[csw-users] Odd Samba/winbind issue

Jan Holzhueter jh at opencsw.org
Fri Jun 21 11:20:40 CEST 2013


Ok I'm not an ads samba expert but I found this:


[global]
  security = ads
  realm = EXAMPLE.COM
  password server = IPADRESSE     # IP of the Domain Controller; a DNS name probably works too
  workgroup = EXAMPLE
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
  winbind cache time = 10
  winbind use default domain = yes
  template homedir = /home/%U
  template shell = /bin/bash
  client use spnego = yes
  client ntlmv2 auth = yes
  encrypt passwords = yes
  restrict anonymous = 2
  domain master = no
  local master = no
  preferred master = no
  os level = 0


Which looks more or less like yours.
I might have the time next week to try to get it to work
Greetings
Jan

On 21.06.13 11:05, James Relph wrote:
> Hi Jan,
> 
> Basically the second situation there, pam authentication via winbind
> (eg. netatalk or SSH) is working OK.
> 
> My smb.conf file is:
> 
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.CORP
> security = ads
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /usr/bin/bash
> map untrusted to domain = yes
> load printers = no
> server string = server01
> dns proxy = no
> winbind cache time = 300
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind trusted domains only = No
> winbind nested groups = Yes
> winbind expand groups = 5
> winbind refresh tickets = No
> winbind offline logon = No
> winbind normalize names = No
> password server = server03.domain.corp
> template homedir = /export/home/%U
> log file = /var/samba/samba.log
> log level = 5
> 
> [FileShare]
> path = /shared/FileShare
> comment = FileShare
> read only = No
> 
> [STUDIO]
> path = /shared/STUDIO
> comment = STUDIO
> read only = No
> 
> 
> Thanks very much
> 
> James
> 
> On 21 Jun 2013, at 09:54, Jan Holzhueter <jh at opencsw.org> wrote:
> 
>>
>> Hi,
>> just to make sure what you are trying:
>>
>> login with an AD user, as in ssh username at whatever,
>> or mount a share from the OI server via smb?
>>
>> For the first one please post /etc/pam.conf
>>
>> for the second please post /etc/opt/csw/samba/smb.conf
>>
>> Greetings
>> Jan
>>
>>
>>
>> On 21.06.13 10:43, James Relph wrote:
>>> Hi Jan,
>>>
>>> Yes, that's the one I had found, and I already have that link there.  I
>>> don't think winbind worked at all until that was in place.  It's samba
>>> that doesn't seem to be working with winbind properly.
>>>
>>> James
>>>
>>> On 21 Jun 2013, at 09:00, Jan Holzhueter <jh at opencsw.org> wrote:
>>>
>>>> Hi,
>>>> ok I looked up the old bug about that:
>>>> https://www.opencsw.org/mantis/view.php?id=5020
>>>>
>>>> according to this you need this:
>>>> ln -s /opt/csw/lib/libnss_winbind.so.1 /lib/nss_winbind.so.1
>>>>
>>>> Greetings
>>>> Jan
>>>>
>>>>
>>>> On 21.06.13 07:30, James Relph wrote:
>>>>> Thanks for the speedy reply.  I think I found where you'd already
>>>>> mentioned that online anyway, I've got:
>>>>>
>>>>> libnss_winbind.so -> /opt/csw/lib/libnss_winbind.so.1
>>>>> nss_winbind.so.1 -> /opt/csw/lib/libnss_winbind.so.1
>>>>>
>>>>> In /lib.  Winbind itself seems to be working fine, I've got netatalk
>>>>> using that happily, it's the cswsamba version that won't seem to use
>>>>> winbind (it's either not using it properly, or it's using the wrong
>>>>> winbind somehow).  Netatalk, using winbind, is fine.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> James.
>>>>>
>>>>>
>>>>> On 21 Jun 2013, at 06:24, Jan Holzhueter <jh at opencsw.org> wrote:
>>>>>
>>>>>> Hi,
>>>>>> if you use the auth via pam you must symlink the nss_winbind to a
>>>>>> special place. I'm not sure which one atm. Check the original OI samba
>>>>>> package that should put it in the right place.
>>>>>> We can't add this to our package as this would break install on sparse
>>>>>> zones.
>>>>>> I wanted to write a short notice about it but did not have the time yet.
>>>>>> It might be that you even need to copy and not symlink the lib.
>>>>>> Not sure here.
>>>>>>
>>>>>> Greetings
>>>>>> Jan
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 21.06.13 07:15, James Relph wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Apologies for cross posting, but I'm not sure if this is an OI issue or
>>>>>>> a cswsamba issue.  I've installed cswsamba (3.6.15) and cswsamba_winbind
>>>>>>> on an OI box (151a7).  I've got it bound to AD fine, and winbind itself
>>>>>>> seems to be operating perfectly (I've actually got netatalk happily
>>>>>>> authenticating AD users via winbind).  If I run wbinfo -u or getent
>>>>>>> passwd, I get the expected information back.
>>>>>>>
>>>>>>> Oddly though Samba itself isn't authenticating users.  If I try and
>>>>>>> login (with a few variations of DOMAIN\username or username@DOMAIN) it
>>>>>>> just kicks it back as an unknown user (see below).  The only thing that
>>>>>>> I can think of is that the cswsamba is actually still calling the
>>>>>>> previously installed (but turned off) winbind that I installed with the
>>>>>>> original OI samba install.  With that not running though I wouldn't have
>>>>>>> thought that would have happened (but if that could be it - how do I
>>>>>>> make sure that cswsamba uses cswsamba_winbind).  I have symlinked the
>>>>>>> csw nss_winbind libraries into /lib, I just don't know if there's
>>>>>>> anything else that could cause this.
>>>>>>>
>>>>>>> Thanks for any help.
>>>>>>>
>>>>>>> James
>>>>>>>
>>>>>>> Principal Consultant
>>>>>>>
>>>>>>>
>>>>>>> Mapping user [DOMAIN]\[james] from workstation [server03]
>>>>>>> attempting to make a user_info for james (james)
>>>>>>> making strings for james's user_info struct
>>>>>>> making blobs for james's user_info struct
>>>>>>> check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[james]@[server03] with the new password interface
>>>>>>> check_ntlm_password:  mapped user is: [DOMAIN]\[james]@[server03]
>>>>>>> Finding user DOMAIN\james
>>>>>>> Trying _Get_Pwnam(), username as lowercase is DOMAIN\james
>>>>>>> Trying _Get_Pwnam(), username as given is DOMAIN\james
>>>>>>> Checking combinations of 0 uppercase letters in DOMAIN\james
>>>>>>> Get_Pwnam_internals didn't find user [DOMAIN\james]!
>>>>>>> Finding user james
>>>>>>> Trying _Get_Pwnam(), username as lowercase is james
>>>>>>> Checking combinations of 0 uppercase letters in james
>>>>>>> Get_Pwnam_internals didn't find user [james]!
>>>>>>> Failed to find authenticated user DOMAIN\james via getpwnam(), denying access.
>>>>>>> check_ntlm_password: winbind authentication for user [james] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>> check_ntlm_password:  Authentication for user [james] -> [james] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>> Got user=[james@DOMAIN.CORP] domain=[DOMAIN] workstation=[server03] len1=24 len2=124
>>>>>>> Mapping user [DOMAIN]\[james@DOMAIN.CORP] from workstation [server03]
>>>>>>> attempting to make a user_info for james@DOMAIN.CORP (james@DOMAIN.CORP)
>>>>>>> making strings for james@DOMAIN.CORP's user_info struct
>>>>>>> making blobs for james@DOMAIN.CORP's user_info struct
>>>>>>> check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[james@DOMAIN.CORP]@[server03] with the new password interface
>>>>>>> check_ntlm_password:  mapped user is: [DOMAIN]\[james@DOMAIN.CORP]@[server03]
>>>>>>> check_ntlm_password: winbind authentication for user [james@DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>> check_ntlm_password:  Authentication for user [james@DOMAIN.CORP] -> [james@DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>> Got user=[james@DOMAIN.CORP] domain=[DOMAIN] workstation=[server03] len1=24 len2=124
>>>>>>> Mapping user [DOMAIN]\[james@DOMAIN.CORP] from workstation [server03]
>>>>>>> attempting to make a user_info for james@DOMAIN.CORP (james@DOMAIN.CORP)
>>>>>>> making strings for james@DOMAIN.CORP's user_info struct
>>>>>>> making blobs for james@DOMAIN.CORP's user_info struct
>>>>>>> check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[james@DOMAIN.CORP]@[server03] with the new password interface
>>>>>>> check_ntlm_password:  mapped user is: [DOMAIN]\[james@DOMAIN.CORP]@[server03]
>>>>>>> check_ntlm_password: winbind authentication for user [james@DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>> check_ntlm_password:  Authentication for user [james@DOMAIN.CORP] -> [james@DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> users mailing list
>>>>>>> users at lists.opencsw.org
>>>>>>> https://lists.opencsw.org/mailman/listinfo/users
>>>>>>>
> 

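An added diagnostic script for the situation James describes (wbinfo -u and getent passwd work, yet smbd's own getpwnam() lookup fails). It is not from the thread, the OpenCSW package or OI; it checks the three things the thread touches: winbind being listed for passwd and group in nsswitch.conf, the nss_winbind.so.1 symlink that the Solaris/OI NSS loader expects in /lib, and which winbindd socket the smbd binary was built to use, so a leftover winbindd from the original OI samba package can be told apart from cswsamba_winbind. The smbd path /opt/csw/sbin/smbd, the 64-bit library directory /lib/64 and the socket file name "pipe" are assumptions; override NSSWITCH and SMBD in the environment if your install differs.

```sh
#!/bin/sh
# nsscheck.sh: added example for the winbind/NSS thread above; not part of
# cswsamba or OI.  Usage: sh nsscheck.sh check 'DOMAIN\james' james
# Without the "check" argument only the functions are defined (sourceable).

NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}
SMBD=${SMBD:-/opt/csw/sbin/smbd}      # assumption: OpenCSW install path

# nss_has_winbind FILE DB: succeed if the "DB:" line in FILE lists winbind.
# Comment lines are skipped; "passwd:files" and "passwd: files" both parse.
nss_has_winbind() {
    awk -v db="$2" '
        /^[[:space:]]*#/ { next }
        { sub(/:/, ": ") }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# nss_link_ok LIBDIR: succeed if LIBDIR/nss_winbind.so.1 resolves to a file.
# Solaris/OI load NSS backends as nss_<name>.so.1, which is why the thread
# symlinks /opt/csw/lib/libnss_winbind.so.1 there; a dangling link fails.
nss_link_ok() {
    [ -f "$1/nss_winbind.so.1" ]
}

# smbd_socket_dir SMBD: the winbindd socket directory compiled into SMBD
# ("smbd -b" prints the build-time paths).
smbd_socket_dir() {
    "$1" -b 2>/dev/null | awk '/WINBINDD_SOCKET_DIR/ { print $2 }'
}

main() {
    rc=0
    for db in passwd group; do
        if nss_has_winbind "$NSSWITCH" "$db"; then
            echo "ok   $db: winbind listed in $NSSWITCH"
        else
            echo "FAIL $db: winbind missing from $NSSWITCH"; rc=1
        fi
    done
    # 32-bit and 64-bit loaders search different directories (assumption:
    # /lib/64 is the 64-bit path on OI); a 64-bit smbd needs the link there.
    for d in /lib /lib/64; do
        if nss_link_ok "$d"; then
            echo "ok   $d/nss_winbind.so.1 present"
        else
            echo "WARN $d/nss_winbind.so.1 missing (needed by an smbd of that word size)"
        fi
    done
    # Is the winbindd this smbd will talk to actually running?  No socket here
    # means smbd was built for a different winbindd than the one started.
    sockdir=$(smbd_socket_dir "$SMBD")
    if [ -n "$sockdir" ] && [ -S "$sockdir/pipe" ]; then
        echo "ok   $SMBD uses winbindd socket $sockdir/pipe"
    else
        echo "FAIL no winbindd socket at ${sockdir:-?}/pipe for $SMBD"; rc=1
    fi
    # The same lookup smbd performs (getpwnam) for each name on the command line.
    for name in "$@"; do
        if getent passwd "$name" >/dev/null; then
            echo "ok   getent passwd '$name' resolves"
        else
            echo "FAIL getent passwd '$name' fails (this is what smbd logged)"; rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "check" ]; then
    shift
    main "$@"
fi
```

Run it as root with both name forms smbd tried in the log (DOMAIN\james and, because of winbind use default domain, plain james); a FAIL on the socket line is the concrete version of James's suspicion that smbd is talking to the wrong winbind.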

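A second added example, again not from the thread or from Samba, that reads a level-5 smbd log like the one James posted and labels each failed attempt by where it failed. The point it makes explicit: "Failed to find authenticated user ... via getpwnam(), denying access." is logged by Samba 3.x after winbindd has already returned success for the credentials, so an NT_STATUS_NO_SUCH_USER preceded by that line is an NSS/unix-account problem, not a password or domain-join problem, whereas the same status without it (the james@DOMAIN.CORP attempts in the log) came back from winbindd itself. The reason labels are my own, and the sample log is constructed from the lines quoted in the thread.

```sh
#!/bin/sh
# smbauth-triage.sh: added example, not part of Samba or the thread.
# classify_smb_auth [LOGFILE ...]: prints one line per failed attempt,
#   <user> <NT_STATUS> <reason>
# and reads stdin when no file is given.
classify_smb_auth() {
    awk '
        # every attempt starts with a "Mapping user" line: reset per-attempt state
        /^Mapping user /                      { pwnam_failed = 0 }
        /via getpwnam\(\), denying/           { pwnam_failed = 1 }
        /check_ntlm_password: +Authentication for user .* FAILED with error/ {
            match($0, /for user \[[^]]*\]/)
            user   = substr($0, RSTART + 10, RLENGTH - 11)
            status = $NF
            if (status == "NT_STATUS_NO_SUCH_USER" && pwnam_failed)
                reason = "unix-mapping"      # winbindd accepted the password; getpwnam() failed
            else if (status == "NT_STATUS_NO_SUCH_USER")
                reason = "unknown-account"   # winbindd/DC did not resolve the name
            else if (status == "NT_STATUS_WRONG_PASSWORD")
                reason = "bad-credentials"
            else if (status == "NT_STATUS_NO_LOGON_SERVERS")
                reason = "dc-unreachable"
            else
                reason = "other"
            print user, status, reason
        }' "$@"
}

# Constructed sample, abridged from the log quoted above (one attempt per name form).
sample_log() {
    cat <<'EOF'
Mapping user [DOMAIN]\[james] from workstation [server03]
check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[james]@[server03] with the new password interface
Finding user DOMAIN\james
Get_Pwnam_internals didn't find user [DOMAIN\james]!
Finding user james
Get_Pwnam_internals didn't find user [james]!
Failed to find authenticated user DOMAIN\james via getpwnam(), denying access.
check_ntlm_password: winbind authentication for user [james] FAILED with error NT_STATUS_NO_SUCH_USER
check_ntlm_password:  Authentication for user [james] -> [james] FAILED with error NT_STATUS_NO_SUCH_USER
Got user=[james@DOMAIN.CORP] domain=[DOMAIN] workstation=[server03] len1=24 len2=124
Mapping user [DOMAIN]\[james@DOMAIN.CORP] from workstation [server03]
check_ntlm_password: winbind authentication for user [james@DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
check_ntlm_password:  Authentication for user [james@DOMAIN.CORP] -> [james@DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
EOF
}

# Demo on the sample: sh smbauth-triage.sh demo
# Real log (path from James's smb.conf): classify_smb_auth /var/samba/samba.log
if [ "${1:-}" = "demo" ]; then
    sample_log | classify_smb_auth
fi
```

On the sample the first attempt comes out as unix-mapping and the UPN attempts as unknown-account, which is why the fix belongs in nsswitch.conf and the nss_winbind library rather than in the AD credentials or the join; a level-5 log also records every username tried, so restrict its permissions and drop the level back once the problem is found.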
