Hi,
I've been trying to get windbind working on HP-UX for several years now, I
try for a while, with the new releases, then after I get stuck I give up.
I've tried posting several times on the net to different news groups but had
few responses.
Well, I'm trying again now, with the samba 2.7a release, and after spending
several days on it, I'm nearly ready to give up. I've gotton further
this
time than ever before but I've pretty much exhausted all options. I've
spent hours looking on the net for any help, and basically I'm totally
stuck.
I've actually managed to get it to compile, using
./configure \
--prefix=/usr/local/samba \
--localstatedir=/usr/local/samba \
--with-msdfs \
--with-winbind \
--with-pam \
--with-winbind-auth-challenge
modifing in configure
if test $ac_cv_prog_cc_Ae = yes; then
BLDSHARED="true"
SHLD="/usr/bin/ld"
LDSHFLAGS="-B symbolic -b -z"
PICFLAG="+z"
fi
change to
#if test $ac_cv_prog_cc_Ae = yes; then
BLDSHARED="true"
SHLD="/usr/bin/ld"
LDSHFLAGS="-B symbolic -b -z"
# PICFLAG="+z"
#fi
and in
/usr/local/lib/gcc-lib/hppa2.0n-hp-hpux11.00/3.1/include/stdio.h
BEFORE
extern int snprintf(char *, _hpux_size_t, char *,...);
AFTER
extern int snprintf(char *, _hpux_size_t, const char *,...);
I can do a wbinfo -u and get the user names, and a wbinfo -g returns the
groups. I had to specify the password to use first with
wbinfo -A user%password
I also joined the domain sucessfully with
smbpasswd -j DOMAIN -r PDC -U Administrator
Ok, here are my problems.
1), when I try to change the password of a NT user, using passwd, the OS
can't find the user id, ie
coastdr: /mnt/1/samba/samba-2.2.7a/source> passwd traininguser
Changing password for traininguser
(current) NT password:
Enter new NT password:
Retype new NT password:
Invalid login name.
If I use a invalid password I get in syslog
Jan 27 13:43:38 coastdr pam_winbind[3507]: request failed, PAM error was 9,
NT error was NT_STATUS_WRONG_PASSWORD
Jan 27 13:43:38 coastdr pam_winbind[3507]: user `traininguser' denied access
(incorrect password)
however, if I enter the correct (current) password
Jan 27 13:45:24 coastdr pam_winbind[3513]: user 'traininguser' granted
acces
Jan 27 13:45:28 coastdr pam_winbind[3513]: request failed, PAM error was 9,
NT error was NT_STATUS_WRONG_PASSWORD
Now, i've set
/etc/nsswitch.conf to
hosts: dns [NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue] files
[
passwd: files ldap
group: files ldap
notice it is ldap, rather than winbind. The reason for this is, if you set
it to winbind you get a error about not being a supported type, ie must be
nis, ldap or files.
i've set a link from symbolic link from /lib/libnss_ldap.1 to
/lib/libnss_winbind.1
2) I can't su
when I try to su from a comment line to a win 2k user using either
WESTCOASTDHB+traininguser or traininguser
Unknown id: WESTCOASTDHB+traininguser
or
Unknown id: traininguser
3) I can't log into the unix box as a win 2k user. When I try, the best I
get is it seems to accept the password, but doesn't actually log in. It
exits straight back out. If I enter a wrong user name or account it says
login incorrect, so it seems to work ok, and I'm getting this in syslog.
Jan 26 19:30:49 coastdr pam_winbind[3414]: Verify user `traininguser'
Jan 26 19:30:49 coastdr pam_winbind[3414]: user 'traininguser' granted
acces
Could it be because the home directory doesn't exist? I've actually
tried
setting it to a valid template homedir but still get the same problem. Does
the home directory need to be created each time with a PAM module, I've seen
one for Linux but had a brief attempt getting this to compile under hpux,
didn't work though. But I've seen no documentation about this so
thought
you must not need to.
my smb.conf file is as follows.
[global]
workgroup = WESTCOASTDHB
server string = Samba Server
log file = /usr/local/samba/log.%m
max log size = 1000
security = domain
password server = coastdb
encrypt passwords = yes
socket options = TCP_NODELAY
local master = no
username map = /usr/local/samba/lib/users.map
read only = no
preserve case = yes
short preserve case = no
dos filetime resolution = yes
syslog = 0
winbind uid = 10000-65000
winbind gid = 10000-65000
template homedir = /home/%U
template shell = /usr/bin/sh
winbind separator = +
winbind use default domain = true
[homes]
comment = Home Directories
browseable = yes
writable = yes
create mode = 0664
my pam.conf file is
#
# PAM configuration
#
# Authentication management
#
login auth sufficient /usr/lib/security/libpam_winbind.1
login auth required /usr/lib/security/libpam_unix.1 use_first_pass
su auth required /usr/lib/security/libpam_unix.1
su auth required /usr/lib/security/libpam_winbind.1 use_first_pass
dtlogin auth required /usr/lib/security/libpam_unix.1
dtaction auth required /usr/lib/security/libpam_unix.1
ftp auth required /usr/lib/security/libpam_unix.1
OTHER auth required /usr/lib/security/libpam_unix.1
#
# Account management
#
login account required /usr/lib/security/libpam_unix.1
login account sufficient /usr/lib/security/libpam_winbind.1
su account required /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_winbind.1
dtlogin account required /usr/lib/security/libpam_unix.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_unix.1
#
OTHER account required /usr/lib/security/libpam_unix.1
#
# Session management
#
login session required /usr/lib/security/libpam_unix.1
dtlogin session required /usr/lib/security/libpam_unix.1
dtaction session required /usr/lib/security/libpam_unix.1
OTHER session required /usr/lib/security/libpam_unix.1
#
# Password management
#
login password required /usr/lib/security/libpam_unix.1
passwd password sufficient /usr/lib/security/libpam_winbind.1
passwd password required /usr/lib/security/libpam_unix.1
dtlogin password required /usr/lib/security/libpam_unix.1
dtaction password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.1
So does anyone have any ideas?
Cheers
Miles
Jennifer Fountain
2003-Jan-27 01:08 UTC
[Samba] Winbind on HPUX11, Totally Stuck, Please Help
Skipped content of type multipart/alternative
/usr/local/samba/bin/wbinfo -g
I get all the groups
/usr/local/samba/bin/wbinfo -r user1
returns the all the guids for user1
/usr/local/samba/bin/wbinfo -g xxxx
doesn't seem to make any difference, returns all the groups.
-----Original Message-----
From: Jennifer Fountain [mailto:JFountain@rbinc.com]
Sent: Monday, 27 January 2003 02:05 p.m.
To: Miles Roper; samba@lists.samba.org; samba-technical@lists.samba.org
Subject: RE: [Samba] Winbind on HPUX11, Totally Stuck, Please Help
Miles,
I run samba (winbind) on hpux11 as well. do have this problem: when you
type $groups, you only get domain admins and no other groups or if you type
groups user1, you get no groups? but when you type ./wbinfo -g jfountain,
you get all the groups in the gid format? I am almost ready to give up and
install it on linux! :(
Jenn
-----Original Message-----
From: Miles Roper [mailto:mroper@westcoastdhb.org.nz]
Sent: Sun 1/26/2003 7:59 PM
To: 'samba@lists.samba.org'; 'samba-technical@lists.samba.org'
Cc:
Subject: [Samba] Winbind on HPUX11, Totally Stuck, Please Help
Hi,
I've been trying to get windbind working on HP-UX for several years now, I
try for a while, with the new releases, then after I get stuck I give up.
I've tried posting several times on the net to different news groups but had
few responses.
Well, I'm trying again now, with the samba 2.7a release, and after spending
several days on it, I'm nearly ready to give up. I've gotton further
this
time than ever before but I've pretty much exhausted all options. I've
spent hours looking on the net for any help, and basically I'm totally
stuck.
I've actually managed to get it to compile, using
./configure \
--prefix=/usr/local/samba \
--localstatedir=/usr/local/samba \
--with-msdfs \
--with-winbind \
--with-pam \
--with-winbind-auth-challenge
modifing in configure
if test $ac_cv_prog_cc_Ae = yes; then
BLDSHARED="true"
SHLD="/usr/bin/ld"
LDSHFLAGS="-B symbolic -b -z"
PICFLAG="+z"
fi
change to
#if test $ac_cv_prog_cc_Ae = yes; then
BLDSHARED="true"
SHLD="/usr/bin/ld"
LDSHFLAGS="-B symbolic -b -z"
# PICFLAG="+z"
#fi
and in
/usr/local/lib/gcc-lib/hppa2.0n-hp-hpux11.00/3.1/include/stdio.h
BEFORE
extern int snprintf(char *, _hpux_size_t, char *,...);
AFTER
extern int snprintf(char *, _hpux_size_t, const char *,...);
I can do a wbinfo -u and get the user names, and a wbinfo -g returns the
groups. I had to specify the password to use first with
wbinfo -A user%password
I also joined the domain sucessfully with
smbpasswd -j DOMAIN -r PDC -U Administrator
Ok, here are my problems.
1), when I try to change the password of a NT user, using passwd, the OS
can't find the user id, ie
coastdr: /mnt/1/samba/samba-2.2.7a/source> passwd traininguser
Changing password for traininguser
(current) NT password:
Enter new NT password:
Retype new NT password:
Invalid login name.
If I use a invalid password I get in syslog
Jan 27 13:43:38 coastdr pam_winbind[3507]: request failed, PAM error was 9,
NT error was NT_STATUS_WRONG_PASSWORD
Jan 27 13:43:38 coastdr pam_winbind[3507]: user `traininguser' denied access
(incorrect password)
however, if I enter the correct (current) password
Jan 27 13:45:24 coastdr pam_winbind[3513]: user 'traininguser' granted
acces
Jan 27 13:45:28 coastdr pam_winbind[3513]: request failed, PAM error was 9,
NT error was NT_STATUS_WRONG_PASSWORD
Now, i've set
/etc/nsswitch.conf to
hosts: dns [NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue] files
[
passwd: files ldap
group: files ldap
notice it is ldap, rather than winbind. The reason for this is, if you set
it to winbind you get a error about not being a supported type, ie must be
nis, ldap or files.
i've set a link from symbolic link from /lib/libnss_ldap.1 to
/lib/libnss_winbind.1
2) I can't su
when I try to su from a comment line to a win 2k user using either
WESTCOASTDHB+traininguser or traininguser
Unknown id: WESTCOASTDHB+traininguser
or
Unknown id: traininguser
3) I can't log into the unix box as a win 2k user. When I try, the best I
get is it seems to accept the password, but doesn't actually log in. It
exits straight back out. If I enter a wrong user name or account it says
login incorrect, so it seems to work ok, and I'm getting this in syslog.
Jan 26 19:30:49 coastdr pam_winbind[3414]: Verify user `traininguser'
Jan 26 19:30:49 coastdr pam_winbind[3414]: user 'traininguser' granted
acces
Could it be because the home directory doesn't exist? I've actually
tried
setting it to a valid template homedir but still get the same problem. Does
the home directory need to be created each time with a PAM module, I've seen
one for Linux but had a brief attempt getting this to compile under hpux,
didn't work though. But I've seen no documentation about this so
thought
you must not need to.
my smb.conf file is as follows.
[global]
workgroup = WESTCOASTDHB
server string = Samba Server
log file = /usr/local/samba/log.%m
max log size = 1000
security = domain
password server = coastdb
encrypt passwords = yes
socket options = TCP_NODELAY
local master = no
username map = /usr/local/samba/lib/users.map
read only = no
preserve case = yes
short preserve case = no
dos filetime resolution = yes
syslog = 0
winbind uid = 10000-65000
winbind gid = 10000-65000
template homedir = /home/%U
template shell = /usr/bin/sh
winbind separator = +
winbind use default domain = true
[homes]
comment = Home Directories
browseable = yes
writable = yes
create mode = 0664
my pam.conf file is
#
# PAM configuration
#
# Authentication management
#
login auth sufficient /usr/lib/security/libpam_winbind.1
login auth required /usr/lib/security/libpam_unix.1 use_first_pass
su auth required /usr/lib/security/libpam_unix.1
su auth required /usr/lib/security/libpam_winbind.1 use_first_pass
dtlogin auth required /usr/lib/security/libpam_unix.1
dtaction auth required /usr/lib/security/libpam_unix.1
ftp auth required /usr/lib/security/libpam_unix.1
OTHER auth required /usr/lib/security/libpam_unix.1
#
# Account management
#
login account required /usr/lib/security/libpam_unix.1
login account sufficient /usr/lib/security/libpam_winbind.1
su account required /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_winbind.1
dtlogin account required /usr/lib/security/libpam_unix.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_unix.1
#
OTHER account required /usr/lib/security/libpam_unix.1
#
# Session management
#
login session required /usr/lib/security/libpam_unix.1
dtlogin session required /usr/lib/security/libpam_unix.1
dtaction session required /usr/lib/security/libpam_unix.1
OTHER session required /usr/lib/security/libpam_unix.1
#
# Password management
#
login password required /usr/lib/security/libpam_unix.1
passwd password sufficient /usr/lib/security/libpam_winbind.1
passwd password required /usr/lib/security/libpam_unix.1
dtlogin password required /usr/lib/security/libpam_unix.1
dtaction password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.1
So does anyone have any ideas?
Cheers
Miles
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
<http://lists.samba.org/mailman/listinfo/samba>
Miles Roper
2003-Jan-27 01:44 UTC
[Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
this is a email I was sent by a michael at hp on 23/1/2002, which is basically what I done. -------- In the meanwhile I got an additional hint about how to work around the libpam_unix.1 issue, which is not tolerating unknown nsswitch backends to be configured in /etc/nsswitch.conf when doing password management. This makes /usr/bin/passwd stop working. In case LDAP is not being used, one might move /usr/lib/libnss_ldap.1 aside (if present) and create a symbolic link from /usr/lib/libnss_ldap.1 to /usr/lib/libnss_winbind.1. Consequently, ldap should then be configured instead of winbind in /etc/nsswitch.conf. It's kind of ugly hack, but the only workaround available right now... -------- -----Original Message----- From: Richard Sharpe [mailto:rsharpe@richardsharpe.com] Sent: Monday, 27 January 2003 03:05 p.m. To: Miles Roper Cc: 'samba@lists.samba.org'; 'samba-technical@lists.samba.org' Subject: Re: Winbind on HPUX11, Totally Stuck, Please Help On Mon, 27 Jan 2003, Miles Roper wrote: Let me first say that I am no expert on HP-UX, maybe Tim Potter can help, now that he works for them.> I can do a wbinfo -u and get the user names, and a wbinfo -g returns the > groups. I had to specify the password to use first with > > wbinfo -A user%password > > I also joined the domain sucessfully withOK, this looks like winbindd is sort of works ...> /etc/nsswitch.conf to > > hosts: dns [NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue]files> [ > passwd: files ldap > group: files ldap > > notice it is ldap, rather than winbind. The reason for this is, if youset> it to winbind you get a error about not being a supported type, ie must be > nis, ldap or files.I think this is where your problem is. ldap is not winbindd. It looks like PAM on your version of HP-UX does not handle arbritrary NSS shared library stuff. Regards ----- Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, sharpe[at]ethereal.com, http://www.richardsharpe.com
Michael Steffens
2003-Jan-27 07:37 UTC
[Samba] Winbind on HPUX11, Totally Stuck, Please Help
Hello Jennifer, Jennifer Fountain wrote:> Miles, > I run samba (winbind) on hpux11 as well. do have this problem: when you > type $groups, you only get domain admins and no other groups or if you > type groups user1, you get no groups? but when you type ./wbinfo -g > jfountain, you get all the groups in the gid format? I am almost ready > to give up and install it on linux! :(Just a wild guess: I seems that the groups command is trying to resolve group memberships using the setgrent/getgrent/endgrent combo of libc calls. The getgrent call will fail for all groups, where the result size exceeds the buffer provided by the groups command. Don't know how much this is precisely, but if it is _SC_GETGR_R_SIZE_MAX (2048), and taking into account the usual size of NT usernames including domain names, a group must have quite few members to get displayed. The "wbinfo -g" command does not use setgrent/getgrent/endgrent. I have actually disabled everything involving winbind user or group enumeration, as it exhausts resources very quickly in our environment. But I'm assuming it would do the same under Linux... Michael
Drew.Zeller@statcan.ca
2003-Jan-27 13:35 UTC
[Samba] Winbind on HPUX11, Totally Stuck, Please Help
Miles, Jennifer I am not currently using Winbind, but I did try testing with it on HPUX 1100 about a year ago. To get it to work I followed the instructions I found at the following web site : www.miratek.com/samba <www.miratek.com/samba> It might have some answers to your problems. Hope this helps. Cheers.
Hi Drew, No luck. Pretty much done all that, still get all the same problems. That site was pretty good though :o) Does anyone have an idea about the shell logging in? Why do I keep on getting logged out? Does the home directory need to be created, does it need a .profile? What about the permissions? I've tried creating one world writeable but no luck. Cheers Miles -----Original Message----- From: Drew.Zeller@statcan.ca [mailto:Drew.Zeller@statcan.ca] Sent: Tuesday, 28 January 2003 02:35 a.m. To: mroper@westcoastdhb.org.nz; JFountain@rbinc.com Cc: samba@lists.samba.org; samba-technical@lists.samba.org Subject: RE : [Samba] Winbind on HPUX11, Totally Stuck, Please Help Miles, Jennifer I am not currently using Winbind, but I did try testing with it on HPUX 1100 about a year ago. To get it to work I followed the instructions I found at the following web site : www.miratek.com/samba It might have some answers to your problems. Hope this helps. Cheers.
Michael Steffens
2003-Jan-28 08:34 UTC
[Samba] Winbind on HPUX11, Totally Stuck, Please Help
Hi Miles, Miles Roper wrote:> Hi Drew, > > No luck. > > Pretty much done all that, still get all the same problems > > That site was pretty good though :o)There is one thing missing, however. If you fake winbind NSS to be ldap, exported constructor names in winbind_nss_solaris.c also need to be adjusted: _nss_winbind_passwd_constr -> _nss_ldap_passwd_constr _nss_winbind_group_constr -> _nss_ldap_group_constr Just redirecting the symlink doesn't do. Hmm, this tweaking of winbind NSS constructors is awful, changing from correct to wrong. :( This is what I did: 1. Create a copy of winbind_nss_solaris.c with a descriptive name, like winbind_nss_solaris_fakeldap.c 2. Do constructor replacements descriped above in the copy 3. Build shared library with a descriptive name, like make nsswitch/winbind_nss_solaris_fakeldap.po \ nsswitch/winbind_nss.po nsswitch/wb_common.po ld -b -B symbolic +h libnss_winbind_fakeldap.1 -o nsswitch/libnss_winbind_fakeldap.1 \ nsswitch/winbind_nss_solaris_fakeldap.po nsswitch/winbind_nss.po \ nsswitch/wb_common.po -lc 4. Create symlink in /usr/lib libnss_ldap.1 -> libnss_winbind_fakeldap.1 and leave original libnss_winbind.1 as it is. This way gives a hint to administrators/supporters about what has been tweaked, and it allows to revert the hack easily once the conflict with libpam_unix.1 has been resolved.> Does anyone have an idea about the shell logging in? Why do I keep on > getting logged out? Does the home directory need to be created, does it > need a .profile? What about the permissions? I've tried creating one > world writeable but no luck.I did not see any dependeny to the home directory. If it doesn't exist, or is not accessible, the user just gets a warning and is being put to '/'. But the login shell is important ("template shell" parameter). If the shell doesn't exist, or happens to be /usr/bin/false, you will get logged off immediately. Cheers! Michael
What does the X flag mean in the smbpasswd file flags field? I know whgat the U, D N W means, but what about X ? [UX ]:LCT-3E367D48: Paul
Esh, Andrew
2003-Jan-28 15:49 UTC
[Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
Did I miss something? Is LDAP supposed to replace winbindd in nsswitch.conf? If so, then what I've written below is not right, but read it anyway. Perhaps LDAP is not finding winbindd in it's list of things to query. My experience is not with HPUX, but I have been able to use "passwd: files winbindd" in /etc/nsswitch.conf on Linux. Perhaps the "not a supported type" problem is because "/lib/libnss_winbindd.so" hasn't been compiled and installed. (Compile it by doing a "make nsswitch" in the top level of samba source. Install it by copying from source/nsswitch to /lib, and running ldconfig.) Once that library is present in the "ldconfig -p" output, then the winbindd keyword in nsswitch.conf should work. That library provides connectivity from the name system to the winbind services which list Windows users and groups, and their assigned ID numbers. getent should work too. I don't have HPUX, so I don't know what to suggest for that. I just know getent won't work without winbindd in nsswitch.conf on Linux. I don't see how this would be solved with PAM. PAM uses the same service, but is not the solution to the problem. I did all the PAM/winbindd stuff as directed in a HOWTO, only to find out at the end that I don't need PAM unless I want Windows users to be able to telnet, FTP, or use other Unix services which require authentication. Assignment of user IDs is not done through PAM. Obligatory link fest: http://us3.samba.org/samba/ftp/docs/textdocs/Solaris-Winbind-HOWTO.txt http://archives.neohapsis.com/archives/pam-list/2001-10/0038.html http://nic-ks.greatplains.net/samba/winbind.html http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html#WINBIND> -----Original Message----- > From: Richard Sharpe [mailto:rsharpe@richardsharpe.com] > Sent: Sunday, January 26, 2003 8:05 PM > To: Miles Roper > Cc: 'samba@lists.samba.org'; 'samba-technical@lists.samba.org' > Subject: Re: Winbind on HPUX11, Totally Stuck, Please Help > > > On Mon, 27 Jan 2003, Miles Roper wrote: > > Let me first say that I am no expert on HP-UX, maybe Tim > Potter can help, > now that he works for them. > > > I can do a wbinfo -u and get the user names, and a wbinfo > -g returns the > > groups. I had to specify the password to use first with > > > > wbinfo -A user%password > > > > I also joined the domain sucessfully with > > OK, this looks like winbindd is sort of works ... > > > /etc/nsswitch.conf to > > > > hosts: dns [NOTFOUND=continue UNAVAIL=continue > TRYAGAIN=continue] files > > [ > > passwd: files ldap > > group: files ldap > > > > notice it is ldap, rather than winbind. The reason for > this is, if you set > > it to winbind you get a error about not being a supported > type, ie must be > > nis, ldap or files. > > I think this is where your problem is. ldap is not winbindd. > > It looks like PAM on your version of HP-UX does not handle > arbritrary NSS > shared library stuff. > > Regards > ----- > Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, > sharpe[at]ethereal.com, http://www.richardsharpe.com >
MCCALL,DON (HP-USA,ex1)
2003-Jan-28 17:37 UTC
[Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
Hi Everyone, Been following this a bit; faking out nsswitch with the ldap stuff seems like a HIGH and complicated price to pay for getting a passwd program that will work to change passwords for standard unix users. One of the other things I have seen is a simple script that moved and replaced the winbind enabled nsswitch.conf with a standard one before executing the passwd command, then moved it back. Or even hack a c program together that 'gets' the username,password from the user BEFORE it exec's the actual passwd program, so you could minimize the amount of time the nsswitch.conf file would be in place WITHOUT the winbind support. Either way, this is an issue both on SUN and HP-UX systems. For the HP-UX customers, I'd like to see them submit enhancement requests through their support channel tochange the behavior of the nsswitch stuff so that we could have a code change in the OS where it belongs to deal with this. It's the squeaky wheel that gets the grease.... Hope this helps, Don> -----Original Message----- > From: Michael Steffens [mailto:michael.steffens@hp.com] > Sent: Tuesday, January 28, 2003 11:52 > To: Ronan Waide > Cc: 'samba@lists.samba.org'; Esh, Andrew; Miles Roper; > 'samba-technical@lists.samba.org'; 'Richard Sharpe' > Subject: Re: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help > > > Ronan Waide wrote: > > On January 28, Andrew_Esh@adaptec.com said: > > > >>I don't have HPUX, so I don't know what to suggest for > that. I just know > >>getent won't work without winbindd in nsswitch.conf on Linux. > > > > > > I think the point that was being made is that NSS support > on HPUX only > > supports a few known types, of which one is LDAP. The discussion was > > basically about faking out the system so that what it thinks is LDAP > > is actually winbind. > > Yep. It's a HP-UX specific workaround. Please ignore it > everywhere else. > > Michael > >
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 28 Jan 2003, paul.reilly@tcd.ie wrote:> > What does the X flag mean in the smbpasswd file flags field? > I know whgat the U, D N W means, but what about X ? > > [UX ]:LCT-3E367D48:password never expires. cheers, jerry ---------------------------------------------------------------------- Hewlett-Packard ------------------------- http://www.hp.com SAMBA Team ---------------------- http://www.samba.org GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc "You can never go home again, Oatman, but I guess you can shop there." --John Cusack - "Grosse Point Blank" (1997) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (GNU/Linux) Comment: For info see http://quantumlab.net/pine_privacy_guard/ iD8DBQE+OCNUIR7qMdg1EfYRArQXAJ0c39A9AtFW7jcmIo4tjv5s1hi6lACgpGKL 4HROnS4qYy44jsUC/YgdDpM=6hcS -----END PGP SIGNATURE-----
MCCALL,DON (HP-USA,ex1)
2003-Jan-30 18:05 UTC
[Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
Hi Everyone, This whole problem with the password command not working when winbind is included as a method in the nsswitch.conf can probably be worked around by simply using the -r files (or -r nis or -r nisplus) switch. Take a look at the man page for passwd on HP-UX 11.x and see if this won't help you out. Hope this helps, Don> -----Original Message----- > From: Michael Steffens [mailto:michael.steffens@hp.com] > Sent: Tuesday, January 28, 2003 11:52 > To: Ronan Waide > Cc: 'samba@lists.samba.org'; Esh, Andrew; Miles Roper; > 'samba-technical@lists.samba.org'; 'Richard Sharpe' > Subject: Re: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help > > > Ronan Waide wrote: > > On January 28, Andrew_Esh@adaptec.com said: > > > >>I don't have HPUX, so I don't know what to suggest for > that. I just know > >>getent won't work without winbindd in nsswitch.conf on Linux. > > > > > > I think the point that was being made is that NSS support > on HPUX only > > supports a few known types, of which one is LDAP. The discussion was > > basically about faking out the system so that what it thinks is LDAP > > is actually winbind. > > Yep. It's a HP-UX specific workaround. Please ignore it > everywhere else. > > Michael > >
Miles Roper
2003-Jan-31 03:54 UTC
[Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
Hi Everyone, I'm forgetting about the password one at the moment, thanks for all your input :o) I still don't have a clue how to solve my main problem. I'm assuming that its not actually winbind related now, as I've recently tried pam_smb and get the same basic problem. Basically, when I log into the UNIX box, the username/password of a NT user is being authenticated, but doesn't actually log in. It doesn't get past the password line. I know it accepts the password. Its almost as if it can't find the shell. But the template variable is set within the smb.conf file. Permissions are fine. I have exactly the same problem with the pam_smb module. If there is any further information I can send let me know. Ideas? Thanks Miles -----Original Message----- From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com] Sent: Friday, 31 January 2003 07:06 a.m. To: STEFFENS,MICHAEL (HP-Germany,ex1); Ronan Waide Cc: 'samba@lists.samba.org'; Esh, Andrew; Miles Roper; 'samba-technical@lists.samba.org'; 'Richard Sharpe' Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help Hi Everyone, This whole problem with the password command not working when winbind is included as a method in the nsswitch.conf can probably be worked around by simply using the -r files (or -r nis or -r nisplus) switch. Take a look at the man page for passwd on HP-UX 11.x and see if this won't help you out. Hope this helps, Don> -----Original Message----- > From: Michael Steffens [mailto:michael.steffens@hp.com] > Sent: Tuesday, January 28, 2003 11:52 > To: Ronan Waide > Cc: 'samba@lists.samba.org'; Esh, Andrew; Miles Roper; > 'samba-technical@lists.samba.org'; 'Richard Sharpe' > Subject: Re: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help > > > Ronan Waide wrote: > > On January 28, Andrew_Esh@adaptec.com said: > > > >>I don't have HPUX, so I don't know what to suggest for > that. I just know > >>getent won't work without winbindd in nsswitch.conf on Linux. > > > > > > I think the point that was being made is that NSS support > on HPUX only > > supports a few known types, of which one is LDAP. The discussion was > > basically about faking out the system so that what it thinks is LDAP > > is actually winbind. > > Yep. It's a HP-UX specific workaround. Please ignore it > everywhere else. > > Michael > >
MCCALL,DON (HP-USA,ex1)
2003-Jan-31 15:53 UTC
[Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
Hi, Miles,
Actually on HP-UX, you will need to add the word 'debug' at the end of
each
of
the lines in you /etc/pam.conf file, to enable more debugging to go into the
/var/adm/syslog/syslog.log file.
One thing that I have seen something like this happen on is if the
/etc/shells file is corrupt, or if the shell that is defined for the user
(since they don't have a /etc/passwd entry, this would be whatever you put
in
template in the smb.conf) does not exactly match one of the lines in
/etc/shells,
or the defaults, if this file does not exist.
The defaults for 11.0 are:
/sbin/sh
/usr/bin/sh
/usr/bin/rsh
/usr/bin/ksh
/usr/bin/rksh
/usr/bin/csh
/usr/bin/keysh
Hope this helps,
Don> -----Original Message-----
> From: John H Terpstra [mailto:jht@samba.org]
> Sent: Friday, January 31, 2003 1:36
> To: Miles Roper
> Cc: 'samba-technical@lists.samba.org';
'samba@lists.samba.org'; Esh,
> Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); 'MCCALL,DON
> (HP-USA,ex1)'; 'Richard Sharpe'
> Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
>
>
> On Fri, 31 Jan 2003, Miles Roper wrote:
>
> > Hi Everyone,
> >
> > I'm forgetting about the password one at the moment, thanks
> for all your
> > input :o)
> >
> > I still don't have a clue how to solve my main problem.
> I'm assuming that
> > its not actually winbind related now, as I've recently
> tried pam_smb and get
> > the same basic problem.
> >
> > Basically, when I log into the UNIX box, the
> username/password of a NT user
> > is being authenticated, but doesn't actually log in. It
> doesn't get past
> > the password line. I know it accepts the password. Its
> almost as if it
> > can't find the shell. But the template variable is set
> within the smb.conf
> > file. Permissions are fine. I have exactly the same
> problem with the
> > pam_smb module.
>
> So what does PAM report into your /var/log files?
>
> Have you tried adding to each line in your /etc/pam.d/login
> (after the .so
> file name) the word 'audit' - this will increase the volume
> of debugging
> info spit out into /var/log/messages, or wherever PAM send
> this on your
> distro.
>
> - John T.
>
> >
> > If there is any further information I can send let me know.
> >
> > Ideas?
> >
> > Thanks
> >
> > Miles
> >
> >
> > -----Original Message-----
> > From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
> > Sent: Friday, 31 January 2003 07:06 a.m.
> > To: STEFFENS,MICHAEL (HP-Germany,ex1); Ronan Waide
> > Cc: 'samba@lists.samba.org'; Esh, Andrew; Miles Roper;
> > 'samba-technical@lists.samba.org'; 'Richard Sharpe'
> > Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck,
> Please Help
> >
> >
> > Hi Everyone,
> > This whole problem with the password command not working
> when winbind
> > is included as a method in the nsswitch.conf can probably
> be worked around
> > by simply using the -r files (or -r nis or -r nisplus)
> switch. Take a look
> > at the man page for passwd on HP-UX 11.x and see if this
> won't help you
> > out.
> > Hope this helps,
> > Don
> >
> > > -----Original Message-----
> > > From: Michael Steffens [mailto:michael.steffens@hp.com]
> > > Sent: Tuesday, January 28, 2003 11:52
> > > To: Ronan Waide
> > > Cc: 'samba@lists.samba.org'; Esh, Andrew; Miles Roper;
> > > 'samba-technical@lists.samba.org'; 'Richard
Sharpe'
> > > Subject: Re: [Samba] RE: Winbind on HPUX11, Totally
> Stuck, Please Help
> > >
> > >
> > > Ronan Waide wrote:
> > > > On January 28, Andrew_Esh@adaptec.com said:
> > > >
> > > >>I don't have HPUX, so I don't know what to
suggest for
> > > that. I just know
> > > >>getent won't work without winbindd in nsswitch.conf
on Linux.
> > > >
> > > >
> > > > I think the point that was being made is that NSS support
> > > on HPUX only
> > > > supports a few known types, of which one is LDAP. The
> discussion was
> > > > basically about faking out the system so that what it
> thinks is LDAP
> > > > is actually winbind.
> > >
> > > Yep. It's a HP-UX specific workaround. Please ignore it
> > > everywhere else.
> > >
> > > Michael
> > >
> > >
> >
>
> --
> John H Terpstra
> Email: jht@samba.org
>
Miles Roper
2003-Feb-02 19:53 UTC
[Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
Hi All,
Thanks for your help, still no luck though. More info for you.
with no debug statements in my /etc/pam.conf I get in sys log the following.
Feb 2 14:43:02 coastdr pam_winbind[2832]: user 'traininguser' granted
acces
with debug turned on I get
Feb 2 14:47:49 coastdr pam_winbind[2839]: Verify user `traininguser'
Feb 2 14:47:49 coastdr pam_winbind[2839]: user 'traininguser' granted
acces
the user is still logging out.
incidentlally, when I log in as a unix user, rather than a win2k user I
don't get anything in sys log. I've included my pam.conf below.
Also, I checked for /etc/shells, no such file, and I have set my smb.conf
shell line to
template shell = /sbin/sh
and also tried
template shell = /usr/bin/sh
both files exist.
#
# PAM configuration
#
# Authentication management
#
login auth sufficient /usr/lib/security/libpam_unix.1 debug
login auth sufficient /usr/lib/security/libpam_winbind.1
debug
#login auth sufficient /usr/lib/security/libpam_smb.1 nolocal
debug
su auth required /usr/lib/security/libpam_unix.1 debug
dtlogin auth required /usr/lib/security/libpam_unix.1 debug
dtaction auth required /usr/lib/security/libpam_unix.1 debug
ftp auth required /usr/lib/security/libpam_unix.1 debug
OTHER auth required /usr/lib/security/libpam_unix.1 debug
#
# Account management
#
login account sufficient /usr/lib/security/libpam_unix.1 debug
login account sufficient /usr/lib/security/libpam_winbind.1
debug
su account required /usr/lib/security/libpam_unix.1 debug
dtlogin account required /usr/lib/security/libpam_unix.1 debug
dtaction account required /usr/lib/security/libpam_unix.1 debug
ftp account required /usr/lib/security/libpam_unix.1 debug
#
OTHER account required /usr/lib/security/libpam_unix.1 debug
#
# Session management
#
login session sufficient /usr/lib/security/libpam_unix.1 debug
login session sufficient /usr/lib/security/libpam_winbind.1
debug
dtlogin session required /usr/lib/security/libpam_unix.1 debug
dtaction session required /usr/lib/security/libpam_unix.1 debug
OTHER session required /usr/lib/security/libpam_unix.1 debug
#
# Password management
#
login password sufficient /usr/lib/security/libpam_unix.1 debug
login password sufficient /usr/lib/security/libpam_winbind.1
debug
passwd password required /usr/lib/security/libpam_unix.1 debug
passwd password required /usr/lib/security/libpam_winbind.1
debug
dtlogin password required /usr/lib/security/libpam_unix.1 debug
dtaction password required /usr/lib/security/libpam_unix.1 debug
OTHER password required /usr/lib/security/libpam_unix.1 debug
Cheers
Miles
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Saturday, 1 February 2003 04:53 a.m.
To: 'John H Terpstra'; Miles Roper
Cc: 'samba-technical@lists.samba.org'; 'samba@lists.samba.org';
Esh,
Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); MCCALL,DON
(HP-USA,ex1); 'Richard Sharpe'
Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
Hi, Miles,
Actually on HP-UX, you will need to add the word 'debug' at the end of
each
of
the lines in you /etc/pam.conf file, to enable more debugging to go into the
/var/adm/syslog/syslog.log file.
One thing that I have seen something like this happen on is if the
/etc/shells file is corrupt, or if the shell that is defined for the user
(since they don't have a /etc/passwd entry, this would be whatever you put
in
template in the smb.conf) does not exactly match one of the lines in
/etc/shells,
or the defaults, if this file does not exist.
The defaults for 11.0 are:
/sbin/sh
/usr/bin/sh
/usr/bin/rsh
/usr/bin/ksh
/usr/bin/rksh
/usr/bin/csh
/usr/bin/keysh
Hope this helps,
Don> -----Original Message-----
> From: John H Terpstra [mailto:jht@samba.org]
> Sent: Friday, January 31, 2003 1:36
> To: Miles Roper
> Cc: 'samba-technical@lists.samba.org';
'samba@lists.samba.org'; Esh,
> Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); 'MCCALL,DON
> (HP-USA,ex1)'; 'Richard Sharpe'
> Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
>
>
> On Fri, 31 Jan 2003, Miles Roper wrote:
>
> > Hi Everyone,
> >
> > I'm forgetting about the password one at the moment, thanks
> for all your
> > input :o)
> >
> > I still don't have a clue how to solve my main problem.
> I'm assuming that
> > its not actually winbind related now, as I've recently
> tried pam_smb and get
> > the same basic problem.
> >
> > Basically, when I log into the UNIX box, the
> username/password of a NT user
> > is being authenticated, but doesn't actually log in. It
> doesn't get past
> > the password line. I know it accepts the password. Its
> almost as if it
> > can't find the shell. But the template variable is set
> within the smb.conf
> > file. Permissions are fine. I have exactly the same
> problem with the
> > pam_smb module.
>
> So what does PAM report into your /var/log files?
>
> Have you tried adding to each line in your /etc/pam.d/login
> (after the .so
> file name) the word 'audit' - this will increase the volume
> of debugging
> info spit out into /var/log/messages, or wherever PAM send
> this on your
> distro.
>
> - John T.
>
> >
> > If there is any further information I can send let me know.
> >
> > Ideas?
> >
> > Thanks
> >
> > Miles
> >
> >
> > -----Original Message-----
> > From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
> > Sent: Friday, 31 January 2003 07:06 a.m.
> > To: STEFFENS,MICHAEL (HP-Germany,ex1); Ronan Waide
> > Cc: 'samba@lists.samba.org'; Esh, Andrew; Miles Roper;
> > 'samba-technical@lists.samba.org'; 'Richard Sharpe'
> > Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck,
> Please Help
> >
> >
> > Hi Everyone,
> > This whole problem with the password command not working
> when winbind
> > is included as a method in the nsswitch.conf can probably
> be worked around
> > by simply using the -r files (or -r nis or -r nisplus)
> switch. Take a look
> > at the man page for passwd on HP-UX 11.x and see if this
> won't help you
> > out.
> > Hope this helps,
> > Don
> >
> > > -----Original Message-----
> > > From: Michael Steffens [mailto:michael.steffens@hp.com]
> > > Sent: Tuesday, January 28, 2003 11:52
> > > To: Ronan Waide
> > > Cc: 'samba@lists.samba.org'; Esh, Andrew; Miles Roper;
> > > 'samba-technical@lists.samba.org'; 'Richard
Sharpe'
> > > Subject: Re: [Samba] RE: Winbind on HPUX11, Totally
> Stuck, Please Help
> > >
> > >
> > > Ronan Waide wrote:
> > > > On January 28, Andrew_Esh@adaptec.com said:
> > > >
> > > >>I don't have HPUX, so I don't know what to
suggest for
> > > that. I just know
> > > >>getent won't work without winbindd in nsswitch.conf
on Linux.
> > > >
> > > >
> > > > I think the point that was being made is that NSS support
> > > on HPUX only
> > > > supports a few known types, of which one is LDAP. The
> discussion was
> > > > basically about faking out the system so that what it
> thinks is LDAP
> > > > is actually winbind.
> > >
> > > Yep. It's a HP-UX specific workaround. Please ignore it
> > > everywhere else.
> > >
> > > Michael
> > >
> > >
> >
>
> --
> John H Terpstra
> Email: jht@samba.org
>
I know I can restrict access to shares by using "valid users" but the share is still seen. Is there a way to only list the shares to which the user has access? ie - connect from windows to samba server => authenticate with unix password => list of shares displayed. I only wnat the user to see "his" shares... Paul
Dan Nuffer
2003-Aug-05 19:12 UTC
[Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
I've been trying to find a solution to passwd not working on HPUX 11 with a modified nsswitch.conf. (Interestingly, using the -r files switch works on Solaris, but not HPUX.) The two proposed workarounds I have seen (naming the module ldap and replacing the system one, or creating a wrapper for passwd that fiddles with the nsswitch.conf) aren't acceptable. I'm really hoping that HP has fixed this, but I wasn't able to locate an applicable patch on their site. If anyone knows of one, please point me to it! Thanks, Dan Nuffer MCCALL, DON (HP-USA,ex1) wrote:> Hi Everyone, > This whole problem with the password command not working when winbind > is included as a method in the nsswitch.conf can probably be worked around > by simply using the -r files (or -r nis or -r nisplus) switch. Take a look > at the man page for passwd on HP-UX 11.x and see if this won't help you > out. > Hope this helps, > Don >
MCCALL,DON (HP-USA,ex1)
2003-Aug-06 13:26 UTC
[Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
Hello Dan, Can you post the passwd line of your nsswitch.conf file? I am on 11.11, and passwd -r files username Works just fine for me, with winbind added to my passwd line in the /etc/nsswitch.conf file... Don> -----Original Message----- > From: Dan Nuffer [mailto:dnuffer@center7.com] > Sent: Tuesday, August 05, 2003 3:13 PM > To: samba@lists.samba.org > Cc: don_mccall@hp.com > Subject: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help > > > I've been trying to find a solution to passwd not working on > HPUX 11 with a modified nsswitch.conf. (Interestingly, using > the -r files switch works on Solaris, but not HPUX.) > > The two proposed workarounds I have seen (naming the module > ldap and replacing the system one, or creating a wrapper for > passwd that fiddles with the nsswitch.conf) aren't acceptable. > > I'm really hoping that HP has fixed this, but I wasn't able > to locate an applicable patch on their site. If anyone knows > of one, please point me to it! > > Thanks, > Dan Nuffer > > > MCCALL, DON (HP-USA,ex1) wrote: > > Hi Everyone, > > This whole problem with the password command not working > when winbind > > is included as a method in the nsswitch.conf can probably be worked > > around by simply using the -r files (or -r nis or -r > nisplus) switch. > > Take a look at the man page for passwd on HP-UX 11.x and > see if this > > won't help you out. Hope this helps, > > Don > > > > >
MCCALL,DON (HP-USA,ex1)
2003-Aug-06 15:41 UTC
[Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
You got it. I had Passwd: compat winbind don> -----Original Message----- > From: Dan Nuffer [mailto:dnuffer@center7.com] > Sent: Wednesday, August 06, 2003 11:07 AM > To: MCCALL,DON (HP-USA,ex1) > Cc: samba@lists.samba.org > Subject: Re: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help > > > I think I've figured it out. > > It doesn't work if nsswitch.conf has got > > passwd: files nis winbind > or > passwd: files winbind nis > > But if it only has two modules listed: > > passwd: files winbind > > then passwd -r files works fine. > > -- > Dan Nuffer > > MCCALL,DON (HP-USA,ex1) wrote: > > >Hello Dan, > >Can you post the passwd line of your nsswitch.conf file? > >I am on 11.11, and passwd -r files username > >Works just fine for me, with winbind added to my passwd line in the > >/etc/nsswitch.conf file... Don > > > > > > > >>-----Original Message----- > >>From: Dan Nuffer [mailto:dnuffer@center7.com] > >>Sent: Tuesday, August 05, 2003 3:13 PM > >>To: samba@lists.samba.org > >>Cc: don_mccall@hp.com > >>Subject: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help > >> > >> > >>I've been trying to find a solution to passwd not working on > >>HPUX 11 with a modified nsswitch.conf. (Interestingly, using > >>the -r files switch works on Solaris, but not HPUX.) > >> > >>The two proposed workarounds I have seen (naming the module > >>ldap and replacing the system one, or creating a wrapper for > >>passwd that fiddles with the nsswitch.conf) aren't acceptable. > >> > >>I'm really hoping that HP has fixed this, but I wasn't able > >>to locate an applicable patch on their site. If anyone knows > >>of one, please point me to it! > >> > >>Thanks, > >>Dan Nuffer > >> > >> > >>MCCALL, DON (HP-USA,ex1) wrote: > >> > >> > >>>Hi Everyone, > >>>This whole problem with the password command not working > >>> > >>> > >>when winbind > >> > >> > >>>is included as a method in the nsswitch.conf can probably be worked > >>>around by simply using the -r files (or -r nis or -r > >>> > >>> > >>nisplus) switch. > >> > >> > >>>Take a look at the man page for passwd on HP-UX 11.x and > >>> > >>> > >>see if this > >> > >> > >>>won't help you out. Hope this helps, > >>>Don > >>> > >>> > >>> > >> > >> > >> > >