winbind network authentication troubleshooting
C.J. Adams-Collier KF7BMP
cjac at colliertech.org
Mon May 6 20:04:52 MDT 2013
Hello folks,

I'm working on a project to replace NIS with winbind on FreeBSD 6.3.
I've not worked with nss before, as all of my own systems authenticate
against local files, so both NIS and winbind are relatively new to me.

I have built samba 3.5.21 for the target environment and am currently
exercising the ssh use case. You can also assume that I'm new to
FreeBSD.

I have modified /etc/nsswitch.conf to query libnss_winbind.so after
files:

# grep -E '^(group|passwd):' /etc/nsswitch.conf
group: files winbind
passwd: files winbind

I have also modified /etc/pam.d/sshd to make use of the functions in
pam_winbind.so:

# grep -E '^(auth|account|session|password)' /etc/pam.d/sshd
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
auth sufficient pam_winbind.so try_first_pass
account required pam_nologin.so
account required pam_login_access.so
account required pam_unix.so
account sufficient pam_winbind.so try_first_pass
session required pam_permit.so
session sufficient pam_winbind.so mkhomedir
session sufficient pam_winbind.so
password sufficient pam_winbind.so try_first_pass
password required pam_unix.so no_warn try_first_pass

From what I have observed with gdb, based on the nsswitch.conf changes,
libc will dlopen /lib/nss_winbind.so.1 (not /lib/libnss_winbind.so.2)
and (eventually) call the _nss_winbind_getpwnam_r, which is defined in
nsswitch/winbind_nss_linux.[co] and extern defined in
nsswitch/winbind_nss_freebsd.c. gdb 6.1.1 doesn't much like the
indirect way we get to winbind_nss_freebsd.c, so it's a bit difficult
for me to step through the code once it gets to this point.

Anybody got any tips?

Cheers,
C.J.
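
The following is an added example, not part of the original message and not Samba or FreeBSD code: a simplified Python model of the control flags described in FreeBSD's pam.conf(5), walked over the auth chain quoted in the post. The helper names (parse, evaluate) and the per-module outcomes are assumptions constructed for illustration, not observations from the poster's system.

```python
# Added example: simplified model of the control flags in FreeBSD pam.conf(5).
# The chain is the "auth" part of /etc/pam.d/sshd as quoted in the post.
SSHD_AUTH = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
auth sufficient pam_winbind.so try_first_pass
"""

def parse(text, facility):
    """Return [(control, module)] for one facility, in file order."""
    chain = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            chain.append((fields[1], fields[2]))
    return chain

def evaluate(chain, outcomes):
    """outcomes maps module -> True (success) or False (failure).
    Returns (granted, trace of (module, control, ok) actually run)."""
    failed, trace = False, []
    for control, module in chain:
        ok = outcomes[module]
        trace.append((module, control, ok))
        if ok:
            # sufficient/binding end the chain only if nothing required failed
            if control in ("sufficient", "binding") and not failed:
                return True, trace
        elif control in ("required", "binding"):
            failed = True           # keep going, but the request is denied
        elif control == "requisite":
            return False, trace     # deny immediately
        # a failed sufficient/optional module is ignored
    return not failed, trace

# Constructed outcomes (assumptions, not observations from the poster's host).
DOMAIN_ONLY = {"pam_opie.so": False, "pam_opieaccess.so": True,
               "pam_unix.so": False, "pam_winbind.so": True}
LOCAL_USER = {"pam_opie.so": False, "pam_opieaccess.so": True,
              "pam_unix.so": True, "pam_winbind.so": False}

if __name__ == "__main__":
    chain = parse(SSHD_AUTH, "auth")
    for name, outcomes in (("domain-only", DOMAIN_ONLY), ("local", LOCAL_USER)):
        granted, trace = evaluate(chain, outcomes)
        print(name, "->", "granted" if granted else "denied")
        for module, control, ok in trace:
            print("   %-10s %-18s %s" % (control, module, "ok" if ok else "fail"))
```

In this model the constructed domain-only case is denied because the failed required pam_unix.so line precedes the sufficient pam_winbind.so line; evaluating the same outcomes with those two lines swapped yields granted.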