Colin Davis
2002-Jul-24 10:01 UTC
[Samba] Winbind trouble. Wbinfo see's users, "getent passwd" doesn't
I'm trying to set up a new fileshare, to replace an aging NT4 machine we've been using for far too long. I'd like to run Linux (RedHat 7.3) on the machine.

Basically, I'm trying to create a fileshare "files" that people can transparently log in to from NT4 and Windows 2000 workstations. My boss has approved the use of Linux for the server, but only if I can make it transparent to the users. (Which means that they shouldn't need to enter anything special to use it, just the standard domain username/password.)

Our workstations are authenticating off of the domain, which has a Primary Domain Controller of HOTT-Main. I want to create several shared folders that anyone can write to, for dumping files, but also several directories that are user-specific. This means that I need to import the NT4 domain list. I'm using winbind to try to do this, but having some trouble.

I set up both Samba and Winbind, but I don't think that winbind is working correctly, and I'm trying to figure out what I missed. When I do a "wbinfo -u" I get a list of domain users, but "getent passwd" just lists the unix users, and not the NT users. What adds to my confusion is that the groups (including the domain groups!) can be listed with "getent group".

Do you have any suggestions on why this might be happening? Could it be because I'm using shadow passwords? I'd appreciate any advice you could offer.

(I'm having a hard time figuring out what is wrong, and it's starting to become tempting to just write a perl script to parse the "wbinfo -u" info, and put it into the /etc/passwd file, but that seems unnecessarily messy.)

My smb.conf looks like the following:

[global]
password server = *
wins server = {ip address of wins server}
remote announce = {ip address of wins server}
winbind uid = 10000-20000
security = domain
encrypt passwords = Yes
winbind separator = +
template shell = /bin/bash
server string = Fileshare
workgroup = DOMAINNAME
winbind gid = 10000-20000
winbind enum groups = yes
netbios name = Files
winbind enum users = yes

{shares go here}

/etc/nsswitch.conf contains:

passwd: files windbind
shadow: files nisplus
group: files winbind

/etc/pam.d/login looks like:

#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
account sufficient /lib/security/pam_winbind.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022

Finally, /etc/pam.d/samba:

#%PAM-1.0
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_winbind.so
auth required pam_pwdb.so use_first_pass shadow nullok
account required pam_winbind.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
dj@4ict.com
2002-Jul-24 12:13 UTC
[Samba] Winbind trouble. Wbinfo see's users, "getent passwd" doesn't
On Wed, 24 Jul 2002, Colin Davis wrote:

> Our workstations are authenticating off of the domain, which has a Primary
> Domain Controller of HOTT-Main. I want to create several shared folders that
> anyone can write to, for dumping files, but also several directories that
> are user-specific.
> This means that I need to import the NT4 domain list. I'm using winbind to
> try to do this, but having some trouble.
>
> I set up both Samba and Winbind, but I don't think that winbind is working
> correctly, and I'm trying to figure out what I missed.
> When I do a "wbinfo -u"
> I get a list of domain users, but "getent passwd" just lists
> the unix users, and not the NT users.
> What adds to my confusion is that the groups (including the domain groups!)
> can be listed with "getent group"

If you get the users using wbinfo but not using getent then there is something wrong with the nis part of winbind. Winbind itself (smb.conf, ...) is working.

> Do you have any suggestions on why this might be happening? Could it be
> because I'm using shadow passwords?

No, the use of shadow passwords or not should not matter. For the Linux system it is an extra way to find users, not changing the existing one.

> (I'm having a hard time figuring out what is wrong, and it's starting to
> become tempting to just write a perl script to parse the "wbinfo -u" info,
> and put it into the /etc/passwd file, but that seems unnecessarily messy)

There should be no need of this.

> My smb.conf looks like the following
>
> [global]
> password server = *
> wins server = {ip address of wins server}
> remote announce = {ip address of wins server}
> winbind uid = 10000-20000
> security = domain
> encrypt passwords = Yes
> winbind separator = +
> template shell = /bin/bash
> server string = Fileshare
> workgroup = DOMAINNAME
> winbind gid = 10000-20000
> winbind enum groups = yes
> netbios name = Files
> winbind enum users = yes
>
> {shares go here}

Looks ok and probably is because wbinfo works.

> /etc/nsswitch.conf contains
>
> passwd: files windbind
> shadow: files nisplus
> group: files winbind

Also ok, checked it with a working winbind system.

> /etc/pam.d/login looks like
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
> account sufficient /lib/security/pam_winbind.so
> session required /lib/security/pam_mkhomedir.so skel=/etc/skel/
> umask=0022
>
> finally, /etc/pam.d/samba
>
> #%PAM-1.0
> auth required pam_securetty.so
> auth required pam_nologin.so
> auth sufficient pam_winbind.so
> auth required pam_pwdb.so use_first_pass shadow nullok
> account required pam_winbind.so service=system-auth
> session required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth

For the getent part not working PAM is not involved, so it shouldn't matter. But the account line in /etc/pam.d/samba is wrong. Either only pam_winbind.so or pam_stack.so service=system-auth.

I could make out from your mail what Linux distro you are using and how you installed samba. But it looks like there is something wrong with the winbind nss library. Check if both

/lib/libnss_winbind.so
/lib/libnss_winbind.so.2

are present on your system.

Regards,
Tim

-- 
==========================================================================
Tim Verhoeven                    Linux & Open Source Specialist
GSM   : 0496 / 693 453           + e-business solutions
Email : dj@4ict.com              + consulting
URL   : www.sin.khk.be/~dj/      + Server consolidation
==========================================================================
Goetz Rieger
2002-Jul-25 02:29 UTC
[Samba] Winbind trouble. Wbinfo see's users, "getent passwd" doesn't
Hey,

On Wed, 24 Jul 2002 10:46:11 -0400 Colin Davis <ColinD@traininghott.com> wrote:

I have just a few comments.

> I set up both Samba and Winbind, but I don't think that winbind is
> working correctly, and I'm trying to figure out what I missed.
> When I do a "wbinfo -u"
> I get a list of domain users, but "getent passwd" just
> lists the unix users, and not the NT users.

Have you joined your NT-Domain with the Samba-box?

Did you install from rpm or did you build Samba by yourself? In the latter case, have you copied libnss_winbind.so to lib and have you linked it to libnss_winbind.so.1 and .2 (according to your library)? I would suggest using the latest version of Samba, not the rpm from your distri.

If you have users which access your server only via Samba, you don't have to fiddle with the pam-modules, which can be pretty exhausting...;-) nor do you have to think about shadow, because these users don't need valid Linux PWs.

> (I'm having a hard time figuring out what is wrong, and it's starting
> to become tempting to just write a perl script to parse the "wbinfo -u"
> info, and put it into the /etc/passwd file, but that seems unnecessarily
> messy)

Yeah! Great! I would like to hear from that ;-)

> passwd: files windbind

And surely you noticed the typo?

> shadow: files nisplus
> group: files winbind

Goetz
Buchan Milne
2002-Jul-25 04:19 UTC
[Samba] Winbind trouble. Wbinfo see's users, "getent passwd" doesn't
| Message: 8
| From: Colin Davis <ColinD@traininghott.com>
| To: "'samba@lists.samba.org'" <samba@lists.samba.org>
| Date: Wed, 24 Jul 2002 10:46:11 -0400
| Subject: [Samba] Winbind trouble. Wbinfo see's users, "getent passwd" doesn't
|
| I'm trying to set up a new fileshare, to replace an aging NT4 machine we've
| been using for far too long.
| I'd like to run Linux (RedHat 7.3) on the machine.
|
| Basically, I'm trying to create a fileshare "files" that people can
| transparently log in to from NT4 and Windows 2000 workstations. My boss has
| approved the use of Linux for the server, but only if I can make it
| transparent to the users.
| (which means that they shouldn't need to enter anything special to use it.
| just the standard domain username/password)

Well, even that shouldn't be necessary.

|
| Our workstations are authenticating off of the domain, which has a Primary
| Domain Controller of HOTT-Main. I want to create several shared folders that
| anyone can write to, for dumping files, but also several directories that
| are user-specific.
| This means that I need to import the NT4 domain list. I'm using winbind to
| try to do this, but having some trouble.
|
| I set up both Samba and Winbind, but I don't think that winbind is working
| correctly, and I'm trying to figure out what I missed.
| When I do a "wbinfo -u"
| I get a list of domain users, but "getent passwd" just lists
| the unix users, and not the NT users.

That narrows it down to either your nsswitch.conf file, or your libnss_winbind.so* files.

| What adds to my confusion is that the groups (including the domain groups!)
| can be listed with "getent group"

That narrows it down to your nsswitch.conf file.

|
| Do you have any suggestions on why this might be happening? Could it be
| because I'm using shadow passwords?
| I'd appreciate any advice you could offer.
|
| (I'm having a hard time figuring out what is wrong, and it's starting to
| become tempting to just write a perl script to parse the "wbinfo -u" info,
| and put it into the /etc/passwd file, but that seems unnecessarily messy)
|
| My smb.conf looks like the following
|
| [global]
| password server = *
| wins server = {ip address of wins server}
| remote announce = {ip address of wins server}
| winbind uid = 10000-20000
| security = domain
| encrypt passwords = Yes
| winbind separator = +

For a file server, you may want to comment out "winbind separator =", so that it uses the default of "\", and will be totally transparent. You may also want to try "winbind use default domain = yes" if you have 2.2.4 or later.

| template shell = /bin/bash
| server string = Fileshare
| workgroup = DOMAINNAME
| winbind gid = 10000-20000
| winbind enum groups = yes
| netbios name = Files
| winbind enum users = yes
|
| {shares go here}
|
| /etc/nsswitch.conf contains
|
| passwd: files windbind
~                  ^
It should be:
passwd: files winbind

| shadow: files nisplus
| group: files winbind
~              ^^^^^^^
That's why your groups work, but users don't.

|
| /etc/pam.d/login looks like
| #%PAM-1.0
| auth required /lib/security/pam_securetty.so
| auth required /lib/security/pam_stack.so service=system-auth
| auth required /lib/security/pam_nologin.so
| account required /lib/security/pam_stack.so service=system-auth
| password required /lib/security/pam_stack.so service=system-auth
| session required /lib/security/pam_stack.so service=system-auth
| session optional /lib/security/pam_console.so
| account sufficient /lib/security/pam_winbind.so
| session required /lib/security/pam_mkhomedir.so skel=/etc/skel/
| umask=0022

If you need login to work also, you have a tough choice between using + and \ as winbind separator ...

|
| finally, /etc/pam.d/samba
|
| #%PAM-1.0
| auth required pam_securetty.so
| auth required pam_nologin.so
| auth sufficient pam_winbind.so
| auth required pam_pwdb.so use_first_pass shadow nullok
| account required pam_winbind.so service=system-auth
~                                 ^^^^^^^^^^^^^^^^^^^
This is not going to do anything useful! (although it shouldn't be a problem.)

| session required pam_stack.so service=system-auth
| password required pam_stack.so service=system-auth

You could also do better to try the system-auth-winbind.pamd file that is in packaging/Mandrake, and either use it to replace /etc/pam.d/system-auth, or copy it to /etc/pam.d/system-auth-winbind, and replace the "service=system-auth" with "service=system-auth-winbind".

And finally, if your /etc/pam.d/samba file uses pam_mkhomedir (either directly or via pam_stack), you will probably want to have "obey pam restrictions = yes" in your smb.conf, so that samba can create home directories when users connect the first time (just remember to make the parent directory of the homes specified in your template). This will give you instant personal shares like you mentioned above.

Of course, you may rather just want to spare yourself the effort, and install Mandrake 8.2 with the updated samba RPMs for Mandrake from ftp.samba.org, since installing samba-winbind will do most of this for you, and there is a surprise coming in Mandrake 9.0!

Buchan

-- 
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
Colin Davis
2002-Jul-25 05:53 UTC
[Samba] Winbind trouble. Wbinfo see's users, "getent passwd" doesn't
> | /etc/nsswitch.conf contains
> |
> | passwd: files windbind
> ~                  ^
> It should be:
> passwd: files winbind
>
> | shadow: files nisplus
> | group: files winbind
> ~              ^^^^^^^
> That's why your groups work, but users don't.

Ok. I am a complete and total moron! ;)

> If you need login to work also, you have a tough choice
> between using + and \ as winbind separator ...

I'm taking your advice and going with \. Easier is better. I can manually create login accounts.

> And finally, if your /etc/pam.d/samba file uses pam_mkhomedir
> (either directly or via pam_stack), you will probably want to
> have "obey pam restrictions = yes" in your smb.conf, so that
> samba can create home directories when users connect the
> first time (just remember to make the parent directory of the
> homes specified in your template). This will give you instant
> personal shares like you mentioned above.

Thank you, I'll work on this next ;)

Thank you very much for your time and patience,
Colin Davis
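
Added example, not part of any post in this thread: a POSIX shell check that flags an nsswitch.conf source with no matching NSS module, which is how the "windbind" typo shows up. It assumes the glibc naming convention libnss_<source>.so.2 that the replies refer to; the function names, the NSS_BUILTIN variable and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Lint nsswitch.conf: each source listed for a database must resolve to a
# libnss_<source>.so.2 module in one of the given library directories.
# NSS_BUILTIN = sources to skip (assumption: "files" and "dns" can be compiled
# into libc on newer glibc; export NSS_BUILTIN="" to check them as well).

# usage: check_nss_sources CONF LIBDIR [LIBDIR...]
# Prints "database: source" per unresolvable source; exit status 1 if any.
check_nss_sources() (
    conf=$1; shift
    builtin_srcs="${NSS_BUILTIN-files dns}"
    bad=0
    set -f                                  # no globbing on config tokens
    while read -r db rest; do
        case $db in
            *:) db=${db%:} ;;               # "passwd:" -> "passwd"
            *)  continue ;;                 # blank or malformed line
        esac
        for src in $rest; do
            case " $builtin_srcs " in *" $src "*) continue ;; esac
            found=0
            for dir in "$@"; do
                if [ -e "$dir/libnss_$src.so.2" ]; then found=1; break; fi
            done
            if [ "$found" -eq 0 ]; then echo "$db: $src"; bad=1; fi
        done
    done <<EOF
$(sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$conf")
EOF
    exit "$bad"
)

# Constructed sample mirroring the thread: the passwd line carries the typo,
# the group line does not, and the winbind/nisplus modules are "installed".
demo() {
    tmp=$(mktemp -d) || return 2
    : > "$tmp/libnss_winbind.so.2"
    : > "$tmp/libnss_nisplus.so.2"
    printf '%s\n' 'passwd: files windbind' 'shadow: files nisplus' \
        'group: files winbind [NOTFOUND=return]' > "$tmp/nsswitch.conf"
    rc=0
    check_nss_sources "$tmp/nsswitch.conf" "$tmp" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "fix the source name or install the missing NSS module"
```

On a real host the call would be `check_nss_sources /etc/nsswitch.conf /lib /lib64`, with the directory list adjusted to wherever the distribution installs its NSS modules.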