OMG Jerry YOU ARE A GOD! Enum users and enum groups did the trick. I turned
them off and I can now log in to admsrv. Dude, thank you so much, I've been
trying to figure that out for 2 weeks. I OWE U BEER or wine, whatever you want!
On 10/3/05, Matt Marcus [EMAIL PROTECTED] wrote:
Jerry,
Thank you sooo much for your answers to my questions, I was beginning to
lose hope :)
As for your answer below, do you have any online resources that may go
over how to configure a chroot environment? I'm not familiar with it at all.
The application we're using on this box requires Solaris 8, so an upgrade to
Solaris 10 is not currently possible.
Samba has to have a uid/gid for each user/group in the
Windows domain. If you don't want to use the global
/etc/nsswitch.conf, you could use a chroot environment
or a Solaris 10 zone.
I will attempt the changes you suggested today. Basically I'm having a
problem with this product named Helios Ethershare. It's an old school legacy
OPI and AppleTalk filesharing system. There is an administration service
named admsrv that allows you to configure the ethershare application via a
client gui. It is this app that's causing all the issues with winbind. The
app should essentially consult nsswitch.conf, find the root user, if the
root user does not exist it will consult its own passwd database for root,
if it can't find an account there it will consult nsswitch for some other
means of auth. Unfortunately, when winbind is running the app doesn't see root
in /etc/passwd or in its own passwd database and then begins to consult
winbind. However, the app hangs while logging in for 30 minutes, but stopping
winbind allows you to log in instantly. I'm attaching my smb.conf as well
as 3 text files named (TrussAdmSrvFailed.out, TrussAdmsrvSuccess.out, and
TrussWinbindFailedAuth.out). The first two are truss outputs of the
application admsrv in both a successful state without winbind and an
unsuccessful state with winbind. The last is a truss of winbind while a
failed login is in progress. I hope this is enough to help; let me know if
there is something else that may help with debugging this.
# Samba config file created using SWAT
# from 170.165.228.218 (170.165.228.218)
# Date: 2005/09/29 16:51:36
# Global parameters
[global]
workgroup = NDMSNET
realm = NEWSDAY.AD.TRB
netbios name = NDCCS
server string = Consolidated Content Server
interfaces = 170.165.195.177
bind interfaces only = Yes
security = ADS
map to guest = Bad User
lanman auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
getwd cache = No
wins server = 170.165.228.9
ldap ssl = no
idmap uid = 1-3
idmap gid = 1-3
winbind separator = +
winbind use default domain = Yes
admin users = root, NDMSNET+marcusm
wide links = No
[Laser]
comment = Laser Print Queue Share
path = /opi_laser
read only = No
[Imagers]
comment = Image Setter Queue Share
path = /opi_imagers
read only = No
[XML]
comment = XML Share For Order Entry
path = /app/samba/Mounts
read only = No
[ToPlate]
comment = PDF To Plate Share
path = /psfiles/To_Plate
read only = No
[RipCheck]
comment = Rip Validation Share
path = /app/samba/PagMounts
[MattsHome]
comment = Home Dir
path = /usr/users/mmarcus
read only = No
create mask = 0664
directory mask = 0775
browseable = No
[HammerThis]
comment = Samba3 Stress Test
path = /vol11
admin users = NDMSNET+marcusm, NDMSNET+benzej
read only = No
guest ok = Yes
On 10/3/05, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:
Matt Marcus wrote:
| 1 - Does PAM have to be configured when using winbind
| and samba 3 in an ADS environment? Everything is currently
| working and I've done nothing to configure PAM, yet
| all online documentation states this is a necessary step?
No. You only need PAM if you want to use pam (or build pam_winbindd.so)
| 2 - Can samba 3 still use ads and winbind without
| adding winbind to nsswitch.conf? If not, is there any way
| to force winbind to leave all applications with the
| exception of samba out of its control, e.g. helios
| admsrv, afpserv or anything else installed on the
| system that may consult nsswitch that knows
| nothing about domains or winbind?
Samba has to have a uid/gid for each user/group in the
Windows domain. If you don't want to use the global
/etc/nsswitch.conf, you could use a chroot environment
or a Solaris 10 zone.
| 3 - Why does wbinfo -u fail to return entries from
| the domain controller periodically? Is this normal
| behavior or did I mess up configuration someplace?
No. wbinfo -u should consistently return all users.
| 4 - wbinfo -u seems to work 80% of the time but
| when it takes a long time to query the domain
| controller access to any