Mike
2006-Mar-02 06:38 UTC
[Samba] Solaris winbind with password aging (workaround inside)
A few days back, I asked whether it was possible to have winbind co-exist with password aging on a Solaris system. Seems like there is no easy way around this. After a few more days of frantic poking and truss-ing around, I found a crude but seemingly workable workaround.

It seems that the library /usr/lib/passwdutil.so.1 is the one responsible for checking that the passwd entry in /etc/nsswitch.conf has the "allowed" values like files, nis, nisplus and ldap. Both passwd and telnet/rlogin will eventually call passwdutil.so.1 indirectly.

The crude hack, which relies on the lucky coincidence that the words "nisplus" and "winbind" both have 7 characters, is to use a hex editor to replace a couple of the "nisplus" strings inside the passwdutil.so.1 binary file with "winbind". After that, I did some testing with telnet, rlogin, ftp, passwd, password expiring as well as winbind; all seem to work ok. At this point, nsswitch.conf has "files winbind" for both passwd and group. YMMV.

L8r,
Mike

----- Forwarded message from Mike <mseow@singnet.com.sg> -----

Date: Mon, 27 Feb 2006 17:16:40 +0800 (SGT)
From: Mike <mseow@singnet.com.sg>
Reply-To: mseow@singnet.com.sg
Subject: Solaris nsswitch.conf with winbind
To: samba@lists.samba.org

Hi,

I have the exact same problem (described in the archived mail below) but couldn't find any solution in the archives or on Google. So far, I have tried renaming one of the "allowed" libraries like ldap and then creating a symlink named nss_ldap.so.1 to point to nss_winbind.so.1, and also tried renaming in different versions of the /etc/nsswitch.conf file before and after starting winbindd, but none of these work. Can any Solaris admin who also uses Winbind with password aging let me know of any workarounds for this problem?
thanks,
Mike

(the exact problem is described below)

=======================================================
From David.Legge at dier.tas.gov.au Sun Jan 4 23:49:02 2004
From: David.Legge at dier.tas.gov.au (David Legge)
Date: Sun Jan 4 23:49:26 2004
Subject: [Samba] Problem with winbind and nsswitch.conf on Solaris 8 server
Message-ID: <2E2D9E4E474FD14C9F9A76B3A2EF61B7048917@MURR-MAIL.core.agency>

Hello,

I'm having some problems using winbind on Samba 3.0.1 with /etc/nsswitch.conf on a Solaris 8 server. The Solaris 8 release is 10/00.

The basic problem that I have is that there are restrictions on what nsswitch.conf can contain if password ageing is used.

My setup is that users connecting to shares on the Solaris samba server are authenticated against accounts on a Windows Active Directory Domain. (That is, smb.conf is configured to use "security = ADS".) I am using winbind on the Solaris samba server to enumerate Active Directory Domain users and groups as standard unix groups and users.

I have installed the winbind libraries thus:

    cp libnss_winbind.so /lib
    ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1
    ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1
    ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2

I have also edited /etc/nsswitch.conf from using

    passwd: files
    group: files

to

    passwd: files winbind
    group: files winbind

The problem that I have is that there are restrictions on what nsswitch.conf can contain if password ageing is used.
This is indicated in the Solaris 8 man page for nsswitch.conf(4), which says:

    Interaction with Password Aging
        When password aging is turned on, only a limited set of possible
        name services are permitted for the passwd: database in the
        /etc/nsswitch.conf file:

            passwd: files
            passwd: files nis
            passwd: files nisplus
            passwd: files ldap
            passwd: compat
            passwd_compat: nisplus
            passwd_compat: ldap

        Any other settings will cause the passwd(1) command to fail when
        it attempts to change the password after expiration and will
        prevent the user from logging in. These are the only permitted
        settings when password aging has been turned on. Otherwise, you
        can work around incorrect passwd: lines by using the -r repository
        argument to the passwd(1) command and using passwd -r repository
        to override the nsswitch.conf settings and specify in which name
        service you want to modify your password.

So, using winbind like this forces me to use `passwd -r files` to do operations using the passwd command. If I don't use the "-r" switch on the passwd command, an error is produced due to the presence of winbind in the nsswitch.conf file. The error is

    passwd: Unsupported nsswitch entry for "passwd:". Use "-r repository".

We have some applications that will break because of this, and we have to use password ageing because of our security policy.

Is there any way of overcoming this limitation with nsswitch.conf and winbind on Solaris 8?

Thanks,
David Legge

David Legge Ph.D.
Corporate Applications Server Support Officer
Information Management Branch
Department of Infrastructure, Energy and Resources
10 Murray Street, Hobart
GPO Box 936, Hobart, 7001
Tasmania, Australia
Telephone: (03) 62337148
Facsimile: (03) 62332573
==============================================
----- End forwarded message -----
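The hex-edit Mike describes at the top of the thread (swapping "nisplus" for "winbind" inside passwdutil.so.1) works only because the two strings are the same length, so no byte offset in the library moves. The script below is an added example, not code from the thread or from Samba or Sun; it does that same-length substitution programmatically with the checks a practitioner would want before touching a system library: it refuses any replacement that would change the file size, by default only rewrites occurrences that are complete NUL-terminated C strings (my assumption about how the strings are stored; Mike only says he changed "a couple" of them and does not say which), keeps a `.orig` backup, swaps the file in with an atomic rename, and returns the SHA-256 of both versions so the change can be recorded and rolled back. The SAMPLE string table is constructed for the example and is not from the real library.

```python
#!/usr/bin/env python3
"""Same-length string patch for a binary (added example, not from the thread).

Assumptions, mine rather than the poster's: the strings to swap are stored
as ordinary NUL-terminated C strings, and the only safe edit is one that
keeps every byte offset unchanged, which is why OLD and NEW must be the
same length.
"""
import hashlib
import shutil
from pathlib import Path

OLD = b"nisplus"   # 7 bytes
NEW = b"winbind"   # 7 bytes: the "lucky coincidence" the workaround relies on


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset of `needle` in `data`, including hits inside longer strings."""
    hits, i = [], data.find(needle)
    while i >= 0:
        hits.append(i)
        i = data.find(needle, i + 1)
    return hits


def find_c_strings(data: bytes, needle: bytes) -> list:
    """Offsets where `needle` is a complete C string: preceded by NUL (or the
    start of the file) and followed by NUL. A "nisplus" embedded in a longer
    string such as "passwd_compat: nisplus" is not returned."""
    n = len(needle)
    return [i for i in find_all(data, needle)
            if (i == 0 or data[i - 1] == 0)
            and i + n < len(data) and data[i + n] == 0]


def patch_bytes(data: bytes, old: bytes, new: bytes, whole_string_only: bool = True):
    """Return (patched_bytes, offsets_changed). Refuses a size-changing edit."""
    if len(old) != len(new):
        raise ValueError("replacement must keep length: %r is %d bytes, %r is %d"
                         % (old, len(old), new, len(new)))
    offsets = find_c_strings(data, old) if whole_string_only else find_all(data, old)
    buf = bytearray(data)
    for off in offsets:
        buf[off:off + len(old)] = new
    assert len(buf) == len(data)           # layout untouched: nothing to relocate
    return bytes(buf), offsets


def patch_file(path: str, old: bytes = OLD, new: bytes = NEW,
               whole_string_only: bool = True) -> dict:
    """Patch `path` in place via backup + atomic rename. Returns the offsets
    changed and the SHA-256 of both versions for the change record."""
    p = Path(path)
    original = p.read_bytes()
    patched, offsets = patch_bytes(original, old, new, whole_string_only)
    if not offsets:
        raise LookupError("%r not found as a string in %s" % (old, p))
    backup = p.with_name(p.name + ".orig")
    if backup.exists():
        raise FileExistsError("refusing to overwrite existing backup %s" % backup)
    shutil.copy2(p, backup)                # untouched library kept for rollback
    tmp = p.with_name(p.name + ".patched")
    tmp.write_bytes(patched)
    shutil.copymode(p, tmp)
    tmp.replace(p)                         # rename(2): processes see old or new, never a torn file
    return {
        "offsets": offsets,
        "sha256_before": hashlib.sha256(original).hexdigest(),
        "sha256_after": hashlib.sha256(patched).hexdigest(),
        "backup": str(backup),
    }


# Constructed sample: a string-table fragment shaped like the one the
# workaround edits (not bytes from the real passwdutil.so.1). The third
# "nisplus" sits inside a longer string and is left alone in whole-string mode.
SAMPLE = (b"\x00files\x00nis\x00nisplus\x00ldap\x00compat\x00"
          b"nisplus\x00passwd_compat: nisplus\x00")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:                 # e.g. ./patch.py /usr/lib/passwdutil.so.1
        print(patch_file(sys.argv[1]))
    else:
        patched, offsets = patch_bytes(SAMPLE, OLD, NEW)
        print("patched offsets:", offsets)
        print(patched)
```

Run it first against a copy of the library and compare `find_all` with `find_c_strings` to see exactly which occurrences would change. Because this is a modification of a vendor system library, the `sha256_after` value belongs in the file-integrity baseline and the change record: an OS patch that replaces passwdutil.so.1 silently undoes the edit, and the next expired password will again produce the "Unsupported nsswitch entry" error quoted above.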