Hello, I have samba 3.20 running in test on Solaris 8 and 9 beautifully. It is currently configured as a Domain Client; it authenticates using winbind and nsswitch libraries using ADS with Windows 2003 server. I have krb5 and ldap working just fine, but I now find myself with a mess of bugs and questions and I could really use some of your expertise in the matters, so here they go. Thank you soooo much in advance to anyone who has some answers for me.

Questions

1 - Does PAM have to be configured when using winbind and samba 3 in an ADS environment? Everything is currently working and I've done nothing to configure PAM, yet all online documentation states this is a necessary step?

2 - Can samba 3 still use ads and winbind without adding winbind to nsswitch.conf? If not, is there any way to force winbind to leave all applications with the exception of samba out of its control, e.g. helios admsrv, afpserv or anything else installed on the system that may consult nsswitch that knows nothing about domains or winbind?

3 - Why does wbinfo -u fail to return entries from the domain controller periodically? Is this normal behavior or did I mess up configuration someplace?

4 - wbinfo -u seems to work 80% of the time, but when it takes a long time to query the domain controller, access to any service on the sun server is slow?

PLEASE HELP GUYS !
Gerald (Jerry) Carter
2005-Oct-03 12:46 UTC
[Samba] Samba 3.20 Solaris questions PLEASE HELP!
Matt Marcus wrote:

| 1 - Does PAM have to be configured when using winbind
| and samba 3 in an ADS environment? Everything is currently
| working and I've done nothing to configure PAM, yet
| all online documentation states this is a necessary step?

No. You only need PAM if you want to use pam (or build pam_winbindd.so)

| 2 - Can samba 3 still use ads and winbind without
| adding winbind to nsswitch.conf? If not is there anyway
| to force winbind to leave all applications with the
| exception of samba out of its control eg helios
| admsrv, afpserv or anything else installed on the
| system that may consult nsswitch that knows
| nothing about domains or winbind?

Samba has to have a uid/gid for each user/group in the
Windows domain. If you don't want to use the global
/etc/nsswitch.conf, you could use a chroot environment
or a Solaris 10 zone.

| 3 - Why does wbinfo -u fail to return entries from
| the domain controller periodically? Is this normal
| behavior or did I mess up configuration someplace?

No. wbinfo -u should consistently return all users.

| 4 - wbinfo -u seems to work 80% of the time but
| when it takes a long time to query the domain
| controller access to any service on the sun server is
| slow?

enumerating users and groups is slow. We're working
on fixing this but for now you might just prefer to
set 'winbind enum {users,groups} = no' in smb.conf.
This will break any applications that use
{set,get,end}{pw,gr}ent() but such applications tend to
be fairly rare these days (although IIRC id and finger are
one of them).

cheers, jerry

====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us." --anonymous
OMG Jerry YOU ARE A GOD! Enum users and enum groups did the trick. I turned them off and I can now login to admsrv. Dude, thank you soooo much, I've been trying to figure that out for 2 weeks. I OWE U BEER or wine, whatever you want !!!!!!!!!!!!!

On 10/3/05, Matt Marcus <unixwizard@gmail.com> wrote:
>
> Jerry,
> Thank you sooo much for your answers to my questions, I was beginning to
> lose hope :)
> As for your answer below, do you have any online resources that may go
> over how to configure a chroot environment? I'm not familiar with it at all.
> The application we're using on this box requires Solaris 8, so an upgrade to
> Solaris 10 is not currently possible.
>
> > Samba has to have a uid/gid for each user/group in the
> > Windows domain. If you don't want to use the global
> > /etc/nsswitch.conf, you could use a chroot environment
> > or a Solaris 10 zone.
>
> I will attempt the changes you suggested today. Basically I'm having a
> problem with this product named Helios Ethershare; it's an old school legacy
> OPI and AppleTalk filesharing system. There is an administration service
> named admsrv that allows you to configure the Ethershare application via a
> client GUI. It is this app that's causing all the issues with winbind. The
> app should essentially consult nsswitch.conf, find the root user; if the
> root user does not exist it will consult its own passwd database for root;
> if it can't find an account there it will consult nsswitch for some other
> means of auth. Unfortunately, when winbind is running the app doesn't see root
> in /etc/passwd or in its own passwd database and then begins to consult
> winbind. However, the app hangs while logging in for 30 minutes, but stopping
> winbind allows you to login instantly.
> I'm attaching my smb.conf as well
> as 3 text files named (TrussAdmSrvFailed.out, TrussAdmsrvSuccess.out, and
> TrussWinbindFailedAuth.out). The first two are truss outputs of the
> application admsrv in both a successful state without winbind and an
> unsuccessful state with winbind. The last is a truss of winbind while a
> failed login is in progress. I hope this is enough to help; let me know if
> there is something else that may help with debugging this.
>
> # Samba config file created using SWAT
> # from 170.165.228.218 (170.165.228.218)
> # Date: 2005/09/29 16:51:36
>
> # Global parameters
> [global]
> workgroup = NDMSNET
> realm = NEWSDAY.AD.TRB
> netbios name = NDCCS
> server string = Consolidated Content Server
> interfaces = 170.165.195.177
> bind interfaces only = Yes
> security = ADS
> map to guest = Bad User
> lanman auth = No
> client NTLMv2 auth = Yes
> client lanman auth = No
> client plaintext auth = No
> getwd cache = No
> wins server = 170.165.228.9
> ldap ssl = no
> idmap uid = 10000-30000
> idmap gid = 10000-30000
> winbind separator = +
> winbind use default domain = Yes
> admin users = root, NDMSNET+marcusm
> wide links = No
>
> [Laser]
> comment = Laser Print Queue Share
> path = /opi_laser
> read only = No
>
> [Imagers]
> comment = Image Setter Queue Share
> path = /opi_imagers
> read only = No
>
> [XML]
> comment = XML Share For Order Entry
> path = /app/samba/Mounts
> read only = No
>
> [ToPlate]
> comment = PDF To Plate Share
> path = /psfiles/To_Plate
> read only = No
>
> [RipCheck]
> comment = Rip Validation Share
> path = /app/samba/PagMounts
>
> [MattsHome]
> comment = Home Dir
> path = /usr/users/mmarcus
> read only = No
> create mask = 0664
> directory mask = 0775
> browseable = No
>
> [HammerThis]
> comment = Samba3 Stress Test
> path = /vol11
> admin users = NDMSNET+marcusm, NDMSNET+benzej
> read only = No
> guest ok = Yes
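Added example, not code from the thread or from the Samba project: a small checker for the smb.conf points raised above (whether winbind enumeration is still on, whether the idmap ranges are set and clear of local ids, and where "admin users" makes share access run as root). The embedded config is a constructed, trimmed copy of the one posted in the thread; treating a missing "winbind enum" setting as "yes" is an assumption based on the reply.

```python
import re

# Constructed sample: trimmed from the smb.conf posted in this thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = NDMSNET
    security = ADS
    idmap uid = 10000-30000
    idmap gid = 10000-30000
    admin users = root, NDMSNET+marcusm
[HammerThis]
    path = /vol11
    admin users = NDMSNET+marcusm, NDMSNET+benzej
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; keys lower-cased, comments skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def check_winbind_config(conf):
    """Return findings for the settings discussed in the thread."""
    g, findings = conf.get("global", {}), []
    # Enumeration walks the whole domain; absent means 'yes' (the 3.0.20 default the reply implies).
    for opt in ("winbind enum users", "winbind enum groups"):
        if g.get(opt, "yes").lower() in ("yes", "true", "1"):
            findings.append(f"{opt} is on: getpwent()/getgrent() query the whole domain")
    # Domain accounts need an idmap range that stays clear of local uids/gids.
    for opt in ("idmap uid", "idmap gid"):
        rng = g.get(opt, "")
        if not re.fullmatch(r"\d+-\d+", rng):
            findings.append(f"{opt} missing or malformed: no Unix ids for domain accounts")
        elif int(rng.split("-")[0]) < 1000:
            findings.append(f"{opt} range {rng} overlaps local system ids")
    # 'admin users' performs every file operation on that share as root.
    for section, opts in conf.items():
        if "admin users" in opts:
            findings.append(f"[{section}] admin users = {opts['admin users']} act as root")
    return findings
```

Run it against the posted config and it reports both enum settings as on; add "winbind enum users = No" and "winbind enum groups = No" to [global], as the reply suggests, and only the "admin users" findings remain.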