I'm trying to get a FreeBSD 5.4 server to join a NT4 domain as a member domain server using winbindd. I've compiled Samba with WinBIND support, ACL Support, Syslog support, UTMP support, SMB PAM module, and with installed POPT library.

I've reviewed Chapter 20 of TOSHARG and implemented a good portion of it into our smb.conf file but am having trouble making the 'getent' command work. Running Samba 3.0.20.1. The 'getent' command is found in /usr/compat/linux/usr/bin/.

I can join the domain fine and execute 'wbinfo -u' with the expected domain user listing as well as with the 'wbinfo -g' command. However, when I attempt to execute 'getent passwd' it shows only the local user accounts. Executing 'getent group' also produces only the local groups.

It seems the getent command that comes with the linux_base port on FreeBSD 5.4 may or may not be working. I am unable to verify it though. Doing a 'tdbdump winbind_cache.tdb' reveals that the users are being enumerated but without a corresponding *nix user id. I don't know if the tdbsam is supposed to reveal such information. TOSHARG states that for getent to work, the nsswitch.conf must be properly configured.

Mine is as follows:

# /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
hosts: files winbind wins dns
networks: files
shells: files

NSSwitch depends on PAM modules for authentication so here's my login file:

#
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
#
# PAM configuration for the "login" service
#

# auth
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth include system

# account
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
account include system

# session
session required pam_stack.so service=system-auth
session include system

# password
password required pam_stack.so service=system-auth
password include system

# smb.conf
[global]
workgroup = DSP
server string = Samba Server
security = DOMAIN
passdb backend = tdbsam
log file = /var/log/samba/log.%m
max log size = 50
os level = 33
local master = No
dns proxy = No
wins server = 192.168.1.1
idmap uid = 15000-20000
idmap gid = 15000-20000
template homedir = /usr/home/%D/%U
template shell = /bin/bash
winbind separator = +
hosts allow = 192.168.1., 192.168.2., 127.

[homes]
comment = Home Directories
read only = No
browseable = No

[MacData]
comment = Production Data
path = /data
valid users = @DSP+PRODUCTION
read only = No
create mask = 0765

The odd thing is, there's no /etc/pam.d/samba file even though I specified that the PAM samba module be installed. Is my PAM whacked?

Also, I am unsure if I need to map users to NT accounts using a text file similar to /etc/smb/smbusers or some file similar to that? When I execute 'pw groupshow DSP+PRODUCTION', the log.smbd shows this:

[2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_tdbopen(195)
  Unable to open/create TDB passwd
[2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(488)
  pdb_getsampwrid: Unable to open TDB rid database!

log.wb-DSP shows this:

[2005/09/15 16:17:24, 0] rpc_client/cli_pipe.c:cli_rpc_open_noauth(1700)
  rpc_pipe_bind failed

I'm a newb so would appreciate any advice!

~Doug
On Thursday 15 September 2005 17:44, Doug Sampson wrote:
...
> # /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> hosts: files winbind wins dns

Change to:

hosts: files dns wins

> networks: files
> shells: files
>
...
> # smb.conf
> [global]
> workgroup = DSP
> server string = Samba Server
> security = DOMAIN
> passdb backend = tdbsam

Remove the "passdb backend = tdbsam" parameter - this is a domain member and will obtain SAM information using MS RPC via winbind.

> log file = /var/log/samba/log.%m
> max log size = 50
> os level = 33
> local master = No
> dns proxy = No
> wins server = 192.168.1.1
> idmap uid = 15000-20000
> idmap gid = 15000-20000
> template homedir = /usr/home/%D/%U
> template shell = /bin/bash
> winbind separator = +
> hosts allow = 192.168.1., 192.168.2., 127.
>
> [homes]
> comment = Home Directories
> read only = No
> browseable = No
>
> [MacData]
> comment = Production Data
> path = /data
> valid users = @DSP+PRODUCTION
> read only = No
> create mask = 0765
>
>
> The odd thing is- there's no /etc/pam.d/samba file even though I specified
> that the PAM samba module be installed. Is my PAM whacked?

You need PAM only to log into your BSD system using a Windows account - if that is what you want to do.

> Also, I am unsure if I need to map users to NT account using a text file

You do not need to map NT accounts to UNIX local accounts. That is all handled by winbind.

> similar to /etc/smb/smbusers or some file similar to that? When I execute
> 'pw groupshow DSP+PRODUCTION', the log.smbd shows this:
> [2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_tdbopen(195)
> Unable to open/create TDB passwd
> [2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(488)
> pdb_getsampwrid: Unable to open TDB rid database!

This will go away when you get rid of "passdb backend = tdbsam".

- John T.
--
John H Terpstra, CTO
PrimaStasys Inc.
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
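As an added illustration of the two fixes John recommends (this checker is not part of the thread, of Samba, or of FreeBSD): a small Python script that parses an smb.conf and an nsswitch.conf and flags a domain member that still carries "passdb backend", lacks an idmap range, or lists winbind in the wrong nsswitch databases. The sample configs are constructed from the ones Doug posted; the rule that winbind is not a hosts source follows John's "files dns wins" advice.

```python
import re
# Constructed sample input: the [global] settings Doug posted, before John's fixes
SMB_CONF = """[global]
security = DOMAIN
passdb backend = tdbsam
idmap uid = 15000-20000
idmap gid = 15000-20000
"""
NSSWITCH = """passwd: compat winbind
group: compat winbind
hosts: files winbind wins dns
"""

def parse_smb_conf(text):
    # Minimal smb.conf reader: {section: {key: value}}; keys lower-cased, spaces collapsed
    sections, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            sections[cur] = {}
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            sections[cur][" ".join(key.split()).lower()] = val.strip()
    return sections

def parse_nsswitch(text):
    # nsswitch.conf reader: {database: [sources...]}; '#' comments stripped
    dbs = {}
    for line in (raw.split("#", 1)[0] for raw in text.splitlines()):
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs

def check_member(smb_text, nss_text):
    # Return findings for a Samba domain-member host; an empty list means the checks pass
    g = parse_smb_conf(smb_text).get("global", {})
    nss = parse_nsswitch(nss_text)
    findings = []
    if g.get("security", "").lower() == "domain" and "passdb backend" in g:
        findings.append("smb.conf: drop 'passdb backend' on a domain member; SAM data comes via winbind")
    findings += [f"smb.conf: '{k}' range missing or malformed; winbind cannot allocate ids"
                 for k in ("idmap uid", "idmap gid") if not re.fullmatch(r"\d+\s*-\s*\d+", g.get(k, ""))]
    findings += [f"nsswitch.conf: '{db}' lacks winbind; id/getent will show local accounts only"
                 for db in ("passwd", "group") if "winbind" not in nss.get(db, [])]
    if "winbind" in nss.get("hosts", []):
        findings.append("nsswitch.conf: 'hosts' should be 'files dns wins'; winbind is not a hosts source")
    return findings
```

Run check_member() on the real /etc/nsswitch.conf and smb.conf contents after editing them; an empty list means the member host passes these checks.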
> I'm trying to get a FreeBSD 5.4 server to join a NT4 domain as a member
> domain server using winbindd. I've compiled Samba with WinBIND support, ACL
> Support, Syslog support, UTMP support, SMB PAM module, and with installed
> POPT library.
>
> I've reviewed Chapter 20 of TOSHARG and implemented a good portion of it
> into our smb.conf file but am having trouble making the 'getent' command
> work. Running Samba 3.0.20.1. The 'getent' command is found in
> /usr/compat/linux/usr/bin/.

getent is a Linux thing; on FreeBSD you'd better use "id", for instance:

$ id ilia

> I can join the domain fine and execute 'wbinfo -u' with the expected domain
> user listing as well as with the 'wbinfo -g' command. However when I attempt
> to execute 'getent passwd' it shows only the local user accounts. Executing
> 'getent group' also produces only the local groups.
>
> It seems the getent command that comes with the linux_base port on FreeBSD
> 5.4 may or may not be working. I am unable to verify it though. Doing a
> 'tdbdump winbind_cache.tdb' reveals that the users are being enumerated but
> without a corresponding *nix user id. I don't know if the tdbsam is supposed
> to reveal such information. TOSHARG states that for getent to work, the
> nsswitch.conf must be properly configured.
>
> Mine is as follows:
>
> # /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> hosts: files winbind wins dns
> networks: files
> shells: files
>
>
> NSSwitch depends on PAM modules for authentications so here's my login file:
>
> #
> # $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
> #
> # PAM configuration for the "login" service
> #
>
> # auth
> auth sufficient pam_winbind.so
> auth sufficient pam_unix.so use_first_pass
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so no_warn
> auth sufficient pam_self.so no_warn
> auth include system
>
> # account
> account sufficient pam_winbind.so
> account required pam_stack.so service=system-auth
> account include system
>
> # session
> session required pam_stack.so service=system-auth
> session include system
>
> # password
> password required pam_stack.so service=system-auth
> password include system
>
>
> # smb.conf
> [global]
> workgroup = DSP
> server string = Samba Server
> security = DOMAIN
> passdb backend = tdbsam
> log file = /var/log/samba/log.%m
> max log size = 50
> os level = 33
> local master = No
> dns proxy = No
> wins server = 192.168.1.1
> idmap uid = 15000-20000
> idmap gid = 15000-20000
> template homedir = /usr/home/%D/%U
> template shell = /bin/bash
> winbind separator = +
> hosts allow = 192.168.1., 192.168.2., 127.
>
> [homes]
> comment = Home Directories
> read only = No
> browseable = No
>
> [MacData]
> comment = Production Data
> path = /data
> valid users = @DSP+PRODUCTION
> read only = No
> create mask = 0765
>
>
> The odd thing is- there's no /etc/pam.d/samba file even though I specified
> that the PAM samba module be installed. Is my PAM whacked?
>
> Also, I am unsure if I need to map users to NT account using a text file
> similar to /etc/smb/smbusers or some file similar to that? When I execute
> 'pw groupshow DSP+PRODUCTION', the log.smbd shows this:
> [2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_tdbopen(195)
> Unable to open/create TDB passwd
> [2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(488)
> pdb_getsampwrid: Unable to open TDB rid database!
>
> log.wb-DSP shows this:
> [2005/09/15 16:17:24, 0] rpc_client/cli_pipe.c:cli_rpc_open_noauth(1700)
> rpc_pipe_bind failed
>
> I'm a newb so would appreciate any advice!
>
> ~Doug
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
>