[csw-users] Odd Samba/winbind issue
James Relph
james at themacplace.co.uk
Fri Jun 21 11:05:40 CEST 2013
Hi Jan,
Basically the second situation there, PAM authentication via winbind (e.g. netatalk or SSH) is working OK.
My smb.conf file is:
[global]
workgroup = DOMAIN
realm = DOMAIN.CORP
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /usr/bin/bash
map untrusted to domain = yes
load printers = no
server string = server01
dns proxy = no
winbind cache time = 300
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 5
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
password server = server03.domain.corp
template homedir = /export/home/%U
log file = /var/samba/samba.log
log level = 5
[FileShare]
path = /shared/FileShare
comment = FileShare
read only = No
[STUDIO]
path = /shared/STUDIO
comment = STUDIO
read only = No
Thanks very much
James
On 21 Jun 2013, at 09:54, Jan Holzhueter <jh at opencsw.org> wrote:
>
> Hi,
> just to make sure what you are trying:
>
> login with an AD user as in ssh username at whatever.
> Or mount a share from the OI server via smb?
>
> For first one please post /etc/pam.conf
>
> for the second please post /etc/opt/csw/samba/smb.conf
>
> Greetings
> Jan
>
>
>
> On 21.06.13 10:43, James Relph wrote:
>> Hi Jan,
>>
>> Yes, that's the one I had found, and I already have that link there. I
>> don't think winbind worked at all until that was in place. It's samba
>> that doesn't seem to be working with winbind properly.
>>
>> James
>>
>> On 21 Jun 2013, at 09:00, Jan Holzhueter <jh at opencsw.org> wrote:
>>
>>> Hi,
>>> ok I looked up the old bug about that:
>>> https://www.opencsw.org/mantis/view.php?id=5020
>>>
>>> according to this you need this:
>>> ln -s /opt/csw/lib/libnss_winbind.so.1 /lib/nss_winbind.so.1
>>>
>>> Greetings
>>> Jan
>>>
>>>
>>> On 21.06.13 07:30, James Relph wrote:
>>>> Thanks for the speedy reply. I think I found where you'd already
>>>> mentioned that online anyway, I've got:
>>>>
>>>> libnss_winbind.so -> /opt/csw/lib/libnss_winbind.so.1
>>>> nss_winbind.so.1 -> /opt/csw/lib/libnss_winbind.so.1
>>>>
>>>> In /lib. Winbind itself seems to be working fine, I've got netatalk
>>>> using that happily, it's the cswsamba version that won't seem to use
>>>> winbind (it's either not using it properly, or it's using the wrong
>>>> winbind somehow). Netatalk, using winbind, is fine.
>>>>
>>>> Best regards,
>>>>
>>>> James.
>>>>
>>>>
>>>> On 21 Jun 2013, at 06:24, Jan Holzhueter <jh at opencsw.org> wrote:
>>>>
>>>>> Hi,
>>>>> if you use the auth via pam you must symlink the nss_winbind to a
>>>>> special place. I'm not sure which one atm. Check the original OI samba
>>>>> package that should put it in the right place.
>>>>> We can't add this to our package as this would break install on sparse
>>>>> zones.
>>>>> I wanted to write a short notice about it but did not have the time yet.
>>>>> It might be that you even need to copy and not symlink the lib. Not sure
>>>>> here.
>>>>>
>>>>> Greetings
>>>>> Jan
>>>>>
>>>>>
>>>>>
>>>>> On 21.06.13 07:15, James Relph wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Apologies for cross posting, but I'm not sure if this is an Oi issue or
>>>>>> a cswsamba issue. I've installed cswsamba (3.6.15) and cswsamba_winbind
>>>>>> on an OI box (151a7). I've got it bound to AD fine, and winbind itself
>>>>>> seems to be operating perfectly (I've actually got netatalk happily
>>>>>> authenticating AD users via winbind). If I run wbinfo -u or getent
>>>>>> passwd, I get the expected information back.
>>>>>>
>>>>>> Oddly though Samba itself isn't authenticating users. If I try and
>>>>>> login (with a few variations of DOMAIN\username or username at DOMAIN) it
>>>>>> just kicks it back as an unknown user (see below). The only thing that
>>>>>> I can think of is that the cswsamba is actually still calling the
>>>>>> previously installed (but turned off) winbind that I installed with the
>>>>>> original OI samba install. With that not running though I wouldn't have
>>>>>> thought that would have happened (but if that could be it - how do I
>>>>>> make sure that cswsamba uses cswsamba_winbind). I have symlinked the
>>>>>> csw nss_winbind libraries into /lib, I just don't know if there's
>>>>>> anything else that could cause this.
>>>>>>
>>>>>> Thanks for any help.
>>>>>>
>>>>>> James
>>>>>>
>>>>>> Principal Consultant
>>>>>>
>>>>>>
>>>>>> Mapping user [DOMAIN]\[james] from workstation [server03]
>>>>>> attempting to make a user_info for james (james)
>>>>>> making strings for james's user_info struct
>>>>>> making blobs for james's user_info struct
>>>>>> check_ntlm_password: Checking password for unmapped user
>>>>>> [DOMAIN]\[james]@[server03] with the new password interface
>>>>>> check_ntlm_password: mapped user is: [DOMAIN]\[james]@[server03]
>>>>>> Finding user DOMAIN\james
>>>>>> Trying _Get_Pwnam(), username as lowercase is DOMAIN\james
>>>>>> Trying _Get_Pwnam(), username as given is DOMAIN\james
>>>>>> Checking combinations of 0 uppercase letters in DOMAIN\james
>>>>>> Get_Pwnam_internals didn't find user [DOMAIN\james]!
>>>>>> Finding user james
>>>>>> Trying _Get_Pwnam(), username as lowercase is james
>>>>>> Checking combinations of 0 uppercase letters in james
>>>>>> Get_Pwnam_internals didn't find user [james]!
>>>>>> Failed to find authenticated user DOMAIN\james via getpwnam(), denying
>>>>>> access.
>>>>>> check_ntlm_password: winbind authentication for user [james] FAILED
>>>>>> with error NT_STATUS_NO_SUCH_USER
>>>>>> check_ntlm_password: Authentication for user [james] -> [james]
>>>>>> FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>> Got user=[james at DOMAIN.CORP]
>>>>>> domain=[DOMAIN] workstation=[server03] len1=24 len2=124
>>>>>> Mapping user [DOMAIN]\[james at DOMAIN.CORP]
>>>>>> from workstation [server03]
>>>>>> attempting to make a user_info for james at DOMAIN.CORP (james at DOMAIN.CORP)
>>>>>> making strings for james at DOMAIN.CORP's user_info struct
>>>>>> making blobs for james at DOMAIN.CORP's user_info struct
>>>>>> check_ntlm_password: Checking password for unmapped user
>>>>>> [DOMAIN]\[james at DOMAIN.CORP]@[server03] with the new password interface
>>>>>> check_ntlm_password: mapped user is: [DOMAIN]\[james at DOMAIN.CORP]@[server03]
>>>>>> check_ntlm_password: winbind authentication for user
>>>>>> [james at DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>> check_ntlm_password: Authentication for user [james at DOMAIN.CORP] ->
>>>>>> [james at DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>> Got user=[james at DOMAIN.CORP]
>>>>>> domain=[DOMAIN] workstation=[server03] len1=24 len2=124
>>>>>> Mapping user [DOMAIN]\[james at DOMAIN.CORP]
>>>>>> from workstation [server03]
>>>>>> attempting to make a user_info for james at DOMAIN.CORP (james at DOMAIN.CORP)
>>>>>> making strings for james at DOMAIN.CORP's user_info struct
>>>>>> making blobs for james at DOMAIN.CORP's user_info struct
>>>>>> check_ntlm_password: Checking password for unmapped user
>>>>>> [DOMAIN]\[james at DOMAIN.CORP]@[server03] with the new password interface
>>>>>> check_ntlm_password: mapped user is: [DOMAIN]\[james at DOMAIN.CORP]@[server03]
>>>>>> check_ntlm_password: winbind authentication for user
>>>>>> [james at DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>> check_ntlm_password: Authentication for user [james at DOMAIN.CORP] ->
>>>>>> [james at DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> users mailing list
>>>>>> users at lists.opencsw.org
>>>>>> https://lists.opencsw.org/mailman/listinfo/users
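
Added example (not part of the original thread or of Samba/OpenCSW): a small triage script for the level-5 smbd log excerpt quoted above. It splits the log into login attempts and separates attempts where smbd reports "Failed to find authenticated user ... via getpwnam()" (the Unix account lookup through NSS failed) from attempts that only carry an NT status error. The sample lines are taken from the excerpt with wrapped lines joined; the names `triage` and `classify` and the cause labels are assumptions made for this example.

```python
import re

# Sample: lines from the log excerpt in this thread, wrapped lines joined.
SAMPLE = r"""Mapping user [DOMAIN]\[james] from workstation [server03]
Finding user DOMAIN\james
Get_Pwnam_internals didn't find user [DOMAIN\james]!
Finding user james
Get_Pwnam_internals didn't find user [james]!
Failed to find authenticated user DOMAIN\james via getpwnam(), denying access.
check_ntlm_password: Authentication for user [james] -> [james] FAILED with error NT_STATUS_NO_SUCH_USER
Mapping user [DOMAIN]\[james at DOMAIN.CORP] from workstation [server03]
check_ntlm_password: Authentication for user [james at DOMAIN.CORP] -> [james at DOMAIN.CORP] FAILED with error NT_STATUS_NO_SUCH_USER
""".splitlines()

START = re.compile(r"Mapping user \[(.*?)\]\\\[(.*?)\] from workstation \[(.*?)\]")
MISS = re.compile(r"Get_Pwnam_internals didn't find user \[(.+?)\]!")
NSSFAIL = re.compile(r"Failed to find authenticated user (\S+) via getpwnam\(\)")
FINAL = re.compile(r"Authentication for user \[.*?\] -> \[.*?\] FAILED with error (\w+)")

def classify(attempt):
    """Label the attempt: NSS lookup failure takes priority over the NT status."""
    if attempt["nss_failed"]:
        return "nss-lookup-failed"   # getpwnam() could not resolve the account
    return attempt["status"] or "incomplete"

def triage(lines):
    """Group log lines into login attempts and attach a cause label to each."""
    attempts, cur = [], None
    for line in lines:
        if m := START.search(line):
            cur = {"user": f"{m[1]}\\{m[2]}", "workstation": m[3],
                   "nss_misses": [], "nss_failed": False, "status": None}
            attempts.append(cur)
        elif cur is None:
            continue                 # ignore lines before the first attempt
        elif m := MISS.search(line):
            cur["nss_misses"].append(m[1])   # name forms getpwnam() rejected
        elif NSSFAIL.search(line):
            cur["nss_failed"] = True
        elif m := FINAL.search(line):
            cur["status"] = m[1]
    for a in attempts:
        a["cause"] = classify(a)
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a["user"], a["cause"], a["nss_misses"])
```

For an "nss-lookup-failed" attempt, the `nss_misses` list gives the exact name forms to test with `getent passwd` on the server.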