Hi,

I was trying to set up winbind on a CentOS 4 host to authenticate to the AD on my network. My smb.conf is very simple: I'm only setting workgroup, realm, security, and for winbind I'm setting:

encrypt passwords = yes
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000

When trying to start the service with "service winbind start", I'm getting these error messages:

Jan 10 16:18:00 myhost kernel: audit(1199999880.483:2): avc: denied { write } for pid=4490 comm="winbindd" name="secrets.tdb" dev=sda2 ino=192690 scontext=root:system_r:winbind_t tcontext=root:object_r:samba_etc_t tclass=file
Jan 10 16:18:00 myhost winbindd[4490]: [2008/01/10 16:18:00, 0] passdb/secrets.c:secrets_init(67)
Jan 10 16:18:00 myhost winbindd[4490]: Failed to open /etc/samba/secrets.tdb
Jan 10 16:18:00 myhost winbindd[4490]: [2008/01/10 16:18:00, 0] nsswitch/winbindd.c:main(1010)
Jan 10 16:18:00 myhost winbindd[4490]: Could not initialize domain trust account secrets. Giving up

Clearly winbind is violating SELinux's targeted policy by trying to write the secrets.tdb file in the /etc/samba directory.

I looked at smb.conf's man page and found that I could set the directory of this file using the "private dir" directive in smb.conf's global section, and that's what I did. I set it to /var/cache/samba/winbindd_privileged, which I found was a directory created by the samba-common package, with 750 permissions and a winbind_var_run_t context.

I would like to know if I did the right thing or not, or if I should have put the secrets.tdb in a directory other than that one. What would be the recommended configuration?

Thanks!

Filipe