samba - Dec 2010 - solaris 10 winbind authentication with ADS

I'm trying to setup a Solaris 10 Sparc station to authenticate users on 
login with Windows ADS.  I have found the documentation for this but 
having no luck in getting the pam modules to work.  Here is what I have 
done so far:

Compiling Kerberos MIT5-1.8.3:
cd into the src directory
./configure --prefix=/opt/local
gmake
gmake install

Compiling Samba 3.5.6:
setenv CFLAGS "-O2"
setenv LDFLAGS "-L/opt/local/lib -Wl,-R/opt/local/lib"
setenv CPPFLAGS "-I/opt/local/include"

./configure --prefix=/opt/local --with-pam --with-ads --with-winbind 
--with-krb5=/opt/local
gmake
gmake install

Compiles and installs with no errors.  Here is my samba conf. file:

[global]
     workgroup = DOMAINNAME
     realm = DOMINNAME.EDU
     security = ADS
     password server = domainname.edu
     log file = /var/samba/log/log.%m
     max log size = 50
     load printers = No
     utmp = Yes
     idmap backend = idmap_rid:DOMAINNAME=100000-500000
     idmap uid = 100000-500000
     idmap gid = 100000-500000
     template homedir = /home/%U
     template shell = /bin/tcsh
     winbind cache time = 1800
     winbind enum users = No
     winbind enum groups = No
     winbind use default domain = Yes
     winbind separator = /
     create krb5 conf = No

Krb5.conf:
[libdefaults]
     default_realm = DOMAINNAME.EDU

[realms]
     DOMAINNAME.EDU = {
     kdc = server.domainname.edu
     }

[domain_realm]
     .server.domainname.edu = DOMAINNAME.EDU
     server.domainname.edu = DOMAINNAME.EDU

Then I was able to join okay:

# ./net ads join -U user
Enter user's password:
Using short domain name -- DOMAINNAME
Joined 'SUNTEST1' to realm 'DomainName.EDU'
# ./net ads testjoin
Join is OK

I can get info from the ADS from wbinfo command just fine.  But I cannot get
anything via

getent passwd user_name or getent group group_name

I did copy the libnss_winbind.so from the samba build and have the 
pam_winbind.so linked in as well:

# cd /usr/lib
# ls -l *winbind*
-r-xr-xr-x   1 root     root       50880 Dec 20 13:07 libnss_winbind.so
lrwxrwxrwx   1 root     root          17 Dec 17 15:29 
libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx   1 root     root          17 Dec 17 15:30 
libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx   1 root     root          17 Dec 20 13:41 nss_winbind.so.1 
-> libnss_winbind.so
lrwxrwxrwx   1 root     root          17 Dec 20 13:41 nss_winbind.so.2 
-> libnss_winbind.so

# cd /usr/lib/security/
# ls -l *winbind*
lrwxrwxrwx   1 root     root          38 Dec 20 13:04 pam_winbind.so -> 
/opt/local/lib/security/pam_winbind.so
lrwxrwxrwx   1 root     root          38 Dec 20 13:05 pam_winbind.so.1 
-> /opt/local/lib/security/pam_winbind.so


My pam.conf:

login    auth sufficient    /opt/local/lib/security/pam_winbind.so 
try_first_pass
login    auth requisite        pam_authtok_get.so.1
login    auth required        pam_dhkeys.so.1
login    auth required        pam_unix_cred.so.1
login    auth required        pam_unix_auth.so.1
login    auth required        pam_dial_auth.so.1

other    auth sufficient    /opt/local/lib/security/pam_winbind.so 
try_first_pass
other    auth requisite        pam_authtok_get.so.1
other    auth required        pam_dhkeys.so.1
other    auth required        pam_unix_cred.so.1
other    auth required        pam_unix_auth.so.1

other    session sufficient    /opt/local/lib/security/pam_winbind.so 
try_first
_pass
other    session required    pam_unix_session.so.1

What am I missing????

-- 
C. J. Keist                     Email: cj.keist at colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'

Forgot to add, my nsswitch.conf file has the winbind option added to the 
end of the passwd and group lines:

passwd:     files winbind
group:      files winbind

------------------------------------

I'm trying to setup a Solaris 10 Sparc station to authenticate users on 
login with Windows ADS.  I have found the documentation for this but 
having no luck in getting the pam modules to work.  Here is what I have 
done so far:

Compiling Kerberos MIT5-1.8.3:
cd into the src directory
./configure --prefix=/opt/local
gmake
gmake install

Compiling Samba 3.5.6:
setenv CFLAGS "-O2"
setenv LDFLAGS "-L/opt/local/lib -Wl,-R/opt/local/lib"
setenv CPPFLAGS "-I/opt/local/include"

./configure --prefix=/opt/local --with-pam --with-ads --with-winbind 
--with-krb5=/opt/local
gmake
gmake install

Compiles and installs with no errors.  Here is my samba conf. file:

[global]
     workgroup = DOMAINNAME
     realm = DOMINNAME.EDU
     security = ADS
     password server = domainname.edu
     log file = /var/samba/log/log.%m
     max log size = 50
     load printers = No
     utmp = Yes
     idmap backend = idmap_rid:DOMAINNAME=100000-500000
     idmap uid = 100000-500000
     idmap gid = 100000-500000
     template homedir = /home/%U
     template shell = /bin/tcsh
     winbind cache time = 1800
     winbind enum users = No
     winbind enum groups = No
     winbind use default domain = Yes
     winbind separator = /
     create krb5 conf = No

Krb5.conf:
[libdefaults]
     default_realm = DOMAINNAME.EDU

[realms]
     DOMAINNAME.EDU = {
     kdc = server.domainname.edu
     }

[domain_realm]
     .server.domainname.edu = DOMAINNAME.EDU
     server.domainname.edu = DOMAINNAME.EDU

Then I was able to join okay:

# ./net ads join -U user
Enter user's password:
Using short domain name -- DOMAINNAME
Joined 'SUNTEST1' to realm 'DomainName.EDU'
# ./net ads testjoin
Join is OK

I can get info from the ADS from wbinfo command just fine.  But I cannot 
get anything via

getent passwd user_name or getent group group_name

I did copy the libnss_winbind.so from the samba build and have the 
pam_winbind.so linked in as well:

# cd /usr/lib
# ls -l *winbind*
-r-xr-xr-x   1 root     root       50880 Dec 20 13:07 libnss_winbind.so
lrwxrwxrwx   1 root     root          17 Dec 17 15:29 
libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx   1 root     root          17 Dec 17 15:30 
libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx   1 root     root          17 Dec 20 13:41 nss_winbind.so.1 
-> libnss_winbind.so
lrwxrwxrwx   1 root     root          17 Dec 20 13:41 nss_winbind.so.2 
-> libnss_winbind.so

# cd /usr/lib/security/
# ls -l *winbind*
lrwxrwxrwx   1 root     root          38 Dec 20 13:04 pam_winbind.so -> 
/opt/local/lib/security/pam_winbind.so
lrwxrwxrwx   1 root     root          38 Dec 20 13:05 pam_winbind.so.1 
-> /opt/local/lib/security/pam_winbind.so


My pam.conf:

login    auth sufficient    /opt/local/lib/security/pam_winbind.so 
try_first_pass
login    auth requisite        pam_authtok_get.so.1
login    auth required        pam_dhkeys.so.1
login    auth required        pam_unix_cred.so.1
login    auth required        pam_unix_auth.so.1
login    auth required        pam_dial_auth.so.1

other    auth sufficient    /opt/local/lib/security/pam_winbind.so 
try_first_pass
other    auth requisite        pam_authtok_get.so.1
other    auth required        pam_dhkeys.so.1
other    auth required        pam_unix_cred.so.1
other    auth required        pam_unix_auth.so.1

other    session sufficient    /opt/local/lib/security/pam_winbind.so 
try_first
_pass
other    session required    pam_unix_session.so.1

What am I missing????

-- 
C. J. Keist                     Email: cj.keist at colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Tue, Dec 21, 2010 at 10:35:58AM -0700, CJ Keist
wrote:
> getent passwd user_name or getent group group_name
Try

wbinfo -i user_name

or

wbinfo -i domain\\user_name

That is a direct path without NSS intervention. This way you
can reduce the problem to either winbind proper or nss
problems.

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 G?ttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG G?ttingen, HRB 2816, GF: Dr. Johannes Loxen

Made some progress here.   I saw from the log files that samba couldn't 
find the /opt/local/lib/idmap/rid.so module.  So I added 
--with-shared-modules=idmap_rid to my configure options.  That got the 
rid.so to get installed and now the "getent passwd login" works!  But 
getent passwd by itself doesn't??  Could there be a limit on what the 
getent will spit out?  We have 30k+ accounts in our windows domain. But 
I still cannot ssh into this server.


--------------------------------------

Forgot to add, my nsswitch.conf file has the winbind option added to the 
end of the passwd and group lines:

passwd:     files winbind
group:      files winbind

------------------------------------

I'm trying to setup a Solaris 10 Sparc station to authenticate users on 
login with Windows ADS.  I have found the documentation for this but 
having no luck in getting the pam modules to work.  Here is what I have 
done so far:

Compiling Kerberos MIT5-1.8.3:
cd into the src directory
./configure --prefix=/opt/local
gmake
gmake install

Compiling Samba 3.5.6:
setenv CFLAGS "-O2"
setenv LDFLAGS "-L/opt/local/lib -Wl,-R/opt/local/lib"
setenv CPPFLAGS "-I/opt/local/include"

./configure --prefix=/opt/local --with-pam --with-ads --with-winbind 
--with-krb5=/opt/local
gmake
gmake install

Compiles and installs with no errors.  Here is my samba conf. file:

[global]
     workgroup = DOMAINNAME
     realm = DOMINNAME.EDU
     security = ADS
     password server = domainname.edu
     log file = /var/samba/log/log.%m
     max log size = 50
     load printers = No
     utmp = Yes
     idmap backend = idmap_rid:DOMAINNAME=100000-500000
     idmap uid = 100000-500000
     idmap gid = 100000-500000
     template homedir = /home/%U
     template shell = /bin/tcsh
     winbind cache time = 1800
     winbind enum users = No
     winbind enum groups = No
     winbind use default domain = Yes
     winbind separator = /
     create krb5 conf = No

Krb5.conf:
[libdefaults]
     default_realm = DOMAINNAME.EDU

[realms]
     DOMAINNAME.EDU = {
     kdc = server.domainname.edu
     }

[domain_realm]
     .server.domainname.edu = DOMAINNAME.EDU
     server.domainname.edu = DOMAINNAME.EDU

Then I was able to join okay:

# ./net ads join -U user
Enter user's password:
Using short domain name -- DOMAINNAME
Joined 'SUNTEST1' to realm 'DomainName.EDU'
# ./net ads testjoin
Join is OK

I can get info from the ADS from wbinfo command just fine.  But I cannot 
get anything via

getent passwd user_name or getent group group_name

I did copy the libnss_winbind.so from the samba build and have the 
pam_winbind.so linked in as well:

# cd /usr/lib
# ls -l *winbind*
-r-xr-xr-x   1 root     root       50880 Dec 20 13:07 libnss_winbind.so
lrwxrwxrwx   1 root     root          17 Dec 17 15:29 
libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx   1 root     root          17 Dec 17 15:30 
libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx   1 root     root          17 Dec 20 13:41 nss_winbind.so.1 
-> libnss_winbind.so
lrwxrwxrwx   1 root     root          17 Dec 20 13:41 nss_winbind.so.2 
-> libnss_winbind.so

# cd /usr/lib/security/
# ls -l *winbind*
lrwxrwxrwx   1 root     root          38 Dec 20 13:04 pam_winbind.so -> 
/opt/local/lib/security/pam_winbind.so
lrwxrwxrwx   1 root     root          38 Dec 20 13:05 pam_winbind.so.1 
-> /opt/local/lib/security/pam_winbind.so


My pam.conf:

login    auth sufficient    /opt/local/lib/security/pam_winbind.so 
try_first_pass
login    auth requisite        pam_authtok_get.so.1
login    auth required        pam_dhkeys.so.1
login    auth required        pam_unix_cred.so.1
login    auth required        pam_unix_auth.so.1
login    auth required        pam_dial_auth.so.1

other    auth sufficient    /opt/local/lib/security/pam_winbind.so 
try_first_pass
other    auth requisite        pam_authtok_get.so.1
other    auth required        pam_dhkeys.so.1
other    auth required        pam_unix_cred.so.1
other    auth required        pam_unix_auth.so.1

other    session sufficient    /opt/local/lib/security/pam_winbind.so 
try_first
_pass
other    session required    pam_unix_session.so.1

What am I missing????

-- 
C. J. Keist                     Email: cj.keist at colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Well,
      I did smart thing and upgraded my Solaris box to Solaris 10 update 
9.  And now my winbind authentication has broken.  I have checked all my 
/usr/lib/*winbind* and /usr/lib/security/*winbind* libs and all are 
still good from my last install.  /etc/pam.conf, nsswitch.conf are still 
intact.  wbinfo seems to work fine.  getent passwd username just returns 
empty.

This is what I'm getting in my /var/samba/log/log.winbindd file:

[2011/01/05 16:04:00.061446,  2] 
winbindd/winbindd.c:819(winbind_client_request_read)
   Could not read client request from fd 22: I/O error

Anyone have any ideas what broke?

# ./testparm
Load smb config files from /opt/local/lib/smb.conf
rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
         workgroup = DOMAIN
         realm = DOMAIN.EDU
         interfaces = eri0
         security = ADS
         password server = domain.edu
         log level = 10 winbind:10
         log file = /var/samba/log/log.%m
         max log size = 50
         load printers = No
         utmp = Yes
         idmap backend = rid:DOMAIN=100000-500000
         idmap uid = 100000-500000
         idmap gid = 100000-500000
         template homedir = /home/%U
         template shell = /bin/tcsh
         winbind separator = /
         winbind cache time = 1800
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         create krb5 conf = No

-- 
C. J. Keist                     Email: cj.keist at colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'

So, no one has a clue here?

------------------------------

Well,
      I did smart thing and upgraded my Solaris box to Solaris 10 update 
9.  And now my winbind authentication has broken.  I have checked all my 
/usr/lib/*winbind* and /usr/lib/security/*winbind* libs and all are 
still good from my last install.  /etc/pam.conf, nsswitch.conf are still 
intact.  wbinfo seems to work fine.  getent passwd username just returns 
empty.

This is what I'm getting in my /var/samba/log/log.winbindd file:

[2011/01/05 16:04:00.061446,  2] 
winbindd/winbindd.c:819(winbind_client_request_read)
   Could not read client request from fd 22: I/O error

Anyone have any ideas what broke?

# ./testparm
Load smb config files from /opt/local/lib/smb.conf
rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
         workgroup = DOMAIN
         realm = DOMAIN.EDU
         interfaces = eri0
         security = ADS
         password server = domain.edu
         log level = 10 winbind:10
         log file = /var/samba/log/log.%m
         max log size = 50
         load printers = No
         utmp = Yes
         idmap backend = rid:DOMAIN=100000-500000
         idmap uid = 100000-500000
         idmap gid = 100000-500000
         template homedir = /home/%U
         template shell = /bin/tcsh
         winbind separator = /
         winbind cache time = 1800
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         create krb5 conf = No

-- 
C. J. Keist                     Email: cj.keist at colostate.edu
Systems Group Manager           Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'