Re: [Samba] Solaris 10 winbind authentication with ADS
Thanks for the replies. I got this resolved. It was a case of my eyes not seeing what was in front of my face. The Solaris upgrade DID replace my /usr/lib/nss_winbind.so.1 link with Solaris's own library of same name. So I just had to rename that and recreate my link to the samba compiled libnss_winbind.so file. This is how I have the links done in /usr/lib

-r-xr-xr-x 1 root root 50880 Dec 27 13:14 libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 17 15:29 libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Jan 12 13:58 nss_winbind.so.1 -> libnss_winbind.so

On 1/7/11 5:36 AM, Michael Wood wrote:
> Hi
>
> On 6 January 2011 01:11, CJ Keist cj.ke...@colostate.edu wrote:
>> Well, I did smart thing and upgraded my Solaris box to Solaris 10 update 9. And now my winbind authentication has broken. I have checked all my /usr/lib/*winbind* and /usr/lib/security/*winbind* libs and all are still good from my last install. /etc/pam.conf, nsswitch.conf are still intact. wbinfo seems to work fine. getent passwd username just returns empty.
>>
>> This is what I'm getting in my /var/samba/log/log.winbindd file:
>>
>> [2011/01/05 16:04:00.061446, 2] winbindd/winbindd.c:819(winbind_client_request_read)
>>   Could not read client request from fd 22: I/O error
>
> I don't run Solaris and am not using winbind, so this is just a guess, but I hope it helps.
>
> winbind communicates via a socket, which I think is put in /tmp by default (/tmp/.winbindd/ or something like that). Can you check what fd 22 is? e.g. using lsof. Maybe it's the socket.
>
> It might be that Solaris 10 changes something about /tmp that interferes with winbind's socket? Maybe try putting the socket somewhere else. I think you're supposed to be able to do this with
>
> winbind:socket dir =
>
> It seems the winbind:socket dir option was introduced in Samba 3.2.0.

--
C. J. Keist                     Email: cj.ke...@colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
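Added example (not part of the original thread): the failure resolved in the message above, an OS upgrade replacing the nss_winbind.so.1 link with a vendor library of the same name, can be caught with a small link audit. The function names and the ".vendor" backup suffix are made up here, and a POSIX shell such as bash or ksh is assumed.

```shell
#!/bin/sh
# Added example: audit the NSS winbind links that the thread found broken
# after an OS upgrade. Function names and the ".vendor" suffix are made up.

# check_nss_link DIR NAME EXPECTED -> prints one status word:
#   ok        NAME is a symlink resolving to a file identical to DIR/EXPECTED
#   copy      NAME is a regular file with the same bytes as DIR/EXPECTED
#   replaced  NAME is a regular file with different bytes (e.g. vendor library)
#   mismatch  NAME is a symlink to some other library
#   dangling  NAME is a symlink whose target does not exist
#   missing   NAME does not exist
check_nss_link() (
    path=$1/$2
    want=$1/$3
    if [ -h "$path" ]; then
        if [ ! -e "$path" ]; then echo dangling
        elif cmp -s "$path" "$want"; then echo ok
        else echo mismatch
        fi
    elif [ -e "$path" ]; then
        if cmp -s "$path" "$want"; then echo copy; else echo replaced; fi
    else
        echo missing
    fi
)

# audit_nss_links DIR [EXPECTED] -> one "name status" line for each link name
# from the thread's final listing; returns non-zero if any is not "ok".
audit_nss_links() (
    dir=$1
    want=${2:-libnss_winbind.so}
    rc=0
    for name in libnss_winbind.so.1 nss_winbind.so.1; do
        status=$(check_nss_link "$dir" "$name" "$want")
        echo "$name $status"
        [ "$status" = ok ] || rc=1
    done
    exit "$rc"
)

# repair_nss_link DIR NAME [EXPECTED]: keep whatever is there now under
# NAME.vendor, then recreate the relative symlink, as described in the thread.
repair_nss_link() (
    dir=$1; name=$2; want=${3:-libnss_winbind.so}
    [ -f "$dir/$want" ] || { echo "no $dir/$want to link to" >&2; exit 1; }
    cd "$dir" || exit 1
    if [ -e "$name" ] || [ -h "$name" ]; then
        # Refuse to overwrite an earlier backup.
        [ ! -e "$name.vendor" ] || { echo "$name.vendor exists" >&2; exit 1; }
        mv "$name" "$name.vendor" || exit 1
    fi
    ln -s "$want" "$name"
)

# Run the audit only when a directory is given, e.g.: sh audit.sh /usr/lib
if [ "$#" -gt 0 ]; then
    audit_nss_links "$@"
fi
```

Running the audit after every OS patch or upgrade turns a silent `getent` failure into a one-line report naming the link that changed.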
Re: [Samba] Solaris 10 winbind authentication with ADS
Hi

On 6 January 2011 01:11, CJ Keist cj.ke...@colostate.edu wrote:
> Well, I did smart thing and upgraded my Solaris box to Solaris 10 update 9. And now my winbind authentication has broken. I have checked all my /usr/lib/*winbind* and /usr/lib/security/*winbind* libs and all are still good from my last install. /etc/pam.conf, nsswitch.conf are still intact. wbinfo seems to work fine. getent passwd username just returns empty.
>
> This is what I'm getting in my /var/samba/log/log.winbindd file:
>
> [2011/01/05 16:04:00.061446, 2] winbindd/winbindd.c:819(winbind_client_request_read)
>   Could not read client request from fd 22: I/O error

I don't run Solaris and am not using winbind, so this is just a guess, but I hope it helps.

winbind communicates via a socket, which I think is put in /tmp by default (/tmp/.winbindd/ or something like that). Can you check what fd 22 is? e.g. using lsof. Maybe it's the socket.

It might be that Solaris 10 changes something about /tmp that interferes with winbind's socket? Maybe try putting the socket somewhere else. I think you're supposed to be able to do this with

winbind:socket dir =

It seems the winbind:socket dir option was introduced in Samba 3.2.0.

--
Michael Wood esiot...@gmail.com
[Samba] Solaris 10 winbind authentication with ADS
So, no one has a clue here?

--

Well, I did smart thing and upgraded my Solaris box to Solaris 10 update 9. And now my winbind authentication has broken. I have checked all my /usr/lib/*winbind* and /usr/lib/security/*winbind* libs and all are still good from my last install. /etc/pam.conf, nsswitch.conf are still intact. wbinfo seems to work fine. getent passwd username just returns empty.

This is what I'm getting in my /var/samba/log/log.winbindd file:

[2011/01/05 16:04:00.061446, 2] winbindd/winbindd.c:819(winbind_client_request_read)
  Could not read client request from fd 22: I/O error

Anyone have any ideas what broke?

# ./testparm
Load smb config files from /opt/local/lib/smb.conf
rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = DOMAIN
realm = DOMAIN.EDU
interfaces = eri0
security = ADS
password server = domain.edu
log level = 10 winbind:10
log file = /var/samba/log/log.%m
max log size = 50
load printers = No
utmp = Yes
idmap backend = rid:DOMAIN=10-50
idmap uid = 10-50
idmap gid = 10-50
template homedir = /home/%U
template shell = /bin/tcsh
winbind separator = /
winbind cache time = 1800
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
create krb5 conf = No

--
C. J. Keist                     Email: cj.ke...@colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'
Re: [Samba] Solaris 10 winbind authentication with ADS
I am guessing it also updated samba (unless you had previously patched samba.)

Did you try backing up and deleting any TDB files relating to idmap or winbind and restarting samba?

On 01/06/2011 03:49 PM, CJ Keist wrote:
> So, no one has a clue here?
>
> --
>
> Well, I did smart thing and upgraded my Solaris box to Solaris 10 update 9. And now my winbind authentication has broken. I have checked all my /usr/lib/*winbind* and /usr/lib/security/*winbind* libs and all are still good from my last install. /etc/pam.conf, nsswitch.conf are still intact. wbinfo seems to work fine. getent passwd username just returns empty.
>
> This is what I'm getting in my /var/samba/log/log.winbindd file:
>
> [2011/01/05 16:04:00.061446, 2] winbindd/winbindd.c:819(winbind_client_request_read)
>   Could not read client request from fd 22: I/O error
>
> Anyone have any ideas what broke?
>
> # ./testparm
> Load smb config files from /opt/local/lib/smb.conf
> rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.EDU
> interfaces = eri0
> security = ADS
> password server = domain.edu
> log level = 10 winbind:10
> log file = /var/samba/log/log.%m
> max log size = 50
> load printers = No
> utmp = Yes
> idmap backend = rid:DOMAIN=10-50
> idmap uid = 10-50
> idmap gid = 10-50
> template homedir = /home/%U
> template shell = /bin/tcsh
> winbind separator = /
> winbind cache time = 1800
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> create krb5 conf = No
[Samba] Solaris 10 winbind authentication with ADS
Well, I did smart thing and upgraded my Solaris box to Solaris 10 update 9. And now my winbind authentication has broken. I have checked all my /usr/lib/*winbind* and /usr/lib/security/*winbind* libs and all are still good from my last install. /etc/pam.conf, nsswitch.conf are still intact. wbinfo seems to work fine. getent passwd username just returns empty.

This is what I'm getting in my /var/samba/log/log.winbindd file:

[2011/01/05 16:04:00.061446, 2] winbindd/winbindd.c:819(winbind_client_request_read)
  Could not read client request from fd 22: I/O error

Anyone have any ideas what broke?

# ./testparm
Load smb config files from /opt/local/lib/smb.conf
rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = DOMAIN
realm = DOMAIN.EDU
interfaces = eri0
security = ADS
password server = domain.edu
log level = 10 winbind:10
log file = /var/samba/log/log.%m
max log size = 50
load printers = No
utmp = Yes
idmap backend = rid:DOMAIN=10-50
idmap uid = 10-50
idmap gid = 10-50
template homedir = /home/%U
template shell = /bin/tcsh
winbind separator = /
winbind cache time = 1800
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
create krb5 conf = No

--
C. J. Keist                     Email: cj.ke...@colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'
Re: [Samba] solaris 10 winbind authentication with ADS
On Mon, Dec 27, 2010 at 08:10:16AM -0700, CJ Keist wrote:
> Thank you. ./wbinfo -n login_name works. But the wbinfo -i doesn't work, Could not get info for user COLOSTATE\login. So winbind is working partially? Could there be something on the Windows domain controller that isn't allowing the information to my samba server?

That's unlikely. Try

wbinfo -n login_name

and use the resulting SID to try

wbinfo --sid-to-uid sid

If the latter step fails, your id mapping does not work. If that works and the wbinfo -n still does not work, we need winbind debug level 10 logs.

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
Re: [Samba] solaris 10 winbind authentication with ADS
Thank you. ./wbinfo -n login_name works. But the wbinfo -i doesn't work, Could not get info for user COLOSTATE\login. So winbind is working partially? Could there be something on the Windows domain controller that isn't allowing the information to my samba server?

On 12/22/10 4:05 AM, Volker Lendecke wrote:
> On Tue, Dec 21, 2010 at 10:35:58AM -0700, CJ Keist wrote:
>> getent passwd user_name
>> or
>> getent group group_name
>
> Try
>
> wbinfo -i user_name
>
> or
>
> wbinfo -i domain\\user_name
>
> That is a direct path without NSS intervention. This way you can reduce the problem to either winbind proper or nss problems.
>
> With best regards,
>
> Volker Lendecke

--
C. J. Keist                     Email: cj.ke...@colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'
[Samba] solaris 10 winbind authentication with ADS
Made some progress here. I saw from the log files that samba couldn't find the /opt/local/lib/idmap/rid.so module. So I added --with-shared-modules=idmap_rid to my configure options. That got the rid.so to get installed and now the getent passwd login works! But getent passwd by itself doesn't?? Could there be a limit on what the getent will spit out? We have 30k+ accounts in our windows domain.

But I still cannot ssh into this server.

--

Forgot to add, my nsswitch.conf file has the winbind option added to the end of the passwd and group lines:

passwd: files winbind
group: files winbind

I'm trying to setup a Solaris 10 Sparc station to authenticate users on login with Windows ADS. I have found the documentation for this but having no luck in getting the pam modules to work. Here is what I have done so far:

Compiling Kerberos MIT5-1.8.3:
cd into the src directory
./configure --prefix=/opt/local
gmake
gmake install

Compiling Samba 3.5.6:
setenv CFLAGS -O2
setenv LDFLAGS -L/opt/local/lib -Wl,-R/opt/local/lib
setenv CPPFLAGS -I/opt/local/include
./configure --prefix=/opt/local --with-pam --with-ads --with-winbind --with-krb5=/opt/local
gmake
gmake install

Compiles and installs with no errors. Here is my samba conf. file:

[global]
workgroup = DOMAINNAME
realm = DOMINNAME.EDU
security = ADS
password server = domainname.edu
log file = /var/samba/log/log.%m
max log size = 50
load printers = No
utmp = Yes
idmap backend = idmap_rid:DOMAINNAME=10-50
idmap uid = 10-50
idmap gid = 10-50
template homedir = /home/%U
template shell = /bin/tcsh
winbind cache time = 1800
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
winbind separator = /
create krb5 conf = No

Krb5.conf:
[libdefaults]
default_realm = DOMAINNAME.EDU
[realms]
DOMAINNAME.EDU = {
kdc = server.domainname.edu
}
[domain_realm]
.server.domainname.edu = DOMAINNAME.EDU
server.domainname.edu = DOMAINNAME.EDU

Then I was able to join okay:
# ./net ads join -U user
Enter user's password:
Using short domain name -- DOMAINNAME
Joined 'SUNTEST1' to realm 'DomainName.EDU'
# ./net ads testjoin
Join is OK

I can get info from the ADS from wbinfo command just fine. But I cannot get anything via

getent passwd user_name
or
getent group group_name

I did copy the libnss_winbind.so from the samba build and have the pam_winbind.so linked in as well:
# cd /usr/lib
# ls -l *winbind*
-r-xr-xr-x 1 root root 50880 Dec 20 13:07 libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 17 15:29 libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 17 15:30 libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.2 -> libnss_winbind.so
# cd /usr/lib/security/
# ls -l *winbind*
lrwxrwxrwx 1 root root 38 Dec 20 13:04 pam_winbind.so -> /opt/local/lib/security/pam_winbind.so
lrwxrwxrwx 1 root root 38 Dec 20 13:05 pam_winbind.so.1 -> /opt/local/lib/security/pam_winbind.so

My pam.conf:
login auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
other auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
other session sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
other session required pam_unix_session.so.1

What am I missing

--
C. J. Keist                     Email: cj.ke...@colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'
Re: [Samba] solaris 10 winbind authentication with ADS
On Tue, Dec 21, 2010 at 10:35:58AM -0700, CJ Keist wrote:
> getent passwd user_name
> or
> getent group group_name

Try

wbinfo -i user_name

or

wbinfo -i domain\\user_name

That is a direct path without NSS intervention. This way you can reduce the problem to either winbind proper or nss problems.

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
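Added example (not part of the original thread): the checks suggested in the replies of Dec 21 and Dec 27 (wbinfo -n, then wbinfo --sid-to-uid, then wbinfo -i, then getent) combined into one function that names the first layer that fails. The state names and the WBINFO/GETENT override variables are made up here; the override lets the logic be exercised with stand-ins on a host that is not domain-joined.

```shell
#!/bin/sh
# Added example: layer-by-layer winbind triage. State names are made up.
# Commands are overridable so the logic can be run against stand-ins.
WBINFO=${WBINFO:-wbinfo}
GETENT=${GETENT:-getent}

# triage_winbind USER -> prints the first layer that fails:
#   name-lookup  wbinfo -n cannot turn the name into a SID
#   idmap        the SID does not map to a uid (wbinfo --sid-to-uid fails)
#   user-info    id mapping works but wbinfo -i still fails
#   nss          winbind answers, but getent passwd USER returns nothing
#   ok           every step answered
triage_winbind() (
    user=$1
    # wbinfo -n prints "<SID> <type>"; keep only the SID.
    sid=$("$WBINFO" -n "$user" 2>/dev/null | awk 'NR == 1 { print $1 }')
    case $sid in
        S-1-*) ;;
        *) echo name-lookup; exit 0 ;;
    esac
    "$WBINFO" --sid-to-uid "$sid" >/dev/null 2>&1 || { echo idmap; exit 0; }
    "$WBINFO" -i "$user" >/dev/null 2>&1 || { echo user-info; exit 0; }
    # The thread's symptom was empty output, so test the output, not just $?.
    entry=$("$GETENT" passwd "$user" 2>/dev/null) || entry=
    [ -n "$entry" ] || { echo nss; exit 0; }
    echo ok
)

# next_step STATE -> the follow-up the thread points to for that state.
next_step() {
    case $1 in
        name-lookup) echo "check the domain join (net ads testjoin)" ;;
        idmap)       echo "check the idmap backend and that its module is installed" ;;
        user-info)   echo "collect winbind debug level 10 logs" ;;
        nss)         echo "check nsswitch.conf and the nss_winbind.so.1 link in /usr/lib" ;;
        ok)          echo "lookups work; look at pam.conf next" ;;
        *)           echo "unknown state: $1"; return 1 ;;
    esac
}

# Run against the real commands only when a user name is given.
if [ "$#" -gt 0 ]; then
    state=$(triage_winbind "$1")
    echo "$1: $state: $(next_step "$state")"
fi
```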
[Samba] solaris 10 winbind authentication with ADS
I'm trying to setup a Solaris 10 Sparc station to authenticate users on login with Windows ADS. I have found the documentation for this but having no luck in getting the pam modules to work. Here is what I have done so far:

Compiling Kerberos MIT5-1.8.3:
cd into the src directory
./configure --prefix=/opt/local
gmake
gmake install

Compiling Samba 3.5.6:
setenv CFLAGS -O2
setenv LDFLAGS -L/opt/local/lib -Wl,-R/opt/local/lib
setenv CPPFLAGS -I/opt/local/include
./configure --prefix=/opt/local --with-pam --with-ads --with-winbind --with-krb5=/opt/local
gmake
gmake install

Compiles and installs with no errors. Here is my samba conf. file:

[global]
workgroup = DOMAINNAME
realm = DOMINNAME.EDU
security = ADS
password server = domainname.edu
log file = /var/samba/log/log.%m
max log size = 50
load printers = No
utmp = Yes
idmap backend = idmap_rid:DOMAINNAME=10-50
idmap uid = 10-50
idmap gid = 10-50
template homedir = /home/%U
template shell = /bin/tcsh
winbind cache time = 1800
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
winbind separator = /
create krb5 conf = No

Krb5.conf:
[libdefaults]
default_realm = DOMAINNAME.EDU
[realms]
DOMAINNAME.EDU = {
kdc = server.domainname.edu
}
[domain_realm]
.server.domainname.edu = DOMAINNAME.EDU
server.domainname.edu = DOMAINNAME.EDU

Then I was able to join okay:
# ./net ads join -U user
Enter user's password:
Using short domain name -- DOMAINNAME
Joined 'SUNTEST1' to realm 'DomainName.EDU'
# ./net ads testjoin
Join is OK

I can get info from the ADS from wbinfo command just fine. But I cannot get anything via

getent passwd user_name
or
getent group group_name

I did copy the libnss_winbind.so from the samba build and have the pam_winbind.so linked in as well:
# cd /usr/lib
# ls -l *winbind*
-r-xr-xr-x 1 root root 50880 Dec 20 13:07 libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 17 15:29 libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 17 15:30 libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.2 -> libnss_winbind.so
# cd /usr/lib/security/
# ls -l *winbind*
lrwxrwxrwx 1 root root 38 Dec 20 13:04 pam_winbind.so -> /opt/local/lib/security/pam_winbind.so
lrwxrwxrwx 1 root root 38 Dec 20 13:05 pam_winbind.so.1 -> /opt/local/lib/security/pam_winbind.so

My pam.conf:
login auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
other auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
other session sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
other session required pam_unix_session.so.1

What am I missing

--
C. J. Keist                     Email: cj.ke...@colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'
[Samba] solaris 10 winbind authentication with ADS
Forgot to add, my nsswitch.conf file has the winbind option added to the end of the passwd and group lines:

passwd: files winbind
group: files winbind

I'm trying to setup a Solaris 10 Sparc station to authenticate users on login with Windows ADS. I have found the documentation for this but having no luck in getting the pam modules to work. Here is what I have done so far:

Compiling Kerberos MIT5-1.8.3:
cd into the src directory
./configure --prefix=/opt/local
gmake
gmake install

Compiling Samba 3.5.6:
setenv CFLAGS -O2
setenv LDFLAGS -L/opt/local/lib -Wl,-R/opt/local/lib
setenv CPPFLAGS -I/opt/local/include
./configure --prefix=/opt/local --with-pam --with-ads --with-winbind --with-krb5=/opt/local
gmake
gmake install

Compiles and installs with no errors. Here is my samba conf. file:

[global]
workgroup = DOMAINNAME
realm = DOMINNAME.EDU
security = ADS
password server = domainname.edu
log file = /var/samba/log/log.%m
max log size = 50
load printers = No
utmp = Yes
idmap backend = idmap_rid:DOMAINNAME=10-50
idmap uid = 10-50
idmap gid = 10-50
template homedir = /home/%U
template shell = /bin/tcsh
winbind cache time = 1800
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
winbind separator = /
create krb5 conf = No

Krb5.conf:
[libdefaults]
default_realm = DOMAINNAME.EDU
[realms]
DOMAINNAME.EDU = {
kdc = server.domainname.edu
}
[domain_realm]
.server.domainname.edu = DOMAINNAME.EDU
server.domainname.edu = DOMAINNAME.EDU

Then I was able to join okay:
# ./net ads join -U user
Enter user's password:
Using short domain name -- DOMAINNAME
Joined 'SUNTEST1' to realm 'DomainName.EDU'
# ./net ads testjoin
Join is OK

I can get info from the ADS from wbinfo command just fine. But I cannot get anything via

getent passwd user_name
or
getent group group_name

I did copy the libnss_winbind.so from the samba build and have the pam_winbind.so linked in as well:
# cd /usr/lib
# ls -l *winbind*
-r-xr-xr-x 1 root root 50880 Dec 20 13:07 libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 17 15:29 libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 17 15:30 libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.2 -> libnss_winbind.so
# cd /usr/lib/security/
# ls -l *winbind*
lrwxrwxrwx 1 root root 38 Dec 20 13:04 pam_winbind.so -> /opt/local/lib/security/pam_winbind.so
lrwxrwxrwx 1 root root 38 Dec 20 13:05 pam_winbind.so.1 -> /opt/local/lib/security/pam_winbind.so

My pam.conf:
login auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
other auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
other session sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
other session required pam_unix_session.so.1

What am I missing

--
C. J. Keist                     Email: cj.ke...@colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'
Re: [Samba] solaris 10 winbind authentication with ADS
Is this to support authentication for unix users (e.g. via ssh) or windows users (via samba?)

I found that after upgrading from samba 3.0.x to 3.4.x that the idmap allocation stopped working. In my case I already had the idmap entries populated into ldap.

Can you use wbinfo --allocate-uid or wbinfo --set-uid-mapping to manually create a UID-to-SID mapping?

On 12/21/2010 01:44 PM, CJ Keist wrote:
> Forgot to add, my nsswitch.conf file has the winbind option added to the end of the passwd and group lines:
>
> passwd: files winbind
> group: files winbind
>
> I'm trying to setup a Solaris 10 Sparc station to authenticate users on login with Windows ADS. I have found the documentation for this but having no luck in getting the pam modules to work. Here is what I have done so far:
>
> Compiling Kerberos MIT5-1.8.3:
> cd into the src directory
> ./configure --prefix=/opt/local
> gmake
> gmake install
>
> Compiling Samba 3.5.6:
> setenv CFLAGS -O2
> setenv LDFLAGS -L/opt/local/lib -Wl,-R/opt/local/lib
> setenv CPPFLAGS -I/opt/local/include
> ./configure --prefix=/opt/local --with-pam --with-ads --with-winbind --with-krb5=/opt/local
> gmake
> gmake install
>
> Compiles and installs with no errors. Here is my samba conf. file:
>
> [global]
> workgroup = DOMAINNAME
> realm = DOMINNAME.EDU
> security = ADS
> password server = domainname.edu
> log file = /var/samba/log/log.%m
> max log size = 50
> load printers = No
> utmp = Yes
> idmap backend = idmap_rid:DOMAINNAME=10-50
> idmap uid = 10-50
> idmap gid = 10-50
> template homedir = /home/%U
> template shell = /bin/tcsh
> winbind cache time = 1800
> winbind enum users = No
> winbind enum groups = No
> winbind use default domain = Yes
> winbind separator = /
> create krb5 conf = No
>
> Krb5.conf:
> [libdefaults]
> default_realm = DOMAINNAME.EDU
> [realms]
> DOMAINNAME.EDU = {
> kdc = server.domainname.edu
> }
> [domain_realm]
> .server.domainname.edu = DOMAINNAME.EDU
> server.domainname.edu = DOMAINNAME.EDU
>
> Then I was able to join okay:
> # ./net ads join -U user
> Enter user's password:
> Using short domain name -- DOMAINNAME
> Joined 'SUNTEST1' to realm 'DomainName.EDU'
> # ./net ads testjoin
> Join is OK
>
> I can get info from the ADS from wbinfo command just fine. But I cannot get anything via
>
> getent passwd user_name
> or
> getent group group_name
>
> I did copy the libnss_winbind.so from the samba build and have the pam_winbind.so linked in as well:
> # cd /usr/lib
> # ls -l *winbind*
> -r-xr-xr-x 1 root root 50880 Dec 20 13:07 libnss_winbind.so
> lrwxrwxrwx 1 root root 17 Dec 17 15:29 libnss_winbind.so.1 -> libnss_winbind.so
> lrwxrwxrwx 1 root root 17 Dec 17 15:30 libnss_winbind.so.2 -> libnss_winbind.so
> lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.1 -> libnss_winbind.so
> lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.2 -> libnss_winbind.so
> # cd /usr/lib/security/
> # ls -l *winbind*
> lrwxrwxrwx 1 root root 38 Dec 20 13:04 pam_winbind.so -> /opt/local/lib/security/pam_winbind.so
> lrwxrwxrwx 1 root root 38 Dec 20 13:05 pam_winbind.so.1 -> /opt/local/lib/security/pam_winbind.so
>
> My pam.conf:
> login auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
> other auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth required pam_unix_auth.so.1
> other session sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
> other session required pam_unix_session.so.1
>
> What am I missing
Re: [Samba] solaris 10 winbind authentication with ADS
I want to authenticate for ssh logins. I will not be running the smbd or nmbd daemons. Just winbind.

Running your commands I got:

# ./wbinfo --allocate-uid
Could not allocate a uid

The second there is no --set-uid-mapping option.

On 12/21/10 1:43 PM, Gaiseric Vandal wrote:
> Is this to support authentication for unix users (e.g. via ssh) or windows users (via samba?)
>
> I found that after upgrading from samba 3.0.x to 3.4.x that the idmap allocation stopped working. In my case I already had the idmap entries populated into ldap.
>
> Can you use wbinfo --allocate-uid or wbinfo --set-uid-mapping to manually create a UID-to-SID mapping?
>
> On 12/21/2010 01:44 PM, CJ Keist wrote:
>> Forgot to add, my nsswitch.conf file has the winbind option added to the end of the passwd and group lines:
>>
>> passwd: files winbind
>> group: files winbind
>>
>> I'm trying to setup a Solaris 10 Sparc station to authenticate users on login with Windows ADS. I have found the documentation for this but having no luck in getting the pam modules to work. Here is what I have done so far:
>>
>> Compiling Kerberos MIT5-1.8.3:
>> cd into the src directory
>> ./configure --prefix=/opt/local
>> gmake
>> gmake install
>>
>> Compiling Samba 3.5.6:
>> setenv CFLAGS -O2
>> setenv LDFLAGS -L/opt/local/lib -Wl,-R/opt/local/lib
>> setenv CPPFLAGS -I/opt/local/include
>> ./configure --prefix=/opt/local --with-pam --with-ads --with-winbind --with-krb5=/opt/local
>> gmake
>> gmake install
>>
>> Compiles and installs with no errors. Here is my samba conf. file:
>>
>> [global]
>> workgroup = DOMAINNAME
>> realm = DOMINNAME.EDU
>> security = ADS
>> password server = domainname.edu
>> log file = /var/samba/log/log.%m
>> max log size = 50
>> load printers = No
>> utmp = Yes
>> idmap backend = idmap_rid:DOMAINNAME=10-50
>> idmap uid = 10-50
>> idmap gid = 10-50
>> template homedir = /home/%U
>> template shell = /bin/tcsh
>> winbind cache time = 1800
>> winbind enum users = No
>> winbind enum groups = No
>> winbind use default domain = Yes
>> winbind separator = /
>> create krb5 conf = No
>>
>> Krb5.conf:
>> [libdefaults]
>> default_realm = DOMAINNAME.EDU
>> [realms]
>> DOMAINNAME.EDU = {
>> kdc = server.domainname.edu
>> }
>> [domain_realm]
>> .server.domainname.edu = DOMAINNAME.EDU
>> server.domainname.edu = DOMAINNAME.EDU
>>
>> Then I was able to join okay:
>> # ./net ads join -U user
>> Enter user's password:
>> Using short domain name -- DOMAINNAME
>> Joined 'SUNTEST1' to realm 'DomainName.EDU'
>> # ./net ads testjoin
>> Join is OK
>>
>> I can get info from the ADS from wbinfo command just fine. But I cannot get anything via
>>
>> getent passwd user_name
>> or
>> getent group group_name
>>
>> I did copy the libnss_winbind.so from the samba build and have the pam_winbind.so linked in as well:
>> # cd /usr/lib
>> # ls -l *winbind*
>> -r-xr-xr-x 1 root root 50880 Dec 20 13:07 libnss_winbind.so
>> lrwxrwxrwx 1 root root 17 Dec 17 15:29 libnss_winbind.so.1 -> libnss_winbind.so
>> lrwxrwxrwx 1 root root 17 Dec 17 15:30 libnss_winbind.so.2 -> libnss_winbind.so
>> lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.1 -> libnss_winbind.so
>> lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.2 -> libnss_winbind.so
>> # cd /usr/lib/security/
>> # ls -l *winbind*
>> lrwxrwxrwx 1 root root 38 Dec 20 13:04 pam_winbind.so -> /opt/local/lib/security/pam_winbind.so
>> lrwxrwxrwx 1 root root 38 Dec 20 13:05 pam_winbind.so.1 -> /opt/local/lib/security/pam_winbind.so
>>
>> My pam.conf:
>> login auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
>> login auth requisite pam_authtok_get.so.1
>> login auth required pam_dhkeys.so.1
>> login auth required pam_unix_cred.so.1
>> login auth required pam_unix_auth.so.1
>> login auth required pam_dial_auth.so.1
>> other auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
>> other auth requisite pam_authtok_get.so.1
>> other auth required pam_dhkeys.so.1
>> other auth required pam_unix_cred.so.1
>> other auth required pam_unix_auth.so.1
>> other session sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
>> other session required pam_unix_session.so.1
>>
>> What am I missing

--
C. J. Keist                     Email: cj.ke...@colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'