 0xFFBFF464)= 0
mmap(0xFF39, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF39
mmap(0x, 180224, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF34
mmap(0xFF366000, 14676, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 
90112) = 0xFF366000
mmap(0xFF36A000, 2520, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANON, 
-1, 0) = 0xFF36A000
munmap(0xFF356000, 65536)   = 0
resolvepath(/usr/lib/libbsm.so.1, /usr/lib/libbsm.so.1, 1023) = 20
memcntl(0xFF34, 26520, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)= 0
open(/usr/local/lib/libproject.so.1, O_RDONLY) Err#2 ENOENT
open(/usr/lib/libproject.so.1, O_RDONLY)  = 3
fstat(3, 0xFFBFF464)= 0
mmap(0xFF39, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF39
mmap(0x, 90112, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF32
mmap(0xFF334000, 1424, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 
16384) = 0xFF334000
munmap(0xFF324000, 65536)   = 0
resolvepath(/usr/lib/libproject.so.1, /usr/lib/libproject.so.1, 1023) = 24
memcntl(0xFF32, 5912, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)= 0
open(/usr/local/lib/libpam.so.1, O_RDONLY)Err#2 ENOENT
open(/usr/lib/libpam.so.1, O_RDONLY)  = 3
fstat(3, 0xFFBFF464)= 0
mmap(0xFF39, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF39
mmap(0x, 98304, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF30
mmap(0xFF316000, 6315, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 
24576) = 0xFF316000
munmap(0xFF306000, 65536)   = 0
resolvepath(/usr/lib/libpam.so.1, /usr/lib/libpam.so.1, 1023) = 20
memcntl(0xFF30, 6976, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)= 0
open(/usr/local/lib/libc.so.1, O_RDONLY)  Err#2 ENOENT
open(/usr/lib/libc.so.1, O_RDONLY)= 3
fstat(3, 0xFFBFF464)= 0
mmap(0xFF39, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF39
mmap(0x, 802816, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF20
mmap(0xFF2BC000, 24472, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 
704512) = 0xFF2BC000
mmap(0xFF2C2000, 6588, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANON, 
-1, 0) = 0xFF2C2000
munmap(0xFF2AC000, 65536)   = 0
resolvepath(/usr/lib/libc.so.1, /usr/lib/libc.so.1, 1023) = 18
memcntl(0xFF20, 117256, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)= 0
open(/usr/local/lib/libc.so.1, O_RDONLY)  Err#2 ENOENT
open(/usr/lib/libc.so.1, O_RDONLY)= 3
fstat(3, 0xFFBFF464)= 0
close(3)= 0
open(/usr/local/lib/libsocket.so.1, O_RDONLY) Err#2 ENOENT
open(/usr/lib/libsocket.so.1, O_RDONLY)   = 3
fstat(3, 0xFFBFF464)= 0
mmap(0xFF39, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF39
mmap(0x, 114688, 

RE: [Samba] Back to 3.0.1, Winbind and Solaris 9

2004-01-29 Thread Ganguly, Sapan

Hello Patrik,

Yes, I used your pam.conf and I have the patch installed.  I can't think
what else the problem could be.

I can't see what happens after I type in my password.  Pamlog looks like
this -

Jan 29 11:28:27 sun001 login: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
Jan 29 11:28:31 sun001 login: [ID 378613 auth.debug] pam_dhkeys: user ganguly not found
Jan 29 11:28:31 sun001 login: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jan 29 11:28:31 sun001 login: [ID 219349 auth.debug] pam_unix_auth: user ganguly not found
Jan 29 11:28:31 sun001 pam_winbind[1138]: [ID 572310 auth.info] Verify user `ganguly'
Jan 29 11:28:31 sun001 pam_winbind[1138]: [ID 614614 auth.notice] user 'ganguly' granted acces
Jan 29 11:28:31 sun001 login[1138]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = telnet user = ganguly ruser = not set rhost = pc8723_w2k.uk.trt.thales

It tells me that the user is granted access but then nothing happens, I
don't get a shell even though I have an entry in smb.conf 'template shell =
/bin/bash'

Strange huh?

-Original Message-
From: Patrik Gustavsson [mailto:[EMAIL PROTECTED] 
Sent: 29 January 2004 11:13
To: Ganguly, Sapan
Cc: 'Samba'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: Re: [Samba] Back to 3.0.1, Winbind and Solaris 9


Did you use the pam.conf file I sent you ?

I will attach it again.

Do you have patch 113476-08 or later installed ?


/Patrik
On Thu, 2004-01-29 at 11:26, Ganguly, Sapan wrote:
> I've gone back to 3.0.1 to try and get winbind to work with my Solaris
> 9 machine and NT4 domain.  Everything works except user
> authentication.  The wbinfo and getent commands do what they are
> supposed to.
>
> I've included a truss of 'su - ganguly'
>
> According to pamlog, the user 'ganguly' has been granted access but it
> is still hanging.
>
> How do I do a truss of a telnet login?
>
> I'm hoping some one out there is good with Solaris.
>
> Can you help?
>
> Thanks,
> Sapan
-- 
In a world without fences who needs Gates
Patrik Gustavsson, Senior Technical Consultant
[EMAIL PROTECTED]    Telephone: +46 60 671540
http://glen.sweden   Mobile: +46 70 3551040
SUN MICROSYSTEMS     Fax: +46 60 671550
--



RE: [Samba] Back to 3.0.1, Winbind and Solaris 9

2004-01-29 Thread Ganguly, Sapan

Ah, I compiled with gcc 3.3.2.  My machine is an Enterprise 220R so I guess
I would have compiled in 64 bit by default right?  How do I force it to
compile everything in 32 bit?  I think I installed the OS to be compatible
with 32 bit apps.

I have the same symbolic links as you but what is /usr/lib/security/sparcv9
for?

What is the difference between /usr/lib/security and /lib/security?



-Original Message-
From: Patrik Gustavsson [mailto:[EMAIL PROTECTED] 
Sent: 29 January 2004 12:46
To: Ganguly, Sapan
Cc: 'Patrik Gustavsson'; 'Samba'; '[EMAIL PROTECTED]'
Subject: RE: [Samba] Back to 3.0.1, Winbind and Solaris 9


Ok,

Let's take a step back,

I have used the pam.conf file on both 3.0.1 and 3.0.2rc1 and it works.

The libraries are 32 bits and are installed in /usr/lib/security and have been
compiled with gcc 3.2.3.

The only thing I have changed is that Samba is compiling pam_winbind.so
instead of pam_winbind.so.1, so I renamed pam_winbind.so to pam_winbind.so.1
in /usr/lib/security and created a symlink from pam_winbind.so to
pam_winbind.so.1

lrwxrwxrwx   1 root other 16 Jan 26 14:13 pam_winbind.so -> pam_winbind.so.1
-rwxr-xr-x   1 root other  27904 Jan 28 15:25 pam_winbind.so.1

/Patrik
-- 
In a world without fences who needs Gates
Patrik Gustavsson, Senior Technical Consultant
[EMAIL PROTECTED]    Telephone: +46 60 671540
http://glen.sweden   Mobile: +46 70 3551040
SUN MICROSYSTEMS     Fax: +46 60 671550
--



RE: [Samba] Back to 3.0.1, Winbind and Solaris 9

2004-01-29 Thread Ganguly, Sapan

OK, I've checked that, my libraries are 32 bit.

I've just had a look at my config.log, here are just a few of the errors in
it, I did a search on google but the general opinion seems to be that they
don't matter?!  Is that true?

In file included from configure:5267:
/usr/include/net/if.h:231: error: field `ifa_addr' has incomplete type
/usr/include/net/if.h:233: error: field `ifu_broadaddr' has incomplete type
/usr/include/net/if.h:234: error: field `ifu_dstaddr' has incomplete type
/usr/include/net/if.h:266: error: field `lnr_addr' has incomplete type
/usr/include/net/if.h:335: error: field `lifru_addr' has incomplete type
/usr/include/net/if.h:336: error: field `lifru_dstaddr' has incomplete type
/usr/include/net/if.h:337: error: field `lifru_broadaddr' has incomplete
type
/usr/include/net/if.h:338: error: field `lifru_token' has incomplete type
/usr/include/net/if.h:339: error: field `lifru_subnet' has incomplete type
/usr/include/net/if.h:378: error: field `sa_addr' has incomplete type
/usr/include/net/if.h:388: error: field `slr_src' has incomplete type
/usr/include/net/if.h:389: error: field `slr_grp' has incomplete type
/usr/include/net/if.h:408: error: field `ifru_addr' has incomplete type
/usr/include/net/if.h:409: error: field `ifru_dstaddr' has incomplete type
/usr/include/net/if.h:411: error: field `ifru_broadaddr' has incomplete type
/usr/include/net/if.h:479: error: parse error before sa_family_t
/usr/include/net/if.h:482: error: parse error before '}' token
/usr/include/net/if.h:492: error: parse error before sa_family_t
/usr/include/net/if.h:501: error: parse error before '}' token
/usr/include/net/if.h:632: error: field `ifta_saddr' has incomplete type
/usr/include/net/if.h:633: error: field `ifta_daddr' has incomplete type

configure:5303: WARNING: net/if.h: present but cannot be compiled
configure:5305: WARNING: net/if.h: check for missing prerequisite headers?
configure:5307: WARNING: net/if.h: proceeding with the preprocessor's result
configure:5310: checking for net/if.h

#include <sys/priv.h>
configure:5615: result: no
configure:5619: checking sys/priv.h presence
configure:5626: gcc -E  -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
conftest.c
configure:5622:22: sys/priv.h: No such file or directory
configure:5632: $? = 1
configure: failed program was:
#line 5621 configure

configure:5942: checking security/pam_modules.h usability
configure:5951: gcc -c -O   -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
conftest.c 5
In file included from configure:5979:
/usr/include/security/pam_modules.h:17: error: parse error before '*' token
/usr/include/security/pam_modules.h:24: error: parse error before '*' token
/usr/include/security/pam_modules.h:31: error: parse error before '*' token
/usr/include/security/pam_modules.h:38: error: parse error before '*' token
/usr/include/security/pam_modules.h:45: error: parse error before '*' token
/usr/include/security/pam_modules.h:59: error: parse error before '*' token
/usr/include/security/pam_modules.h:71: error: parse error before '*' token
/usr/include/security/pam_modules.h:74: error: parse error before '*' token
/usr/include/security/pam_modules.h:83: error: parse error before '*' token
configure:5954: $? = 1
configure: failed program was:
#line 5944 configure

#include <security/pam_modules.h>
configure:5969: result: no
configure:5973: checking security/pam_modules.h presence
configure:5980: gcc -E  -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
conftest.c
configure:5986: $? = 0
configure:6004: result: yes
configure:6015: WARNING: security/pam_modules.h: present but cannot be
compiled
configure:6017: WARNING: security/pam_modules.h: check for missing
prerequisite headers?
configure:6019: WARNING: security/pam_modules.h: proceeding with the
preprocessor's result
configure:6022: checking for security/pam_modules.h
configure:6029: result: yes
configure:5942: checking security/_pam_macros.h usability
configure:5951: gcc -c -O   -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
conftest.c 5
configure:5979:34: security/_pam_macros.h: No such file or directory
configure:5954: $? = 1
configure: failed program was:
#line 5944 configure

-Original Message-
From: Patrik Gustavsson [mailto:[EMAIL PROTECTED] 
Sent: 29 January 2004 14:07
To: Ganguly, Sapan
Cc: 'Samba'; '[EMAIL PROTECTED]'
Subject: RE: [Samba] Back to 3.0.1, Winbind and Solaris 9



/lib is symlink to /usr/lib

The 32 bits pam libs are installed in /usr/lib/security and 64 bits are
installed in /usr/lib/security/sparcv9

If you want to know if your libs are 32 or 64 bits, run file command,

# file /usr/lib/security/pam_winbind.so.1
/usr/lib/security/pam_winbind.so.1: ELF 32-bit MSB dynamic lib SPARC Version 1, dynamically linked, not stripped

# file /usr/lib/security/sparcv9/pam_unix.so.1
/usr/lib/security/sparcv9/pam_unix.so.1: ELF 64-bit MSB dynamic lib SPARCV9 Version 1, dynamically linked, not stripped

I think the compiler is compiling 32 bits by default.

/Patrik

On Thu, 2004-01-29

RE: [Samba] Back to 3.0.1, Winbind and Solaris 9

2004-01-29 Thread Ganguly, Sapan

The size of my libnss_winbind.so is 29k and my pam_winbind.so is 27k.  Are
yours this size?  

I seem to remember that from a previous compile that libnss_winbind.so was
about 737k.


-Original Message-
From: Patrik Gustavsson [mailto:[EMAIL PROTECTED] 
Sent: 29 January 2004 14:07
To: Ganguly, Sapan
Cc: 'Samba'; '[EMAIL PROTECTED]'
Subject: RE: [Samba] Back to 3.0.1, Winbind and Solaris 9



/lib is symlink to /usr/lib

The 32 bits pam libs are installed in /usr/lib/security and 64 bits are
installed in /usr/lib/security/sparcv9

If you want to know if your libs are 32 or 64 bits, run file command,

# file /usr/lib/security/pam_winbind.so.1
/usr/lib/security/pam_winbind.so.1: ELF 32-bit MSB dynamic lib SPARC Version 1, dynamically linked, not stripped

# file /usr/lib/security/sparcv9/pam_unix.so.1
/usr/lib/security/sparcv9/pam_unix.so.1: ELF 64-bit MSB dynamic lib SPARCV9 Version 1, dynamically linked, not stripped

I think the compiler is compiling 32 bits by default.

/Patrik


RE: [Samba] winbind and Solaris 9 with AD

2004-01-26 Thread Ganguly, Sapan

I wonder if that is my problem too?  How do you force it all to compile at
32 bit?

-Original Message-
From: Unix Service (ANTS) [mailto:[EMAIL PROTECTED] 
Sent: 25 January 2004 17:43
To: '[EMAIL PROTECTED]'
Subject: RE: [Samba] winbind and Solaris 9 with AD


Hi
have resolved the problem as to why getent and samba authentication via
winbind were not working. It's really stupid - we were building 64 bit and
then copying the 64 bit winbind nss lib into /usr/lib - doh!. So getent ( 32
bit ) would try and load a 64 bit winbind nss lib which obviously could not
work , and it was failing silently. Recompiling 32 bit version of library
has done the trick and getent works ok and users do not need unix accounts
to access samba areas.


Will post full build procedure tomorrow and am now trying to get the logging
on to the Solaris 9 host using AD account details. Isn't working yet - have
redirected all auth.debug to a file and am getting the following:

Jan 22 22:02:18 ants725 pam_winbind[21561]: [ID 614614 auth.notice] user 'test7' granted acces
Jan 22 22:02:18 ants725 login[21561]: [ID 468494 auth.crit] login account failure: No account present for user

i.e. the pam authentication is working but then login doesn't appear to be
able to find the user's account.

Anyway - will have a play and post back if I get any further.

thanks to everyone who replied to my post - sorry it was such an idiotic
problem in the end.

tim 


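Added example (not part of any message in this thread): Tim's fix and Patrik's `file` check both come down to the ELF class of the winbind modules matching the directory they sit in. The Python sketch below reads the ELF header directly and reports modules whose word size disagrees with the Solaris layout Patrik describes (32-bit in the directory itself, 64-bit under sparcv9/); the function names and the sample tree are constructed for illustration.

```python
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
EI_CLASS = {1: 32, 2: 64}          # e_ident[4]: ELFCLASS32 / ELFCLASS64
EI_DATA = {1: "LSB", 2: "MSB"}     # e_ident[5]: byte order
# e_machine values from the ELF specification
E_MACHINE = {2: "SPARC", 18: "SPARC32PLUS", 43: "SPARCV9", 3: "i386", 62: "x86-64"}


def elf_info(path):
    """Return (bits, byte_order, machine) from the ELF header, or None if not ELF."""
    with open(path, "rb") as fh:
        hdr = fh.read(20)
    if len(hdr) < 20 or hdr[:4] != ELF_MAGIC:
        return None
    bits = EI_CLASS.get(hdr[4])
    order = EI_DATA.get(hdr[5])
    if bits is None or order is None:
        return None
    endian = ">" if order == "MSB" else "<"
    (machine,) = struct.unpack(endian + "H", hdr[18:20])  # e_machine at offset 18
    return bits, order, E_MACHINE.get(machine, "machine#%d" % machine)


def expected_bits(path, root):
    """Layout from the thread: 64-bit modules live under sparcv9/, 32-bit ones above it."""
    rel = os.path.relpath(path, root)
    return 64 if "sparcv9" in rel.split(os.sep) else 32


def audit(root):
    """Return sorted (relative path, found bits, expected bits) for every mismatch."""
    problems = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # e.g. pam_winbind.so -> pam_winbind.so.1; the target is checked
            info = elf_info(path)
            if info is None:
                continue  # not a shared object
            want = expected_bits(path, root)
            if info[0] != want:
                problems.append((os.path.relpath(path, root), info[0], want))
    return sorted(problems)


def fake_elf(bits, machine):
    """Constructed 20-byte big-endian ELF header prefix (sample data, not a real library)."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 2, 1]) + b"\x00" * 9
    return ident + struct.pack(">HH", 3, machine)  # e_type 3 = ET_DYN


def build_sample_tree():
    """Constructed stand-in for a module directory with one misplaced 64-bit build."""
    root = tempfile.mkdtemp(prefix="secmods-")
    os.mkdir(os.path.join(root, "sparcv9"))
    samples = {
        "pam_winbind.so.1": fake_elf(32, 2),
        "nss_winbind.so.1": fake_elf(64, 43),  # 64-bit build copied into the 32-bit directory
        os.path.join("sparcv9", "pam_unix.so.1"): fake_elf(64, 43),
        "README": b"not an ELF file\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    os.symlink("pam_winbind.so.1", os.path.join(root, "pam_winbind.so"))
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, found, want in audit(tree):
        print("%s: %d-bit module in a %d-bit directory" % (rel, found, want))
```

Pointing audit() at a real module directory gives the same answer as running `file` on each module by hand, without depending on a loader that fails silently on the wrong class.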


[Samba] Solaris 9 compile errors, samba 3.0.2rc1

2004-01-26 Thread Ganguly, Sapan

I've tried compiling samba 3.0.2rc1, 'gcc -v' gives me -

Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.9/3.3.2/specs
Configured with: ../configure --with-as=/usr/ccs/bin/as
--with-ld=/usr/ccs/bin/ld --disable-nls
Thread model: posix
gcc version 3.3.2

Here are a few bits from my config.log that I probably need help with, tell
me if you need the whole thing -

In file included from configure:5980:
/usr/include/security/pam_modules.h:17: error: parse error before '*' token
/usr/include/security/pam_modules.h:24: error: parse error before '*' token
/usr/include/security/pam_modules.h:31: error: parse error before '*' token
/usr/include/security/pam_modules.h:38: error: parse error before '*' token
/usr/include/security/pam_modules.h:45: error: parse error before '*' token
/usr/include/security/pam_modules.h:59: error: parse error before '*' token
/usr/include/security/pam_modules.h:71: error: parse error before '*' token
/usr/include/security/pam_modules.h:74: error: parse error before '*' token
/usr/include/security/pam_modules.h:83: error: parse error before '*' token

#include <security/pam_modules.h>
configure:5970: result: no
configure:5974: checking security/pam_modules.h presence
configure:5981: gcc -E  -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
conftest.c
configure:5987: $? = 0
configure:6005: result: yes
configure:6016: WARNING: security/pam_modules.h: present but cannot be
compiled
configure:6018: WARNING: security/pam_modules.h: check for missing
prerequisite headers?
configure:6020: WARNING: security/pam_modules.h: proceeding with the
preprocessor's result
configure:6023: checking for security/pam_modules.h
configure:6030: result: yes
configure:5943: checking security/_pam_macros.h usability
configure:5952: gcc -c -O   -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
conftest.c 5
configure:5980:34: security/_pam_macros.h: No such file or directory
configure:5955: $? = 1
configure: failed program was:
#line 5945 configure

In file included from configure:6501:
/usr/include/netinet/ip.h:61: error: field `ip_src' has incomplete type
/usr/include/netinet/ip.h:61: error: field `ip_dst' has incomplete type
/usr/include/netinet/ip.h:134: error: field `ipt_addr' has incomplete type
configure:6476: $? = 1
configure: failed program was:
#line 6466 configure

configure:6618:17: nss.h: No such file or directory
configure:6628: $? = 1
configure: failed program was:
#line 6617 configure

#include <ns_api.h>
configure:6611: result: no
configure:6615: checking ns_api.h presence
configure:6622: gcc -E  -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
conftest.c
configure:6618:20: ns_api.h: No such file or directory
configure:6628: $? = 1
configure: failed program was:
#line 6617 configure
#include "confdefs.h"
#include <ns_api.h>
configure:6646: result: no
configure:6664: checking for ns_api.h
configure:6671: result: no
configure:6584: checking sys/security.h usability
configure:6593: gcc -c -O   -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
conftest.c 5
configure:6621:26: sys/security.h: No such file or directory
configure:6596: $? = 1
configure: failed program was:
#line 6586 configure

There are more but they are pretty similar to these.

Can you help?

Thanks,
Sapan


RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-23 Thread Ganguly, Sapan

John,

What options did you compile samba with on Solaris 9?  Maybe that's where I
went wrong?  I don't suppose you have copies of the pam.conf from when you
did it do you?

-Original Message-
From: Ganguly, Sapan 
Sent: 14 January 2004 13:40
To: 'John H Terpstra'; Ganguly, Sapan 
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



John,

OK, I took out the winbind uid and winbind gid lines.

Here is what I have in /lib, how do I know which is the appropriate version
name?  I've tried these ones. 

-rwxr-xr-x   1 root other 751048 Dec 11 13:36 libnss_winbind.so
lrwxrwxrwx   1 root other 17 Dec  4 14:20 libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx   1 root other 17 Dec  4 14:19 libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx   1 root other 17 Dec  4 14:20 nss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx   1 root other 17 Dec  4 14:21 nss_winbind.so.2 -> libnss_winbind.so

I've done everything else too but my login still hangs at the password:
prompt after I have typed the password in.  Although when I did a 'getent
group' it did pause for a few seconds several times during the listing, that
may just be because we have a lot of NT groups.  'getent passwd' worked fine
and listed all the unix users as well as all the NT users in a split second.
My /etc/nsswitch.conf is configured and I have done the 'smbpasswd -w'
command to put my LDAP password into secrets.tdb.

Here is what I get in my pamlog, as you can see, it does say access
granted on the last line.  I think the first line is me killing the telnet
session of a previous attempt. 

Jan 14 13:29:55 sun001 pam_winbind[15352]: [ID 571141 auth.debug] libpam_winbind:pam_sm_close_session handler
Jan 14 13:29:59 sun001 login: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
Jan 14 13:30:05 sun001 login: [ID 378613 auth.debug] pam_dhkeys: user ganguly not found
Jan 14 13:30:05 sun001 login: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jan 14 13:30:05 sun001 login: [ID 219349 auth.debug] pam_unix_auth: user ganguly not found
Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 572310 auth.info] Verify user `ganguly'
Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 614614 auth.notice] user 'ganguly' granted acces
Jan 14 13:30:05 sun001 login[15369]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = telnet user = ganguly ruser = not set rhost = 192.168.224.90

Does anyone have any ideas on what the problem could be?  According to this
log access is granted right?  So why does it just sit there at password:?

Thanks,
Sapan

-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED] 
Sent: 13 January 2004 16:39
To: Ganguly, Sapan 
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


On Tue, 13 Jan 2004, Ganguly, Sapan  wrote:


> John,
>
> Any ideas?  When I try to log in it seems to get past the PAM stuff
> but then it just sits there, I don't get a prompt.  I've enabled debug
> on all the modules in pam.conf, should I post the log files?

You should get rid of the winbind uid and winbind gid parameters as they
have been superseded by idmap uid and idmap gid.

Did you install the libnss_winbind.so module you built (it's in the
~samba/sources/nsswitch directory) as /lib/nss_winbind.so and link it to the
appropriate version name?

Have you modified in /etc/nsswitch.conf the following:

passwd: files winbind
group: files winbind


Do you obtain correct domain account information from:

getent passwd

and

getent group

You will need to install the LDAP admin password into your Samba secrets.tdb
file. The command that does that is:

smbpasswd -w 'secret_password'

PAM provides authentication, NSS (name service switch) does Identity
resolution. It is the instrument that will permit the LDAP database to be
populated via winbind.

I hope this helps.

Cheers,
John T.


> Sapan
>
> -Original Message-
> From: Ganguly, Sapan
> Sent: 08 January 2004 17:39
> To: 'John H Terpstra'; Ganguly, Sapan
> Cc: '[EMAIL PROTECTED]'
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
> John,
>
> Wbinfo -u lists all my NT user and wbinfo -g lists all my NT groups.
>
> Here is a copy of my smb.conf, I took it from a working Redhat 9.0
> machine I built.
>
> [global]
>
> # LDAP stuff for the idmap backend
>
> ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
> ldap suffix = dc=uk,dc=trt,dc=thales
> ldap idmap suffix = ou=idmap
>
> # Winbind stuff
>
> winbind separator = -
> idmap uid = 1-2
> winbind uid = 1-2
> idmap gid = 1-2
> winbind gid = 1-2
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> #template homedir = /home/%D/%U
> #template homedir = /home/%U
> template homedir = /mnt/spare/%U
> template shell = /bin/bash
> idmap backend = ldap:ldap://lnxs001
>
> # workgroup = NT-Domain-Name or Workgroup-Name
workgroup

RE: [Samba] Samba Winbind and LDAP backend

2004-01-23 Thread Ganguly, Sapan

Andy,

Thanks for clearing that up, I didn't think I needed to set up the LDAP
client, everything I've done so far has indicated that winbind is putting
information into my idmap ou.  Yep, getent does work and I'm using a
pam.conf specifically for Solaris 9 that I've seen posted here on the
mailing list.  I've applied the Solaris patch that is mentioned in the HOWTO
also.  I've just compiled and tried out 3.0.2rc1 as well, I get the same
problem with that so I'm guessing the problem may not even lie with
samba/winbind.  I can't think what else it could be. 

I'll try compiling using a different compiler.

Oh, one other thing, I'm not using Active Directory, this is all on an old
NT4 domain.

-Original Message-
From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED] 
Sent: 23 January 2004 16:09
To: Ganguly, Sapan ; [EMAIL PROTECTED]
Subject: RE: [Samba] Samba Winbind and LDAP backend


Firstly, no you definitely don't need to setup LDAP native client in
Solaris, SAMBA/winbind does all the LDAP reads for Solaris and Solaris talks
direct to winbind. I've had this work with solaris 8 now, have you verified
that the idmap data is written into the idmap ou specified in smb.conf
(probably not necessary for winbind authentication but since you raised the
question)? Most important have you updated the pam.conf as detailed in
SAMBA-HowTo-collection guide (more or less accurate for Solaris 9)? Does
getent list your AD domain users? this needs to work for winbind
authentication,

thanks Andy.

-Original Message-
From: Ganguly, Sapan [mailto:[EMAIL PROTECTED]
Posted At: 23 January 2004 15:42
Posted To: Samba
Conversation: [Samba] Samba Winbind and LDAP backend
Subject: [Samba] Samba Winbind and LDAP backend



Just a quick question, it may sound a bit stupid but I just want to make
sure.

I have a Solaris 9 machine running winbind, the backend is an OpenLDAP
database running on a RedHat 9 machine.

My question is, apart from the 'smbpasswd -w' command and the obvious stuff
in smb.conf, do I have to set up the LDAP client on Solaris for Samba to be
able to put new mappings into the LDAP database?

The reason I ask is because everything seems to work (ntlm_auth, wbinfo,
getent) except logins (via telnet, etc), I'm stuck for ideas.

The next thing I will try is recompiling with a different version of gcc and
maybe try 3.0.2 instead.

Sapan  



RE: [Samba] Samba Winbind and LDAP backend

2004-01-23 Thread Ganguly, Sapan

P.S.

One thing has changed since I installed 3.0.2rc1, before I could do the
following -

 id -a windowuser

And I would get a list of all the windows groups that windows user is a
member of, but now it just hangs. 


-Original Message-
From: Ganguly, Sapan 
Sent: 23 January 2004 18:00
To: 'ww m-pubsyssamba'; Ganguly, Sapan ; '[EMAIL PROTECTED]'
Subject: RE: [Samba] Samba Winbind and LDAP backend



Andy,

Thanks for clearing that up, I didn't think I needed to setup up the LDAP
client, everything I've done so far has indicated that winbind is putting
information into my idmap ou.  Yep, getent does work and I'm using a
pam.conf specifically for Solaris 9 that I've seen posted here on the
mailing list.  I've applied the Solaris patch that is mentioned in the HOWTO
also.  I've just compiled and tried out 3.0.2rc1 as well, I get the same
problem with that so I'm guessing the problem may not even lie with
samba/winbind.  I can't think what else it could be. 

I'll try compiling using a different compiler.

Oh, one other thing, I'm not using Active Directory, this is all on an old
NT4 domain.

-Original Message-
From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED] 
Sent: 23 January 2004 16:09
To: Ganguly, Sapan ; [EMAIL PROTECTED]
Subject: RE: [Samba] Samba Winbind and LDAP backend


Firstly, no you definitely don't need to setup LDAP native client in
Solaris, SAMBA/winbind does all the LDAP reads for Solaris and Solaris talks
direct to winbind. I've had this work with solaris 8 now, have you verified
that the idmap data is written into the idmap ou specified in smb.conf
(probably not necessary for winbind authentication but since you raised the
question)? Most important have you updated the pam.conf as detailed in
SAMBA-HowTo-collection guide (more or less accurate for Solaris 9)? Does
getent list your AD domain users? this needs to work for winbind
authentication,

thanks Andy.

-Original Message-
From: Ganguly, Sapan [mailto:[EMAIL PROTECTED]
Posted At: 23 January 2004 15:42
Posted To: Samba
Conversation: [Samba] Samba Winbind and LDAP backend
Subject: [Samba] Samba Winbind and LDAP backend



Just a quick question, it may sound a bit stupid but I just want to make
sure.

I have a Solaris 9 machine running winbind, the backend is an OpenLDAP
database running on a RedHat 9 machine.

My question is, apart from the 'smbpasswd -w' command and the obvious stuff
in smb.conf, do I have to set up the LDAP client on Solaris for Samba to be
able to put new mappings into the LDAP database?

The reason I ask is because everything seems to work (ntlm_auth, wbinfo,
getent) except logins (via telnet, etc), I'm stuck for ideas.

The next thing I will try is recompiling with a different version of gcc and
maybe try 3.0.2 instead.

Sapan  



RE: [Samba] winbind and Solaris 9 with AD

2004-01-22 Thread Ganguly, Sapan

You should note that I'm not using ADS, I'm in an NT4 domain.

OK, from memory this is what I did.  (If anyone can see any errors in this,
please let me know!) 

First I compiled Samba with the following -

./configure --with-winbind --with-pam --with-pam_smbpass --with-included-popt
make
make install

I then created these links in /usr/lib, I think I had to copy
libnss_winbind.so from samba/sources/nsswitch directory (compile directory)
to /usr/lib  

libnss_winbind.so
libnss_winbind.so.1 -> libnss_winbind.so
nss_winbind.so.1 -> libnss_winbind.so

After that I dropped in my smb.conf from a Linux machine I had already
built with samba 3.  Here is what it looks like -

# Global parameters
[global]
workgroup = MYDOMAIN
server string = SUN001
log file = /var/log/samba/log.%m
max log size = 50
name resolve order = wins lmhosts bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
local master = No
dns proxy = No
wins server = 192.168.224.25
ldap suffix = dc=uk,dc=trt,dc=thales
ldap machine suffix = dc=uk,dc=trt,dc=thales
ldap user suffix = dc=uk,dc=trt,dc=thales
ldap group suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap,dc=uk,dc=trt,dc=thales
ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
idmap backend = ldap:ldap://lnxs001
idmap uid = 1-2
idmap gid = 1-2
template homedir = /mnt/spare/%U
template shell = /bin/bash
winbind separator = -
winbind use default domain = Yes

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[public]
path = /public
read only = No
guest ok = Yes

My LDAP server is a separate Redhat 9.0 machine with OpenLDAP running.

Next I ran 'smbpasswd -w x' where x is my LDAP admin password, this
gives samba write access to your LDAP server.

Then I had to make my samba server a member of my domain -

net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd

Now I edited nsswitch.conf

passwd: files winbind
group: files winbind



Then I created the startup scripts for samba and winbind (don't forget to
chmod it to make it executable) -

#!/sbin/sh
##
## samba.server
##

if [ ! -d /usr/bin ]
then                    # /usr not mounted
        exit
fi

killproc() {            # kill the named process(es)
        pid=`/usr/bin/ps -e |
             /usr/bin/grep -w $1 |
             /usr/bin/sed -e 's/^  *//' -e 's/ .*//'`
        # only call kill when a matching process was found
        [ "$pid" != "" ] && kill $pid
}

# Start/stop processes required for Samba server

case "$1" in

'start')
#
# Edit these lines to suit your installation (paths, workgroup, host)
#
# -d 10 is very verbose debug logging; lower it once logins work
   echo Starting SMBD
   /usr/local/samba/sbin/smbd -D -d 10 -s /usr/local/samba/lib/smb.conf
   echo Starting NMBD
   /usr/local/samba/sbin/nmbd -D -l /usr/local/samba/var/log -s /usr/local/samba/lib/smb.conf

   echo Starting Winbind Daemon
   /usr/local/samba/sbin/winbindd -B -d 10 -s /usr/local/samba/lib/smb.conf
   ;;

'stop')
   killproc nmbd
   killproc smbd
   killproc winbindd
   ;;

*)
   echo "Usage: /etc/init.d/samba.server { start | stop }"
   ;;
esac

After I started samba up with this script and ran getent it worked.  

I could type out all of my OpenLDAP config for you too but at this stage it
probably isn't very useful to you.  What I think you should try first is
using a simpler idmap backend first.  Make that work and then do the LDAP
stuff.


-Original Message-
From: Wright, Tim (ANTS) [mailto:[EMAIL PROTECTED] 
Sent: 21 January 2004 16:37
To: 'Ganguly, Sapan '
Subject: RE: [Samba] winbind and Solaris 9 with AD


hi

I've been looking at my problem and comparing the Solaris 9 box to a working
Linux box. I noticed that if I take the winbind entry out of nsswitch.conf
on the linux box then samba will no longer accept connections from users
with no unix account or relevant username map.

So I'm assuming that if I can get getent working on the Solaris box then the
samba authentication problem will be solved as well.

So would you be able to provide me with a step by step of how you built and
configured samba/winbind on the host where getent works ( including other
stuff like kerberos and openldap compiles )? I can't offer much in return
but if I can get getent working then I will look at getting logging on to
the box working as well ( unless of course you've already cracked it
yourself ).

anyway any help you could give me would be greatly appreciated.

thanks

tim
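
Added example (not part of the original posts and not Samba code): a small Python check of the pieces this walkthrough relies on, namely winbind listed under lowercase passwd/group in nsswitch.conf, no leftover winbind uid/gid, usable idmap ranges, the LDAP idmap settings, and no guest-writable share like [public]. The sample files, host names and ID ranges are constructed; treating nsswitch.conf database names as case-sensitive is an assumption.

```python
import re

RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Names are lower-cased and inner whitespace collapsed, because smb.conf
    section and parameter names are case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def parse_nsswitch(text):
    """Return {database: [sources]}; database names are kept as written."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            table[db.strip()] = sources.split()
    return table


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def check_winbind_setup(smb_conf_text, nsswitch_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    shares = parse_smb_conf(smb_conf_text)
    glob = shares.pop("global", {})
    nss = parse_nsswitch(nsswitch_text)

    # NSS does identity resolution, so passwd and group must consult winbind.
    # Assumption: database names are matched case-sensitively.
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            miscased = [k for k in nss if k.lower() == db and k != db]
            hint = f" (found '{miscased[0]}:', database names are lowercase)" if miscased else ""
            findings.append(f"nsswitch.conf: {db} does not use winbind{hint}")

    # Parameters the thread says were superseded in Samba 3.
    for old, new in (("winbind uid", "idmap uid"), ("winbind gid", "idmap gid")):
        if old in glob:
            findings.append(f"smb.conf: '{old}' is superseded by '{new}'")

    for key in ("idmap uid", "idmap gid"):
        m = RANGE.match(glob.get(key, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"smb.conf: '{key}' is missing or not a low-high range")

    if glob.get("idmap backend", "").lower().startswith("ldap:"):
        for key in ("ldap admin dn", "ldap idmap suffix"):
            if key not in glob:
                findings.append(f"smb.conf: idmap backend is LDAP but '{key}' is not set")

    # A share that is both guest-accessible and writable needs no credentials.
    for name, params in shares.items():
        guest = is_yes(params.get("guest ok", params.get("public", "no")))
        writable = (not is_yes(params.get("read only", "yes"))
                    or is_yes(params.get("writable", params.get("writeable", "no"))))
        if guest and writable:
            findings.append(f"smb.conf: share [{name}] is writable without authentication")
    return findings


# Constructed sample input, modelled on the files discussed in the thread.
BAD_NSSWITCH = "Passwd: files winbind\nGroup: files winbind\nhosts: files dns\n"
GOOD_NSSWITCH = "passwd: files winbind\ngroup: files winbind\nhosts: files dns\n"
BAD_SMB_CONF = """[global]
workgroup = MYDOMAIN
idmap backend = ldap:ldap://ldaphost.example
ldap admin dn = cn=root,dc=example,dc=com
idmap uid = 10000-20000
winbind uid = 10000-20000
idmap gid = 10000-20000
winbind gid = 10000-20000
[public]
path = /public
read only = No
guest ok = Yes
"""
GOOD_SMB_CONF = (BAD_SMB_CONF
                 .replace("winbind uid = 10000-20000\n", "")
                 .replace("winbind gid = 10000-20000\n", "")
                 .replace("read only = No", "read only = Yes")
                 .replace("[public]", "ldap idmap suffix = ou=idmap\n[public]"))

if __name__ == "__main__":
    for finding in check_winbind_setup(BAD_SMB_CONF, BAD_NSSWITCH):
        print(finding)
```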

RE: [Samba] winbind and Solaris 9 with AD

2004-01-22 Thread Ganguly, Sapan

P.S I used the pam.conf that Patrik Gustavsson posted here.

-Original Message-
From: Wright, Tim (ANTS) [mailto:[EMAIL PROTECTED] 
Sent: 21 January 2004 16:37
To: 'Ganguly, Sapan '
Subject: RE: [Samba] winbind and Solaris 9 with AD


hi

I've been looking at my problem and comparing the Solaris 9 box to a working
Linux box. I noticed that if I take the winbind entry out of nsswitch.conf
on the linux box then samba will no longer accept connections from users
with no unix account or relevant username map.

So I'm assuming that if I can get getent working on the Solaris box then the
samba authentication problem will be solved as well.

So would you be able to provide me with a step by step of how you built and
configured samba/winbind on the host where getent works ( including other
stuff like kerberos and openldap compiles )? I can't offer much in return
but if I can get getent working then I will look at getting logging on to
the box working as well ( unless of course you've already cracked it
yourself ).

anyway any help you could give me would be greatly appreciated.

thanks

tim

-Original Message-
From: Ganguly, Sapan [mailto:[EMAIL PROTECTED] 
Sent: 19 January 2004 13:06
To: 'Unix Service (ANTS)'; '[EMAIL PROTECTED]'
Subject: RE: [Samba] winbind and Solaris 9 with AD



I'm having trouble with this too but getent works for me, I'm not using AD
though.  

Have you edited nsswitch.conf?  

passwd: files winbind
group: files winbind

I'm stuck on getting logging in working...Sun seems to think there may be
some bug with PAM.

-Original Message-
From: Unix Service (ANTS) [mailto:[EMAIL PROTECTED] 
Sent: 19 January 2004 12:13
To: '[EMAIL PROTECTED]'
Subject: [Samba] winbind and Solaris 9 with AD


Hi

have been trying to get winbind working on Solaris 9 but to no effect.

version info:

samba: 3.0.0
openldap: 2.1.23
kerberos: MIT 1.3.1

Have followed the instructions in every howto, usenet posting I could
find:

nscd not running
created relevant links in /lib and /lib/security/sparcv9 applied patch for
nsswitch as recommended

kinit -e works
net ads join works
wbinfo -t works
wbinfo -u gives list of all users in all trusted domains
getent doesn't work
samba authentication doesn't work - get the following in winbindd.log:

[2004/01/19 10:59:27, 5] nsswitch/winbindd_pam.c:(379)
  NTLM CRAP authentication for user [DEV]\[test7] returned NT_STATUS_OK (PAM: 0)
[2004/01/19 10:59:27, 3] nsswitch/winbindd_acct.c:(875)
  [ 3551]: create_user: user=(test7), group=()
[2004/01/19 10:59:27, 5] nsswitch/winbindd_acct.c:(521)
  wb_getgrnam: Did not find group (nobody)

my smb.conf is:

workgroup = DEV
#workgroup = DEV.ANTS.AD.ANPLC.CO.UK
realm = DEV.ANTS.AD.ANPLC.CO.UK
security = ADS
password server = lonsd010.dev.ants.ad.anplc.co.uk
dns proxy = no
idmap gid = 7-8
idmap uid = 80-90
winbind cache time = 15
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes
log level = 9

[temp]
path = /tmp
read list = @users

[docs]
path = /var/tmp/samba-3.0.0
read list = @users

I would appreciate any pointers as to further debugging I could do or
possible problems as being able to use winbind to deal with samba
authentication would make life a great deal easier.




***
This communication (including any attachments) contains confidential
information.  If you are not the intended recipient and you have received
this communication in error, you should destroy it without copying,
disclosing or otherwise using its contents.  Please notify the sender
immediately of the error.

Internet communications are not necessarily secure and may be intercepted or
changed after they are sent.  Abbey National Treasury Services plc does not
accept liability for any loss you may suffer as a result of interception or
any liability for such changes.  If you wish to confirm the origin or
content of this communication, please contact the sender by using an
alternative means of communication.

This communication does not create or modify any contract and, unless
otherwise stated, is not intended to be contractually binding.

Abbey National Treasury Services plc. Registered Office:  Abbey National
House, 2 Triton Square, Regents Place, London NW1 3AN.  Registered in
England under Company Registration Number: 2338548.  Regulated by the
Financial Services Authority (FSA).
***


RE: [Samba] winbind hang

2004-01-21 Thread Ganguly, Sapan

Ric,

Are you using winbind to let windows users log into your Solaris machine?

-Original Message-
From: Ric Tibbetts [mailto:[EMAIL PROTECTED] 
Sent: 20 January 2004 13:44
To: [EMAIL PROTECTED]
Subject: [Samba] winbind hang


All;
I'm having an odd problem with winbind.

I just installed Samba 3.0.2 pre1 on a Solaris 9 server. smbd/nmbd/winbindd
all start ok. But when it first starts, if I try wbinfo -u, it hangs. As
does getent passwd. This will continue for the first couple hours after a
restart. Then, things will suddenly start to work, and be fine for the rest
of the time. Until I have to restart it again.

Any thoughts?
This also occurred with Samba 3.0.1

I would greatly appreciate any ideas on what's causing this.

-Ric








RE: [Samba] winbind and Solaris 9 with AD

2004-01-19 Thread Ganguly, Sapan

I'm having trouble with this too but getent works for me, I'm not using AD
though.  

Have you edited nsswitch.conf?  

passwd: files winbind
group: files winbind

I'm stuck on getting logging in working...Sun seems to think there may be
some bug with PAM.

-Original Message-
From: Unix Service (ANTS) [mailto:[EMAIL PROTECTED] 
Sent: 19 January 2004 12:13
To: '[EMAIL PROTECTED]'
Subject: [Samba] winbind and Solaris 9 with AD


Hi

have been trying to get winbind working on Solaris 9 but to no effect.

version info:

samba: 3.0.0
openldap: 2.1.23
kerberos: MIT 1.3.1

Have followed the instructions in every howto, usenet posting I could
find:

nscd not running
created relevant links in /lib and /lib/security/sparcv9 applied patch for
nsswitch as recommended

kinit -e works
net ads join works
wbinfo -t works
wbinfo -u gives list of all users in all trusted domains
getent doesn't work
samba authentication doesn't work - get the following in winbindd.log:

[2004/01/19 10:59:27, 5] nsswitch/winbindd_pam.c:(379)
  NTLM CRAP authentication for user [DEV]\[test7] returned NT_STATUS_OK (PAM: 0)
[2004/01/19 10:59:27, 3] nsswitch/winbindd_acct.c:(875)
  [ 3551]: create_user: user=(test7), group=()
[2004/01/19 10:59:27, 5] nsswitch/winbindd_acct.c:(521)
  wb_getgrnam: Did not find group (nobody)

my smb.conf is:

workgroup = DEV
#workgroup = DEV.ANTS.AD.ANPLC.CO.UK
realm = DEV.ANTS.AD.ANPLC.CO.UK
security = ADS
password server = lonsd010.dev.ants.ad.anplc.co.uk
dns proxy = no
idmap gid = 7-8
idmap uid = 80-90
winbind cache time = 15
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes
log level = 9

[temp]
path = /tmp
read list = @users

[docs]
path = /var/tmp/samba-3.0.0
read list = @users

I would appreciate any pointers as to further debugging I could do or
possible problems as being able to use winbind to deal with samba
authentication would make life a great deal easier.






RE: [Samba] winbind and Solaris 9 with AD

2004-01-19 Thread Ganguly, Sapan

Patrik,

Hello!  I have been waiting for you to get back, you may be able to help me.
I am having trouble making winbind work with Solaris 9.  I was wondering if
you could post a copy of your pam.conf again so that I can double check that
I have a correct copy of it?

The problem I am having is that when I try to log in with an NT username and
password the login process hangs after I put the password in.  I don't know
why this happens because getent works.  I decided to log what is going on in
PAM, here is what I got -

Jan 14 13:29:55 sun001 pam_winbind[15352]: [ID 571141 auth.debug] libpam_winbind:pam_sm_close_session handler
Jan 14 13:29:59 sun001 login: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
Jan 14 13:30:05 sun001 login: [ID 378613 auth.debug] pam_dhkeys: user ganguly not found
Jan 14 13:30:05 sun001 login: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jan 14 13:30:05 sun001 login: [ID 219349 auth.debug] pam_unix_auth: user ganguly not found
Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 572310 auth.info] Verify user `ganguly'
Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 614614 auth.notice] user 'ganguly' granted acces
Jan 14 13:30:05 sun001 login[15369]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = telnet user = ganguly ruser = not set rhost = 192.168.224.90

Thanks for any help you can offer!

Sapan

-Original Message-
From: Patrik Gustavsson [mailto:[EMAIL PROTECTED] 
Sent: 19 January 2004 14:39
To: Unix Service (ANTS)
Cc: '[EMAIL PROTECTED]'
Subject: Re: [Samba] winbind and Solaris 9 with AD


Hi,

I have the following libraries and links in /usr/lib and 
it works:

libnss_winbind.so
libnss_winbind.so.1 -> libnss_winbind.so
nss_winbind.so.1 -> libnss_winbind.so

/Patrik
On Mon, 2004-01-19 at 13:13, Unix Service (ANTS) wrote:
 Hi
 
 have been trying to get winbind working on Solaris 9 but to no effect.
 
 version info:
 
 samba: 3.0.0
 openldap: 2.1.23
 kerberos: MIT 1.3.1
 
 Have followed the instructions in every howto, usenet posting I could
 find:
 
 nscd not running
 created relevant links in /lib and /lib/security/sparcv9 applied patch 
 for nsswitch as recommended
 
 kinit -e works
 net ads join works
 wbinfo -t works
 wbinfo -u gives list of all users in all trusted domains getent 
 doesn't work samba authentication doesn't work - get the following in 
 winbindd.log:
 
 [2004/01/19 10:59:27, 5] nsswitch/winbindd_pam.c:(379)
   NTLM CRAP authentication for user [DEV]\[test7] returned 
 NT_STATUS_OK (PAM: 0) [2004/01/19 10:59:27, 3] 
 nsswitch/winbindd_acct.c:(875)
   [ 3551]: create_user: user=(test7), group=()
 [2004/01/19 10:59:27, 5] nsswitch/winbindd_acct.c:(521)
   wb_getgrnam: Did not find group (nobody)
 
 my smb.conf is:
 
 workgroup = DEV
 #workgroup = DEV.ANTS.AD.ANPLC.CO.UK
 realm = DEV.ANTS.AD.ANPLC.CO.UK
 security = ADS
 password server = lonsd010.dev.ants.ad.anplc.co.uk
 dns proxy = no
 idmap gid = 7-8
 idmap uid = 80-90
 winbind cache time = 15
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes
 encrypt passwords = yes
 log level = 9
 
 [temp]
 path = /tmp
 read list = @users
 
 [docs]
 path = /var/tmp/samba-3.0.0
 read list = @users
 
 I would appreciate any pointers as to further debugging I could do or 
 possible problems as being able to use winbind to deal with samba 
 authentication would make life a great deal easier.
 
 
 
 
-- 
In a world without fences who needs Gates
Patrik Gustavsson, Senior Technical Consultant
[EMAIL PROTECTED] Telephone: +46 60 671540
http://glen.sweden  Mobile: +46 70 3551040
SUN MICROSYSTEMS  Fax: +46 60 671550

RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-15 Thread Ganguly, Sapan


If you're interested, Sun has told me that there is some kind of bug with
the way nsswitch.conf is dealt with in Solaris 9 but since nsswitch.conf is
not a public interface...blah blah blah they are still deciding whether they
should deal with it or not.  

In the mean time I'm still wondering how anyone else got this to work, this
bug can't only be affecting me?!

Does anyone have a working winbind pam.conf from Solaris 9 that I can look
at? 

Thanks,
Sap

-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED] 
Sent: 13 January 2004 16:39
To: Ganguly, Sapan 
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


On Tue, 13 Jan 2004, Ganguly, Sapan  wrote:


 John,

 Any ideas?  When I try to log in it seems to get past the PAM stuff 
 but then it just sits there, I don't get a prompt.  I've enabled debug 
 on all the modules in pam.conf, should I post the log files?

You should get rid of the winbind uid and winbind gid parameters as they
have been superseded by idmap uid and idmap gid.

Did you install the libnss_winbind.so module you built (it's in the
~samba/sources/nsswitch directory) as /lib/nss_winbind.so and link it to the
appropriate version name?

Have you modified in /etc/nsswitch.conf the following:

passwd: files winbind
group: files winbind


Do you obtain correct domain account information from:

getent passwd

and

getent group

You will need to install the LDAP admin password into your Samba secrets.tdb
file. The command that does that is:

smbpasswd -w 'secret_password'

PAM provides authentication, NSS (name service switch) does Identity
resolution. It is the instrument that will permit the LDAP database to be
populated via winbind.

I hope this helps.

Cheers,
John T.


 Sapan

 -Original Message-
 From: Ganguly, Sapan
 Sent: 08 January 2004 17:39
 To: 'John H Terpstra'; Ganguly, Sapan
 Cc: '[EMAIL PROTECTED]'
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



 John,

 wbinfo -u lists all my NT users and wbinfo -g lists all my NT groups.

 Here is a copy of my smb.conf, I took it from a working Redhat 9.0 
 machine I built.

 [global]

 # LDAP stuff for the idmap backend

 ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
 ldap suffix = dc=uk,dc=trt,dc=thales
 ldap idmap suffix = ou=idmap

 # Winbind stuff

 winbind separator = -
 idmap uid = 1-2
 winbind uid = 1-2
 idmap gid = 1-2
 winbind gid = 1-2
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 #template homedir = /home/%D/%U
 #template homedir = /home/%U
 template homedir = /mnt/spare/%U
 template shell = /bin/bash
 idmap backend = ldap:ldap://lnxs001

 # workgroup = NT-Domain-Name or Workgroup-Name
workgroup = DOMAIN

 # server string is the equivalent of the NT Description field
server string = SUN001

 # if you want to automatically load your printer list rather
 # than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes

 # this tells Samba to use a separate log file for each machine
 # that connects
log file = /var/log/samba/log.%m

 # Put a capping on the size of the log files (in Kb).
max log size = 50

 # Security mode. Most people will want user level security. See
 # security_level.txt for details.
security = user
 # Use password server option only with security = server
 ;   password server = NT-Server-Name

 # Most people will find that this option gives better performance.
 # See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

 # Browser Control Options:
 # set local master to no if you don't want Samba to become a master
 # browser on your network. Otherwise the normal election rules apply
local master = no

 # WINS Server - Tells the NMBD components of Samba to be a WINS Client
 # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 192.168.224.25

 # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
 # via DNS nslookups. The built-in default for versions 1.9.17 is yes,
 # this has been changed in version 1.9.18 to no.
dns proxy = no



 Thanks,
 Sapan

 -Original Message-
 From: John H Terpstra [mailto:[EMAIL PROTECTED]
 Sent: 08 January 2004 16:58
 To: Ganguly, Sapan
 Cc: '[EMAIL PROTECTED]'
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


 Sapan,

 I recently installed Samba-3 on Solaris 9 and had no problem with PAM 
 and NSS functionality. Logons using domain users worked well. As I do 
 not have a Sun box it is a little difficult for me to help you 
 directly.

 What output do you get from:
   wbinfo -u
   wbinfo -g

 Please send me your smb.conf file so I can see what may be going on.

 - John T.

 On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:

 
  Yep, I've done that, I basically followed the Solaris 9 HOWTO

RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-14 Thread Ganguly, Sapan

John,

OK, I took out the winbind uid and winbind gid lines.

Here is what I have in /lib, how do I know which is the appropriate version
name?  I've tried these ones. 

-rwxr-xr-x   1 root other 751048 Dec 11 13:36 libnss_winbind.so
lrwxrwxrwx   1 root other 17 Dec  4 14:20 libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx   1 root other 17 Dec  4 14:19 libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx   1 root other 17 Dec  4 14:20 nss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx   1 root other 17 Dec  4 14:21 nss_winbind.so.2 -> libnss_winbind.so

I've done everything else too but my login still hangs at the password:
prompt after I have typed the password in.  Although when I did a 'getent
group' it did pause for a few seconds several times during the listing, that
may just be because we have a lot of NT groups.  'getent passwd' worked fine
and listed all the unix users as well as all the NT users in a split second.
My /etc/nsswitch.conf is configured and I have done the 'smbpasswd -w'
command to put my LDAP password into secrets.tdb.

Here is what I get in my pamlog, as you can see, it does say access
granted on the last line.  I think the first line is me killing the telnet
session of a previous attempt. 

Jan 14 13:29:55 sun001 pam_winbind[15352]: [ID 571141 auth.debug] libpam_winbind:pam_sm_close_session handler
Jan 14 13:29:59 sun001 login: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
Jan 14 13:30:05 sun001 login: [ID 378613 auth.debug] pam_dhkeys: user ganguly not found
Jan 14 13:30:05 sun001 login: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jan 14 13:30:05 sun001 login: [ID 219349 auth.debug] pam_unix_auth: user ganguly not found
Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 572310 auth.info] Verify user `ganguly'
Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 614614 auth.notice] user 'ganguly' granted acces
Jan 14 13:30:05 sun001 login[15369]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = telnet user = ganguly ruser = not set rhost = 192.168.224.90

Does anyone have any ideas on what the problem could be?  According to this
log access is granted right?  So why does it just sit there at password:?

Thanks,
Sapan

-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED] 
Sent: 13 January 2004 16:39
To: Ganguly, Sapan 
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


On Tue, 13 Jan 2004, Ganguly, Sapan  wrote:


 John,

 Any ideas?  When I try to log in it seems to get past the PAM stuff 
 but then it just sits there, I don't get a prompt.  I've enabled debug 
 on all the modules in pam.conf, should I post the log files?

You should get rid of the winbind uid and winbind gid parameters as they
have been superseded by idmap uid and idmap gid.

Did you install the libnss_winbind.so module you built (it's in the
~samba/sources/nsswitch directory) as /lib/nss_winbind.so and link it to the
appropriate version name?

Have you modified in /etc/nsswitch.conf the following:

passwd: files winbind
group: files winbind


Do you obtain correct domain account information from:

getent passwd

and

getent group

You will need to install the LDAP admin password into your Samba secrets.tdb
file. The command that does that is:

smbpasswd -w 'secret_password'

PAM provides authentication, NSS (name service switch) does Identity
resolution. It is the instrument that will permit the LDAP database to be
populated via winbind.

I hope this helps.

Cheers,
John T.


 Sapan

 -Original Message-
 From: Ganguly, Sapan
 Sent: 08 January 2004 17:39
 To: 'John H Terpstra'; Ganguly, Sapan
 Cc: '[EMAIL PROTECTED]'
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



 John,

 wbinfo -u lists all my NT users and wbinfo -g lists all my NT groups.

 Here is a copy of my smb.conf, I took it from a working Redhat 9.0 
 machine I built.

 [global]

 # LDAP stuff for the idmap backend

 ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
 ldap suffix = dc=uk,dc=trt,dc=thales
 ldap idmap suffix = ou=idmap

 # Winbind stuff

 winbind separator = -
 idmap uid = 1-2
 winbind uid = 1-2
 idmap gid = 1-2
 winbind gid = 1-2
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 #template homedir = /home/%D/%U
 #template homedir = /home/%U
 template homedir = /mnt/spare/%U
 template shell = /bin/bash
 idmap backend = ldap:ldap://lnxs001

 # workgroup = NT-Domain-Name or Workgroup-Name
workgroup = DOMAIN

 # server string is the equivalent of the NT Description field
server string = SUN001

 # if you want to automatically load your printer list rather # than 
 setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes

 # this tells Samba to use a separate log file for each machine # that 
 connects
log file

RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-13 Thread Ganguly, Sapan

John,

Any ideas?  When I try to log in it seems to get past the PAM stuff but then
it just sits there, I don't get a prompt.  I've enabled debug on all the
modules in pam.conf, should I post the log files?

Sapan

-Original Message-
From: Ganguly, Sapan 
Sent: 08 January 2004 17:39
To: 'John H Terpstra'; Ganguly, Sapan 
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



John,

wbinfo -u lists all my NT users and wbinfo -g lists all my NT groups.

Here is a copy of my smb.conf, I took it from a working Redhat 9.0 machine I
built.

[global]

# LDAP stuff for the idmap backend

ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
ldap suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap

# Winbind stuff

winbind separator = -
idmap uid = 1-2
winbind uid = 1-2
idmap gid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
#template homedir = /home/%D/%U
#template homedir = /home/%U
template homedir = /mnt/spare/%U
template shell = /bin/bash
idmap backend = ldap:ldap://lnxs001

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = DOMAIN

# server string is the equivalent of the NT Description field
   server string = SUN001 

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user
# Use password server option only with security = server
;   password server = NT-Server-Name

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#   Note: Samba can be either a WINS Server, or a WINS Client, but NOT
#   both
   wins server = 192.168.224.25

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no



Thanks,
Sapan

-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED] 
Sent: 08 January 2004 16:58
To: Ganguly, Sapan 
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Sapan,

I recently installed Samba-3 on Solaris 9 and had no problem with PAM and
NSS functionality. Logons using domain users worked well. As I do not have a
Sun box it is a little difficult for me to help you directly.

What output do you get from:
wbinfo -u
wbinfo -g

Please send me your smb.conf file so I can see what may be going on.

- John T.

On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:


 Yep, I've done that, I basically followed the Solaris 9 HOWTO from the
 main HOWTO collection that comes with Samba 3.0, the only difference 
 is that I used an /etc/pam.conf for Solaris 9 posted on the list by 
 Patrik Gustavsson. I haven't managed to get hold of him, he says he 
 has made it work on Solaris 9. I also want to get pam_mkhomedir to work
 but I have to get past this bit first.
 From his email signature it looks like he works for Sun in Sweden but
 even the Sun helpdesk in the UK hasn't been able to get hold of him yet.

 -Original Message-
 From: John H Terpstra [mailto:[EMAIL PROTECTED]
 Sent: 08 January 2004 15:54
 To: Ganguly, Sapan
 Cc: 'ww m-pubsyssamba'; '[EMAIL PROTECTED]'
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


 On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:

 
  I'm doing the same thing but with NT4 so I'm not using active
  directory. The only thing you haven't mentioned that I can think of 
  is nsswitch.conf, you should have -
 
  passwd: files winbind
  group: files winbind
 
  Getent works for me, I'm stuck with getting log ons to the Solaris
  machine with NT usernames to work.

 If you want to log onto the Sun machine using Windows networking
 credentials you must configure PAM to support the use of 
 pam_winbind.so. Have you done that?

 - John T.


  They seem to have changed something in Solaris 9, even Sun hasn't
  been able to help me!
 
  -Original Message-
  From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED]
  Sent: 08 January 2004 13:45
  To: Ganguly, Sapan ; [EMAIL PROTECTED]
  Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
 
 
  Hi Sapan/All,
 
  ok this is all in my test/dev environment. I have a Sun Sparc

RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-08 Thread Ganguly, Sapan

I'm doing the same thing but with NT4 so I'm not using active directory.
The only thing you haven't mentioned that I can think of is nsswitch.conf,
you should have -

passwd: files winbind
group: files winbind

Getent works for me, I'm stuck with getting log ons to the Solaris machine
with NT usernames to work.
They seem to have changed something in Solaris 9, even Sun hasn't been able
to help me!

-Original Message-
From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED] 
Sent: 08 January 2004 13:45
To: Ganguly, Sapan ; [EMAIL PROTECTED]
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Hi Sapan/All,

ok this is all in my test/dev environment. I have a Sun Sparc
workstation running Solaris 9 and an Intel server running Windows 2000
server acting as a Native mode AD DC. My Sparc system has Samba 3.0.1
installed and is successfully joined to the AD domain, I can authenticate
via kerberos and wbinfo -u lists domain users etc. All I need LDAP for is
centralising the IDMAP mappings across our theoretical Samba server
infrastructure. 

  On the same sparc system I also have SunONE DS 5.2 installed, this has the
schema for Samba 3.0.1 successfully loaded. I have created the idmap OU in
the directory and I have configured my smb.conf to use LDAP for idmap data,
file attached. And I have set the LDAP admin account password with
smbpasswd -w. I have also disabled nscd from starting up & installed patch
113476-05 which is required for Solaris 9. I can also see winbindd
establishing a connection to Sun LDAP in its access log.

  As I was writing this mail I have noticed that a getent for users and
groups is not displaying any AD users/groups but is exiting with a status 0,
this is despite the fact that wbinfo is correctly displaying all my AD
users/groups!? I can see from a snoop and truss run on the getent that it is
making LDAP calls to the AD DC but it's not returning anything!?! I have had
this running on a Solaris 8 system in my test environment successfully and
can't think of anything I've done differently.

If anyone can help I'd greatly appreciate it,

many thanks Andy.

-Original Message-
From: Ganguly, Sapan [mailto:[EMAIL PROTECTED]
Posted At: 07 January 2004 16:44
Posted To: Samba
Conversation: [Samba] How do I get Winbind accounts in LDAP?
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



Andy,

Tell us a bit more, I'm doing a similar thing I think.  I'm not using Sun's
LDAP service, I have OpenLDAP running on a Redhat 9.0 box and I'm logging
into my Solaris 9.0 machine running winbind, with my NT username and
password which creates an idmap in the openldap database on the Redhat
box... well, that's what it is supposed to do anyway... it works fine on
Redhat, Solaris is proving to be a little more tricky.

Is this what you are doing?

-Original Message-
From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED] 
Sent: 07 January 2004 14:23
To: [EMAIL PROTECTED]
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Hi John/List,

I'm attempting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2
but without any success. I've tried what John T has suggested below but my
idmap OU is still empty (adapted LDAP commands for Sun DS). I cannot see any
errors in either Samba or Sun DS logs, does anyone have any troubleshooting
tips to help work out why this isn't working?

many thanks Andy.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John H Terpstra
Posted At: 03 January 2004 23:54
Posted To: Samba
Conversation: [Samba] How do I get Winbind accounts in LDAP?
Subject: Re: [Samba] How do I get Winbind accounts in LDAP?


Kent,

Did you create the container for the ou=Idmap in your LDAP database? The
IDMAP entries are automatically added to LDAP - IF the container exists, and
so long as Samba can access that database.

Also, I suggest you store your machine accounts in the Users container and
not in the Computers container. Samba does not at this time search the
Computers container correctly.

Execute the following to find out if your LDAP database has an IDMAP
container:
slapcat | grep -i IDMAP


If nothing is returned, execute this:

ldapadd -x -D cn=admin,dc=tow,dc=net -w 'password' << EOR
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalunit
ou: idmap
structuralObjectClass: organizationalunit
EOR

Now you must stop samba, delete the winbind*tdb files, restart samba,
run:
wbinfo -u
And that should automatically populate your LDAP IDMAP database.

Cheers,
John T.




RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-08 Thread Ganguly, Sapan

Yep, I've done that, I basically followed the Solaris 9 HOWTO from the main
HOWTO collection that comes with Samba 3.0, the only difference is that I
used an /etc/pam.conf for Solaris 9 posted on the list by Patrik Gustavsson.
I haven't managed to get hold of him, he says he has made it work on Solaris
9.
I also want to get pam_mkhomedir to work but I have to get past this bit first.
From his email signature it looks like he works for Sun in Sweden but even
the Sun helpdesk in the UK hasn't been able to get hold of him yet. 

-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED] 
Sent: 08 January 2004 15:54
To: Ganguly, Sapan 
Cc: 'ww m-pubsyssamba'; '[EMAIL PROTECTED]'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:


 I'm doing the same thing but with NT4 so I'm not using active 
 directory. The only thing you haven't mentioned that I can think of is 
 nsswitch.conf, you should have -

 passwd: files winbind
 group: files winbind

 Getent works for me, I'm stuck with getting log ons to the Solaris 
 machine with NT usernames to work.

If you want to log onto the Sun machine using Windows networking credentials
you must configure PAM to support the use of pam_winbind.so. Have you done
that?

- John T.


 They seem to have changed something in Solaris 9, even Sun hasn't been 
 able to help me!

 -Original Message-
 From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED]
 Sent: 08 January 2004 13:45
 To: Ganguly, Sapan ; [EMAIL PROTECTED]
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


 Hi Sapan/All,

   ok this is all in my test/dev environment. I have a Sun Sparc 
 workstation running Solaris 9 and an Intel server running Windows 2000 
 server acting as a Native mode AD DC. My Sparc system has Samba 3.0.1 
 installed and is successfully joined to the AD domain, I can 
 authenticate via kerberos and wbinfo -u lists domain users etc. All I 
 need LDAP for is centralising the IDMAP mappings across our 
 theoretical Samba server infrastructure.

   On the same sparc system I also have SunONE DS 5.2 installed, this
 has the schema for Samba 3.0.1 successfully loaded. I have created the
 idmap OU in the directory and I have configured my smb.conf to use
 LDAP for idmap data, file attached. And I have set the LDAP admin
 account password with smbpasswd -w. I have also disabled nscd from
 starting up & installed patch 113476-05 which is required for Solaris
 9. I can also see winbindd establishing a connection to Sun LDAP in
 its access log.

   As I was writing this mail I have noticed that a getent for users 
 and groups is not displaying any AD users/groups but is exiting with a 
 status 0, this is despite the fact that wbinfo is correctly displaying 
 all my AD users/groups!? I can see from a snoop and truss run on the 
 getent that it is making LDAP calls to the AD DC but it's not 
 returning anything!?! I have had this running on a Solaris 8 system in 
 my test environment successfully and can't think of anything I've done 
 differently.

 If anyone can help I'd greatly appreciate it,

   many thanks Andy.

 -Original Message-
 From: Ganguly, Sapan [mailto:[EMAIL PROTECTED]
 Posted At: 07 January 2004 16:44
 Posted To: Samba
 Conversation: [Samba] How do I get Winbind accounts in LDAP?
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



 Andy,

 Tell us a bit more, I'm doing a similar thing I think.  I'm not using 
 Sun's LDAP service, I have OpenLDAP running on a Redhat 9.0 box and 
 I'm logging into my Solaris 9.0 machine running winbind, with my NT 
 username and password which creates an idmap in the openldap database 
 on the Redhat box... well, that's what it is supposed to do
 anyway... it works fine on Redhat, Solaris is proving to be a little
 more tricky.

 Is this what you are doing?

 -Original Message-
 From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED]
 Sent: 07 January 2004 14:23
 To: [EMAIL PROTECTED]
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


 Hi John/List,

   I'm attempting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2
 but without any success. I've tried what John T has suggested below
 but my idmap OU is still empty (adapted LDAP commands for Sun DS). I
 cannot see any errors in either Samba or Sun DS logs, does anyone have 
 any troubleshooting tips to help work out why this isn't working?

   many thanks Andy.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of John H Terpstra
 Posted At: 03 January 2004 23:54
 Posted To: Samba
 Conversation: [Samba] How do I get Winbind accounts in LDAP?
 Subject: Re: [Samba] How do I get Winbind accounts in LDAP?


 Kent,

 Did you create the container for the ou=Idmap in your LDAP database? 
 The IDMAP entries are automatically added to LDAP - IF the container 
 exists, and so long as Samba can access that database.

 Also, I suggest

RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-08 Thread Ganguly, Sapan

John,

Wbinfo -u lists all my NT users and wbinfo -g lists all my NT groups.

Here is a copy of my smb.conf, I took it from a working Redhat 9.0 machine I
built.

[global]

# LDAP stuff for the idmap backend

ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
ldap suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap

# Winbind stuff

winbind separator = -
idmap uid = 1-2
winbind uid = 1-2
idmap gid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
#template homedir = /home/%D/%U
#template homedir = /home/%U
template homedir = /mnt/spare/%U
template shell = /bin/bash
idmap backend = ldap:ldap://lnxs001

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = DOMAIN

# server string is the equivalent of the NT Description field
   server string = SUN001 

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user
# Use password server option only with security = server
;   password server = NT-Server-Name

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#   Note: Samba can be either a WINS Server, or a WINS Client, but NOT
#   both
   wins server = 192.168.224.25 

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no 



Thanks,
Sapan

-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED] 
Sent: 08 January 2004 16:58
To: Ganguly, Sapan 
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Sapan,

I recently installed Samba-3 on Solaris 9 and had no problem with PAM and
NSS functionality. Logons using domain users worked well. As I do not have a
Sun box it is a little difficult for me to help you directly.

What output do you get from:
wbinfo -u
wbinfo -g

Please send me your smb.conf file so I can see what may be going on.

- John T.

On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:


 Yep, I've done that, I basically followed the Solaris 9 HOWTO from the 
 main HOWTO collection that comes with Samba 3.0, the only difference 
 is that I used an /etc/pam.conf for Solaris 9 posted on the list by 
 Patrik Gustavsson. I haven't managed to get hold of him, he says he 
 has made it work on Solaris 9. I also want to get pam_mkhomedir to work
 but I have to get past this bit first.
 From his email signature it looks like he works for Sun in Sweden but
 even the Sun helpdesk in the UK hasn't been able to get hold of him yet.

 -Original Message-
 From: John H Terpstra [mailto:[EMAIL PROTECTED]
 Sent: 08 January 2004 15:54
 To: Ganguly, Sapan
 Cc: 'ww m-pubsyssamba'; '[EMAIL PROTECTED]'
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


 On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:

 
  I'm doing the same thing but with NT4 so I'm not using active 
  directory. The only thing you haven't mentioned that I can think of 
  is nsswitch.conf, you should have -
 
  passwd: files winbind
  group: files winbind
 
  Getent works for me, I'm stuck with getting log ons to the Solaris 
  machine with NT usernames to work.

 If you want to log onto the Sun machine using Windows networking 
 credentials you must configure PAM to support the use of 
 pam_winbind.so. Have you done that?

 - John T.


  They seem to have changed something in Solaris 9, even Sun hasn't 
  been able to help me!
 
  -Original Message-
  From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED]
  Sent: 08 January 2004 13:45
  To: Ganguly, Sapan ; [EMAIL PROTECTED]
  Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
 
 
  Hi Sapan/All,
 
  ok this is all in my test/dev environment. I have a Sun Sparc 
  workstation running Solaris 9 and an Intel server running Windows 
  2000 server acting as a Native mode AD DC. My Sparc system has Samba 
  3.0.1 installed and is successfully joined to the AD domain, I can 
  authenticate via kerberos and wbinfo -u lists domain users etc. All 
  I need LDAP for is centralising the IDMAP mappings across our 
  theoretical Samba server infrastructure.
 
On the same sparc

RE: [Samba] help with winbind/pam

2003-12-19 Thread Ganguly, Sapan

I use Redhat 9.0 and I have it working, I'm not sure if it's the same on
Debian but here are what my files look like.  They were generated by the
'authconfig' tool.  The only line I added manually was the pam_mkhomedir.so
line.

My /etc/pam.d/login looks like this - (Note: pam_mkhomedir.so automatically
makes home directories, you may not want that, it puts them in 'template
homedir' which is specified in smb.conf)

#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so umask=0022
session    optional     pam_console.so

My /etc/pam.d/gdm looks like this -

#%PAM-1.0
auth       required     pam_env.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0022

/etc/pam.d/system-auth looks like this -

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so



-Original Message-
From: Charles McLaughlin [mailto:[EMAIL PROTECTED] 
Sent: 19 December 2003 05:19
To: [EMAIL PROTECTED]
Subject: [Samba] help with winbind/pam


Hello,

I'm trying to get a debian sid box to authenticate against an NT4 domain.
I've followed the instructions in the winbindd man page and I think I'm on
the right track.  However, I'm having problems with PAM.

As the winbindd man page suggests, I edited the /etc/nsswitch.conf and added
some winbindd related stuff to my smb.conf file.

I also edited the /etc/pam.d/* files.  This is where I'm having problems...
more on that later.

I joined the domain using this:
net join -U Administrator
I was prompted for a password and was allowed to join the domain.

I ran the winbindd program just to make sure it is up and running, then I
did this:
wbinfo -t
And that told me that the trust relationship with the domain is ok.

So, my linux box is part of the NT4 domain and things look good.  I can walk
over to the NT4 domain controller and see a computer account for my linux
box.  I can do wbinfo -u on my linux box and see a list of all the windows
domain users... and I'm starting to smell success.  But wait...

Here is where the problem starts.  I want to use a Windows domain account to
login to the linux box.  For instance, I should be able to use the windows
Administrator account to login on my linux box.

So I go to a terminal and try to log in as Administrator and it says
permission denied.  I've screwed around with the /etc/pam.d/* files enough
to allow me to login via a linux terminal using the Windows Administrator
account, but I haven't been able to do the same with GDM/Gnome.  I
eventually screwed around with these files enough to lock myself out of my
system, but got back in.  ;-)

So, I guess I need help understanding the /etc/pam.d/* files.

The winbindd man page says this:

---
 In /etc/pam.d/* replace the  auth lines with something like this:

 auth   required /lib/security/pam_securetty.so
 auth   required /lib/security/pam_nologin.so
 auth   sufficient /lib/security/pam_winbind.so
 auth   required /lib/security/pam_pwdb.so use_first_pass shadow nullok

 Note  in  particular  the  use  of  the  sufficient   keyword  and  the
 use_first_pass keyword.

 Now replace the account lines with this:

 account required /lib/security/pam_winbind.so
---

When I edited the pam.d files, anytime I saw a line that starts with auth, I
commented it out and inserted all of the above lines that start with auth.
Likewise, I made similar edits for lines that start with account.  I don't
really understand what this means though... Any suggestions?  Am I doing
something out of order?

Thanks!

Charles
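
The question above turns on what the `required` and `sufficient` keywords do. The following is an added example, not part of the original thread or of Samba: a small Python model of how Linux-PAM combines control flags, run over the auth stack quoted from the winbindd man page and the `system-auth` auth stack posted in the reply. The per-module success/failure values are constructed inputs, and the Solaris PAM framework differs in detail.

```python
# Added example: a toy model of how Linux-PAM combines control flags.
# Module outcomes are constructed inputs; no real PAM modules are called.

# Auth stack quoted in the thread from the winbindd man page.
MANPAGE_AUTH = """\
auth required   /lib/security/pam_securetty.so
auth required   /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required   /lib/security/pam_pwdb.so use_first_pass shadow nullok
"""

# Auth stack from the Red Hat 9 system-auth file posted in the thread.
SYSTEM_AUTH = """\
auth required   /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth required   /lib/security/$ISA/pam_deny.so
"""

CONTROLS = {"required", "requisite", "sufficient", "optional"}


def parse_stack(text, facility="auth"):
    """Return [(control, module_name, args)] for one facility of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        if fields[1] not in CONTROLS:
            raise ValueError("unsupported control flag: " + fields[1])
        module = fields[2].rsplit("/", 1)[-1]
        stack.append((fields[1], module, fields[3:]))
    return stack


def evaluate(stack, outcomes):
    """Walk the stack the way Linux-PAM does for the four simple flags.

    outcomes maps module name -> True (success) or False (failure).
    Modules missing from outcomes succeed, except pam_deny.so, which
    always fails. Returns (granted, modules_that_ran).
    """
    verdict = None  # None = undecided, True = positive, False = negative
    ran = []
    for control, module, _args in stack:
        ok = False if module == "pam_deny.so" else outcomes.get(module, True)
        ran.append(module)
        if ok:
            if verdict is None:
                verdict = True
            # sufficient ends the stack only if nothing required failed earlier
            if control == "sufficient" and verdict is True:
                break
        elif control in ("required", "requisite"):
            verdict = False
            if control == "requisite":
                break
        # a failing sufficient/optional module is ignored
    # a stack in which nothing voted "yes" is a failure
    return verdict is True, ran


def demo():
    """Constructed scenarios for the two stacks above."""
    man = parse_stack(MANPAGE_AUTH)
    sysauth = parse_stack(SYSTEM_AUTH)
    return {
        "man page: domain user": evaluate(
            man, {"pam_winbind.so": True, "pam_pwdb.so": False}),
        "man page: local user": evaluate(
            man, {"pam_winbind.so": False, "pam_pwdb.so": True}),
        "man page: domain user while /etc/nologin exists": evaluate(
            man, {"pam_nologin.so": False, "pam_winbind.so": True}),
        "system-auth: domain user": evaluate(
            sysauth, {"pam_unix.so": False, "pam_smb_auth.so": True}),
        "system-auth: unknown user": evaluate(
            sysauth, {"pam_unix.so": False, "pam_smb_auth.so": False}),
    }


if __name__ == "__main__":
    for name, (granted, ran) in demo().items():
        print(f"{name:50s} granted={granted!s:5s} ran={', '.join(ran)}")
```

In the man page stack a domain user never reaches pam_pwdb.so, because the successful `sufficient` pam_winbind.so ends the stack, while a failed earlier `required` module still denies the login even though pam_winbind.so succeeds.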




RE: [Samba] One last try...winbind Solaris 9

2003-12-18 Thread Ganguly, Sapan

I've noticed that when I do a 'getent group' it takes much longer than
'getent passwd', is this usual?

Does winbind cache information anywhere?  If so how and when is it cleared
out?

-Original Message-
From: Ganguly, Sapan [mailto:[EMAIL PROTECTED] 
Sent: 17 December 2003 18:00
To: '[EMAIL PROTECTED]'
Subject: [Samba] One last try...winbind Solaris 9


 
I'm still stuck on the logging in part of winbind on Solaris 9.  I've
applied the required patch to the OS that is mentioned in the HOWTO and
tried various other things.  When I login at a command line console with a
NT username and password I get a message (I've configured syslog.conf)
saying that I've been granted access by pam_winbind but that is as far as it
goes.  I get no shell prompt or anything.  
 
Any ideas?   What else can I do to get more information about what is going
on?
 
Thanks,
Sapan


[Samba] winbind passwd nsswitch.conf

2003-12-18 Thread Ganguly, Sapan
 
 
When I try to change the password of a unix user with passwd when winbind is
in my nsswitch.conf I get an error -
 
passwd: Unsupported nsswitch entry for passwd:. Use -r repository .
Unexpected failure. Password file/table unchanged.
 
This is a Solaris 9 machine by the way.  My nsswitch.conf line looks like
this -
 
 passwd: files winbind
 
When I take winbind out I can use passwd to change unix user password again.
 
Any ideas?
 
Sapan
 
 
 


RE: [Samba] getent passwd doesn't list domain users

2003-12-17 Thread Ganguly, Sapan

Did you remember to edit /etc/nsswitch.conf, I always forget that.

 passwd: files winbind
 shadow: files
 group: files winbind



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 17 December 2003 16:29
To: [EMAIL PROTECTED]
Subject: [Samba] getent passwd doesn't list domain users









Hi all,
  I've configured samba 3.0 as a domain member in NT 4.0 domain. Server
has been added to the domain, without any problems, BUT, for three days,
I'm not able to find a way how to use NT domain resources for this samba
server.  I can list domain users and groups with wbinfo command from but
getent passwd lists only the local users.  Does anyone know where can be
the problem?

Thanks

Vasek



RE: [Samba] Solaris Winbind LDAP pam_mkhomedir.so

2003-12-17 Thread Ganguly, Sapan

OK, I definitely know that winbind is working now, I tried logging in at the
console and a message comes up -

Pam_winbind[413]: user 'nt_user' granted access

But that is as far as it goes, I don't get a shell prompt.  I eventually
have to do a 'stop + A' and reboot the machine, from now on I'll do a
'telnet localhost' to test it.

Here is what my pam.conf looks like, can you see any errors? 

#
#ident  @(#)pam.conf   1.2002/01/23 SMI
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the other section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite  pam_authtok_get.so.1
login   auth sufficient pam_dhkeys.so.1
login   auth sufficient pam_unix_auth.so.1
login   auth sufficient pam_dial_auth.so.1
login   auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass

#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient pam_rhosts_auth.so.1
rlogin  auth requisite  pam_authtok_get.so.1
rlogin  auth sufficient pam_dhkeys.so.1
rlogin  auth sufficient pam_unix_auth.so.1
rlogin  auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required   pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite  pam_authtok_get.so.1
ppp auth required   pam_dhkeys.so.1
ppp auth required   pam_unix_auth.so.1
ppp auth required   pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
#
other   auth requisite  pam_authtok_get.so.1
other   auth sufficient pam_dhkeys.so.1
other   auth sufficient pam_unix_auth.so.1
other   auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required   pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite   pam_roles.so.1
other   account sufficient  pam_projects.so.1
other   account sufficient  pam_unix_account.so.1
other   account sufficient  /usr/lib/security/pam_winbind.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
other   session sufficient  /usr/lib/security/pam_winbind.so.1
#other session sufficient   /usr/lib/security/pam_mkhomedir.so.1 umask=0022
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1
other   password requisite  pam_authtok_check.so.1
other   password required   pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional   pam_krb5.so.1 try_first_pass
#login  auth optional   pam_krb5.so.1 try_first_pass
#other  auth optional   pam_krb5.so.1 try_first_pass
#cron   account optional        pam_krb5.so.1
#other  account optional        pam_krb5.so.1
#other  session optional        pam_krb5.so.1
#other  password optional   pam_krb5.so.1 try_first_pass


-Original Message-
From: Ganguly, Sapan [mailto:[EMAIL PROTECTED] 
Sent: 15 December 2003 08:23
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: [Samba] Solaris Winbind LDAP pam_mkhomedir.so




Dear list,

How do I test whether I have access to my winbind LDAP backend from my
Solaris 9 machine?  My LDAP database is held on a Redhat 9.0 machine also
running Samba 3.0.0.

I know winbind works because getent and wbinfo show up my NT users and
groups.

I would also like to have people log into my Solaris 9 machine with their NT
usernames, I have this working on Redhat already but Solaris is proving to
be a little more tricky.  I've copied a pam.conf from another post on this
mailing list but when I try to log in with an NT user name the process just
hangs

RE: RE: [Samba] getent passwd doesn't list domain users

2003-12-17 Thread Ganguly, Sapan


Try putting -

winbind use default domain = yes

In your smb.conf


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 17 December 2003 16:51
To: Ganguly, Sapan 
Subject: Odp: RE: [Samba] getent passwd doesn't list domain users


Yes I did. I edited pam.d/login and system-auth, as well.

any other idea? I'll appreciate all of them...

V.



   
 From: Ganguly, Sapan [EMAIL PROTECTED]
 Sent: 17.12.2003 17:30
 To: '[EMAIL PROTECTED]' [EMAIL PROTECTED], '[EMAIL PROTECTED]' [EMAIL PROTECTED]
 Cc:
 Subject: RE: [Samba] getent passwd doesn't list domain users
   
   
   
   
   
   





Did you remember to edit /etc/nsswitch.conf, I always forget that.

 passwd: files winbind
 shadow: files
 group: files winbind



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 17 December 2003 16:29
To: [EMAIL PROTECTED]
Subject: [Samba] getent passwd doesn't list domain users









Hi all,
  I've configured samba 3.0 as a domain member in NT 4.0 domain. Server
has been added to the domain, without any problems, BUT, for three days,
I'm not able to find a way how to use NT domain resources for this samba
server.  I can list domain users and groups with wbinfo command from but
getent passwd lists only the local users.  Does anyone know where can be
the problem?

Thanks

Vasek



RE: [Samba] Questions about winbind idmap ldap

2003-12-17 Thread Ganguly, Sapan

I use winbind to authenticate users on my linux machines so that I don't
have to create separate linux Ids for everyone.  I store the idmap in an
LDAP database.  If you want to do this too then create an LDAP database, I
use OpenLDAP.  If you want to know how to do this then let me know and I'll
see if I can remember.  Here is what my smb.conf looks like, it should give
you a few clues.  Don't forget to put the ldap password into secrets.tdb by
'smbpasswd -w'.  You do need to follow the Samba HOWTO for some of the LDAP
stuff, like where to put the samba.schema and how to initialize the LDAP
database.

# Global parameters
[global]
workgroup = NTDOMAIN
server string = REDHAT9
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
ldap suffix = dc=example,dc=com
ldap machine suffix = dc=example,dc=com
ldap user suffix = dc=example,dc=com
ldap group suffix = dc=example,dc=com
ldap idmap suffix = ou=idmap,dc=example,dc=com
ldap admin dn = cn=admin,dc=example,dc=com
idmap backend = ldap:ldap://localhost
idmap uid = 1-2
idmap gid = 1-2
template homedir = /home/%U
template shell = /bin/bash
winbind separator = -
winbind use default domain = Yes

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[public]
path = /public
read only = No
guest ok = Yes

/etc/nsswitch.conf should have lines that look like this - 

 passwd: files winbind
 shadow: files
 group: files winbind

My /etc/pam.d/login looks like this - (Note: pam_mkhomedir.so automatically
makes home directories, you may not want that, it puts them in 'template
homedir' which is specified in smb.conf)

#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so umask=0022
session    optional     pam_console.so

My /etc/pam.d/gdm looks like this -

#%PAM-1.0
auth       required     pam_env.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0022

/etc/pam.d/system-auth looks like this -

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so


-Original Message-
From: Gints Neimanis [mailto:[EMAIL PROTECTED] 
Sent: 14 December 2003 13:07
To: [EMAIL PROTECTED]
Subject: [Samba] Questions about winbind idmap ldap


We are using a W2K domain with Samba3 servers.
The implementation of samba servers with winbind authentication was
successful.
Now we are looking for a winbind idmap ldap backend for distributing
winbind user IDs, and I have the following questions:
1. Do I need to put all users from the W2K domain into LDAP by hand (with
export-import tools)?
2. Or is it possible to automatically put successfully authenticated
users into the LDAP directory with some sort of useradd script?
3. Is there any other documentation besides the SAMBA3 HOWTO, with a closer
look at winbind idmap LDAP?

Regards,
Gints Neimanis

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
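
How the `auth` lines of the login and system-auth files in the message above combine, as an added example (not part of the original post and not Linux-PAM code): a small evaluator for the `required`, `requisite`, `sufficient` and `optional` control flags that also resolves `pam_stack.so service=...`. The module results fed to it are constructed, and the function names are assumptions of this example.

```python
import os
from collections import namedtuple

Entry = namedtuple("Entry", "control module args")

# auth lines of the two files posted above (columns re-spaced).
SERVICES = {
    "login": """\
auth  required    pam_securetty.so
auth  sufficient  pam_unix.so use_first_pass
auth  required    pam_stack.so service=system-auth
auth  required    pam_nologin.so
""",
    "system-auth": """\
auth  required    /lib/security/$ISA/pam_env.so
auth  sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
auth  sufficient  /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth  required    /lib/security/$ISA/pam_deny.so
""",
}

SIMPLE_CONTROLS = ("required", "requisite", "sufficient", "optional")


def parse_stack(text, mgmt="auth"):
    """Parse the pam.d lines of one management group into Entry tuples."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != mgmt:
            continue
        control, path, args = fields[1], fields[2], fields[3:]
        if control not in SIMPLE_CONTROLS:
            raise ValueError(f"unsupported control {control!r}")
        stack.append(Entry(control, os.path.basename(path), args))
    return stack


def evaluate(service, results, services=SERVICES):
    """Return (granted, decided_by) for the auth stack of `service`.

    `results` maps a module file name to True (success) or False; a module
    that is not listed counts as failed. pam_stack.so is resolved by
    evaluating the service named in its service= argument.
    """
    first_failure, succeeded = None, False
    for entry in parse_stack(services[service]):
        if entry.module == "pam_stack.so":
            sub = dict(a.split("=", 1) for a in entry.args if "=" in a)["service"]
            ok, via = evaluate(sub, results, services)
            name = f"{sub}:{via}"
        else:
            ok, name = results.get(entry.module, False), entry.module
        if entry.control == "sufficient":
            if ok and first_failure is None:
                return True, name      # the stack stops here
            continue                   # a failed sufficient module is ignored
        if entry.control == "optional":
            continue                   # not decisive in a multi-module stack
        if ok:
            succeeded = True
        else:
            first_failure = first_failure or name
            if entry.control == "requisite":
                break                  # fail without running the rest
    if first_failure is None and succeeded:
        return True, "end of stack"
    return False, first_failure or "no module succeeded"


def flagged_options(service, watch=("nullok",), services=SERVICES):
    """List (module, option) pairs worth a second look, e.g. nullok,
    which lets pam_unix accept an account whose password is empty."""
    return [(e.module, a) for e in parse_stack(services[service])
            for a in e.args if a in watch]


def demo():
    """Constructed module results for three logins on a secure tty."""
    base = {"pam_securetty.so": True, "pam_env.so": True, "pam_nologin.so": True}
    cases = {
        "local user": {**base, "pam_unix.so": True},
        "domain user": {**base, "pam_smb_auth.so": True},
        "bad password": base,
    }
    return {name: evaluate("login", res) for name, res in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13} -> {outcome}")
    print("review:", flagged_options("system-auth"))
```

The local-user case returns at `pam_unix.so`, so the `pam_nologin.so` line further down the login stack is never consulted for that login; the domain-user case runs the whole stack.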


[Samba] One last try...winbind Solaris 9

2003-12-17 Thread Ganguly, Sapan
 
I'm still stuck on the logging in part of winbind on Solaris 9.  I've
applied the required patch to the OS that is mentioned in the HOWTO and
tried various other things.  When I login at a command line console with a
NT username and password I get a message (I've configured syslog.conf)
saying that I've been granted access by pam_winbind but that is as far as it
goes.  I get no shell prompt or anything.  
 
Any ideas?   What else can I do to get more information about what is going
on?
 
Thanks,
Sapan


RE: RE: RE: [Samba] getent passwd doesn't list domain users

2003-12-17 Thread Ganguly, Sapan

Try putting both links in anyway, it says you have to in the HOWTO.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 17 December 2003 17:45
To: Joe Blow
Cc: [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Odp: RE: RE: [Samba] getent passwd doesn't list domain users






Yes both of those things are probably ok.

I've just one link, but it should be enough:
...lrwxrwxrwx    1 root root   17 Nov  5 12:04 /lib/libnss_winbind.so.2 -> libnss_winbind.so

in a log log.mycomputer where mycomputer is a machine from which I'm
trying access the samba server via srvmgr is a following record

..[2003/12/17 16:27:57, 2] auth/auth.c:check_ntlm_password(309)
   check_ntlm_password:  Authentication for user [VUlik] -> [VUlik] FAILED with error NT_STATUS_NO_SUCH_USER


and there is my smb.conf

[global]
 dos charset = UTF-8
 display charset = UTF-8
 workgroup = MYDOMAIN
 server string = Backup Server
 interfaces = eth0, 172.17.1.x/24
 security = DOMAIN
 auth methods = guest, sam, winbind
 obey pam restrictions = Yes
 passdb backend = tdbsam:/usr/local/samba/private/passdb.tdb, \
smbpasswd:/usr/local/samba/private/smbpasswd
 log level = 3
 log file = /var/log/samba/log.%m
 name resolve order = hosts lmhosts wins bcast
 socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 add machine script = /usr/sbin/useradd -n -d /dev/null -c -s /bin/false -M %u
 os level = 0
 preferred master = No
 local master = No
 domain master = No
 wins server = 172.17.1.x
 idmap uid = 1-2
 idmap gid = 1-2
 winbind cache time = 15
 winbind use default domain = Yes
 admin users = root, MYDOMAIN\vulik

I'm really helpless




   
From: Joe Blow [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 17.12.2003 18:27
Subject: RE: RE: [Samba] getent passwd doesn't list domain users
   
   
   
   




--- Ganguly, Sapan  [EMAIL PROTECTED]
wrote:


 Try putting -

 winbind use default domain = yes

 In your smb.conf



Also, make sure all your symlinks are good especially
the ones in /lib.

For example:

lrwxrwxrwx    1 root root   19 2003-12-01 17:48 libnss_winbind.so -> libnss_winbind.so.2
lrwxrwxrwx    1 root root   32 2003-12-01 17:48 libnss_winbind.so.2 -> /usr/local/lib/libnss_winbind.so





-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
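
The checks suggested in this thread (winbind listed for passwd and group in /etc/nsswitch.conf, the libnss_winbind.so.2 link, and the winbind settings in smb.conf) collected into one audit, as an added example that is not code from any poster or from Samba. The function names, the `local_id_max` threshold of 999 and the sample file contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Constructed sample inputs, not taken from any poster's machine.
SAMPLE_NSSWITCH = """\
passwd: files winbind
shadow: files
Group:  files winbind
"""

SAMPLE_SMB_CONF = """\
[global]
    workgroup = MYDOMAIN
    idmap uid = 500-20000
    idmap gid = 10000-20000
    winbind use default domain = Yes
"""


def parse_nsswitch(text):
    """Return {database: [sources]}, keeping each database name's case."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        database, sources = line.split(":", 1)
        # Drop action items such as [NOTFOUND=return]; keep source names.
        sources = re.sub(r"\[[^\]]*\]", " ", sources)
        table[database.strip()] = sources.split()
    return table


def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def audit(nsswitch_text, smb_conf_text, lib_dir, local_id_max=999):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    nss = parse_nsswitch(nsswitch_text)
    for db in ("passwd", "group"):
        if db not in nss:
            other = [k for k in nss if k.lower() == db]
            hint = f" (found '{other[0]}:' instead)" if other else ""
            findings.append(f"nsswitch: no '{db}:' line{hint}")
        elif "winbind" not in nss[db]:
            findings.append(f"nsswitch: {db} does not list winbind")
        elif "files" not in nss[db] or nss[db].index("files") > nss[db].index("winbind"):
            # Local accounts must win, so a domain entry cannot shadow root.
            findings.append(f"nsswitch: {db} should list files before winbind")
    smb = parse_smb_global(smb_conf_text)
    for key in ("idmap uid", "idmap gid"):
        match = re.fullmatch(r"(\d+)\s*-\s*(\d+)", smb.get(key, ""))
        if not match:
            findings.append(f"smb.conf: '{key}' missing or not LOW-HIGH")
            continue
        low, high = int(match.group(1)), int(match.group(2))
        if low >= high:
            findings.append(f"smb.conf: '{key}' {low}-{high} is not a usable range")
        elif low <= local_id_max:
            findings.append(f"smb.conf: '{key}' {low}-{high} overlaps local IDs")
    if smb.get("winbind use default domain", "no").lower() not in ("yes", "true", "1"):
        findings.append("smb.conf: 'winbind use default domain' is off")
    link = os.path.join(lib_dir, "libnss_winbind.so.2")
    if not os.path.exists(link):  # also False when the link dangles
        findings.append(f"{link} is missing or dangling")
    return findings


def demo():
    """Audit the constructed samples against an empty library directory."""
    with tempfile.TemporaryDirectory() as lib_dir:
        return audit(SAMPLE_NSSWITCH, SAMPLE_SMB_CONF, lib_dir)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

On a real host, pass the contents of /etc/nsswitch.conf and smb.conf and the directory that holds the NSS libraries (/lib in the listings above).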


[Samba] Patch to Samba 3.0.1?

2003-12-16 Thread Ganguly, Sapan

Dear list,

Is it sufficient to patch my 3.0.0 install to 3.0.1 on my Solaris 9 machine?
Or do I have to recompile the whole lot from scratch?  Does the new version
put all the files in the right places, e.g. pam_winbind.so and
libnss_winbind.so? (I think the HOWTO still says you have to copy these to
the right places and make links if you want to use winbind)

I'm just wondering whether it would be worth my while upgrading as the only
problem I have right now is that I cannot make PAM let me log in as an NT
user and create home directories on the fly.

Thanks,
Sapan


RE: [Samba] Patch to Samba 3.0.1?

2003-12-16 Thread Ganguly, Sapan

Ah!  I've made a discovery, if I put the NT user I am trying to log in as
into /etc/passwd then it will allow me to log in with the user's NT
password.  This isn't supposed to be the way it works right?  I shouldn't
have to have the users in /etc/passwd, that's the whole point of winbind,
right?

It still won't create the home drives on the fly though.

Can anyone help me now?  I don't seem to get any logs like I do on Redhat.


-Original Message-
From: Ganguly, Sapan [mailto:[EMAIL PROTECTED] 
Sent: 16 December 2003 10:20
To: '[EMAIL PROTECTED]'
Subject: [Samba] Patch to Samba 3.0.1?



Dear list,

Is it sufficient to patch my 3.0.0 install to 3.0.1 on my Solaris 9 machine?
Or do I have to recompile the whole lot from scratch?  Does the new version
put all the files in the right places, e.g. pam_winbind.so and
libnss_winbind.so? (I think the HOWTO still says you have to copy these to
the right places and make links if you want to use winbind)

I'm just wondering whether it would be worth my while upgrading as the only
problem I have right now is that I cannot make PAM let me log in as an NT
user and create home directories on the fly.

Thanks,
Sapan


RE: [Samba] Patch to Samba 3.0.1?

2003-12-16 Thread Ganguly, Sapan

Uhm, if you mean have I configured /etc/nsswitch.conf, yes the important
lines look like this -

passwd: files winbind
group: files winbind
hosts: files dns



-Original Message-
From: Adam Williams [mailto:[EMAIL PROTECTED] 
Sent: 16 December 2003 13:58
To: Ganguly, Sapan
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] Patch to Samba 3.0.1?


 Ah!  I've made a discovery, if I put the NT user I am trying to log in 
 as into /etc/passwd then it will allow me to log in with the user's NT 
 password.  This isn't supposed to be the way it works right?  I 
 shouldn't have to have the users in /etc/passwd, that's the whole 
 point of winbind, right?

You have to have the users in NSS.  Do you have winbind configured as a NSS
provider?

 It still won't create the home drives on the fly though.
 Can anyone help me now?  I don't seem to get any logs like I do on 
 Redhat.


[Samba] Solaris Winbind LDAP pam_mkhomedir.so

2003-12-15 Thread Ganguly, Sapan


Dear list,

How do I test whether I have access to my winbind LDAP backend from my
Solaris 9 machine?  My LDAP database is held on a Redhat 9.0 machine also
running Samba 3.0.0.

I know winbind works because getent and wbinfo show up my NT users and
groups.

I would also like to have people log into my Solaris 9 machine with their NT
usernames, I have this working on Redhat already but Solaris is proving to
be a little more tricky.  I've copied a pam.conf from another post on this
mailing list but when I try to log in with an NT user name the process just
hangs after I type the password.  I don't see anything in the logs either.

I would also like to use pam_mkhomedir.so in my pam.conf so that when people
log in a home directory is automatically created but that's not going to
work until I can actually log in anyway.  
It was easy under Redhat.

Does anyone have any advice?  I'm going to look a bit silly if I can't make
this work.

Thanks,
Sapan


RE: [Samba] DNS and DHCP setup

2003-12-15 Thread Ganguly, Sapan

Check this out -

http://voidmain.kicks-ass.net/redhat/redhat_8_dhcp_dynamic_dns.html

http://voidmain.kicks-ass.net/redhat/redhat_9_dhcp_dynamic_dns.html

I think these are both pretty much the same.

-Original Message-
From: Tarjei Huse [mailto:[EMAIL PROTECTED] 
Sent: 15 December 2003 16:14
To: [EMAIL PROTECTED]
Subject: [Samba] DNS and DHCP setup


Hi,

Does anyone know of a document that gives details on how to set up Bind 
9 and DHCPD 3.x so that dns is updated when clients log on?
I saw this is not in the howto collection 
(http://www.bibsyst.no/samba/docs/man/DNSDHCP.html#id2981727) so I was 
kind of hoping someone else has some notes.

I would be grateful for any tips and links.

Tarjei



[Samba] pam_mkhomedir.so on Solaris 9

2003-12-11 Thread Ganguly, Sapan
 
Hello, I need a little help, so far I have winbind working on Solaris 9.
wbinfo and getent give me what they are supposed to.  Now I want to create
home directories on the fly when a user logs in with their windows username
and password.  I got pam_mkhomedir.so from the link below, it's right at the
bottom of the page.  
 
http://lists.spack.org/archives/padl.com/3749.html
 
The trouble is that I don't know where in my pam.conf I should put it,
pam.conf in Solaris 9 seems to be different to pam.conf in Solaris 8.
 
Does anyone have any ideas?
 
The rest of my pam.conf looks like Patrik Gustavsson's -
 
http://marc.theaimsgroup.com/?l=samba&m=105765221028976&w=2
 
But I haven't got this to work yet either, when I try to log in as a windows
user it just hangs at the password prompt but I thought that this may be due
to the home directory not being present yet.
 
Thanks,
Sapan
 
 


RE: [Samba] Re: Character set conversion problems with 3.0

2003-12-11 Thread Ganguly, Sapan

When I compiled on Solaris 9 this problem seemed to go away if I put in
/usr/local/lib in LD_LIBRARY_PATH and then re-compiled.  I'm not entirely
sure that's what fixed it but you could try it if you want.

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: 11 December 2003 17:26
To: Jérôme Fenal
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Re: Character set conversion problems with 3.0


Jérôme Fenal wrote:
| John P. Nelson wrote:
|
| I've just compiled Samba 3.0.0 on a Solaris 8 system (gcc, if it 
| matters), and whenever I run anything from the samba suite, I get a 
| series of error message about character set conversions:
|
| Conversion from UCS-2LE to CP850 not supported
| Conversion from UTF8 to CP850 not supported
| ...
|
| and about 10 more, all involving CP850 (the standard DOS codepage, 
| presumably).  Now, obviously I've misconfigured something (iconv?), 
| either at compile time or at run time.  Do I need to recompile to fix 
| this, or is it something I need to do in the smb.conf or other 
| control file?
|
| I don't really care about character conversions - I'm happy to let 
| Samba do whatever the default thing is, if I could just get it to 
| shut up.
|
| Any ideas?
|
| Install libiconv first (either from source or from a package as 
| delivered by sunfreeware.com), then configure --with-libiconv.

or try 3.0.1rc2.  We've added some internal code to
work around common character set issues like these.





cheers, jerry
- --
~ Hewlett-Packard- http://www.hp.com
~ SAMBA Team -- http://www.samba.org
~ GnuPG Key   http://www.plainjoe.org/gpg_public.asc
~ If we're adding to the noise, turn off this song --Switchfoot (2003)



[Samba] Winbind Working!!!

2003-10-14 Thread Ganguly, Sapan

I got winbind working!!  For anyone who is interested here is what my
smb.conf looks like -


[global]
workgroup = DOMAIN
server string = winbind client
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
dns proxy = no
idmap uid = 1-2
idmap gid = 1-2
template homedir = /home/%D/%U
template shell = /bin/bash
winbind separator = -
winbind use default domain = yes

I then joined the domain with -

net rpc join -S pdc -U administrator%password

Then I ran authconfig (I'm using redhat 9.0) to setup PAM for smb
authentication.  I can now login to my linux machines with my windoze
username and password.

The only thing I haven't managed to do yet is automatically create the home
directories, does anyone know how to do that?  I seem to remember reading
somewhere that this is also a PAM thing but I can't seem to find that
article again.

Thanks,
Sapan


RE: [Samba] NT4-Samba Migration Test Results

2003-10-09 Thread Ganguly, Sapan

John, 

Thank you very much, that has filled in a few gaps but I have one more
question.  Once I've used pdbedit to migrate everything to an LDAP backend
how should the scripts part of my smb.conf look then?

You see, the way I did it was to set up my LDAP database first, then setup
Samba and put the scripts from smbldap-tools into my smb.conf.  I then ran
'net rpc vampire' and that took everything across, all the users, groups,
and computers went into the database. The only problem was that the most
groups were empty, in fact the only group that is populated is Domain Users.
We have a lot of groups on our site, each time a new project is started we
create a new group and put the team members in it, we have hundreds!!  I did
contemplate putting people back into their groups by hand and I'll have to
do it if that's the only way but I suspect I'm just using a script wrongly
or just not using the right script... is there even a script for this?

So before I start again and do it your way I'd just like to know the answer
to that last little bit because although your method will give me a complete
and correct initial database, when my administrators add users and groups to
the system via NT's UserManager I suspect I will have the same problem.

Oh, one more thing, the passwords don't seem to go across either, next to
sambaNTPassword and sambaLMPassword I get XXX.  This may be solved if I do
things your way too, but this may also be a problem for administrators when
adding users via UserManager when I convert back to an LDAP
backend... hmm... a few more questions have come up in my mind, but I'll save
them for later...after I have re-read the documentation.  Anyway, in the
short term I can just add the hashes to an LDIF from a 'net rpc samdump'
right?

I really appreciate your help so far but I just have to iron these few
things out, I can't really present this solution to a technical director
just yet as I don't have it straight in my own head.
I promise I have read ALL of the relevant parts of the HOWTO collection but
for someone like me who is going straight from NT4 to Samba+LDAP you kind of
have to piece things together from different parts of the documentation
which is why  I offered to write a complete HOWTO for this specific task, I
will have to document it all for people here anyway.

I'm going to stop now, I know I'm getting this product and support for it
free, I don't want to push my luck!

Thanks a lot,
Sapan


-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED] 
Sent: 09 October 2003 03:32
To: Ganguly, Sapan 
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] NT4-Samba Migration Test Results


Sapan,

It is of course a pleasure to help you, but I did expect that my reply was
rather specific enough.

Have you read the Samba-HOWTO-Collection.pdf?

Chapter 31 covers the process (Section 31.1.1.2) covers this rather
completely.

Anyhow, here we go:

1. Configure smb.conf for BDC

   [globals]
workgroup = NT4DOMAIN
netbios name = NEWSERVER
passdb backend = tdbsam
domain master = No
domain logons = Yes
os level = 33
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel %u
add group script = /usr/sbin/groupadd %g
add machine script = /usr/sbin/useradd -d /dev/null -s /bin/false %u
wins server = x.x.x.x

2. Join the domain as a BDC server:

net rpc join -UAdministrator%password

3. Migrate accounts:

net rpc vampire -UAdministrator%password

4. Shutdown NT4 PDC

5. Convert Samba-3 BDC to PDC, and make it the WINS server:

   [globals]
workgroup = NT4DOMAIN
netbios name = NEWSERVER
passdb backend = tdbsam
domain master = Yes
domain logons = Yes
os level = 33
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel %u
add group script = /usr/sbin/groupadd %g
add machine script = /usr/sbin/useradd -d /dev/null -s /bin/false %u
wins support = Yes

6. Start Samba PDC.


If all worked correctly then your existing Windows NT4 Domain clients will
be able to log on just as with the original NT4 PDC.


Gotchas:


The biggest problem will be the migration of NT4 Group accounts. You will
need to either:

a) convert all group names to all lower-case and less than 32 characters

_OR_

b) create your own replacement for the groupadd command on your system so
that it can add group names that have a space character in them, and that
can have an upper case character in them. You will also need to modify the
way that the NT Group name is passed to the script.


Here is a script that will do the trick, although it is NOT elegant nor does
it do any safety checks. You might call this script: smbaddgrp.sh Of course
it needs to be set to permissions to execute with:
chmod 755 smbgrpadd.sh

PS: That script is published
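
A pre-flight check for option (a) above, as an added example (this is not the script John refers to, which is not reproduced on this page): it maps NT group names to lower-case names shorter than 32 characters without spaces and reports names that would collide after conversion. The replacement character, the truncate-and-hash scheme, the `g_` prefix and the sample group names are assumptions.

```python
import hashlib
import re

MAX_LEN = 31                      # "less than 32 characters"
EXISTING = "<existing local group>"

# Constructed sample data.
SAMPLE_NT_GROUPS = [
    "Domain Users",
    "Domain Admins",
    "Project Alpha",
    "project_alpha",
    "Research and Development Long Range Planning Committee",
    "wheel",
]


def unix_group_name(nt_name, max_len=MAX_LEN):
    """Map an NT group name to a lower-case name without spaces."""
    name = re.sub(r"[^a-z0-9_-]+", "_", nt_name.strip().lower()).strip("_")
    if not name:
        raise ValueError(f"nothing usable left of {nt_name!r}")
    if not re.match(r"[a-z_]", name):
        name = "g_" + name        # do not start with a digit or '-'
    if len(name) > max_len:
        # Keep truncated names distinct with a short hash of the original.
        digest = hashlib.sha256(nt_name.encode("utf-8")).hexdigest()[:6]
        name = name[: max_len - 7] + "_" + digest
    return name


def plan_migration(nt_names, existing=()):
    """Return (mapping, collisions).

    mapping: NT name -> Unix name, only for names that are safe to create.
    collisions: Unix name -> every claimant of that name. Two NT groups that
    collapse into one Unix group would silently share members and file
    access, so these need a manual decision before the accounts are migrated.
    """
    owners = {name: [EXISTING] for name in existing}
    for nt_name in nt_names:
        owners.setdefault(unix_group_name(nt_name), []).append(nt_name)
    mapping, collisions = {}, {}
    for unix_name, claimants in owners.items():
        if len(claimants) > 1:
            collisions[unix_name] = claimants
        elif claimants[0] != EXISTING:
            mapping[claimants[0]] = unix_name
    return mapping, collisions


if __name__ == "__main__":
    mapping, collisions = plan_migration(SAMPLE_NT_GROUPS, existing={"wheel"})
    for nt_name, unix_name in mapping.items():
        print(f"create  {unix_name:32} for {nt_name!r}")
    for unix_name, claimants in collisions.items():
        print(f"CLASH   {unix_name:32} claimed by {claimants}")
```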

RE: [Samba] NT4-Samba Migration Test Results

2003-10-07 Thread Ganguly, Sapan

If someone answers my question I'll even write a howto!

-Original Message-
From: Ganguly, Sapan 
Sent: 06 October 2003 10:06
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: Re: [Samba] NT4-Samba Migration Test Results



Larry,

I have found that the easiest way to migrate from NT4 to Samba3 is to:

1. Use tdbsam as a medium for migration.
2. Before migrating accounts:
   i. Make sure that you configure your smb.conf carefully
   ii. Include all the user/group/machine scripts
   iii. Do NOT run smbd before vampire is run.
3. Set up the smb.conf for a Samba-BDC
4. Join the domain before running vampire
5. Then finally run vampire.

IF you want to use an LDAP or smbpasswd backend, use pdbedit to migrate 
the database.

- John T.


John,

Would it be possible for you to show us a copy of your smb.conf for each
stage of your migration?  I'm also interested in how you use pdbedit to
migrate the database.

Thanks,
Sapan


[Samba] RE: Samba 3.0 and LDAP as a PDC

2003-10-07 Thread Ganguly, Sapan

If someone answers my question I will even write a howto!

  -Original Message-
 From: Ganguly, Sapan   
 Sent: 01 October 2003 13:36
 To:   '[EMAIL PROTECTED]'
 Subject:  Samba 3.0 and LDAP as a PDC
 
 
 Hello all,
 
 I hope this is an easy one, I've read all the howtos but I'm still very
 hazy on how to do this.  What I want to do is replace my NT4 PDC with a
 Samba 3.0 PDC with an LDAP backend.  
 
 I've got my OpenLDAP up and running with the basic People, Computers and
 Groups ou's.  
 I've put the builtin NT groups in too.  
 I have Samba 3.0 functioning as a BDC 
 
 The trouble is that the 'net rpc vampire' command isn't working for me,
 probably because I haven't defined the smbldap scripts right in smb.conf.
 I've put all the relevant bits in smbldap_conf.pm. If anyone has done this
 already please may I see a copy of your smb.conf?
 
 'net rpc samdump' works, I guess the output from that could be used to
 populate the LDAP, is there a script for that?
 
 I've also tried the smbldap-migrate-accounts.pl script, to import all the
 information from a pwdump of my PDC, this sort of worked but it only
 created posix accounts, is this right?  Also pwdump.exe does not seem to
 dump groups so what are you supposed to use smbldap-migrate-groups.pl
 with?
 
 I think I might be able to work this out if I can just get a look at
 someone else's smb.conf.
 
 Sapan Ganguly
 Thales Research
 
 
 
 


Re: [Samba] NT4-Samba Migration Test Results

2003-10-06 Thread Ganguly, Sapan

Larry,

I have found that the easiest way to migrate from NT4 to Samba3 is to:

1. Use tdbsam as a medium for migration.
2. Before migrating accounts:
   i. Make sure that you configure your smb.conf carefully
   ii. Include all the user/group/machine scripts
   iii. Do NOT run smbd before vampire is run.
3. Set up the smb.conf for a Samba-BDC
4. Join the domain before running vampire
5. Then finally run vampire.

IF you want to use an LDAP or smbpasswd backend, use pdbedit to migrate
the database.

- John T.


John,

Would it be possible for you to show us a copy of your smb.conf for each
stage of your migration?  I'm also interested in how you use pdbedit to
migrate the database.

Thanks,
Sapan


[Samba] Samba 3.0 and LDAP as a PDC

2003-10-01 Thread Ganguly, Sapan

Hello all,

I hope this is an easy one, I've read all the howtos but I'm still very hazy
on how to do this.  What I want to do is replace my NT4 PDC with a Samba 3.0
PDC with an LDAP backend.  

I've got my OpenLDAP up and running with the basic People, Computers and
Groups ou's.  
I've put the builtin NT groups in too.  
I have Samba 3.0 functioning as a BDC 

The trouble is that the 'net rpc vampire' command isn't working for me,
probably because I haven't defined the smbldap scripts right in smb.conf.
I've put all the relevant bits in smbldap_conf.pm. If anyone has done this
already please may I see a copy of your smb.conf?

'net rpc samdump' works, I guess the output from that could be used to
populate the LDAP, is there a script for that?

I've also tried the smbldap-migrate-accounts.pl script, to import all the
information from a pwdump of my PDC, this sort of worked but it only created
posix accounts, is this right?  Also pwdump.exe does not seem to dump groups
so what are you supposed to use smbldap-migrate-groups.pl with?

I think I might be able to work this out if I can just get a look at someone
else's smb.conf.

Sapan Ganguly
Thales Research



