Ganguly, Sapan
2004-Feb-05 10:57 UTC
[Samba] idmap uid range 10000-20000: pam_winbind does NOT work ?
Mike, I got it working!! Have a look at what I have, here is my smb.conf and my pam.conf.

# Global parameters
[global]
        workgroup = RRLNTD01
        server string = SUN001
        security = DOMAIN
        password server = nts009
        log level = 10
        syslog = 7
        log file = /var/log/samba/log.%m
        max log size = 50
        name resolve order = wins lmhosts bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap
        local master = No
        dns proxy = No
        wins server = 192.168.224.25
        ldap suffix = dc=uk,dc=trt,dc=thales
        ldap idmap suffix = ou=idmap
        ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
        idmap backend = ldap:ldap://lnxs001
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /mnt/spare/%U
        template shell = /bin/bash
        winbind separator = -
        winbind use default domain = Yes

#
#ident  "@(#)pam.conf   1.20    02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required           pam_winbind.so
login   auth requisite          pam_authtok_get.so.1 debug
#login  auth sufficient         /usr/lib/security/pam_winbind.so.1 try_first_pass debug
login   auth sufficient         pam_dhkeys.so.1 debug
login   auth sufficient         pam_unix_auth.so.1 debug
login   auth sufficient         pam_dial_auth.so.1 debug
#login  auth sufficient         /usr/lib/security/pam_winbind.so.1 debug try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth required           pam_winbind.so
rlogin  auth sufficient         pam_rhosts_auth.so.1 debug
rlogin  auth requisite          pam_authtok_get.so.1 debug
rlogin  auth sufficient         pam_dhkeys.so.1 debug
rlogin  auth sufficient         pam_unix_auth.so.1 debug
#rlogin auth sufficient         /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1 debug
rsh     auth required           pam_unix_auth.so.1 debug
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1 debug
ppp     auth required           pam_dhkeys.so.1 debug
ppp     auth required           pam_unix_auth.so.1 debug
ppp     auth required           pam_dial_auth.so.1 debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth sufficient         pam_winbind.so
other   auth requisite          pam_authtok_get.so.1 debug
other   auth sufficient         pam_dhkeys.so.1 debug
other   auth sufficient         pam_unix_auth.so.1 debug
#other  auth sufficient         /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1 debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1 debug
cron    account required        pam_unix_account.so.1 debug
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account sufficient      pam_winbind.so
other   account requisite       pam_roles.so.1 debug
other   account sufficient      pam_projects.so.1 debug
other   account sufficient      pam_unix_account.so.1 debug
#other  account sufficient      /usr/lib/security/pam_winbind.so.1 debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_mkhomedir.so skel=/etc/skel umask=0022
other   session required        pam_unix_session.so.1 debug
other   session sufficient      /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#other  session required        pam_mkhomedir.so.1 debug skel=/etc/skel umask=0022
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1 debug
other   password requisite      pam_authtok_get.so.1 debug
other   password requisite      pam_authtok_check.so.1 debug
other   password required       pam_authtok_store.so.1 debug
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional           pam_krb5.so.1 try_first_pass
#login  auth optional           pam_krb5.so.1 try_first_pass
#other  auth optional           pam_krb5.so.1 try_first_pass
#cron   account optional        pam_krb5.so.1
#other  account optional        pam_krb5.so.1
#other  session optional        pam_krb5.so.1
#other  password optional       pam_krb5.so.1 try_first_pass

Also this is what Andy from the BBC told me to do -

Hi Sapan,

I've also got winbind authentication working with my Solaris 9. Just looked through the truss output from your su command and noticed that your library search path seems to be /usr/local/lib:/usr/lib. Now I can't think that should cause a problem, but it is the only difference I can see between my system and yours. Can you try setting the search path as follows and see if that helps:

crle -C /var/ld/ld.config -l /usr/lib:/usr/local/lib

Also, can you confirm you have all of the following files present?

/usr/lib/security/pam_winbind.c
/usr/lib/security/pam_winbind.h
/usr/lib/security/pam_winbind.po
/usr/lib/security/pam_winbind.so
/usr/lib/libnss_winbind.so
/usr/lib/libnss_winbind.so.1
/usr/lib/libnss_winbind.so.2
/usr/lib/nss_winbind.so.1
/usr/lib/nss_winbind.so.2

cheers
Andy.

-----Original Message-----
From: DorofeevMS@tmn.transneft.ru [mailto:DorofeevMS@tmn.transneft.ru]
Sent: 05 February 2004 04:12
To: samba@lists.samba.org
Subject: [Samba] idmap uid range 10000-20000: pam_winbind does NOT work ?

Hi all!

Again, unexpected behaviour! When I set in smb.conf

idmap uid = 10000-20000
idmap gid = 10000-20000

I CAN change and SEE domain users and groups as I change the owner of a file on Unix:

chown domain+user ./test.txt
chgrp domain+group ./test.txt
ls -l /tmp
-rw-r--r--   1 user     group          0 Feb  4 20:25 test.txt   <- I SEE DOMAIN USER AND GROUP

BUT I'm NOT able to telnet or ftp to my Unix server!!!

Otherwise, when I set

idmap uid = 1000-2000
idmap gid = 1000-2000

I CAN telnet or FTP to my Unix server using domain accounts, but if I chown or chgrp I DO NOT see domain users and groups...

In debug.log I see:

......................
Feb  5 08:42:30 as08-tmn smbd[20403]: [ID 702911 daemon.warning] [2004/02/05 08:42:30, 1] smbd/service.c:make_connection_snum(705)
Feb  5 08:42:30 as08-tmn smbd[20403]: [ID 702911 daemon.warning]   wxpdorofeevms (10.81.1.254) connect to service tmp initially as user TMN+dorofeevms (uid=10000, gid=10000) (pid 20403)
Feb  5 08:42:31 as08-tmn named[144]: [ID 873579 daemon.debug] clientmgr @18d098: createclients
Feb  5 08:42:31 as08-tmn named[144]: [ID 873579 daemon.debug] clientmgr @18d098: recycle
Feb  5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.info] [2004/02/05 08:42:37, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(232)
Feb  5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.info]   [20407]: request interface version
Feb  5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.info] [2004/02/05 08:42:37, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(268)
Feb  5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.info]   [20407]: request location of privileged pipe
Feb  5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.debug] [2004/02/05 08:42:37, 5] nsswitch/winbindd.c:winbind_client_read(464)
Feb  5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.debug]   read failed on sock 22, pid 20407: EOF
Feb  5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.info] [2004/02/05 08:42:37, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(339)
Feb  5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.info]   [20407]: getgrgid 10000
Feb  5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.debug] [2004/02/05 08:42:37, 5] nsswitch/winbindd.c:winbind_client_read(464)
Feb  5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.debug]   read failed on sock 23, pid 20407: EOF
......................

What might be the problem ?

Sincerely yours,
Mike