Hello,

We have an E4500 running Solaris 2.6 that we wish to serve filesystems via Samba with. I have compiled and installed Samba 2.2.2 on this machine. The issue that we are having is with winbindd. We have an NT4 domain controller that we want to authenticate users against for security and file-system lockdown purposes, while inconveniencing the end users as little as possible.

In my /usr/local/samba/lib/smb.conf file I have the lines:

    winbind uid = 20000-30000
    winbind gid = 20000-30000
    winbind separator = \
    winbind cache time = 60
    template homedir = /users/%U
    template shell = /usr/bin/ksh

and /etc/nsswitch.conf contains the lines:

    passwd: files winbind
    group: files winbind

/etc/pam.conf looks like:

    #ident "@(#)pam.conf 1.19 95/11/30 SMI"
    #
    # PAM configuration
    #
    # Authentication management
    #
    login auth sufficient /usr/lib/security/pam_winbind.so
    login auth required /usr/lib/security/pam_unix.so.1 try_first_pass
    login auth required /usr/lib/security/pam_dial_auth.so.1 try_first_pass
    #
    rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
    rlogin auth sufficient /usr/lib/security/pam_winbind.so
    rlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass
    #
    dtlogin auth sufficient /usr/lib/security/pam_winbind.so
    dtlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass
    #
    rsh auth required /usr/lib/security/pam_rhosts_auth.so.1
    other auth sufficient /usr/lib/security/pam_winbind.so
    other auth required /usr/lib/security/pam_unix.so.1 try_first_pass
    #
    # Account management
    #
    login account sufficient /usr/lib/security/pam_winbind.so
    login account required /usr/lib/security/pam_unix.so.1
    dtlogin account sufficient /usr/lib/security/pam_winbind.so
    dtlogin account required /usr/lib/security/pam_unix.so.1
    #
    other account sufficient /usr/lib/security/pam_winbind.so
    other account required /usr/lib/security/pam_unix.so.1
    #
    # Session management
    #
    other session required /usr/lib/security/pam_unix.so.1
    #
    # Password management
    #
    other password sufficient /usr/lib/security/pam_winbind.so
    other password required /usr/lib/security/pam_unix.so.1
    #
    # Solaris Resource Manager 1.0
    #
    login account requisite pam_srm.so.1 nolnode=/etc/srm/nolnode
    other account requisite pam_srm.so.1 nolnode=/etc/srm/nolnode
    other session requisite pam_srm.so.1

I have copied pam_winbind.so to /lib/security and libnss_winbind.so to /lib and created 2 soft-links in ./lib to libnss_winbind.so named libnss_winbind.so.1 and libnss_winbind.so.2.

When I try to run "/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator" (where DOMAIN and PDC is our domain name and Primary Domain Controller respectively), I get the error messages:

    INFO: Debug class all level = 3 (pid 3797 from pid 3797)
    added interface ip=XXX.XXX.XXX.XXX bcast=XXX.XXX.XXX.XXX
    nmask=XXX.XXX.XXX.XXX Password:
    resolve_lmhosts: Attempting lmhosts lookup for name PDC<0x20>
    resolve_hosts: Attempting host lookup for name PDC<0x20>
    Connecting to XXX.XXX.XXX.XXX at port 139
    session setup ok
    Domain=[DOMAIN] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
    Unable to join domain DOMAIN.

I know that the password used is valid and OK.

Has anyone gotten this to work? Management is really pushing for access control for this.

Thanks!
Tom

On Tuesday 11 December 2001 15:49, knoxth@cch.com wrote:
> When I try to run "/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U
> Administrator" (where DOMAIN and PDC is our domain name and Primary Domain
> Controller respectively), I get the error messages:
>
> INFO: Debug class all level = 3 (pid 3797 from pid 3797)
> added interface ip=XXX.XXX.XXX.XXX bcast=XXX.XXX.XXX.XXX
> nmask=XXX.XXX.XXX.XXX Password:
> resolve_lmhosts: Attempting lmhosts lookup for name PDC<0x20>
> resolve_hosts: Attempting host lookup for name PDC<0x20>
> Connecting to XXX.XXX.XXX.XXX at port 139
> session setup ok
> Domain=[DOMAIN] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
> Unable to join domain DOMAIN.
>
> I know that the password used is valid and OK.

I don't see a passwd prompt above. Probably you removed it?
Try to add unix box to domain on the PDC in server manager, then issue join command on unix side.

> Has anyone gotten this to work? Management is really pushing for access
> control for this.

Well, I have this working.
--
vda