samba - Jun 2009 - Samba 3.3.4-31 ssh/winbind login failure

Folks,

Got an odd one here that's had me scratching my head for a few days! Samba
3.3.4-31 from SuSE's RedHat repository, RHEL5 on x86.

Compiled OK once I'd worked out how to force a build on the libraries I
needed, I also added the code back in to support the 'winbind: ignore
domains'  directive in smb.conf. Discovered the hard way that 'make
install'
doesn't move the libnss* libraries over to /lib :)

/etc/nsswitch.conf and /etc/pam.d/system-auth configured for winbind
support, smb.conf configured for Active Directory once I worked out which
directives were actually in use, there's a lot of conflicting info out there
in web-land! Also discovered the hard way that wbinfo -u and -g won't work
unless you have 'winbind enumerate users = yes' and 'winbind
enumerate
groups = yes' in smb.conf. It would be nice if wbinfo says this rather than
just exiting!

What works:
all domain and file sharing, I can connect an XP network drive using my
Active Directory username, smbclient authenticates ok, 'net ads'
commands
are happy. Files created get the correct credentials.

What doesn't:
getent passwd and getent group (strace shows it's using the wrong directory
name for the priveleged winbind pipe)
ssh logins using AD username. I get the following logs:

/var/log/samba/winbindd.log
[2009/06/18 11:18:45,  0] winbindd/winbindd.c:request_len_recv(616)
  request_len_recv: Invalid request size received: 2088 (expected 2096)

/var/log/secure
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fs2.cam.cw.local
user=ADuser
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_winbind(sshd:auth): [pamh:
0x09769350] ENTER: pam_sm_authenticate (flags: 0x0001)
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_winbind(sshd:auth): getting
password (0x00000011)
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_winbind(sshd:auth): pam_get_item
returned a password
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_winbind(sshd:auth): Verify user
'ADuser'
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_winbind(sshd:auth):
pam_winbind_request: write to socket failed!
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_winbind(sshd:auth): internal module
error (retval = 3, user = 'ADuser')
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_winbind(sshd:auth): [pamh:
0x09769350] LEAVE: pam_sm_authenticate returning 3
Jun 18 11:18:47 old-fs2 sshd[25696]: Failed password for ADuser from
10.134.0.102 port 54947 ssh2
Jun 18 11:18:48 old-fs2 sshd[25697]: Connection closed by 10.134.0.102

Obviously the 'write to socket failed' and the error in winbindd.log are
directly related, and last time I had an error like that it was because the
correct libnss* libraries hadn't been installed. Since file sharing and
smbclient can authenticate against AD correctly winbind is obviously
working, nothing in the debug level 20 logs to suggest otherwise.
pam_winbind is being correctly compiled and linked so I'm currently at a
loss.

Anyone lucky enough to have seen this before?

Cheers!

-- 
--
adrian/witchy
Owner of Binary Dinosaurs, the UK's biggest home  computer collection?
www.binarydinosaurs.co.uk

Folks,

Fixed it, looks like 'make install' doesn't move pam_winbind.so over
to
/lib/security either so I was using an old version. The libnss* libs not
going over correctly really should've given me a hint given that the
resulting error (request size 2088, expected 2096) is the same.

Create a link from /lib/security/pam_winbind.so to
/usr/lib/security/pam_winbind.so and suddenly all my problems vanished. I
can now:

map network drives to the samba box and create files with the correct Active
Directory user/group names
smbclient onto the samba box
ssh onto the samba box as an AD user, pick up the correct home directory and
use the correct user/group names.

-- 
--
adrian/witchy
Owner of Binary Dinosaurs, the UK's biggest home  computer collection?
www.binarydinosaurs.co.uk