Dear All,

I came across a really strange behaviour when using winbind on Solaris 8. Normally "nscd" should be turned off because it's causing problems in the username resolution etc. When I turn it off I can log in, e.g. using ssh, as an AD user, but when I start a command like "ls" it gets put in the background immediately? When "nscd" is turned on and I log in again I can issue commands with no problems, but doing an ls -alrt on a directory gets stuck if a file is owned by a user that is not an AD user.

My /etc/nsswitch.conf:

    #
    # /etc/nsswitch.dns:
    #
    # An example file that could be copied over to /etc/nsswitch.conf; it uses
    # DNS for hosts lookups, otherwise it does not use any other naming service.
    #
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

    passwd: files [NOTFOUND=CONTINUE] winbind [NOTFOUND=return]
    group: files [NOTFOUND=CONTINUE] winbind [NOTFOUND=return]

    # You must also set up the /etc/resolv.conf file for DNS name
    # server lookup. See resolv.conf(4).
    hosts: files dns
    ipnodes: files
    # Uncomment the following line and comment out the above to resolve
    # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
    # IPv4 addresses are searched in all of the ipnodes databases before
    # searching the hosts databases. Before turning this option on, consult
    # the Network Administration Guide for more details on using IPv6.
    #ipnodes: files dns

    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    # At present there isn't a 'files' backend for netgroup; the system will
    # figure it out pretty quickly, and won't use netgroups at all.
    netgroup: files
    automount: files
    aliases: files
    services: files
    sendmailvars: files
    printers: user files

    auth_attr: files
    prof_attr: files
    project: files
Can you get the ls to work with numeric uids? And, I noticed that you don't have any entries for shadow... you're not using shadow passwords, right?
Forgot to mention that the nss_winbind links are there:

    bash-2.03# ls -alrt /usr/lib/nss_w*
    lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
    lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so.1
    lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so -> /usr/lib/libnss_winbind.so.1

Changed the crle to only /usr/lib:/opt/csw/lib and disabled nscd at boot. After reboot I can no longer resolve usernames; wbinfo -t/-g/-u work fine. getent passwd and getent group are not showing AD users. When logging in as an AD user I can see the following in the /var/adm/messages logfile:

    Apr 28 13:20:09 rose8 sshd[516]: [ID 129890 auth.error] pam_winbind(sshd): request failed: No such user, PAM error was No account present for user (13), NT error was NT_STATUS_NO_SUCH_USER
    Apr 28 13:20:18 rose8 sshd[524]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user oweinmann from vb8860.vegagroup.net

On 4/28/08, Oliver Weinmann <oliver.weinmann@googlemail.com> wrote:
> I got:
>
> bash-2.03# ls -alrt /usr/lib/libnss_winbind.so*
> -rwxr-xr-x 1 root bin 74744 Apr 21 14:45 /usr/lib/libnss_winbind.so.1
> lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/libnss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
> lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/libnss_winbind.so -> /usr/lib/libnss_winbind.so.1
>
> so that's fine.
>
> I didn't have crle set up correctly since I have built against libraries from blastwave and they reside under /opt/csw/lib
>
> so I did:
>
> bash-2.03# crle -u -l /usr/lib:/usr/local/lib:/opt/csw/lib
> bash-2.03# crle
>
> Configuration file [version 4]: /var/ld/ld.config
>   Default Library Path (ELF): /usr/lib:/usr/local/lib:/opt/csw/lib
>   Trusted Directories (ELF): /usr/lib/secure (system default)
>
> Command line:
>   crle -c /var/ld/ld.config -l /usr/lib:/usr/local/lib:/opt/csw/lib
>
> and I did change my nsswitch.conf to reflect the shadow entry. Still not working without nscd. :( I had no problems under Linux at all but under Solaris I'm lost.
>
> On 4/28/08, Scott Lovenberg <scott.lovenberg@gmail.com> wrote:
> > Oliver Weinmann wrote:
> > > On 4/28/08, Scott Lovenberg <scott.lovenberg@gmail.com> wrote:
> > > > Can you get the ls to work with numeric uids? And, I noticed that you don't have any entries for shadow... you're not using shadow passwords, right?
> > >
> > > I have no entry in nsswitch.conf for shadow. I'm mainly using AD users so I didn't add an entry for shadow pw's. I turned off nscd now and logged in as an AD user. The problem is not only when running ls. It happens on many commands:
> > >
> > > e.g.
> > >
> > > bash-2.03$ ls -alrt
> > >
> > > [1]+ Stopped ls -alrt
> > > bash-2.03$ pwd
> > > /home/oweinmann
> > > bash-2.03$ grep home /etc/passwd
> > >
> > > [2]+ Stopped grep home /etc/passwd
> > > bash-2.03$
> > >
> > > the commands get put in the background immediately. I have no clue why? When I turn nscd back on this works fine:
> > >
> > > bash-2.03$ ls -alrt
> > > total 8
> > > -rw-r--r-- 1 oweinmann domain users 0 Apr 28 08:57 test1
> > > -rw-r--r-- 1 oweinmann domain users 0 Apr 28 08:57 test2
> > > -rw-r--r-- 1 oweinmann domain users 0 Apr 28 08:57 test3
> > > -rw-r--r-- 1 oweinmann domain users 0 Apr 28 08:57 test4
> > >
> > > but the command then hangs because it can't lookup the user of a file.
> >
> > And you've got proper library links and all?
> >
> > Chapter 24. Winbind: Use of Domain Accounts <http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id431926>
> > <quote>
> > The libraries needed to run the winbindd daemon through nsswitch need to be copied to their proper locations:
> > [...]
> >
> > And, in the case of Sun Solaris:
> >
> > root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1
> > root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1
> > root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2
> >
> > As root, edit /etc/nsswitch.conf to allow user and group entries to be visible from the winbindd daemon. My /etc/nsswitch.conf file looked like this after editing:
> >
> > passwd: files winbind
> > shadow: files
> > group: files winbind
> >
> > The libraries needed by the winbindd daemon will be automatically entered into the ldconfig cache the next time your system reboots, but it is faster (and you do not need to reboot) if you do it manually:
> >
> > The Sun Solaris dynamic link loader management tool is called crle. The use of this tool is necessary to instruct the dynamic link loader to search directories that contain library files that were not supplied as part of the original operating system platform. The following example shows how to use this tool to add the directory /usr/local/lib to the dynamic link loader's search path:
> >
> > root# crle -u -l /usr/lib:/usr/local/lib
> >
> > When executed without arguments, crle reports the current dynamic link loader configuration. This is demonstrated here:
> >
> > root# crle
> >
> > Configuration file [version 4]: /var/ld/ld.config
> >   Default Library Path (ELF): /lib:/usr/lib:/usr/local/lib
> >   Trusted Directories (ELF): /lib/secure:/usr/lib/secure (system default)
> >
> > Command line:
> >   crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/local/lib
> >
> > From this it is apparent that the /usr/local/lib directory is included in the search dynamic link libraries in order to satisfy object module dependencies.
> > </quote>
Gerald (Jerry) Carter
2008-Apr-28 12:58 UTC
[Samba] Strange behaviour of winbind on solaris 8
Oliver Weinmann wrote:
| forgot to mention that the nss_winbind links are there:
|
| bash-2.03# ls -alrt /usr/lib/nss_w*
| lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
| lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so.1
| lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so -> /usr/lib/libnss_winbind.so.1

Check the perms on /usr/lib/libnss_winbind.so.1. Sounds like it might be rwx for root only.

cheers, jerry
--
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
Just for fun I changed the perms of /usr/lib/libnss_winbind.so to 777

    bash-2.03# chmod 777 /usr/lib/libnss_winbind.so
    bash-2.03# ls -alrt /usr/lib/libnss_winbind.so
    -rwxrwxrwx 1 root other 74744 Apr 28 13:32 /usr/lib/libnss_winbind.so

nscd is turned off. I can log in as an AD user but I can't start any command. :(

    login as: oweinmann
    Using keyboard-interactive authentication.
    Password:
    Last login: Mon Apr 28 15:17:11 2008 from vb8860.vegagrou
    bash-2.03$ ls -alrt

    [1]+ Stopped ls -alrt
    bash-2.03$ id

    [2]+ Stopped id
    bash-2.03$ group

    [3]+ Stopped group
    bash-2.03$ echo "TEST"
    TEST
    bash-2.03$

Some commands are working and some others are put in background and the session closes after one or two minutes?

When I turn on nscd everything is fine, except ls -alrt not working.

On 4/28/08, Gerald (Jerry) Carter <jerry@samba.org> wrote:
> Check the perms on /usr/lib/libnss_winbind.so.1. Sounds
> like it might be rwx for root only.
Dietrich Streifert
2008-Apr-29 07:20 UTC
[Samba] Strange behaviour of winbind on solaris 8
Please try to login (or su) to the user oweinmann and then issue

    ldd -r /usr/lib/nss_winbind.so

For some reason I think that non-root users are not able to read one of the involved files.

This could be

    /etc/nsswitch.conf
    /usr/lib/nss_winbind.so

or some of the files found by the ldd -r command. The fact that you can issue commands while nscd is running points to this fact because nscd is running as root and has permissions to read all of those files.

/etc/nsswitch.conf should be readable by everyone.

I compiled samba myself with a full stack of openssl, iconv, heimdal kerberos, cyrus-sasl, openldap and samba. While people often speak of the Windows DLL hell this is the Solaris shared library hell :-( But it works.

Oliver Weinmann wrote:
> Hi,
>
> bash-2.03# ldd -r /usr/lib/nss_winbind.so
>         libthread.so.1 => /usr/lib/libthread.so.1
>         libsocket.so.1 => /usr/lib/libsocket.so.1
>         libdl.so.1 => /usr/lib/libdl.so.1
>         libc.so.1 => /usr/lib/libc.so.1
>         libnsl.so.1 => /usr/lib/libnsl.so.1
>         libmp.so.2 => /usr/lib/libmp.so.2
>         /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
>
> I changed the permissions and files exactly to be the same but I still can't issue commands... :(
>
> bash-2.03# ls -alrt /usr/lib/nss_winbind.so*
> -rwxr-xr-x 1 root other 74744 Apr 29 09:03 /usr/lib/nss_winbind.so.1
> lrwxrwxrwx 1 root other 25 Apr 29 09:04 /usr/lib/nss_winbind.so -> /usr/lib/nss_winbind.so.1
>
> Could this also be a problem of compiling? Have you compiled the samba yourself or are you using prebuilt packages?
>
> On 4/29/08, Dietrich Streifert <dietrich.streifert@visionet.de> wrote:
>
> which output gives ldd -r /usr/lib/nss_winbind.so ?
>
> I have the following naming and permission for nss_winbind:
>
> lrwxrwxrwx 1 root other 16 Jan 15 2004 nss_winbind.so -> nss_winbind.so.1
> -rwxr-xr-x 1 root other 44540 Apr 28 17:35 nss_winbind.so.1
>
> Please try with the exactly same naming and permissions of your files.
>
> Oliver Weinmann wrote:
>
> I will try to get hands on the latest patches for solaris 8 and see if that fixes the nscd problems. I can't believe that samba-winbind is not running 100% well on a Solaris 8 machine.

--
Kind regards
Dietrich Streifert
--
Visionet GmbH
Registered office: Am Weichselgarten 7, 91058 Erlangen
Register court: Commercial Register Fürth, HRB 6573
Managing director: Stefan Lindner
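The permission checks raised in the messages above (the "rwx for root only" suspicion, the -rwxr-xr-x reference listing, and the chmod 777 experiment) can be run in one pass. The script below is an added example, not part of any message in this thread; the function names are hypothetical. It goes slightly beyond the thread by also reporting group- or world-writable modules, since an NSS module is loaded into every process that does a passwd or group lookup, root's included.

```shell
#!/bin/sh
# Added example, not from the thread. Judges NSS module files by the mode
# string that ls prints, so it needs no stat(1) command.

# check_nss_module FILE -> prints one verdict line and returns
#   0 OK          readable by everyone, writable by owner only (-rwxr-xr-x)
#   1 UNREADABLE  no read bit for "other": non-root lookups cannot load it
#   2 WRITABLE    group- or world-writable: non-owners can replace code that
#                 every process doing a name lookup will load
#   3 MISSING     file absent, or a symlink whose target does not exist
check_nss_module() {
    f=$1
    # [ -f ] follows symlinks, so a dangling link is caught here
    if [ ! -f "$f" ]; then
        echo "MISSING    $f"
        return 3
    fi
    # -L reports the mode of the link target instead of lrwxrwxrwx
    mode=$(ls -ldL "$f" | awk '{print $1}')
    # mode string columns: 1 type, 2-4 owner, 5-7 group, 8-10 other
    grp_w=$(printf '%s' "$mode" | cut -c6)
    oth_r=$(printf '%s' "$mode" | cut -c8)
    oth_w=$(printf '%s' "$mode" | cut -c9)
    if [ "$grp_w" = "w" ] || [ "$oth_w" = "w" ]; then
        echo "WRITABLE   $mode $f"
        return 2
    fi
    if [ "$oth_r" != "r" ]; then
        echo "UNREADABLE $mode $f"
        return 1
    fi
    echo "OK         $mode $f"
    return 0
}

# audit_nss_dir DIR [NAME] -> checks DIR/nss_NAME.so* and DIR/libnss_NAME.so*
# (NAME defaults to winbind) and returns the highest code seen.
# Typical call on the system discussed here: audit_nss_dir /usr/lib
audit_nss_dir() {
    dir=$1
    name=${2:-winbind}
    worst=0
    for f in "$dir"/nss_"$name".so* "$dir"/libnss_"$name".so*; do
        # an unmatched glob stays literal; skip it unless it is a symlink
        [ -f "$f" ] || [ -h "$f" ] || continue
        rc=0
        check_nss_module "$f" || rc=$?
        if [ "$rc" -gt "$worst" ]; then
            worst=$rc
        fi
    done
    return "$worst"
}
```

Run it as the affected non-root user as well as root: the mode string is the same for both, but a parent directory that the user cannot traverse shows up as MISSING only for that user.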
Dietrich Streifert
2008-Apr-29 12:03 UTC
[Samba] Strange behaviour of winbind on solaris 8
I wonder why oweinmann is member of the group staff. Maybe there is an entry for oweinmann in /etc/passwd? So I'm running out of ideas :-( Mabye someone out there can take over. Good luck and report back what you have found. Oliver Weinmann schrieb:> I changed both groups and users to "no". Still no difference. Another > strange thing i came across. > > as user "oweinmann" > > $ id > uid=11611(oweinmann) gid=1613(domain users) > $ id -a oweinmann > uid=11611(oweinmann) gid=1613(domain users) groups=10(staff) > $ id -a > > why is the id -a oweinmann working as user "oweinmann" but not id -a???? > > > On 4/29/08, *Dietrich Streifert* <dietrich.streifert@visionet.de > <mailto:dietrich.streifert@visionet.de>> wrote: > > Please try to set combinations of > > winbind enum groups = No > > and test again. > > This could be the reason why getent groups never ends. This is > known to be a problem with big AD user/groups databases. > > Have a look at this and related paramters in <samba installation > path>/swat/help/manpages/smb.conf.5.html > > > > Oliver Weinmann schrieb: >> It's the latest stable. 
>> >> # smbd -V >> Version 3.0.28a >> >> [global] >> netbios name = rose8 >> realm = VEGAGROUP.NET <http://vegagroup.net/> >> workgroup = VEGA >> security = ADS >> encrypt passwords = yes >> password server = * >> os level = 20 >> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 >> idmap uid = 1100-200000 >> idmap gid = 1100-200000 >> idmap backend = rid:VEGA=1100-200000 >> allow trusted domains = no >> winbind enum users = yes >> winbind enum groups = yes >> template homedir = /home/%U >> template shell = /bin/sh >> preferred master = no >> winbind nested groups = Yes >> winbind use default domain = Yes >> #winbind separator = + >> #winbind normalize names = yes >> log level = 10 >> max log size = 50 >> log file = /var/log/samba/log.%m >> dns proxy = no >> wins server = 172.20.205.1 <http://172.20.205.1/> >> allow trusted domains = No >> client use spnego = Yes >> use kerberos keytab = true >> winbind offline logon = yes >> >> I really appreciate your big effort. Thanks! >> >> On 4/29/08, *Dietrich Streifert* <dietrich.streifert@visionet.de >> <mailto:dietrich.streifert@visionet.de>> wrote: >> >> Which samba version do you use? >> >> Please post the global configuration section of smb.conf. >> >> >> Oliver Weinmann schrieb: >>> Here could be a problem. I could not change our win 2k3 >>> schema. They were afraid it could break something... tsss. >>> So i had to use the idmap_rid module. Which does a good job >>> actually. It uses the last portion of the AD users SID and >>> adds it to a base set in smb.conf. 
I issued your commands: >>> >>> bash-2.03# getent passwd | grep oweinmann >>> oweinmann2:*:15042:1613:Oliver >>> Weinmann2:/home/oweinmann2:/bin/sh >>> oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh >>> oweinmann1:*:15041:1613:Oliver >>> Weinmann1:/home/oweinmann1:/bin/sh >>> bash-2.03# id -a oweinmann >>> uid=11611(oweinmann) gid=1613(domain users) groups=10(staff) >>> bash-2.03# su oweinmann >>> $ id >>> uid=11611(oweinmann) gid=1613(domain users) >>> $ id -a >>> >>> the "id -a" as user "oweinmann" seems to get stuck. It just >>> sits there. I noticed when issuing "groups oweinmann" as >>> root it also gets stuck. On some users the "groups" command >>> seems to be working on some other don't. >>> >>> >>> On 4/29/08, *Dietrich Streifert* >>> <dietrich.streifert@visionet.de >>> <mailto:dietrich.streifert@visionet.de>> wrote: >>> >>> We have several installations where we use the two >>> different AD schema extensions (SFU from Windows >>> Services for Unix and rfc2307bis from Windows Server >>> 2003R2) to put the needed information in. >>> >>> We are using the idmap_ad module to map the uid, gid, >>> home etc. information from the AD. >>> >>> The local users and the AD users are completely >>> separated. We do not mix up local users and AD users. >>> >>> The first basic test if the AD user information >>> retreival is working is to use the getent command: >>> >>> getent <someADUser> >>> >>> So for a test user account I get: >>> >>> korund{root}[/]: getent passwd testuser >>> testuser:*:1004:1000:Lastname, >>> Firstname:/home/testuser:/bin/tcsh >>> >>> If this works the first step is done. >>> >>> The second test is to get all related Information for >>> one user: >>> >>> korund{root}[/]: id -a testuser >>> uid=1004(testuser) gid=1000(visionet) >>> groups=1033(devjavalib) >>> >>> The third test is to su - testuser and again try to >>> issue both commands obove. 
If the retreived information >>> is the same you should all be done (except from pam.conf >>> which is another story). >>> >>> >>> >>> >>> >>> >>> Oliver Weinmann schrieb: >>>> Could the problem be that the AD users are not in any >>>> of the local groups on the machine? How do you manage >>>> your AD users to be members of local groups e.g. staff, >>>> sys etc.? pam_groups? >>>> >>>> On 4/29/08, *Oliver Weinmann* >>>> <oliver.weinmann@googlemail.com >>>> <mailto:oliver.weinmann@googlemail.com>> wrote: >>>> >>>> there is nothing in /etc/profile and the user >>>> oweinmann has no .bashrc. The problem seems to be >>>> related to nscd. When nscd is turned on i can login >>>> and issue commands and I don't get kicked out of >>>> the ssh login. There is no idle session timeout >>>> set. If there was I would get kicked out when nscd >>>> is turned on as well. Only when logged in as an AD >>>> user I get kicked out... >>>> >>>> >>>> On 4/29/08, *Dietrich Streifert* >>>> <dietrich.streifert@visionet.de >>>> <mailto:dietrich.streifert@visionet.de>> wrote: >>>> >>>> So there must be something in your bash init >>>> files, /etc/profile or ~/.bashrc (sorry I'm not >>>> a bash user) which causes the problem. >>>> >>>> Maybe something which forms the shell prompt >>>> like whoami etc. >>>> >>>> Maybe there is something like a autologout set >>>> for the csh or in sshd with idle session timeout. >>>> >>>> >>>> Oliver Weinmann schrieb: >>>>> Hi, >>>>> >>>>> no, there was nothing in /var/adm/messages, >>>>> but guess what with the csh ls -alrt and such >>>>> commands work fine... But i get kicked out of >>>>> the ssh session after 2 minutes... :( >>>>> >>>>> >>>>> On 4/29/08, *Dietrich Streifert* >>>>> <dietrich.streifert@visionet.de >>>>> <mailto:dietrich.streifert@visionet.de>> wrote: >>>>> >>>>> Are there any messages in >>>>> /var/adm/messages which are related to nss ? >>>>> >>>>> As I can see you are using bash as your shell. >>>>> >>>>> Try using csh. Does something change? 
>>>>> >>>>> Oliver Weinmann schrieb: >>>>>> su to user oweinmann works but when i >>>>>> ussie the ldd -r /usr/lib/nss_winbind.so >>>>>> command it gets put in the background.. >>>>>> :( i then do fg 2 and this is the output: >>>>>> >>>>>> bash-2.03$ ldd -r /usr/lib/nss_winbind.so >>>>>> >>>>>> [2]+ Stopped ldd -r >>>>>> /usr/lib/nss_winbind.so >>>>>> bash-2.03$ fg 2 >>>>>> ldd -r /usr/lib/nss_winbind.so >>>>>> libthread.so.1 => >>>>>> /usr/lib/libthread.so.1 >>>>>> libsocket.so.1 => >>>>>> /usr/lib/libsocket.so.1 >>>>>> libdl.so.1 => /usr/lib/libdl.so.1 >>>>>> libc.so.1 => /usr/lib/libc.so.1 >>>>>> libnsl.so.1 => /usr/lib/libnsl.so.1 >>>>>> libmp.so.2 => /usr/lib/libmp.so.2 >>>>>> >>>>>> /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1 >>>>>> >>>>>> bash-2.03$ ls -alrt /etc/nsswitch.conf >>>>>> >>>>>> [2]+ Stopped ls -alrt >>>>>> /etc/nsswitch.conf >>>>>> bash-2.03$ fg 2 >>>>>> ls -alrt /etc/nsswitch.conf >>>>>> -rw-r--r-- 1 root sys 1320 >>>>>> Apr 28 13:19 /etc/nsswitch.conf >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On 4/29/08, *Dietrich Streifert* >>>>>> <dietrich.streifert@visionet.de >>>>>> <mailto:dietrich.streifert@visionet.de>> >>>>>> wrote: >>>>>> >>>>>> Please try to login (or su) to the >>>>>> user oweinmann and issue then ldd -r >>>>>> /usr/lib/nss_winbind.so >>>>>> >>>>>> For some reason I think that non root >>>>>> users are not able to read one of the >>>>>> involved files. >>>>>> >>>>>> This could be >>>>>> >>>>>> /etc/nsswitch.conf >>>>>> /usr/lib/nss_winbind.so >>>>>> >>>>>> or some of the files found by the ldd >>>>>> -r command. The fact that you can >>>>>> issue commands while nscd is running >>>>>> points to this fact becaus nscd is >>>>>> running as root and has permissions >>>>>> to read all of those files. >>>>>> >>>>>> /etc/nsswitch.conf should be readable >>>>>> by everyone. >>>>>> >>>>>> I compiled samba myself with a full >>>>>> stack of openssl, iconv, heimdal >>>>>> kerberos, cyrus-sasl, openldap and >>>>>> samba. 
While people often speak of >>>>>> the Windows DLL hell this is the >>>>>> Solaris shared library hell :-( But >>>>>> it works. >>>>>> >>>>>> >>>>>> >>>>>> Oliver Weinmann schrieb: >>>>>>> Hi, >>>>>>> >>>>>>> bash-2.03# ldd -r >>>>>>> /usr/lib/nss_winbind.so >>>>>>> libthread.so.1 => >>>>>>> /usr/lib/libthread.so.1 >>>>>>> libsocket.so.1 => >>>>>>> /usr/lib/libsocket.so.1 >>>>>>> libdl.so.1 => >>>>>>> /usr/lib/libdl.so.1 >>>>>>> libc.so.1 => >>>>>>> /usr/lib/libc.so.1 >>>>>>> libnsl.so.1 => >>>>>>> /usr/lib/libnsl.so.1 >>>>>>> libmp.so.2 => >>>>>>> /usr/lib/libmp.so.2 >>>>>>> >>>>>>> /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1 >>>>>>> >>>>>>> I changed the permissions and files >>>>>>> exactly to be the same but i still >>>>>>> cant issue commands... :( >>>>>>> >>>>>>> bash-2.03# ls -alrt >>>>>>> /usr/lib/nss_winbind.so* >>>>>>> -rwxr-xr-x 1 root other >>>>>>> 74744 Apr 29 09:03 >>>>>>> /usr/lib/nss_winbind.so.1 >>>>>>> lrwxrwxrwx 1 root >>>>>>> other 25 Apr 29 09:04 >>>>>>> /usr/lib/nss_winbind.so -> >>>>>>> /usr/lib/nss_winbind.so.1 >>>>>>> >>>>>>> Could this also be a problem of a >>>>>>> compiling? Have you compiled the >>>>>>> samba yourself or are you using >>>>>>> prebuilt packages? >>>>>>> >>>>>>> On 4/29/08, *Dietrich Streifert* >>>>>>> <dietrich.streifert@visionet.de >>>>>>> <mailto:dietrich.streifert@visionet.de>> >>>>>>> wrote: >>>>>>> >>>>>>> which output gives ldd -r >>>>>>> /usr/lib/nss_winbind.so ? >>>>>>> >>>>>>> I have the following naming and >>>>>>> permission for nss_winbind: >>>>>>> >>>>>>> lrwxrwxrwx 1 root other >>>>>>> 16 Jan 15 2004 >>>>>>> nss_winbind.so -> nss_winbind.so.1 >>>>>>> -rwxr-xr-x 1 root other >>>>>>> 44540 Apr 28 17:35 >>>>>>> nss_winbind.so.1 >>>>>>> >>>>>>> Please try with the exactly same >>>>>>> naming and permissions of your >>>>>>> files. 
>>>>>>> >>>>>>> >>>>>>> >>>>>>> Oliver Weinmann schrieb: >>>>>>> >>>>>>> I will try to get hands on >>>>>>> the latest patches for >>>>>>> solaris 8 and see if that >>>>>>> fixes the nscd problems. I >>>>>>> can't believe that >>>>>>> samba-winbind is not running >>>>>>> 100% well on a Solaris 8 >>>>>>> machine. >>>>>>> >>>>>>> >>>>>>> On 4/28/08, Oliver Weinmann >>>>>>> <oliver.weinmann@googlemail.com >>>>>>> <mailto:oliver.weinmann@googlemail.com>> >>>>>>> wrote: >>>>>>> >>>>>>> >>>>>>> Just for fun i changed >>>>>>> the perms of >>>>>>> /usr/lib/libnss_winbind.so >>>>>>> to 777 >>>>>>> >>>>>>> bash-2.03# chmod 777 >>>>>>> /usr/lib/libnss_winbind.so >>>>>>> bash-2.03# ls -alrt >>>>>>> /usr/lib/libnss_winbind.so >>>>>>> -rwxrwxrwx 1 root >>>>>>> other 74744 Apr 28 >>>>>>> 13:32 >>>>>>> /usr/lib/libnss_winbind.so >>>>>>> >>>>>>> nscd is turned off. I >>>>>>> can login as an AD users >>>>>>> but I cant start any >>>>>>> command. :( >>>>>>> >>>>>>> >>>>>>> login as: oweinmann >>>>>>> Using >>>>>>> keyboard-interactive >>>>>>> authentication. >>>>>>> Password: >>>>>>> Last login: Mon Apr 28 >>>>>>> 15:17:11 2008 from >>>>>>> vb8860.vegagrou >>>>>>> bash-2.03$ ls -alrt >>>>>>> >>>>>>> [1]+ Stopped >>>>>>> ls -alrt >>>>>>> bash-2.03$ id >>>>>>> >>>>>>> [2]+ Stopped >>>>>>> id >>>>>>> bash-2.03$ group >>>>>>> >>>>>>> [3]+ Stopped >>>>>>> group >>>>>>> bash-2.03$ echo "TEST" >>>>>>> TEST >>>>>>> bash-2.03$ >>>>>>> Some commands are >>>>>>> working and some others >>>>>>> are put in background >>>>>>> and the >>>>>>> session closes after one >>>>>>> or two minutes? >>>>>>> >>>>>>> When I turn on nscd >>>>>>> everything is fine, >>>>>>> except ls -alrt not working. 
>>>>>>>
>>>>>>> On 4/28/08, Gerald (Jerry) Carter <jerry@samba.org> wrote:
>>>>>>>
>>>>>>> Oliver Weinmann wrote:
>>>>>>> | forgot to mention that the nss_winbind links are there:
>>>>>>> |
>>>>>>> | bash-2.03# ls -alrt /usr/lib/nss_w*
>>>>>>> | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
>>>>>>> | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so.1
>>>>>>> | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so -> /usr/lib/libnss_winbind.so.1
>>>>>>>
>>>>>>> Check the perms on /usr/lib/libnss_winbind.so.1. Sounds like it might be rwx for root only.
>>>>>>>
>>>>>>> cheers, jerry
>>>>>>> --
>>>>>>> ====================================================================
>>>>>>> Samba ------- http://www.samba.org
>>>>>>> Likewise Software --------- http://www.likewisesoftware.com
>>>>>>> "What man is a man who does not make the world better?"
>>>>>>> --Balian
>>>>>>>
>>>>>>> --
>>>>>>> Best regards
>>>>>>> Dietrich Streifert
>>>>>>> --
>>>>>>> Visionet GmbH
>>>>>>> Registered office: Am Weichselgarten 7, 91058 Erlangen
>>>>>>> Register court: Fürth Commercial Register, HRB 6573
>>>>>>> Managing Director: Stefan Lindner

--
Best regards
Dietrich Streifert
--
Visionet GmbH
Registered office: Am Weichselgarten 7, 91058 Erlangen
Register court: Fürth Commercial Register, HRB 6573
Managing Director: Stefan Lindner
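Added example, not part of the thread or of Samba: the manual checks discussed above (does the `nss_winbind.so` link resolve, can non-root processes load the module, and is it writable by others as after the `chmod 777` experiment) written as a POSIX shell function. The function names and verdict strings are assumptions of this example, and the demo runs on a constructed temporary directory rather than `/usr/lib`.

```shell
# Print a verdict for one NSS module path; non-zero status means a problem.
check_nss_module() {
    path=$1
    # [ -e ] follows symlinks, so a dangling nss_winbind.so link fails here.
    if [ ! -e "$path" ]; then
        echo "MISSING"; return 1
    fi
    # -L shows the link target's mode (a symlink itself usually lists rwxrwxrwx).
    mode=$(ls -ldL "$path" | awk '{print $1}')
    case $mode in
        ?????w*|????????w*)
            # Group- or world-writable, as after the chmod 777 experiment: any
            # local user could replace code loaded by every process doing lookups.
            echo "WRITABLE"; return 1 ;;
    esac
    case $mode in
        ???????r?x*) echo "OK"; return 0 ;;
        # e.g. rwx for root only: non-root processes cannot load the module.
        *) echo "UNREADABLE"; return 1 ;;
    esac
}

# Check both file names from the thread in directory $1.
# Returns the number of paths that have a problem.
audit_nss_winbind() {
    dir=$1; bad=0
    for name in nss_winbind.so.1 nss_winbind.so; do
        verdict=$(check_nss_module "$dir/$name") || bad=$((bad + 1))
        echo "$dir/$name: $verdict"
    done
    return "$bad"
}

# Constructed demo tree (not the real /usr/lib) using the layout from the reply.
demo=$(mktemp -d)
: > "$demo/nss_winbind.so.1"
chmod 755 "$demo/nss_winbind.so.1"
ln -s nss_winbind.so.1 "$demo/nss_winbind.so"
audit_nss_winbind "$demo" || true
chmod 777 "$demo/nss_winbind.so.1"
audit_nss_winbind "$demo" || true
rm -rf "$demo"
```

The mode 755 layout passes; mode 777 lets lookups work but is reported because the module would then be replaceable by any local account.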