I'm trying to set up a Solaris 10 Sparc station to authenticate users on
login with Windows ADS. I have found the documentation for this but am
having no luck in getting the pam modules to work. Here is what I have
done so far:
Compiling Kerberos MIT5-1.8.3:
cd into the src directory
./configure --prefix=/opt/local
gmake
gmake install
Compiling Samba 3.5.6:
setenv CFLAGS "-O2"
setenv LDFLAGS "-L/opt/local/lib -Wl,-R/opt/local/lib"
setenv CPPFLAGS "-I/opt/local/include"
./configure --prefix=/opt/local --with-pam --with-ads --with-winbind --with-krb5=/opt/local
gmake
gmake install
Compiles and installs with no errors. Here is my samba conf. file:
[global]
workgroup = DOMAINNAME
realm = DOMINNAME.EDU
security = ADS
password server = domainname.edu
log file = /var/samba/log/log.%m
max log size = 50
load printers = No
utmp = Yes
idmap backend = idmap_rid:DOMAINNAME=100000-500000
idmap uid = 100000-500000
idmap gid = 100000-500000
template homedir = /home/%U
template shell = /bin/tcsh
winbind cache time = 1800
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
winbind separator = /
create krb5 conf = No
Krb5.conf:
[libdefaults]
default_realm = DOMAINNAME.EDU
[realms]
DOMAINNAME.EDU = {
kdc = server.domainname.edu
}
[domain_realm]
.server.domainname.edu = DOMAINNAME.EDU
server.domainname.edu = DOMAINNAME.EDU
Then I was able to join okay:
# ./net ads join -U user
Enter user's password:
Using short domain name -- DOMAINNAME
Joined 'SUNTEST1' to realm 'DomainName.EDU'
# ./net ads testjoin
Join is OK
I can get info from the ADS from wbinfo command just fine. But I cannot get
anything via
getent passwd user_name or getent group group_name
I did copy the libnss_winbind.so from the samba build and have the
pam_winbind.so linked in as well:
# cd /usr/lib
# ls -l *winbind*
-r-xr-xr-x 1 root root 50880 Dec 20 13:07 libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 17 15:29 libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 17 15:30 libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.2 -> libnss_winbind.so
# cd /usr/lib/security/
# ls -l *winbind*
lrwxrwxrwx 1 root root 38 Dec 20 13:04 pam_winbind.so -> /opt/local/lib/security/pam_winbind.so
lrwxrwxrwx 1 root root 38 Dec 20 13:05 pam_winbind.so.1 -> /opt/local/lib/security/pam_winbind.so
My pam.conf:
login auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
other auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
other session sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
other session required pam_unix_session.so.1
What am I missing????
--
C. J. Keist Email: cj.keist at colostate.edu
Systems Group Manager Phone: 970-491-0630
Engineering Network Services Fax: 970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301
All I want is a chance to prove 'Money can't buy happiness'
Forgot to add, my nsswitch.conf file has the winbind option added to the
end of the passwd and group lines:
passwd: files winbind
group: files winbind
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
On Tue, Dec 21, 2010 at 10:35:58AM -0700, CJ Keist wrote:
> getent passwd user_name or getent group group_name

Try

wbinfo -i user_name

or

wbinfo -i domain\\user_name

That is a direct path without NSS intervention. This way you
can reduce the problem to either winbind proper or nss
problems.

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
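The layer-by-layer check suggested above, written out as an added example that is not part of the original thread: it walks from winbindd itself to the NSS path and reports the first layer that fails for one account. The function name `triage_lookup` and the verdict words are made up for this illustration; it assumes a POSIX shell with `wbinfo` and `getent` on the PATH.

```shell
#!/bin/sh
# Added example: report the first layer that fails for one account name.
# Verdicts: winbindd-down, trust-broken, winbind-lookup, nss-lookup,
# shadowed-by-local, ok.
triage_lookup() {
    user=$1

    # 1. Is winbindd answering at all?
    wbinfo -p >/dev/null 2>&1 || { echo winbindd-down; return 1; }

    # 2. Is the machine account secret created by "net ads join" still valid?
    wbinfo -t >/dev/null 2>&1 || { echo trust-broken; return 1; }

    # 3. Direct winbind path, no NSS involved. A failure here points at
    #    winbindd itself (for example its idmap backend), not nsswitch.conf.
    wb_line=$(wbinfo -i "$user" 2>/dev/null) || { echo winbind-lookup; return 1; }

    # 4. Same account through nsswitch.conf and the nss_winbind library.
    nss_line=$(getent passwd "$user" 2>/dev/null) || { echo nss-lookup; return 1; }

    # 5. With "passwd: files winbind" a local entry of the same name wins.
    #    Different UIDs mean logins would map to the local account instead.
    wb_uid=$(echo "$wb_line" | cut -d: -f3)
    nss_uid=$(echo "$nss_line" | cut -d: -f3)
    [ "$wb_uid" = "$nss_uid" ] || { echo shadowed-by-local; return 1; }

    echo ok
}

# Usage: sh triage.sh account_name
if [ $# -gt 0 ]; then
    triage_lookup "$1"
fi
```

A `winbind-lookup` verdict means the NSS and PAM configuration has not been exercised yet; `nss-lookup` means winbind answers and the remaining suspects are nsswitch.conf and the nss_winbind library links.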
Made some progress here. I saw from the log files that samba couldn't
find the /opt/local/lib/idmap/rid.so module. So I added
--with-shared-modules=idmap_rid to my configure options. That got the
rid.so to get installed and now the "getent passwd login" works! But
getent passwd by itself doesn't?? Could there be a limit on what the
getent will spit out? We have 30k+ accounts in our windows domain. But
I still cannot ssh into this server.
Well,
I did the smart thing and upgraded my Solaris box to Solaris 10 update
9. And now my winbind authentication has broken. I have checked all my
/usr/lib/*winbind* and /usr/lib/security/*winbind* libs and all are
still good from my last install. /etc/pam.conf, nsswitch.conf are still
intact. wbinfo seems to work fine. getent passwd username just returns
empty.
This is what I'm getting in my /var/samba/log/log.winbindd file:
[2011/01/05 16:04:00.061446, 2] winbindd/winbindd.c:819(winbind_client_request_read)
  Could not read client request from fd 22: I/O error
Anyone have any ideas what broke?
# ./testparm
Load smb config files from /opt/local/lib/smb.conf
rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = DOMAIN
realm = DOMAIN.EDU
interfaces = eri0
security = ADS
password server = domain.edu
log level = 10 winbind:10
log file = /var/samba/log/log.%m
max log size = 50
load printers = No
utmp = Yes
idmap backend = rid:DOMAIN=100000-500000
idmap uid = 100000-500000
idmap gid = 100000-500000
template homedir = /home/%U
template shell = /bin/tcsh
winbind separator = /
winbind cache time = 1800
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
create krb5 conf = No
--
C. J. Keist Email: cj.keist at colostate.edu
Systems Group Manager Phone: 970-491-0630
Engineering Network Services Fax: 970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301
All I want is a chance to prove 'Money can't buy happiness'
So, no one has a clue here?