I'm trying to set up a Solaris 10 Sparc station to authenticate users on login with Windows ADS. I have found the documentation for this but am having no luck in getting the pam modules to work. Here is what I have done so far:

Compiling Kerberos MIT5-1.8.3:

    cd into the src directory
    ./configure --prefix=/opt/local
    gmake
    gmake install

Compiling Samba 3.5.6:

    setenv CFLAGS "-O2"
    setenv LDFLAGS "-L/opt/local/lib -Wl,-R/opt/local/lib"
    setenv CPPFLAGS "-I/opt/local/include"
    ./configure --prefix=/opt/local --with-pam --with-ads --with-winbind --with-krb5=/opt/local
    gmake
    gmake install

Compiles and installs with no errors. Here is my samba conf. file:

    [global]
    workgroup = DOMAINNAME
    realm = DOMINNAME.EDU
    security = ADS
    password server = domainname.edu
    log file = /var/samba/log/log.%m
    max log size = 50
    load printers = No
    utmp = Yes
    idmap backend = idmap_rid:DOMAINNAME=100000-500000
    idmap uid = 100000-500000
    idmap gid = 100000-500000
    template homedir = /home/%U
    template shell = /bin/tcsh
    winbind cache time = 1800
    winbind enum users = No
    winbind enum groups = No
    winbind use default domain = Yes
    winbind separator = /
    create krb5 conf = No

Krb5.conf:

    [libdefaults]
    default_realm = DOMAINNAME.EDU

    [realms]
    DOMAINNAME.EDU = {
        kdc = server.domainname.edu
    }

    [domain_realm]
    .server.domainname.edu = DOMAINNAME.EDU
    server.domainname.edu = DOMAINNAME.EDU

Then I was able to join okay:

    # ./net ads join -U user
    Enter user's password:
    Using short domain name -- DOMAINNAME
    Joined 'SUNTEST1' to realm 'DomainName.EDU'
    # ./net ads testjoin
    Join is OK

I can get info from the ADS from the wbinfo command just fine. But I cannot get anything via

    getent passwd user_name

or

    getent group group_name

I did copy the libnss_winbind.so from the samba build and have the pam_winbind.so linked in as well:

    # cd /usr/lib
    # ls -l *winbind*
    -r-xr-xr-x 1 root root 50880 Dec 20 13:07 libnss_winbind.so
    lrwxrwxrwx 1 root root    17 Dec 17 15:29 libnss_winbind.so.1 -> libnss_winbind.so
    lrwxrwxrwx 1 root root    17 Dec 17 15:30 libnss_winbind.so.2 -> libnss_winbind.so
    lrwxrwxrwx 1 root root    17 Dec 20 13:41 nss_winbind.so.1 -> libnss_winbind.so
    lrwxrwxrwx 1 root root    17 Dec 20 13:41 nss_winbind.so.2 -> libnss_winbind.so
    # cd /usr/lib/security/
    # ls -l *winbind*
    lrwxrwxrwx 1 root root    38 Dec 20 13:04 pam_winbind.so -> /opt/local/lib/security/pam_winbind.so
    lrwxrwxrwx 1 root root    38 Dec 20 13:05 pam_winbind.so.1 -> /opt/local/lib/security/pam_winbind.so

My pam.conf:

    login auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth required pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1
    other auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth required pam_unix_auth.so.1
    other session sufficient /opt/local/lib/security/pam_winbind.so try_first _pass
    other session required pam_unix_session.so.1

What am I missing????

-- 
C. J. Keist                     Email: cj.keist at colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'

Forgot to add, my nsswitch.conf file has the winbind option added to the end of the passwd and group lines:

    passwd: files winbind
    group: files winbind

On Tue, Dec 21, 2010 at 10:35:58AM -0700, CJ Keist wrote:
> getent passwd user_name or getent group group_name

Try

    wbinfo -i user_name

or

    wbinfo -i domain\\user_name

That is a direct path without NSS intervention. This way you can reduce the problem to either winbind proper or nss problems.

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen

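The split suggested in the reply above (winbind proper versus NSS), written out as an added example that is not part of the original thread: it checks `wbinfo -i`, then the `passwd:` line of nsswitch.conf, then `getent passwd`, and names the first layer that fails. The `WBINFO`, `GETENT` and `NSSWITCH` overrides and the verdict names are assumptions of this sketch, and it expects a POSIX shell and utilities.

```shell
#!/bin/sh
# Added example: split a failed winbind lookup into layers.
# WBINFO, GETENT and NSSWITCH are overridable (an assumption of this
# sketch) so the logic can be exercised without a joined domain.
WBINFO=${WBINFO:-wbinfo}
GETENT=${GETENT:-getent}
NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}

# Succeeds when database $1 (passwd or group) lists winbind as a source.
# Comments are stripped first so a commented-out entry does not count.
nss_has_winbind() {
    sed -e 's/#.*//' "$NSSWITCH" | grep "^$1:" |
        tr -s ' \t' '\n\n' | grep -x winbind >/dev/null
}

# Prints the first failing layer: winbind, nsswitch, nss-module, or ok.
triage_user() {
    user=$1
    # 1. Direct path: ask winbindd itself, no NSS involved.
    if ! "$WBINFO" -i "$user" >/dev/null 2>&1; then
        echo winbind; return 1
    fi
    # 2. NSS can only reach winbind if nsswitch.conf names it.
    if ! nss_has_winbind passwd; then
        echo nsswitch; return 1
    fi
    # 3. Full NSS path; an empty answer points at the nss_winbind
    #    library or its connection to winbindd.
    entry=$("$GETENT" passwd "$user" 2>/dev/null) || entry=
    if [ -z "$entry" ]; then
        echo nss-module; return 1
    fi
    echo ok
}

# Run as: sh triage.sh user_name
if [ $# -gt 0 ]; then
    triage_user "$1"
fi
```

A `winbind` verdict means the problem is in winbindd or its configuration; `nss-module` means winbindd answers but the lookup through NSS does not.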
Made some progress here. I saw from the log files that samba couldn't find the /opt/local/lib/idmap/rid.so module. So I added --with-shared-modules=idmap_rid to my configure options. That got the rid.so to get installed and now the "getent passwd login" works! But getent passwd by itself doesn't?? Could there be a limit on what the getent will spit out? We have 30k+ accounts in our windows domain.

But I still cannot ssh into this server.

Well, I did the smart thing and upgraded my Solaris box to Solaris 10 update 9. And now my winbind authentication has broken. I have checked all my /usr/lib/*winbind* and /usr/lib/security/*winbind* libs and all are still good from my last install. /etc/pam.conf, nsswitch.conf are still intact. wbinfo seems to work fine. getent passwd username just returns empty.

This is what I'm getting in my /var/samba/log/log.winbindd file:

    [2011/01/05 16:04:00.061446, 2] winbindd/winbindd.c:819(winbind_client_request_read)
      Could not read client request from fd 22: I/O error

Anyone have any ideas what broke?

    # ./testparm
    Load smb config files from /opt/local/lib/smb.conf
    rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

    [global]
    workgroup = DOMAIN
    realm = DOMAIN.EDU
    interfaces = eri0
    security = ADS
    password server = domain.edu
    log level = 10 winbind:10
    log file = /var/samba/log/log.%m
    max log size = 50
    load printers = No
    utmp = Yes
    idmap backend = rid:DOMAIN=100000-500000
    idmap uid = 100000-500000
    idmap gid = 100000-500000
    template homedir = /home/%U
    template shell = /bin/tcsh
    winbind separator = /
    winbind cache time = 1800
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    create krb5 conf = No

-- 
C. J. Keist                     Email: cj.keist at colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'

So, no one has a clue here?