Stewart, Eric
2003-Jul-17 16:46 UTC
[Samba] Samba 2.2.8a/winbindd - 2K Domain users password challenged
Okay okay - forgive me for being a whiney itchbay.

But the fix was (when discussing *nix systems) quite counterintuitive ...

I noticed that, even after using chmod #uid file, that the system was not returning the string name for the appropriate numerical uid. So, since I was headed out to lunch, I went ahead and rebooted the server.

Lo and behold it all appears to work now. Correctly even.

I'm guessing that changes to /etc/nsswitch.conf may not necessarily register immediately and that's where I was running into trouble. That or something to do with files moving into place (like /lib/libnss_winbind.so) and not being "seen".

Now if I could only be sure of what service it was that needed restarting ...

Eric Stewart - Network Admin - USF Tampa Library - eric@lib.usf.edu
SCUBA Diver: 220 Dives Most Recent: 05/10/03 Chankanaab Park, Cozumel
GeoCacher: 58 Found Most Recent: 07/04/03 GCGBHE - Fun in the Sun
http://www.scubadiving.com/talk/ and http://www.geocaching.com/

> -----Original Message-----
> From: Stewart, Eric
> Sent: Thursday, July 17, 2003 10:42 AM
> To: samba@lists.samba.org
> Subject: RE: [Samba] Samba 2.2.8a/winbindd - 2K Domain users
> password challenged
>
> I know it's been less than a day but I'm kind of surprised that I haven't gotten an answer on this one way or the other ... so let me ask a simpler question:
>
> Are winbind served users of a Linux machine supposed to have access to the samba shares served by that Linux machine? If so, please provide sample smb.conf's (if they differ from mine below) and pam.d/* files. As my users only need access to the samba shares, and not login access, I'm hesitant to change any /etc/pam.d/ file aside from /etc/pam.d/samba ...
>
> A bit of further testing has shown that at the very least, samba continues to attempt to look for "user" instead of "DOM+user" when trying to validate.
>
> Please! This is the last step I *must* get past before I can move mission critical services from a Sun Solaris 8 box to this Redhat Linux 9 machine ...
>
> Eric Stewart - Network Admin - USF Tampa Library - eric@lib.usf.edu
> SCUBA Diver: 220 Dives Most Recent: 05/10/03 Chankanaab Park, Cozumel
> GeoCacher: 58 Found Most Recent: 07/04/03 GCGBHE - Fun in the Sun
> http://www.scubadiving.com/talk/ and http://www.geocaching.com/
>
> > -----Original Message-----
> > From: Stewart, Eric
> > Sent: Wednesday, July 16, 2003 3:21 PM
> > To: samba@lists.samba.org
> > Subject: [Samba] Samba 2.2.8a/winbindd - 2K Domain users password
> > challenged
> >
> > I have a RedHat Linux 9 server that I would like to allow users in my Windows 2000 domain to be able to map shares from without actually having an account on the system.
> >
> > Compiled samba, configured with "./configure --with-pam". Got the server into the domain, and regular "security = domain" seems to be working appropriately - providing there's a local account with the same username as the 2K Domain user.
> >
> > winbind appears to be providing the accounts appropriately - both wbinfo and getent return what you'd expect them to; a wbinfo -a with a user on the domain (the one trying to connect, in fact) gets:
> >
> > plaintext password authentication succeeded
> >
> > It simply appears as if, when a user attempts to connect to the share, it fails to try to match the W2K account (IE, DOM\user) to the winbind account (DOM+user) and near as I can tell, fails since there isn't an account on the system under "user".
> >
> > Here are the relevant smb.conf lines:
> >
> > [global]
> > netbios name = newweb
> > load printers = no
> > guest account = nobody
> > workgroup = LIB
> > security = domain
> > password server = *
> > encrypt passwords = yes
> > local master = no
> > os level = 1
> > wins server = 131.247.112.6
> > server string = LIB309 -Sys-Library Web Server
> > preserve case = yes
> > invalid users = root mail daemon
> > log level = 3
> > debug uid = yes
> > debug pid = yes
> > log file = /usr/local/samba/logs/log.%m
> > lock directory = /usr/local/samba/var/locks
> > share modes = yes
> > winbind separator = +
> > winbind uid = 12500-19999
> > winbind gid = 12500-19999
> > winbind enum users = yes
> > winbind enum groups = yes
> > template homedir = /dev/null
> >
> > [webdocs]
> > comment = Webdocs Share
> > browseable = yes
> > force create mode = 0664
> > force directory mode = 0775
> > path = /data1/webdocs
> > valid users = @web,@wheel,@LIB+Technology
> > read only = yes
> > locking = no
> >
> > Not sure that this is set up right, or that I might be missing something else:
> >
> > /etc/pam.d/samba
> > auth sufficient /lib/security/pam_winbind.so
> > auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
> > account required /lib/security/pam_winbind.so
> > session required /lib/security/pam_pwdb.so
> > password required /lib/security/pam_pwdb.so # shadow md5 nullok audit
> >
> > When a user that doesn't have a matching Linux account tries to access the share, they get challenged.
> >
> > Please let me know what I'm missing - either in my Samba configuration or in the information I've attempted to provide to you.
> >
> > Thanks muchly in advance for your assistance.
> >
> > Eric Stewart - Network Admin - USF Tampa Library - eric@lib.usf.edu
> > SCUBA Diver: 220 Dives Most Recent: 05/10/03 Chankanaab Park, Cozumel
> > GeoCacher: 58 Found Most Recent: 07/04/03 GCGBHE - Fun in the Sun
> > http://www.scubadiving.com/talk/ and http://www.geocaching.com/
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: http://lists.samba.org/mailman/listinfo/samba
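
An added example, not part of the original message or of Samba: a shell check for the two causes guessed at in the message, whether `passwd` and `group` in nsswitch.conf list `winbind`, and whether the NSS module is installed under the versioned name `libnss_winbind.so.2` that glibc loads. The function names and the constructed sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Paths are parameters so the
# checks can run against a constructed tree as well as /etc and /lib.

# Print the sources listed for one nsswitch.conf database, ignoring
# comments and [STATUS=action] items.
nss_sources() {  # usage: nss_sources CONF DATABASE
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' -e 's/:/: /' "$1" |
        awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) print $i }'
}

# Succeed if DATABASE consults winbind.
nss_uses_winbind() {  # usage: nss_uses_winbind CONF DATABASE
    nss_sources "$1" "$2" | grep -qx winbind
}

# Print one line per problem that would stop DOM+user names from resolving;
# the return status is the number of problems found.
check_winbind_nss() {  # usage: check_winbind_nss CONF LIBDIR
    problems=0
    for db in passwd group; do
        if ! nss_uses_winbind "$1" "$db"; then
            echo "nsswitch: '$db' does not list winbind"
            problems=$((problems + 1))
        fi
    done
    # glibc loads NSS modules by the versioned name libnss_<source>.so.2,
    # so an unversioned libnss_winbind.so alone is not picked up.
    if [ ! -e "$2/libnss_winbind.so.2" ]; then
        echo "module: $2/libnss_winbind.so.2 is missing"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: passwd lists winbind, group has it commented out, and
# only the unversioned module name is present.
demo=$(mktemp -d)
mkdir "$demo/lib"
printf '%s\n' 'passwd: files winbind' 'group:  files # winbind' \
    > "$demo/nsswitch.conf"
: > "$demo/lib/libnss_winbind.so"
check_winbind_nss "$demo/nsswitch.conf" "$demo/lib" || echo "problems: $?"
rm -rf "$demo"
```

On a live host the call is `check_winbind_nss /etc/nsswitch.conf /lib`. On glibc releases that read nsswitch.conf only once per process, as those of that era did, a daemon already running when the file changed keeps its old lookup order, so smbd, winbindd and nscd (if used) need a restart once the checks pass.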