George Lenzer
2002-Dec-03 20:53 UTC
[Samba] Problem with winbind (is this the right list?)
I'm running a RedHat 8.0 system. Pretty much stock. But I uninstalled the version of samba, samba-common and samba-client that came with it. Instead I downloaded a tarball from samba.org. I have just finished compiling and installing samba 2.2.7 using the --with-pam --with-smbmount --with-winbind options during configure. I also made the necessary changes to smb.conf, /etc/pam.d/login, /etc/pam.d/system-auth. The system has been added to my NT 4 domain with the smbpasswd command.

If I test using the following commands:

wbinfo -u
wbinfo -g

I get lists of the NT domain users and groups, respectively. Also, if I do:

wbinfo -a DOMAIN+username%password

I get the following message:

plaintext password authentication succeeded

So... it looks like my system is communicating with the NT PDC. But... if I try these commands:

getent passwd
getent group

I only see the local users and groups listed, respectively. Also, when I try to log into the console with DOMAIN+username and then the password I get the following message briefly, then I am thrown back to the login prompt:

user not known to any authentication module

Anyone else here have winbind working? If this is the wrong place to post this, please let me know.

Thanks,
George
daniel.jarboe@custserv.com
2002-Dec-04 13:23 UTC
[Samba] Problem with winbind (is this the right list?)
This is the right list. I'm having similar problems with getent not working properly. Wbinfo -u / -g / -a work, but getent stopped showing anything but local users, though it USED to work. I wonder if it has anything to do with the upgrade to the errata glibc which provides getent? Or it could be any number of things, like in my situation the PDC was moved to a different server, and I'd done a few upgrades of samba along the way. The fact that you are having getent problems too is a good sign for me, maybe an answer will come.

As far as your "user not known to any authentication module" problem, despite my getent problems I have no problems logging in to samba for file/print services. Maybe posting the changes you made to pam.d/login and pam.d/system-auth will help some to fix that problem, or maybe logging into those services won't work until your getent starts behaving?

Sorry I couldn't be of more help, but hopefully it's a start.

~ Daniel

George Lenzer wrote:

> I'm running a RedHat 8.0 system. Pretty much stock. But I uninstalled the version of samba, samba-common and samba-client that came with it. Instead I downloaded a tarball from samba.org. I have just finished compiling and installing samba 2.2.7 using the --with-pam --with-smbmount --with-winbind options during configure. I also made the necessary changes to smb.conf, /etc/pam.d/login, /etc/pam.d/system-auth. The system has been added to my NT 4 domain with the smbpasswd command.
>
> If I test using the following commands:
>
> wbinfo -u
> wbinfo -g
>
> I get lists of the NT domain users and groups, respectively. Also, if I do:
>
> wbinfo -a DOMAIN+username%password
>
> I get the following message:
>
> plaintext password authentication succeeded
>
> So... it looks like my system is communicating with the NT PDC. But... if I try these commands:
>
> getent passwd
> getent group
>
> I only see the local users and groups listed, respectively. Also, when I try to log into the console with DOMAIN+username and then the password I get the following message briefly, then I am thrown back to the login prompt:
>
> user not known to any authentication module
>
> Anyone else here have winbind working? If this is the wrong place to post this, please let me know.
>
> Thanks,
> George

-----------------------------------------------------------------------
This message is the property of Time Inc. or its affiliates. It may be legally privileged and/or confidential and is intended only for the use of the addressee(s). No addressee should forward, print, copy, or otherwise reproduce this message in any manner that would allow it to be viewed by any individual not originally listed as a recipient. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is strictly prohibited. If you have received this communication in error, please immediately notify the sender and delete this message. Thank you.
Gerald (Jerry) Carter
2002-Dec-04 14:05 UTC
[Samba] Problem with winbind (is this the right list?)
On Wed, 4 Dec 2002 daniel.jarboe@custserv.com wrote:

> So... it looks like my system is communicating with the NT PDC. But...
> if I try these commands:
>
> getent passwd
> getent group
>
> I only see the local users and groups listed, respectively.

Make sure the /lib/libnss_winbind.so.2 -> /lib/libnss_winbind.so* link exists.

cheers, jerry

----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
ISBN 0-672-32269-2 "SAMS Teach Yourself Samba in 24 Hours" 2ed
"You can never go home again, Oatman, but I guess you can shop there."
--John Cusack - "Grosse Point Blank" (1997)
daniel.jarboe@custserv.com
2002-Dec-04 14:21 UTC
[Samba] Problem with winbind (is this the right list?)
Something more than that Jerry, the symlink is there :(.
$ ls -l /lib/libnss_winbind*
-rwxr-xr-x 1 root root 18727 Nov 21 11:45 /lib/libnss_winbind.so
lrwxrwxrwx 1 root root 22 Nov 21 12:25 /lib/libnss_winbind.so.2 -> /lib/libnss_winbind.so
Stab in the dark, does this look right?
$ ldd `which getent`
libc.so.6 => /lib/libc.so.6 (0x40024000)
/lib/ld.so.1 => /lib/ld.so.1 (0x40000000)
Also, any idea why after wbinfo -u / -g lists users / groups in the
domain I get a 0xc0000233? Googling showed
STATUS_DOMAIN_CONTROLLER_NOT_FOUND.
I was hoping to get the getent stuff straightened out before trying 3.x.
:(
~ Daniel
----------
> So... it looks like my system is communicating with the NT PDC. But...
> if I try these commands:
>
> getent passwd
> getent group
>
> I only see the local users and groups listed, respectively.
Make sure the /lib/libnss_winbind.so.2 -> /lib/libnss_winbind.so* link exists.
Gerald (Jerry) Carter
2002-Dec-04 14:29 UTC
[Samba] Problem with winbind (is this the right list?)
On Wed, 4 Dec 2002 daniel.jarboe@custserv.com wrote:

> Stab in the dark, does this look right?
> $ ldd `which getent`
> libc.so.6 => /lib/libc.so.6 (0x40024000)
> /lib/ld.so.1 => /lib/ld.so.1 (0x40000000)

Looks fine. What are the values for "winbind enum user" and "winbind enum group"? What happens when you run `strace getent passwd`?

> Also, any idea why after wbinfo -u / -g lists users / groups in the
> domain I get a 0xc0000233? Googling showed
> STATUS_DOMAIN_CONTROLLER_NOT_FOUND.

Possible for a trusted domain controller (since it listed all the users/groups in your domain). I would need to check the code to be certain.

cheers, jerry
daniel.jarboe@custserv.com
2002-Dec-04 14:53 UTC
[Samba] Problem with winbind (is this the right list?)
Thanks! wbinfo -m returned 3 domains, none of which I should be concerned with :), so that sets my mind at ease. Oddly enough, wbinfo -u returns the users in 1 of the 3 domains, but not the other 2. Wonder if they misconfigured?

~ Daniel

> From: Herb Lewis
>
> The 0xc0000233 is most likely because a trusted domain controller
> is not reachable. run the command
>
> wbinfo -m
>
> to see the list of domains that are trusted. I'll bet you will not
> see a listing of any groups or users from one of those.
daniel.jarboe@custserv.com
2002-Dec-04 15:22 UTC
[Samba] Problem with winbind (is this the right list?)
> Looks fine. What are the values for "winbind enum user" and "winbind enum
> group"? What happens when you run `strace getent passwd`?

Argh. Of course it would be the simplest answer, winbind enum user and winbind enum group were set to No after reading "On large installations it may be necessary to suppress the enumeration of users...", and forgotten about. Thank you for your help.

George did not include his smb.conf, maybe this is the root of his problems too.

~ Daniel
George Lenzer
2002-Dec-04 15:55 UTC
[Samba] Problem with winbind (is this the right list?)
First, I want to thank folks for replying. :) When I did an strace the
first time it pointed out that I created the symlink with the wrong
name. After deleting and recreating the symlink, I got this:
List of local users first...
read(3, "", 4096) = 0
open("/etc/ld.so.cache", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=62728, ...}) = 0
old_mmap(NULL, 62728, PROT_READ, MAP_PRIVATE, 4, 0) = 0x401ed000
close(4) = 0
open("/lib/libnss_winbind.so.2", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\17"..., 1024) = 1024
fstat64(4, {st_mode=S_IFREG|0755, st_size=16033, ...}) = 0
old_mmap(NULL, 23536, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40015000
mprotect(0x40018000, 11248, PROT_NONE) = 0
old_mmap(0x40018000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x2000) = 0x40018000
old_mmap(0x40019000, 7152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40019000
close(4) = 0
munmap(0x401ed000, 62728) = 0
getpid() = 2675
getpid() = 2675
getpid() = 2675
lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/tmp/.winbindd/pipe", 0xbffff430) = -1 ENOENT (No such file or directory)
close(3) = 0
munmap(0x40013000, 4096) = 0
getpid() = 2675
getpid() = 2675
lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/tmp/.winbindd/pipe", 0xbffff4d0) = -1 ENOENT (No such file or directory)
munmap(0x40014000, 4096) = 0
_exit(0) = ?
It looks like the libnss_winbind.so lib is complaining about a file not
existing. I checked and found that there is a /tmp/.winbindd but it
doesn't contain a file in it called 'pipe'
Daniel said:
> Argh. Of course it would be the simplest answer, winbind enum user and
> winbind enum group were set to No after reading "On large installations
> it may be necessary to suppress the enumeration of users...", and
> forgotten about.
Hmmm... Are you saying it should be set to Yes, or to No?
Here is my smb.conf:
[global]
# WinBind stuff
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
# Set the Windows name of your workstation
netbios name = 0000s035
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = CPLIBRARY
# server string is the equivalent of the NT Description field
server string = RedHat 8.0 Workstation
# Printer settings
printcap name = /etc/printcap
load printers = yes
printing = lprng
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log
# Put a capping on the size of the log files (in Kb).
max log size = 100
# Logging level
log level = 1
# Security mode. Most people will want user level security.
security = domain
# Use password server option only with security = server
password server = *
# Use encryption
encrypt passwords = yes
# Where is the smbpasswd file?
smb passwd file = /etc/samba/smbpasswd
# UNIX pw to be kept in sync with the SMB password.
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
# PAM pw
pam password change = yes
# Samba should obey PAM's account and session management directives.
obey pam restrictions = yes
# Most people will find that this option gives better performance.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Browser Control Options:
local master = no
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
wins server = 10.0.1.15
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.
dns proxy = no
# Case Preservation can be handy - system default is _no_
preserve case = yes
short preserve case = yes
default case = lower
case sensitive = no
# Share Definitions =============================
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %D+%S
create mode = 0664
directory mode = 0775
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[testshare$]
comment = Testing
path = /shares/test
valid users = root deckard
public = no
writable = yes
printable = no
create mask = 0765
George Lenzer
2002-Dec-04 16:04 UTC
[Samba] Problem with winbind (is this the right list?)
One more thing... After I fixed the symlink so it had the right name (libnss_winbind.so.2 instead of libnss_winbind.2) wbinfo broke. Now, I can't get users, groups or verify plaintext authentication. An strace of wbinfo -u also gives me the same thing that getent did. The file 'pipe' is missing from /tmp/.winbindd. Why did wbinfo work in the first place if I had the wrong symlink?
daniel.jarboe@custserv.com
2002-Dec-04 16:55 UTC
[Samba] Problem with winbind (is this the right list?)
winbind enum users = yes
winbind enum groups = yes

Is the way it should be. You are fine in that respect. Did you restart winbind after fixing the symlinks? It might help.

<snip>
> lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> lstat64("/tmp/.winbindd/pipe", 0xbffff430) = -1 ENOENT (No such file or directory)
> close(3) = 0
<snip>
> Hmmm... Are you saying it should be set to Yes, or to No?
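
Added example, not part of any post in the thread and not Samba code: the three causes the thread turns up (a misnamed libnss_winbind.so.2 symlink, a missing /tmp/.winbindd/pipe, enumeration switched off in smb.conf) checked mechanically from `strace getent passwd` output and smb.conf text. The function names, finding strings and sample input are constructed for illustration.

```python
import re

# Matches path-taking syscalls in strace output: name("path", ...) = ret [ERRNO]
CALL = re.compile(r'^(\w+)\("([^"]+)".*\)\s*=\s*(-?\d+)(?:\s+(E[A-Z]+))?')
FALSE_VALUES = {"no", "false", "0"}  # values smb.conf treats as boolean false

def trace_findings(trace):
    """Return findings about the NSS module and the winbindd pipe."""
    module_opened = False
    findings = []
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue
        name, path, ret, err = m.groups()
        # glibc loads the NSS module by this exact name; a failed open means no winbind lookups.
        if name == "open" and path.endswith("libnss_winbind.so.2") and int(ret) >= 0:
            module_opened = True
        # The module looks for winbindd's pipe; ENOENT means there is no daemon to ask.
        if path.endswith("/.winbindd/pipe") and err == "ENOENT":
            msg = "winbindd pipe missing: " + path
            if msg not in findings:
                findings.append(msg)
    if not module_opened:
        findings.insert(0, "libnss_winbind.so.2 never opened: check the symlink name")
    return findings

def enum_findings(conf):
    """Return findings for enumeration explicitly switched off in [global]."""
    section, findings = None, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or smb.conf comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = (part.strip().lower() for part in line.split("=", 1))
            key = " ".join(key.split())  # normalise case and spacing of the name
            if key in ("winbind enum users", "winbind enum groups") and value in FALSE_VALUES:
                # Per the thread: with these set to No, getent showed local entries only.
                findings.append(key + " is off: getent will not list domain entries")
    return findings

# Constructed sample input, modelled on the trace and smb.conf posted in the thread.
SAMPLE_TRACE = '''open("/lib/libnss_winbind.so.2", O_RDONLY) = 4
lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/tmp/.winbindd/pipe", 0xbffff430) = -1 ENOENT (No such file or directory)
lstat64("/tmp/.winbindd/pipe", 0xbffff4d0) = -1 ENOENT (No such file or directory)'''
SAMPLE_CONF = "[global]\n  winbind separator = +\n  Winbind Enum Users = No\n  winbind enum groups = yes\n"

if __name__ == "__main__":
    for finding in trace_findings(SAMPLE_TRACE) + enum_findings(SAMPLE_CONF):
        print(finding)
```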