[csw-users] Odd Samba/winbind issue

Jan Holzhueter jh at opencsw.org
Mon Jun 24 12:54:34 CEST 2013


Hi,
OK, I do have it working:

Here is what I did; some steps might not be needed, not sure:
!!! BE SURE TO USE CSW TOOLS!!!!

Make sure your time is right, so configure ntp or at least use ntpdate.

First install samba and samba_winbind.

There is a dir missing that winbind still uses, so create it:
mkdir /var/opt/csw/samba/log

Create /etc/opt/csw/krb5.conf (not sure if needed; it could be that it's
determined via DNS if your DNS is the AD).

Mine looked like this:

[logging]
    default = FILE:/var/log/krb5.log

[libdefaults]
    ticket_lifetime = 24000
    clock_skew = 300
    default_realm = TEST.BALTIC-ONLINE.DE

[realms]
    TEST.BALTIC-ONLINE.DE = {
        kdc = testwin.test.baltic-online.de:88
        admin_server = testwin.test.baltic-online.de:464
        default_domain = TEST.BALTIC-ONLINE.DE
    }

[domain_realm]
    .test.baltic-online.de = TEST.BALTIC-ONLINE.DE
    test.baltic-online.de = TEST.BALTIC-ONLINE.DE



To help to start over, remove /etc/opt/csw/samba/private/*


Edit /etc/opt/csw/samba/smb.conf; mine looks like this:

[global]
  security = ads
  realm = TEST.BALTIC-ONLINE.DE
  password server = testwin.test.baltic-online.de
  workgroup = TEST
  netbios name = testnw
  name resolve order = host wins
  winbind enum users = yes
  winbind enum groups = yes
  idmap config * : range = 10000-20000
  winbind cache time = 10
  winbind use default domain = yes
  template homedir = /export/home/%U
  template shell = /bin/bash
  client use spnego = yes
  client ntlmv2 auth = yes
  encrypt passwords = yes
  restrict anonymous = 2
  domain master = no
  local master = no
  preferred master = no
  os level = 0
  log file = /var/samba/samba.log
  log level = 5

[public]
  comment = Public halt
  path = /export/share
  browseable = yes
  valid users = "@Domain Users"
  guest ok = no
  force group = "@Domain Users"


I then joined it to the domain:

/opt/csw/bin/net join -U Administrator

Run /opt/csw/sbin/winbindd -FS to see if it starts correctly.
If it does, ctrl-c and start the service.

Create the symlink:
ln -s /opt/csw/lib/libnss_winbind.so.1 /lib/nss_winbind.so.1

Enable the service: svcadm enable cswwinbind

Edit /etc/nsswitch.conf:
passwd:     files winbind
group:      files winbind

Restart the name cache service:

svcadm restart svc:/system/name-service-cache:default

Check that users and groups are working:

getent passwd
getent group


Fire up samba:

svcadm enable cswsamba

Connect :)

A few notes:
Since winbind use default domain = yes is set, no domain name is needed
for connecting.

The domain separator is \ by default, so DOMAINNAME\user.

Hope that helps.

So you must have getent passwd/group working, otherwise it will not
work. At least not for me :)

Greetings
Jan
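
Added example (not from this thread or from the OpenCSW packages): a small Python pre-flight check that parses an smb.conf and an nsswitch.conf the way the steps above require and reports the missing settings that lead to the NT_STATUS_NO_SUCH_USER failure quoted further down. The sample files are constructed; the parse rules (whole-line comments only, parameter names matched ignoring case and whitespace) follow Samba's own handling of smb.conf.

```python
"""Pre-flight check for the wiring this thread ends on: without winbind in the passwd
and group lines of nsswitch.conf, smbd's getpwnam() fails with NT_STATUS_NO_SUCH_USER."""
import re

# Constructed samples (not the posters' real files); group deliberately lacks winbind.
SMB_CONF = """\
[global]
  security = ads
  realm = TEST.BALTIC-ONLINE.DE
  workgroup = TEST
  idmap config * : range = 10000-20000
"""
NSSWITCH_CONF = "passwd:  files winbind\ngroup:   files\nhosts:   files dns\n"

def parse_smb_conf(text):
    """{section: {key: value}}; keys lower-cased, whitespace stripped, as Samba matches them."""
    conf, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in '#;':            # Samba: whole-line comments only
            continue
        if line[0] == '[' and line[-1] == ']':
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif '=' in line and section is not None:
            key, value = line.split('=', 1)
            conf[section][re.sub(r'\s+', '', key).lower()] = value.strip()
    return conf

def parse_nsswitch(text):
    """{database: [sources]} from lines such as 'passwd: files winbind'."""
    dbs = {}
    for line in (l.split('#', 1)[0] for l in text.splitlines()):
        if ':' in line:
            db, sources = line.split(':', 1)
            dbs[db.strip()] = sources.split()
    return dbs

def check_setup(smb_text, nss_text):
    """Return the list of problems found; an empty list means the wiring looks right."""
    g, nss = parse_smb_conf(smb_text).get('global', {}), parse_nsswitch(nss_text)
    problems = []
    if g.get('security', '').lower() != 'ads':
        problems.append('security must be ads on an AD member server')
    has_range = any(k.startswith('idmapconfig') and k.endswith(':range') for k in g)
    if not has_range and not ('idmapuid' in g and 'idmapgid' in g):
        problems.append('no idmap range, winbind cannot allocate uids/gids')
    for db in ('passwd', 'group'):          # both must resolve domain entries
        if 'winbind' not in nss.get(db, []):
            problems.append('nsswitch.conf: %s does not list winbind' % db)
    return problems
```

Run it against the real /etc/opt/csw/samba/smb.conf and /etc/nsswitch.conf before starting smbd; the legacy idmap uid/gid pair used in the older configs quoted below is accepted as an alternative to idmap config * : range.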






On 21.06.13 11:20, Jan Holzhueter wrote:
> OK, I'm not an ADS Samba expert, but I found this:
> 
> 
> [global]
>   security = ads
>   realm = EXAMPLE.COM
>   # IP of Domain Controller; dns probably works too
>   password server = IPADRESSE
>   workgroup = EXAMPLE
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind cache time = 10
>   winbind use default domain = yes
>   template homedir = /home/%U
>   template shell = /bin/bash
>   client use spnego = yes
>   client ntlmv2 auth = yes
>   encrypt passwords = yes
>   restrict anonymous = 2
>   domain master = no
>   local master = no
>   preferred master = no
>   os level = 0
> 
> 
> Which looks more or less like yours.
> I might have the time next week to try to get it to work.
> Greetings
> Jan
> 
> On 21.06.13 11:05, James Relph wrote:
>> Hi Jan,
>>
>> Basically the second situation there, pam authentication via winbind
>> (e.g. netatalk or SSH), is working OK.
>>
>> My smb.conf file is:
>>
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.CORP
>> security = ads
>> idmap uid = 16777216-33554431
>> idmap gid = 16777216-33554431
>> template shell = /usr/bin/bash
>> map untrusted to domain = yes
>> load printers = no
>> server string = server01
>> dns proxy = no
>> winbind cache time = 300
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind trusted domains only = No
>> winbind nested groups = Yes
>> winbind expand groups = 5
>> winbind refresh tickets = No
>> winbind offline logon = No
>> winbind normalize names = No
>> password server = server03.domain.corp
>> template homedir = /export/home/%U
>> log file = /var/samba/samba.log
>> log level = 5
>>
>> [FileShare]
>> path = /shared/FileShare
>> comment = FileShare
>> read only = No
>>
>> [STUDIO]
>> path = /shared/STUDIO
>> comment = STUDIO
>> read only = No
>>
>>
>> Thanks very much
>>
>> James
>>
>> On 21 Jun 2013, at 09:54, Jan Holzhueter <jh at opencsw.org> wrote:
>>
>>>
>>> Hi,
>>> just to make sure, what are you trying:
>>>
>>> Login with an AD user, as in ssh username at whatever?
>>> Or mount a share from the OI server via smb?
>>>
>>> For the first one please post /etc/pam.conf
>>>
>>> For the second please post /etc/opt/csw/samba/smb.conf
>>>
>>> Greetings
>>> Jan
>>>
>>>
>>>
>>>> On 21.06.13 10:43, James Relph wrote:
>>>> Hi Jan,
>>>>
>>>> Yes, that's the one I had found, and I already have that link there.  I
>>>> don't think winbind worked at all until that was in place.  It's samba
>>>> that doesn't seem to be working with winbind properly.
>>>>
>>>> James
>>>>
>>>> On 21 Jun 2013, at 09:00, Jan Holzhueter <jh at opencsw.org> wrote:
>>>>
>>>>> Hi,
>>>>> ok I looked up the old bug about that:
>>>>> https://www.opencsw.org/mantis/view.php?id=5020
>>>>>
>>>>> according to this you need this:
>>>>> ln -s /opt/csw/lib/libnss_winbind.so.1 /lib/nss_winbind.so.1
>>>>>
>>>>> Greetings
>>>>> Jan
>>>>>
>>>>>
>>>>> On 21.06.13 07:30, James Relph wrote:
>>>>>> Thanks for the speedy reply.  I think I found where you'd already
>>>>>> mentioned that online anyway, I've got:
>>>>>>
>>>>>> libnss_winbind.so -> /opt/csw/lib/libnss_winbind.so.1
>>>>>> nss_winbind.so.1 -> /opt/csw/lib/libnss_winbind.so.1
>>>>>>
>>>>>> In /lib.  Winbind itself seems to be working fine, I've got netatalk
>>>>>> using that happily, it's the cswsamba version that won't seem to use
>>>>>> winbind (it's either not using it properly, or it's using the wrong
>>>>>> winbind somehow).  Netatalk, using winbind, is fine.
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> James.
>>>>>>
>>>>>>
>>>>>> On 21 Jun 2013, at 06:24, Jan Holzhueter <jh at opencsw.org> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>> if you use the auth via pam you must symlink the nss_winbind to a
>>>>>>> special place. I'm not sure which one atm. Check the original OI samba
>>>>>>> package; that should put it in the right place.
>>>>>>> We can't add this to our package as this would break install on sparse
>>>>>>> zones.
>>>>>>> I wanted to write a short notice about it but did not have the time yet.
>>>>>>> It might be that you even need to copy and not symlink the lib. Not sure
>>>>>>> here.
>>>>>>>
>>>>>>> Greetings
>>>>>>> Jan
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 21.06.13 07:15, James Relph wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Apologies for cross posting, but I'm not sure if this is an OI issue or
>>>>>>>> a cswsamba issue.  I've installed cswsamba (3.6.15) and cswsamba_winbind
>>>>>>>> on an OI box (151a7).  I've got it bound to AD fine, and winbind itself
>>>>>>>> seems to be operating perfectly (I've actually got netatalk happily
>>>>>>>> authenticating AD users via winbind).  If I run wbinfo -u or getent
>>>>>>>> passwd, I get the expected information back.
>>>>>>>>
>>>>>>>> Oddly, though, Samba itself isn't authenticating users.  If I try to
>>>>>>>> log in (with a few variations of DOMAIN\username or username at DOMAIN)
>>>>>>>> it just kicks it back as an unknown user (see below).  The only thing
>>>>>>>> that I can think of is that cswsamba is actually still calling the
>>>>>>>> previously installed (but turned off) winbind that I installed with the
>>>>>>>> original OI samba install.  With that not running, though, I wouldn't
>>>>>>>> have thought that would have happened (but if that could be it, how do I
>>>>>>>> make sure that cswsamba uses cswsamba_winbind?).  I have symlinked the
>>>>>>>> csw nss_winbind libraries into /lib; I just don't know if there's
>>>>>>>> anything else that could cause this.
>>>>>>>>
>>>>>>>> Thanks for any help.
>>>>>>>>
>>>>>>>> James
>>>>>>>>
>>>>>>>> Principal Consultant
>>>>>>>>
>>>>>>>>
>>>>>>>> Mapping user [DOMAIN]\[james] from workstation [server03]
>>>>>>>> attempting to make a user_info for james (james)
>>>>>>>> making strings for james's user_info struct
>>>>>>>> making blobs for james's user_info struct
>>>>>>>> check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[james]@[server03] with the new password interface
>>>>>>>> check_ntlm_password:  mapped user is: [DOMAIN]\[james]@[server03]
>>>>>>>> Finding user DOMAIN\james
>>>>>>>> Trying _Get_Pwnam(), username as lowercase is DOMAIN\james
>>>>>>>> Trying _Get_Pwnam(), username as given is DOMAIN\james
>>>>>>>> Checking combinations of 0 uppercase letters in DOMAIN\james
>>>>>>>> Get_Pwnam_internals didn't find user [DOMAIN\james]!
>>>>>>>> Finding user james
>>>>>>>> Trying _Get_Pwnam(), username as lowercase is james
>>>>>>>> Checking combinations of 0 uppercase letters in james
>>>>>>>> Get_Pwnam_internals didn't find user [james]!
>>>>>>>> Failed to find authenticated user DOMAIN\james via getpwnam(), denying access.
>>>>>>>> check_ntlm_password: winbind authentication for user [james] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>>> check_ntlm_password:  Authentication for user [james] -> [james] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>>> Got user=[james at DOMAIN.CORP] domain=[DOMAIN] workstation=[server03] len1=24 len2=124
>>>>>>>> Mapping user [DOMAIN]\[james at DOMAIN.CORP] from workstation [server03]
>>>>>>>> attempting to make a user_info for james at DOMAIN.CORP (james at DOMAIN.CORP)
>>>>>>>> making strings for james at DOMAIN.CORP's user_info struct
>>>>>>>> making blobs for james at DOMAIN.CORP's user_info struct
>>>>>>>> check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[james at DOMAIN.CORP]@[server03] with the new password interface
>>>>>>>> check_ntlm_password:  mapped user is: [DOMAIN]\[james at DOMAIN.CORP]@[server03]
>>>>>>>> check_ntlm_password: winbind authentication for user [james at DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>>> check_ntlm_password:  Authentication for user [james at DOMAIN.CORP] -> [james at DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>>> Got user=[james at DOMAIN.CORP] domain=[DOMAIN] workstation=[server03] len1=24 len2=124
>>>>>>>> Mapping user [DOMAIN]\[james at DOMAIN.CORP] from workstation [server03]
>>>>>>>> attempting to make a user_info for james at DOMAIN.CORP (james at DOMAIN.CORP)
>>>>>>>> making strings for james at DOMAIN.CORP's user_info struct
>>>>>>>> making blobs for james at DOMAIN.CORP's user_info struct
>>>>>>>> check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[james at DOMAIN.CORP]@[server03] with the new password interface
>>>>>>>> check_ntlm_password:  mapped user is: [DOMAIN]\[james at DOMAIN.CORP]@[server03]
>>>>>>>> check_ntlm_password: winbind authentication for user [james at DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>>> check_ntlm_password:  Authentication for user [james at DOMAIN.CORP] -> [james at DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> users mailing list
>>>>>>>> users at lists.opencsw.org
>>>>>>>> https://lists.opencsw.org/mailman/listinfo/users