Hello once again,

I've got winbind doing authentication not just for the samba service but also sshd and login. It's great. However, I have to give a fully-qualified username (e.g. "GENEEDINC+chris.palmer") as the username when logging in via these methods. I wondered, is there any way to get winbindd to insert the domain and the separator for the user, when none is provided?

I checked winbindd(8). There is $WINBINDD_DOMAIN, but my expectations about what it provides appear to be wrong -- it's a security restriction and not a user-friendly helper.

==
Client processes resolving names through the winbindd nsswitch module read an environment variable named $WINBINDD_DOMAIN. If this variable contains a comma separated list of Windows NT domain names, then winbindd will only resolve users and groups within those Windows NT domains.
==

Figuring sshd was the client of winbindd, I tried this:

==
# WINBINDD_DOMAIN=GENEEDINC sshd
# ssh -l chris.palmer localhost
chris.palmer@localhost's password:
Permission denied, please try again.
chris.palmer@localhost's password:
Permission denied, please try again.
chris.palmer@localhost's password:
Permission denied (publickey,password,keyboard-interactive).
==

The contents of /var/log/secure ("sshd[15753]: input_userauth_request: illegal user chris.palmer") suggest that it didn't assume "GENEEDINC+" at the beginning of my username like I'd hoped.

It'd be nice if there were an smb.conf option for [global] like "default winbind domain = WHATEVER". Is there a plan to include such a feature in the future, or does this feature exist and I just haven't found it?

Thanks again,

--
Chris Palmer
Systems Programmer
GeneEd
> Message: 18
> Date: Tue, 7 Jan 2003 16:47:44 -0800
> From: "Chris Palmer" <chris.palmer@geneed.com>
> To: <samba@lists.samba.org>
> Subject: [Samba] Default domain for winbindd?
[...]
> It'd be nice if there were an smb.conf option for [global] like "default
> winbind domain = WHATEVER". Is there a plan to include such a feature
> in the future, or does this feature exist and I just haven't found it?
>

Try 'winbind use default domain' in the global section of smb.conf, and it will use the default domain (the one which is already listed in 'workgroup'). It's not supported by the samba team on 2.2.x, but it works quite well for authentication via pam (there are apparently issues with samba, specifically ACLs).

We (Mandrake 9.0) use it when selecting "Windows Domain" as the authentication method during installation (out-the-box winbind works on it ...), but our config for that setup doesn't have any file shares enabled to ensure people don't have problems which aren't of their own making ...

Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne
Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
The reason why your line was badly formed was because it sounds like you used the name of the parameter without specifying any value... so the badly formed line gets ignored and the default (= no) used instead. What you were looking for was 'winbind use default domain = yes' ...

That being said, do not use this in 2.x because it was meant for 3.x and has problems in 2.x releases ( http://marc.theaimsgroup.com/?l=samba&m=103608357527005&w=2 , http://marc.theaimsgroup.com/?l=samba&m=103238578221048&w=2 ). You can try it, but if you need to use this then you should really be in 3.x.

~ Daniel

> -----Original Message-----
> From: Chris Palmer
> Sent: Thursday, January 09, 2003 3:04 PM
> To: Buchan Milne; samba@lists.samba.org
> Subject: Re: [Samba] Default domain for winbindd?
>
>
> Buchan Milne writes:
>
> > > It'd be nice if there were an smb.conf option for [global] like
> > > "default winbind domain = WHATEVER". Is there a plan to include
> > > such a feature in the future, or does this feature exist and I
> > > just haven't found it?
> >
> > Try 'winbind use default domain' in the global section of smb.conf,
> > and it will use the default domain (the one which is already listed in
> > 'workgroup').
>
> I added that and restarted winbindd (and Samba just for good luck). It
> didn't seem to help; I could not log in via SSH as merely chris.palmer.
> I had to do the full GENEEDINC+chris.palmer as before. Also, I get this
> error:
>
> ==> params.c:Parameter() - Ignoring badly formed line in
> configuration file: winbind use default domain
> ==>
> So it looks like my version of winbind (from Samba 2.2.7) doesn't have
> support for this feature.
>
> > It's not supported by the samba team on 2.2.x, but it works quite well
> > for authentication via pam (there are apparently issues with samba,
> > specifically ACLs).
>
> Yeah; doesn't seem to work for me at all.
>
> Well, thanks for the tip. Will I just have to wait for Samba 3 for this
> feature? Its lack is hardly a deal-breaker, so I can wait.
>
>
> --
> Chris Palmer
> Systems Programmer
> GeneEd
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
>

-----------------------------------------------------------------------
This message is the property of Time Inc. or its affiliates. It may be legally privileged and/or confidential and is intended only for the use of the addressee(s). No addressee should forward, print, copy, or otherwise reproduce this message in any manner that would allow it to be viewed by any individual not originally listed as a recipient. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is strictly prohibited. If you have received this communication in error, please immediately notify the sender and delete this message. Thank you.
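The failure Daniel describes above (a parameter name with no "= value" is logged as a badly formed line and silently keeps its default of "no"), modelled as an added example that is not Samba's code nor anything from this thread: a small smb.conf checker that reports such lines and shows what name winbindd would then present for a domain user. The two smb.conf fragments are constructed here, and the parser is a simplified model of params.c (only the '=' rule and boolean parsing are reproduced).

```python
"""Constructed example (not Samba's code): model the params.c rule that a
parameter line without '=' is ignored and the option keeps its default."""

# Constructed smb.conf fragments: the line Chris first added, and the fix.
BROKEN_CONF = """
[global]
    workgroup = GENEEDINC
    winbind separator = +
    winbind use default domain
"""

FIXED_CONF = """
[global]
    workgroup = GENEEDINC
    winbind separator = +
    winbind use default domain = yes
"""

def parse_smb_conf(text):
    """Return (sections, bad_lines): sections maps a lower-cased section
    name to {parameter: value}; bad_lines holds the lines Samba would log
    as 'Ignoring badly formed line in configuration file'."""
    sections, bad_lines, current = {"global": {}}, [], "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":           # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:                        # name with no value
            bad_lines.append(line)
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections, bad_lines

def winbind_use_default_domain(sections):
    """Effective boolean for 'winbind use default domain' (default: no).
    Samba accepts yes/true/1 and no/false/0 for boolean parameters."""
    value = sections["global"].get("winbind use default domain", "no")
    return value.strip().lower() in ("yes", "true", "1")

def effective_login_name(sections, domain, user):
    """Name winbindd exposes for DOMAIN\\user: the bare 'user' only when
    the option is on and the domain is the configured workgroup."""
    glob = sections["global"]
    if winbind_use_default_domain(sections) and domain.upper() == glob.get("workgroup", "").upper():
        return user
    return domain + glob.get("winbind separator", "\\") + user
```

Running the checker over the broken fragment reports the offending line and still yields "GENEEDINC+chris.palmer", which is exactly what Chris saw; users from a trusted domain other than the workgroup keep their prefix even with the fix.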
> Message: 16
> Subject: RE: [Samba] Default domain for winbindd?
> Date: Fri, 10 Jan 2003 11:50:30 -0500
> From: daniel.jarboe@custserv.com
> To: chris.palmer@geneed.com, samba@lists.samba.org
>
> The reason why your line was badly formed was because it sounds like you
> used the name of the parameter without specifying any value... so the
> badly formed line gets ignored and the default (= no) used instead.
> What you were looking for was 'winbind use default domain = yes' ...

Should have put in a real entry instead of assuming people would read a man page ...

> That being said, do not use this in 2.x because it was meant for 3.x and
> has problems in 2.x releases (
> http://marc.theaimsgroup.com/?l=samba&m=103608357527005&w=2 ,
> http://marc.theaimsgroup.com/?l=samba&m=103238578221048&w=2 ). You can
> try it, but if you need to use this then you should really be in 3.x.

I think it's a bit suspect to suggest 3.0alpha over 2.2.x, depending on the application. For plain authentication use (ie desktops, ssh, cvs over ssh, pop/imap etc), it seems to work very well. I have a production server at a client, that I have never had problems with, service 600+ mailboxes to 60+ concurrent users.

I am quite sure 3.0alpha isn't supported yet either (which is the gist of the messages regarding winbind use default domain = yes).

Regards,
Buchan

--
Buchan Milne
Mechanical Engineer, Network Manager
Stellenbosch Automotive Engineering http://www.cae.co.za
> From: daniel.jarboe@custserv.com [mailto:daniel.jarboe@custserv.com]
>
> The reason why your line was badly formed was because it
> sounds like you used the name of the parameter without specifying
> any value... so the badly formed line gets ignored and the default
> (= no) used instead. What you were looking for was 'winbind use
> default domain = yes' ...

heh! Yes, it works now.

> That being said, do not use this in 2.x because it was meant
> for 3.x and has problems in 2.x releases

Okay, thanks.

--
Chris Palmer
Systems Programmer
GeneEd
> Should have put in a real entry instead of assuming people
> would read a man page ...

;) Actually, looking back now, he did reference the winbindd man page in his first post, and looked through logs. Maybe just ran out of steam at that stage of the process?

> > http://marc.theaimsgroup.com/?l=samba&m=103608357527005&w=2 ,
> > http://marc.theaimsgroup.com/?l=samba&m=103238578221048&w=2
>
> I think it's a bit suspect to suggest 3.0alpha over 2.2.x, depending on
> the application. For plain authentication use (ie desktops, ssh, cvs
> over ssh, pop/imap etc), it seems to work very well. I have a
> production server at a client, that I have never had problems with,
> service 600+ mailboxes to 60+ concurrent users.

I had similar success when I tried it... the only "problems" I experienced were logs getting winbind errors for system accounts. But Jerry and Andrew both say don't use it in 2.x, and have said it more than once on this list.

> I am quite sure 3.0alpha isn't supported yet either (which is the
> gist of the messages regarding winbind use default domain = yes).

Well, if he has winbind problems in 2.x with use default domain, I suspect the samba team would say it got placed in 2.x to satisfy a dependency of a code merge, has known flaws, and should not be used. If he has problems in 3.x with winbind use default domain = yes, he's likely to get more eyes. That's my best guess, at least, and I welcomed him to try it in 2.x, but suggested 3.x was the way to go if he really needed it.

~ Daniel