I have been on the web for hours reading email postings about WINBIND. Here is the scenario. Samba 2.27 on Redhat 8, installed via the Redhat RPMs. The first interesting note was that there is no samba-winbind rpm. It is a part of the samba-common.rpm in Redhat. I have been using Samba as a file server for quite some time. And 100% of my issues with it stem from permission problems. So I heard about winbind. And it is even more poorly documented than Samba. So I checked the resources on samba.org, I had the libraries in the right place in /lib. I had previously rejoined the domain using

    #smbpasswd -j DOMAIN -r PDC -U NTDOMAINADMINACCOUNT

I got the successfully joined the domain message. I checked the active directory on the win2k domain controller and verified that the computer account had been created... enter winbind:

I launch the winbindd daemon. I perform wbinfo -t and get "the secret is good". I perform wbinfo -u and get 0x0c00000022 or something like that. wbinfo -g yields the same results. After running the winbindd daemon in various levels of debug all day and searching the web for the results, I found the answer! Performing the steps outlined in Tim Potter's email on the win2k domain controller resolves this issue. I am still unsure about which files to edit in /etc/pam.d

The howto says to edit /etc/pam.d/*

There are scores of files in there! Surely not.

-----Original Message-----
From: Tim Potter [mailto:tpot@samba.org]
Sent: 27 October 2001 02:29
To: samba-technical@lists.samba.org
Cc: Roberto Sebastiano; Marc Anthony Pierre Barrette
Subject: using winbind with Windows 2000 native mode

I've just tracked down a problem running winbind against a Windows 2000 server running in native mode. Microsoft has added a security restriction which disallows anonymous access to user lists and groups.

To fix this run the following from a command prompt and then reboot (yes the reboot is required - sheesh):

    net localgroup "Pre-Windows 2000 Compatible Access" everyone /add

I couldn't figure out how to do this from the Active Directory Users and Groups MMC thingy. It didn't like the group Everyone for some reason.

Tim.

Peter S Scudamore CCNP, CCDP, MCP
ATM/Fr Network Design
TOUCHAMERICA
off 720.493.2660
mbl 303.358.8760
efax 720.294.2363
scud@tamerica.com

> Message: 16
> Reply-To: <SCUD@GEEKSTUPH.COM>
> From: "Peter S Scudamore" <scud@geekstuph.com>
> To: <samba@lists.samba.org>
> Date: Tue, 26 Nov 2002 01:06:23 -0700
> Subject: [Samba] Annoying winbind problem solved
>
> I launch the winbindd daemon. I perform wbinfo -t and get "the secret is
> good". I perform wbinfo -u and get 0x0c00000022 or something like that.
> wbinfo -g yields the same results. After running the winbindd daemon in
> various levels of debug all day and searching the web for the results, I
> found the answer! Performing the steps outlined in Tim Potter's email on
> the win2k domain controller resolves this issue. I am still unsure about
> which files to edit in /etc/pam.d
>
> The howto says to edit /etc/pam.d/*
>
> There are scores of files in there! Surely not.

I did a paper for a local Linux conference, where I demoed winbind setup during Mandrake 9.0 installation. Afterwards, I made configs for RH 8.0, and they are all in the tarball:

http://ranger.dnsalias.com/mandrake/samba/Integrating%20Linux%20into%20Windows%20Networks.tar.gz

In the redhat directory is a file which can replace /etc/pam.d/system-auth, to do all authentication of all services that support pam via winbind. I also made some changes to RH's default smb.conf to make winbind work the way it was described in my paper.

Regards,
Buchan

-- 
|----------------Registered Linux User #182071-----------------|
Buchan Milne
Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7

You don't need to mess with PAM unless you want people to log on locally using their Domain l/p. If you do you need to alter system-auth.

Shaolin - IT Systems
WB Ltd.
.: http://www.security-forums.com :.

----- Original Message -----
From: Peter S Scudamore
To: samba@lists.samba.org
Sent: Tuesday, November 26, 2002 8:06 AM
Subject: [Samba] Annoying winbind problem solved

On Tue, 26 Nov 2002, Peter S Scudamore wrote:

> [...]
> I am still unsure about which files to edit in /etc/pam.d
>
> The howto says to edit /etc/pam.d/*
>
> There are scores of files in there! Surely not.

Surely YES, but only for those files that you need to change/modify.

For example for access using NT user credentials:

    To log in at the Linux console, or X-Windows: login
    To log on using FTP: wu_ftp

Never modify any /etc/pam.d/* file unless you need to. For an example of various possibilities refer to the samba source tarball:

    ~samba/packaging/Caldera/OpenLinux/samba.pam

The options there commented out can be applied to the above, and to other PAM config files as needed.

- John T.
-- 
John H Terpstra
Email: jht@samba.org
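
Added example, not part of any message in this thread: a script that lists which services under /etc/pam.d actually reach pam_winbind, so the scope of editing a single service file such as login can be compared with replacing system-auth. It assumes Red Hat-style includes of the form pam_stack.so service=NAME and follows one level of include; the function names and the sample files in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which PAM services reach pam_winbind, directly or
# through a Red Hat-style "pam_stack.so service=NAME" include (assumption:
# includes use pam_stack.so; only one level of include is followed).

# True if FILE has an uncommented line naming pam_winbind.
uses_winbind() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_winbind' "$1"
}

# Print the service names FILE pulls in through pam_stack.so.
stacked_services() {
    sed -n 's/^[[:space:]]*[^#[:space:]].*pam_stack\.so.*service=\([A-Za-z0-9_.-]*\).*/\1/p' "$1" | sort -u
}

# winbind_services [DIR]: one line per affected service in DIR.
winbind_services() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        svc=$(basename "$f")
        if uses_winbind "$f"; then
            echo "$svc direct"
            continue
        fi
        for inc in $(stacked_services "$f"); do
            if [ -f "$dir/$inc" ] && uses_winbind "$dir/$inc"; then
                echo "$svc via $inc"
                break
            fi
        done
    done
}

# Constructed sample directory: winbind enabled once in system-auth,
# two services that include it, and one service with the line commented out.
demo() {
    d=$(mktemp -d) || return 1
    printf 'auth sufficient pam_winbind.so\nauth required pam_unix.so use_first_pass\n' > "$d/system-auth"
    printf 'auth required pam_stack.so service=system-auth\n' > "$d/login"
    printf 'auth required pam_stack.so service=system-auth\n' > "$d/sshd"
    printf '#auth sufficient pam_winbind.so\nauth required pam_pwdb.so\n' > "$d/ftp"
    winbind_services "$d"
    rm -rf "$d"
}

demo
```

Run against the real directory with `winbind_services /etc/pam.d`; every service reported "via system-auth" accepts domain credentials even though its own file was never edited.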