[csw-users] Odd Samba/winbind issue

Jan Holzhueter jh at opencsw.org
Fri Jun 21 10:54:42 CEST 2013


Hi,
just to make sure what you are trying:

log in with an AD user as in ssh username at whatever.
Or mount a share from the OI server via smb?

For the first one please post /etc/pam.conf

for the second please post /etc/opt/csw/samba/smb.conf

Greetings
Jan



Am 21.06.13 10:43, schrieb James Relph:
> Hi Jan,
> 
> Yes, that's the one I had found, and I already have that link there.  I
> don't think winbind worked at all until that was in place.  It's samba
>  that doesn't seem to be working with winbind properly.
> 
> James
> 
> On 21 Jun 2013, at 09:00, Jan Holzhueter <jh at opencsw.org> wrote:
> 
>> Hi,
>> ok I looked up the old bug about that:
>> https://www.opencsw.org/mantis/view.php?id=5020
>>
>> according to this you need this:
>> ln -s /opt/csw/lib/libnss_winbind.so.1 /lib/nss_winbind.so.1
>>
>> Greetings
>> Jan
>>
>>
>> Am 21.06.13 07:30, schrieb James Relph:
>>> Thanks for the speedy reply.  I think I found where you'd already
>>> mentioned that online anyway, I've got:
>>>
>>> libnss_winbind.so -> /opt/csw/lib/libnss_winbind.so.1
>>> nss_winbind.so.1 -> /opt/csw/lib/libnss_winbind.so.1
>>>
>>> In /lib.  Winbind itself seems to be working fine, I've got netatalk
>>> using that happily, it's the cswsamba version that won't seem to use
>>> winbind (it's either not using it properly, or it's using the wrong
>>> winbind somehow).  Netatalk, using winbind, is fine.
>>>
>>> Best regards,
>>>
>>> James.
>>>
>>>
>>> On 21 Jun 2013, at 06:24, Jan Holzhueter <jh at opencsw.org> wrote:
>>>
>>>> Hi,
>>>> if you use the auth via pam you must symlink the nss_winbind to a
>>>> special place. I'm not sure which one atm. Check the original OI samba
>>>> package that should put it in the right place.
>>>> We can't add this to our package as this would break install on sparse
>>>> zones.
>>>> I wanted to write a short notice about it but did not have the time yet.
>>>> It might be that you even need to copy and not symlink the lib. Not sure
>>>> here.
>>>>
>>>> Greetings
>>>> Jan
>>>>
>>>>
>>>>
>>>> Am 21.06.13 07:15, schrieb James Relph:
>>>>> Hi,
>>>>>
>>>>> Apologies for cross posting, but I'm not sure if this is an Oi issue or
>>>>> a cswsamba issue.  I've installed cswsamba (3.6.15) and
>>>>> cswsamba_winbind
>>>>> on an OI box (151a7).  I've got it bound to AD fine, and winbind itself
>>>>> seems to be operating perfectly (I've actually got netatalk happily
>>>>> authenticating AD users via winbind).  If I run wbinfo -u or getent
>>>>> passwd, I get the expected information back.
>>>>>
>>>>> Oddly though Samba itself isn't authenticating users.  If I try and
>>>>> login (with a few variations of DOMAIN\username or username at DOMAIN) it
>>>>> just kicks it back as an unknown user (see below).  The only thing that
>>>>> I can think of is that the cswsamba is actually still calling the
>>>>> previously installed (but turned off) winbind that I installed with the
>>>>> original OI samba install.  With that not running though I wouldn't
>>>>> have
>>>>> thought that would have happened (but if that could be it - how do I
>>>>> make sure that cswsamba uses  cswsamba_winbind).  I have symlinked the
>>>>> csw nss_winbind libraries into /lib, I just don't know if there's
>>>>> anything else that could cause this.
>>>>>
>>>>> Thanks for any help.
>>>>>
>>>>> James
>>>>>
>>>>> Principal Consultant
>>>>>
>>>>>
>>>>> Mapping user [DOMAIN]\[james] from workstation [server03]
>>>>> attempting to make a user_info for james (james)
>>>>> making strings for james's user_info struct
>>>>> making blobs for james's user_info struct
>>>>> check_ntlm_password:  Checking password for unmapped user
>>>>> [DOMAIN]\[james]@[server03] with the new password interface
>>>>> check_ntlm_password:  mapped user is: [DOMAIN]\[james]@[server03]
>>>>> Finding user DOMAIN\james
>>>>> Trying _Get_Pwnam(), username as lowercase is DOMAIN\james
>>>>> Trying _Get_Pwnam(), username as given is DOMAIN\james
>>>>> Checking combinations of 0 uppercase letters in DOMAIN\james
>>>>> Get_Pwnam_internals didn't find user [DOMAIN\james]!
>>>>> Finding user james
>>>>> Trying _Get_Pwnam(), username as lowercase is james
>>>>> Checking combinations of 0 uppercase letters in james
>>>>> Get_Pwnam_internals didn't find user [james]!
>>>>> Failed to find authenticated user DOMAIN\james via getpwnam(), denying
>>>>> access.
>>>>> check_ntlm_password: winbind authentication for user [james] FAILED
>>>>> with error NT_STATUS_NO_SUCH_USER
>>>>> check_ntlm_password:  Authentication for user [james] -> [james]
>>>>> FAILED with error NT_STATUS_NO_SUCH_USER
>>>>> Got user=[james at DOMAIN.CORP]
>>>>> domain=[DOMAIN] workstation=[server03] len1=24 len2=124
>>>>> Mapping user [DOMAIN]\[james at DOMAIN.CORP]
>>>>> from workstation [server03]
>>>>> attempting to make a user_info for james at DOMAIN.CORP
>>>>> (james at DOMAIN.CORP)
>>>>> making strings for james at DOMAIN.CORP's user_info struct
>>>>> making blobs for james at DOMAIN.CORP's user_info struct
>>>>> check_ntlm_password:  Checking password for unmapped user
>>>>> [DOMAIN]\[james at DOMAIN.CORP]@[server03] with
>>>>> the new password interface
>>>>> check_ntlm_password:  mapped user is:
>>>>> [DOMAIN]\[james at DOMAIN.CORP]@[server03]
>>>>> check_ntlm_password: winbind authentication for user
>>>>> [james at DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>> check_ntlm_password:  Authentication for user [james at DOMAIN.CORP]
>>>>> -> [james at DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>> Got user=[james at DOMAIN.CORP]
>>>>> domain=[DOMAIN] workstation=[server03] len1=24 len2=124
>>>>> Mapping user [DOMAIN]\[james at DOMAIN.CORP]
>>>>> from workstation [server03]
>>>>> attempting to make a user_info for james at DOMAIN.CORP
>>>>> (james at DOMAIN.CORP)
>>>>> making strings for james at DOMAIN.CORP's user_info struct
>>>>> making blobs for james at DOMAIN.CORP's user_info struct
>>>>> check_ntlm_password:  Checking password for unmapped user
>>>>> [DOMAIN]\[james at DOMAIN.CORP]@[server03] with
>>>>> the new password interface
>>>>> check_ntlm_password:  mapped user is:
>>>>> [DOMAIN]\[james at DOMAIN.CORP]@[server03]
>>>>> check_ntlm_password: winbind authentication for user
>>>>> [james at DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>> check_ntlm_password:  Authentication for user [james at DOMAIN.CORP]
>>>>> -> [james at DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> users mailing list
>>>>> users at lists.opencsw.org
>>>>> https://lists.opencsw.org/mailman/listinfo/users
>>>>>
>>>>
>>>
>>
> 
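
Added example, not part of the original thread: the smbd debug output quoted above contains two different failure shapes, one where the log reports an "authenticated user" that `getpwnam()` then cannot find, and one where winbind authentication itself returns NT_STATUS_NO_SUCH_USER. The sketch below separates them per login attempt; the function name, the verdict labels and the sample log (constructed from the quoted lines) are this example's own assumptions.

```python
import re

# Constructed sample modelled on the smbd debug output quoted in the thread;
# lines are wrapped the way the mail client wrapped them.
SAMPLE_LOG = r"""
Mapping user [DOMAIN]\[james] from workstation [server03]
check_ntlm_password:  mapped user is: [DOMAIN]\[james]@[server03]
Get_Pwnam_internals didn't find user [DOMAIN\james]!
Get_Pwnam_internals didn't find user [james]!
Failed to find authenticated user DOMAIN\james via getpwnam(), denying
access.
check_ntlm_password:  Authentication for user [james] -> [james]
FAILED with error NT_STATUS_NO_SUCH_USER
Mapping user [DOMAIN]\[james at DOMAIN.CORP] from workstation [server03]
check_ntlm_password: winbind authentication for user
[james at DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
"""

ATTEMPT = re.compile(
    r"Mapping user \[([^\]]*)\]\\\[([^\]]*)\] from workstation \[([^\]]*)\]")
NSS_MISS = re.compile(r"Failed to find authenticated user \S+ via getpwnam\(\)")
STATUS = re.compile(r"FAILED with error (NT_STATUS_\w+)")


def classify_attempts(log_text):
    """Split an smbd debug log into login attempts and label each failure."""
    flat = " ".join(log_text.split())  # undo mail/terminal line wrapping
    starts = list(ATTEMPT.finditer(flat))
    results = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(flat)
        chunk = flat[m.end():end]
        statuses = STATUS.findall(chunk)
        if NSS_MISS.search(chunk):
            # Message says "authenticated user": credentials were accepted,
            # but smbd's own getpwnam() call found no Unix account.
            verdict = "nss_lookup_failed"       # label is this example's own
        elif statuses:
            verdict = "auth_backend_rejected"   # label is this example's own
        else:
            verdict = "no_failure_logged"
        results.append({"domain": m.group(1), "user": m.group(2),
                        "workstation": m.group(3),
                        "status": statuses[-1] if statuses else None,
                        "verdict": verdict})
    return results


if __name__ == "__main__":
    for attempt in classify_attempts(SAMPLE_LOG):
        print(attempt)
```

Both attempts end in the same NT_STATUS_NO_SUCH_USER code, so the status alone does not tell the two cases apart; the `getpwnam()` line is what points at the name-service lookup as seen by smbd.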