Folks,
Got an odd one here that's had me scratching my head for a few days! Samba
3.3.4-31 from SuSE's RedHat repository, RHEL5 on x86.
Compiled OK once I'd worked out how to force a build on the libraries I
needed, I also added the code back in to support the 'winbind: ignore
domains' directive in smb.conf. Discovered the hard way that 'make
install'
doesn't move the libnss* libraries over to /lib :)
/etc/nsswitch.conf and /etc/pam.d/system-auth configured for winbind
support, smb.conf configured for Active Directory once I worked out which
directives were actually in use, there's a lot of conflicting info out there
in web-land! Also discovered the hard way that wbinfo -u and -g won't work
unless you have 'winbind enumerate users = yes' and 'winbind
enumerate
groups = yes' in smb.conf. It would be nice if wbinfo says this rather than
just exiting!
What works:
all domain and file sharing, I can connect an XP network drive using my
Active Directory username, smbclient authenticates ok, 'net ads'
commands
are happy. Files created get the correct credentials.
What doesn't:
getent passwd and getent group (strace shows it's using the wrong directory
name for the priveleged winbind pipe)
ssh logins using AD username. I get the following logs:
/var/log/samba/winbindd.log
[2009/06/18 11:18:45, 0] winbindd/winbindd.c:request_len_recv(616)
request_len_recv: Invalid request size received: 2088 (expected 2096)
/var/log/secure
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fs2.cam.cw.local
user=ADuser
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_winbind(sshd:auth): [pamh:
0x09769350] ENTER: pam_sm_authenticate (flags: 0x0001)
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_winbind(sshd:auth): getting
password (0x00000011)
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_winbind(sshd:auth): pam_get_item
returned a password
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_winbind(sshd:auth): Verify user
'ADuser'
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_winbind(sshd:auth):
pam_winbind_request: write to socket failed!
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_winbind(sshd:auth): internal module
error (retval = 3, user = 'ADuser')
Jun 18 11:18:45 old-fs2 sshd[25696]: pam_winbind(sshd:auth): [pamh:
0x09769350] LEAVE: pam_sm_authenticate returning 3
Jun 18 11:18:47 old-fs2 sshd[25696]: Failed password for ADuser from
10.134.0.102 port 54947 ssh2
Jun 18 11:18:48 old-fs2 sshd[25697]: Connection closed by 10.134.0.102
Obviously the 'write to socket failed' and the error in winbindd.log are
directly related, and last time I had an error like that it was because the
correct libnss* libraries hadn't been installed. Since file sharing and
smbclient can authenticate against AD correctly winbind is obviously
working, nothing in the debug level 20 logs to suggest otherwise.
pam_winbind is being correctly compiled and linked so I'm currently at a
loss.
Anyone lucky enough to have seen this before?
Cheers!
--
--
adrian/witchy
Owner of Binary Dinosaurs, the UK's biggest home computer collection?
www.binarydinosaurs.co.uk