<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Hi Jan,<div><br></div><div>Basically the second situation there, pam authentication via winbind (eg. netatalk or SSH) is working OK.</div><div><br></div><div>My smb.conf file is:</div><div><br>[global]<br>workgroup = DOMAIN<br>realm = DOMAIN.CORP<br>security = ads<br>idmap uid = 16777216-33554431<br>idmap gid = 16777216-33554431<br>template shell = /usr/bin/bash<br>map untrusted to domain = yes<br>load printers = no<br>server string = server01<br>dns proxy = no<br>winbind cache time = 300<br>winbind enum users = Yes<br>winbind enum groups = Yes<br>winbind use default domain = Yes<br>winbind trusted domains only = No<br>winbind nested groups = Yes<br>winbind expand groups = 5<br>winbind refresh tickets = No<br>winbind offline logon = No<br>winbind normalize names = No<br>password server = server03.domain.corp<br>template homedir = /export/home/%U<br>log file = /var/samba/samba.log<br>log level = 5<br><br>[FileShare]<br>path = /shared/FileShare<br>comment = FileShare<br>read only = No<br><br>[STUDIO]<br>path = /shared/STUDIO<br>comment = STUDIO<br>read only = No<br><br></div><div><br></div><div>Thanks very much</div><div><br><div apple-content-edited="true">
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px;">James<br><br></span></div></div><div><div>On 21 Jun 2013, at 09:54, Jan Holzhueter <<a href="mailto:jh@opencsw.org">jh@opencsw.org</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br>Hi,<br>just to make sure what you are trying:<br><br>login with an AD user as in ssh username@whatever.<br>Or mount a share from the OI server via smb?<br><br>For the first one please post /etc/pam.conf<br><br>for the second please post /etc/opt/csw/samba/smb.conf<br><br>Greetings<br>Jan<br><br><br><br>On 21.06.13 10:43, James Relph wrote:<br><blockquote type="cite">Hi Jan,<br><br>Yes, that's the one I had found, and I already have that link there. I<br>don't think winbind worked at all until that was in place.
It's samba<br>that doesn't seem to be working with winbind properly.<br><br>James<br><br>On 21 Jun 2013, at 09:00, Jan Holzhueter <<a href="mailto:jh@opencsw.org">jh@opencsw.org</a>> wrote:<br><br><blockquote type="cite">Hi,<br>ok I looked up the old bug about that:<br><a href="https://www.opencsw.org/mantis/view.php?id=5020">https://www.opencsw.org/mantis/view.php?id=5020</a><br><br>according to this you need this:<br>ln -s /opt/csw/lib/libnss_winbind.so.1 /lib/nss_winbind.so.1<br><br>Greetings<br>Jan<br><br><br>On 21.06.13 07:30, James Relph wrote:<br><blockquote type="cite">Thanks for the speedy reply. I think I found where you'd already<br>mentioned that online anyway, I've got:<br><br>libnss_winbind.so -> /opt/csw/lib/libnss_winbind.so.1<br>nss_winbind.so.1 -> /opt/csw/lib/libnss_winbind.so.1<br><br>In /lib. Winbind itself seems to be working fine, I've got netatalk<br>using that happily, it's the cswsamba version that won't seem to use<br>winbind (it's either not using it properly, or it's using the wrong<br>winbind somehow). Netatalk, using winbind, is fine.<br><br>Best regards,<br><br>James.<br><br><br>On 21 Jun 2013, at 06:24, Jan Holzhueter <<a href="mailto:jh@opencsw.org">jh@opencsw.org</a>> wrote:<br><br><blockquote type="cite">Hi,<br>if you use the auth via pam you must symlink the nss_winbind to a<br>special place. I'm not sure which one atm. Check the original OI samba<br>package that should put it in the right place.<br>We can't add this to our package as this would break install on sparse<br>zones.<br>I wanted to write a short notice about it but did not have the time yet.<br>It might be that you even need to copy and not symlink the lib.
Not sure<br>here.<br><br>Greetings<br>Jan<br><br><br><br>On 21.06.13 07:15, James Relph wrote:<br><blockquote type="cite">Hi,<br><br>Apologies for cross posting, but I'm not sure if this is an OI issue or<br>a cswsamba issue. I've installed cswsamba (3.6.15) and cswsamba_winbind<br>on an OI box (151a7). I've got it bound to AD fine, and winbind itself<br>seems to be operating perfectly (I've actually got netatalk happily<br>authenticating AD users via winbind). If I run wbinfo -u or getent<br>passwd, I get the expected information back.<br><br>Oddly though Samba itself isn't authenticating users. If I try and<br>login (with a few variations of DOMAIN\username or username@DOMAIN) it<br>just kicks it back as an unknown user (see below). The only thing that<br>I can think of is that the cswsamba is actually still calling the<br>previously installed (but turned off) winbind that I installed with the<br>original OI samba install. With that not running though I wouldn't have<br>thought that would have happened (but if that could be it - how do I<br>make sure that cswsamba uses cswsamba_winbind).
I have symlinked the<br>csw nss_winbind libraries into /lib, I just don't know if there's<br>anything else that could cause this.<br><br>Thanks for any help.<br><br>James<br><br>Principal Consultant<br><br><br>
Mapping user [DOMAIN]\[james] from workstation [server03]<br>
attempting to make a user_info for james (james)<br>
making strings for james's user_info struct<br>
making blobs for james's user_info struct<br>
check_ntlm_password: Checking password for unmapped user [DOMAIN]\[james]@[server03] with the new password interface<br>
check_ntlm_password: mapped user is: [DOMAIN]\[james]@[server03]<br>
Finding user DOMAIN\james<br>
Trying _Get_Pwnam(), username as lowercase is DOMAIN\james<br>
Trying _Get_Pwnam(), username as given is DOMAIN\james<br>
Checking combinations of 0 uppercase letters in DOMAIN\james<br>
Get_Pwnam_internals didn't find user [DOMAIN\james]!<br>
Finding user james<br>
Trying _Get_Pwnam(), username as lowercase is james<br>
Checking combinations of 0 uppercase letters in james<br>
Get_Pwnam_internals didn't find user [james]!<br>
Failed to find authenticated user DOMAIN\james via getpwnam(), denying access.<br>
check_ntlm_password: winbind authentication for user [james] FAILED with error NT_STATUS_NO_SUCH_USER<br>
check_ntlm_password: Authentication for user [james] -> [james] FAILED with error NT_STATUS_NO_SUCH_USER<br>
Got user=[james@DOMAIN.CORP] domain=[DOMAIN] workstation=[server03] len1=24 len2=124<br>
Mapping user [DOMAIN]\[james@DOMAIN.CORP] from workstation [server03]<br>
attempting to make a user_info for james@DOMAIN.CORP (james@DOMAIN.CORP)<br>
making strings for james@DOMAIN.CORP's user_info struct<br>
making blobs for james@DOMAIN.CORP's user_info struct<br>
check_ntlm_password: Checking password for unmapped user [DOMAIN]\[james@DOMAIN.CORP]@[server03] with the new password interface<br>
check_ntlm_password: mapped user is: [DOMAIN]\[james@DOMAIN.CORP]@[server03]<br>
check_ntlm_password: winbind authentication for user [james@DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER<br>
check_ntlm_password: Authentication for user [james@DOMAIN.CORP] -> [james@DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER<br>
Got user=[james@DOMAIN.CORP] domain=[DOMAIN] workstation=[server03] len1=24 len2=124<br>
Mapping user [DOMAIN]\[james@DOMAIN.CORP] from workstation [server03]<br>
attempting to make a user_info for james@DOMAIN.CORP (james@DOMAIN.CORP)<br>
making strings for james@DOMAIN.CORP's user_info struct<br>
making blobs for james@DOMAIN.CORP's user_info struct<br>
check_ntlm_password: Checking password for unmapped user [DOMAIN]\[james@DOMAIN.CORP]@[server03] with the new password interface<br>
check_ntlm_password: mapped user is: [DOMAIN]\[james@DOMAIN.CORP]@[server03]<br>
check_ntlm_password: winbind authentication for user [james@DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER<br>
check_ntlm_password: Authentication for user [james@DOMAIN.CORP] -> [james@DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER<br><br><br>
_______________________________________________<br>users mailing list<br><a href="mailto:users@lists.opencsw.org">users@lists.opencsw.org</a><br><a href="https://lists.opencsw.org/mailman/listinfo/users">https://lists.opencsw.org/mailman/listinfo/users</a><br><br></blockquote><br></blockquote><br></blockquote><br></blockquote><br></blockquote></div></blockquote></div><br></div></body></html>