Michaels, Stephen P.
2002-Nov-04 17:46 UTC
[Samba] passwd command problem with Solaris/winbind/pam
Hi-

I am running Samba 2.2.5 on Solaris 8 with winbind and pam configured. I have the following in my nsswitch.conf:

    passwd: files winbind
    group: files winbind

Now local users on the Solaris 8 machine cannot change their password using the passwd command. Here is the sample output:

    # passwd michasp1
    Enter new password:
    Enter new password again:
    Supported configurations for passwd management are as follows:
        passwd: files
        passwd: files ldap
        passwd: files nis
        passwd: files nisplus
        passwd: compat
        passwd: compat AND
        passwd_compat: ldap OR
        passwd_compat: nisplus
    Please check your /etc/nsswitch.conf file
    Permission denied
    #

Does anybody have a workaround solution for this, or am I doing something wrong?

Thanks

Stephen P. Michaels
ISS-1 Server Systems Group
The Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Rd.
Laurel, MD. 20723-6099
(443) 778-7527
DeStefano, Paul
2002-Nov-08 18:29 UTC
[Samba] passwd command problem with Solaris/winbind/pam
Hello Stephen and All,

Yes, I think so. Someone I know had a good idea and it worked out pretty well.

My understanding of the problem: Solaris /usr/bin/passwd doesn't tolerate the "winbind" nameservice in /etc/nsswitch.conf.

His solution: Only use winbind resolution for samba, and leave passwd and the rest of Solaris alone. We can accomplish this using library interposition on samba (and any process which requires winbind resolution). Like overloading operators, you can override the normal system calls linked when smbd loads. (I'd never heard of interposers before, but always wondered when I'd get to use LD_PRELOAD. Whee.) Some info: http://www.itworld.com/AppDev/1006/UIR000929interposers/.

Here's the skinny. He wrote an interposer library for fopen(2) that opens /usr/local/samba/lib/nsswitch.conf instead of /etc/nsswitch.conf. So, basically, if arg=/etc/nsswitch.conf, return this other file instead. We LD_PRELOAD-ed it for smbd and winbindd, and removed winbind from the "real" nsswitch.conf. Now, smbd (and winbindd, though I don't think it needs it) gets name resolution through winbind because it thinks winbind is in nsswitch.conf, BUT NOTHING ELSE does. This has the side benefit that logins and utilities like 'finger' do not have to perform winbind resolution either, so they're fast, again. (We're not using the Samba PAM module; we don't let Windows Domain users log in to our Solaris box, so we don't need to have winbind resolution in the normal utilities. We just use winbind to authenticate users when accessing samba shares.)

Now, one problem. nscd (Name Service Caching Daemon) will now run! That sounds good, right, because normally when winbind is in nsswitch.conf, nscd bails? Well, when nscd is running, name resolution is done by nscd, NOT the application, so our fopen(2) override is ineffective. nscd doesn't crash, but doesn't resolve through winbind either, so smbd fails to look up Windows Domain accounts. Solution: turn off nscd, easy as that.

Okay, so that's what we did. We're satisfied with it. If you don't need nscd, I think you will be too. Your reactions are eagerly anticipated!

I bet I can convince my friend to post the source, if you really want it. But I encourage you to write your own interposer; it's pretty easy and maybe you'll notice something we didn't.

__
Paul DeStefano
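Added example, not part of the original thread and not the source Paul refers to: a minimal fopen interposer of the kind described in the message above, redirecting /etc/nsswitch.conf to /usr/local/samba/lib/nsswitch.conf. The function name redirect_path and the library file name nsswitch_interpose.so are assumptions made for this sketch.

```c
/* nsswitch_interpose.c (hypothetical file name)
 * Build with gcc:  gcc -shared -fPIC -o nsswitch_interpose.so nsswitch_interpose.c -ldl
 * Use only in the smbd/winbindd start script:
 *   LD_PRELOAD=/path/to/nsswitch_interpose.so smbd ...
 */
#define _GNU_SOURCE              /* exposes RTLD_NEXT on glibc; harmless elsewhere */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

#ifndef RTLD_NEXT                /* fallback if feature macros were fixed earlier; */
#define RTLD_NEXT ((void *)-1L)  /* same value glibc and Solaris <dlfcn.h> use     */
#endif

#define REAL_CONF    "/etc/nsswitch.conf"
#define PRIVATE_CONF "/usr/local/samba/lib/nsswitch.conf"

typedef FILE *(*fopen_fn)(const char *, const char *);

/* Substitute the private file for the system one; every other path,
 * including NULL, is passed through unchanged. */
const char *redirect_path(const char *path)
{
    if (path != NULL && strcmp(path, REAL_CONF) == 0)
        return PRIVATE_CONF;
    return path;
}

/* Same signature as libc's fopen. Because the preloaded library is searched
 * first, callers bind to this definition; it then forwards to the next
 * fopen in link order (libc's) with the possibly rewritten path. */
FILE *fopen(const char *path, const char *mode)
{
    static fopen_fn real_fopen;

    if (real_fopen == NULL)
        real_fopen = (fopen_fn)dlsym(RTLD_NEXT, "fopen");
    if (real_fopen == NULL)
        return NULL;             /* could not locate libc's fopen */
    return real_fopen(redirect_path(path), mode);
}
```

The wrapper only affects lookups that the preloaded process performs itself through fopen, which is why the message above finds it ineffective once nscd does the resolution. Runtime linkers ignore or restrict LD_PRELOAD for set-uid programs, so setting it per daemon in the start script keeps the redirect away from passwd and other system utilities.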
MCCALL,DON (HP-USA,ex1)
2002-Nov-08 18:41 UTC
[Samba] passwd command problem with Solaris/winbind/pam
Hi Paul,

pretty neat. HP-UX also has this issue; I think the real answer is to get the vendor(s) to modify the code so that winbind is a 'valid' source, same as 'files', 'nis', 'compat', etc...

For one thing, the interposer solution doesn't take into account someone on the Unix side doing a 'll' or 'ls -l' on the directory with files owned by winbindd users, so all you get is the uid/gid number for those files (since the standard ls, etc. are going to use calls that are going to be routed through the 'real' nsswitch.conf file)...

Just something to keep in mind when implementing this particular workaround...

Hope this helps,
Don
Hi all

I am running Samba 2.2.8a on Solaris 8 with winbind and pam configured. I use the following keywords in my nsswitch.conf:

    passwd: files winbind
    group: files winbind

Now local users on the Solaris 8 machine cannot change their password using the passwd command. Here is the sample output:

># passwd abcdef
>Enter new password:
>Enter new password again:
>Supported configurations for passwd management are as follows:
>    passwd: files
>    passwd: files ldap
>    passwd: files nis
>    passwd: files nisplus
>    passwd: compat
>    passwd: compat AND
>    passwd_compat: ldap OR
>    passwd_compat: nisplus
>Please check your /etc/nsswitch.conf file
>Permission denied
>#

Does anybody have a solution for this?

Thanks & Greetz

Gunther Vanaken
SUN System Engineer