Samuel Partida
2006-Jul-25 11:02 UTC
[Samba] Strange problem - Samba 3.0.23 on Solaris 9 Sparc
Hi,

we have deployed successfully Linux clients to an Active Directory domain with Samba 3.0.23. We had no problem with the ads authentication, winbind, kerberos, and id resolutions. Later we did the same on a test Solaris 9 x86 server, with a successful result again.

Our problem begins with a production Solaris 9 Sparc server: everything runs successfully, but there is just one user on the Active Directory that when we change some group membership, the changes are not reflected on the Solaris 9 server (verifying with groups command)... it is very strange because for other users it is working perfectly.

We thought that the winbind cache was implicated so we deleted the files and ran the daemon in no-caching mode, without success....

Does someone have any clue?

Thanks!

P.S.: Attached are the config files.

--
---
Samuel Partida Amores
ISOTROL. Área de Seguridad.
samuel.partida@isotrol.com
Tfno. 955 036 836
---
-------------- next part --------------
[libdefaults]
        default_realm = SEGURIDAD.RED.ISOTROL.COM

[realms]
        SEGURIDAD.RED.ISOTROL.COM = {
                kdc = 192.168.101.138:88
        }
-------------- next part --------------
#
#ident "@(#)pam.conf 1.20 02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth sufficient         pam_dhkeys.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth sufficient         pam_dial_auth.so.1
login   auth sufficient         /usr/lib/security/pam_winbind.so.1 debug try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth sufficient         pam_dhkeys.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth sufficient         /usr/lib/security/pam_winbind.so.1 debug try_first_pass
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth sufficient         pam_unix_auth.so.1
rsh     auth sufficient         /usr/lib/security/pam_winbind.so.1 debug try_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
#
other   auth requisite          pam_authtok_get.so.1
other   auth sufficient         pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth sufficient         /usr/lib/security/pam_winbind.so.1 debug try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account sufficient      pam_projects.so.1
other   account sufficient      pam_unix_account.so.1
other   account sufficient      /usr/lib/security/pam_winbind.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session sufficient      pam_unix_session.so.1
other   session sufficient      /usr/lib/security/pam_winbind.so
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional           pam_krb5.so.1 try_first_pass
#login  auth optional           pam_krb5.so.1 try_first_pass
#other  auth optional           pam_krb5.so.1 try_first_pass
#cron   account optional        pam_krb5.so.1
#other  account optional        pam_krb5.so.1
#other  session optional        pam_krb5.so.1
#other  password optional       pam_krb5.so.1 try_first_pass
-------------- next part --------------
[global]
        workgroup = SEGURIDAD
        log file = /var/log/samba/log.%m
        max log size = 1000
        security = ads
        password server = 192.168.101.138
        realm = SEGURIDAD.RED.ISOTROL.COM
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind nss info = template sfu
        winbind separator = '\'
        template shell = /bin/bash
        template homedir = /export/home/%U
        idmap backend = rid:SEGURIDAD=10000-20000
        allow trusted domains = no
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        restrict anonymous = no
        domain master = no
        preferred master = no
        server signing = Auto

[Temporal]
        case sensitive = no
        msdfs proxy = no
        path = /tmp

[LiveState]
        case sensitive = no
        guest ok = yes
        msdfs proxy = no
        read only = no
        hosts allow = 192.168.101.138
        path = /LiveState
-------------- next part --------------
#
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

passwd:     files winbind
group:      files winbind
hosts:      files
ipnodes:    files
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
sendmailvars: files
printers:   user files
auth_attr:  files
prof_attr:  files
project:    files
Gerald (Jerry) Carter
2006-Jul-26 11:39 UTC
[Samba] Strange problem - Samba 3.0.23 on Solaris 9 Sparc
Samuel Partida wrote:

> Our problem begins with a production Solaris 9 Sparc
> server, everything runs successfully, but there is just one
> user on the Active Directory that when we change some
> group membership, the changes are not reflected on the
> Solaris 9 server (verifying with groups command)... it is
> very strange because for other users it is working perfectly.

new group membership is guaranteed to be available when a user logs in. When you say you are using the 'groups' command to verify membership, is the user actually logging in? And 'su - $User' doesn't count here.

cheers, jerry
=====================================================================
Samba    ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian