[Samba] Strange behaviour of winbind on solaris 8

Oliver Weinmann oliver.weinmann at googlemail.com
Tue Apr 29 11:42:08 GMT 2008


It's the latest stable.

# smbd -V
Version 3.0.28a

[global]
        netbios name = rose8
        realm = VEGAGROUP.NET
        workgroup = VEGA
        security = ADS
        encrypt passwords = yes
        password server = *
        os level = 20
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 1100-200000
        idmap gid = 1100-200000
        idmap backend = rid:VEGA=1100-200000
        allow trusted domains = no
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/sh
        preferred master = no
        winbind nested groups = Yes
        winbind use default domain = Yes
        #winbind separator = +
        #winbind normalize names = yes
        log level = 10
        max log size = 50
        log file = /var/log/samba/log.%m
        dns proxy = no
        wins server = 172.20.205.1
        allow trusted domains = No
        client use spnego = Yes
        use kerberos keytab = true
        winbind offline logon = yes

I really appreciate your big effort. Thanks!

On 4/29/08, Dietrich Streifert <dietrich.streifert at visionet.de> wrote:
>
> Which samba version do you use?
>
> Please post the global configuration section of smb.conf.
>
>
> Oliver Weinmann wrote:
>
> Here could be a problem. I could not change our win 2k3 schema. They were
> afraid it could break something... tsss. So I had to use the idmap_rid
> module. Which does a good job actually. It uses the last portion of the AD
> user's SID and adds it to a base set in smb.conf. I issued your commands:
>
> bash-2.03# getent passwd | grep oweinmann
> oweinmann2:*:15042:1613:Oliver Weinmann2:/home/oweinmann2:/bin/sh
> oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh
> oweinmann1:*:15041:1613:Oliver Weinmann1:/home/oweinmann1:/bin/sh
> bash-2.03# id -a oweinmann
> uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
> bash-2.03# su oweinmann
> $ id
> uid=11611(oweinmann) gid=1613(domain users)
> $ id -a
>
> The "id -a" as user "oweinmann" seems to get stuck. It just sits there. I
> noticed when issuing "groups oweinmann" as root it also gets stuck. For some
> users the "groups" command seems to work, for others it doesn't.
>
>
> On 4/29/08, Dietrich Streifert <dietrich.streifert at visionet.de> wrote:
> >
> > We have several installations where we use the two different AD schema
> > extensions (SFU from Windows Services for Unix and rfc2307bis from Windows
> > Server 2003R2) to put the needed information in.
> >
> > We are using the idmap_ad module to map the uid, gid, home etc.
> > information from the AD.
> >
> > The local users and the AD users are completely separated. We do not mix
> > up local users and AD users.
> >
> > The first basic test of whether the AD user information retrieval is
> > working is to use the getent command:
> >
> >     getent passwd <someADUser>
> >
> > So for a test user account I get:
> >
> >     korund{root}[/]: getent passwd testuser
> >     testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh
> >
> > If this works the first step is done.
> >
> > The second test is to get all related information for one user:
> >
> >     korund{root}[/]: id -a testuser
> >     uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib)
> >
> > The third test is to su - testuser and again try to issue both commands
> > above. If the retrieved information is the same you should be all done
> > (except for pam.conf which is another story).
> >
> >
> >
> >
> >
> >
> > Oliver Weinmann wrote:
> >
> > Could the problem be that the AD users are not in any of the local
> > groups on the machine? How do you manage your AD users to be members of
> > local groups e.g. staff, sys etc.? pam_groups?
> >
> > On 4/29/08, Oliver Weinmann <oliver.weinmann at googlemail.com> wrote:
> > >
> > > There is nothing in /etc/profile and the user oweinmann has no
> > > .bashrc. The problem seems to be related to nscd. When nscd is turned on I
> > > can login and issue commands and I don't get kicked out of the ssh login.
> > > There is no idle session timeout set. If there was I would get kicked out
> > > when nscd is turned on as well. Only when logged in as an AD user I get
> > > kicked out...
> > >
> > > On 4/29/08, Dietrich Streifert <dietrich.streifert at visionet.de> wrote:
> > > >
> > > > So there must be something in your bash init files, /etc/profile or
> > > > ~/.bashrc (sorry I'm not a bash user) which causes the problem.
> > > >
> > > > Maybe something which forms the shell prompt like whoami etc.
> > > >
> > > > Maybe there is something like a autologout set for the csh or in
> > > > sshd with idle session timeout.
> > > >
> > > >
> > > > Oliver Weinmann wrote:
> > > >
> > > > Hi,
> > > >
> > > > No, there was nothing in /var/adm/messages, but guess what, with the
> > > > csh ls -alrt and such commands work fine... But I get kicked out of the ssh
> > > > session after 2 minutes... :(
> > > >
> > > >
> > > > On 4/29/08, Dietrich Streifert <dietrich.streifert at visionet.de>
> > > > wrote:
> > > > >
> > > > > Are there any messages in /var/adm/messages which are related to
> > > > > nss ?
> > > > >
> > > > > As I can see you are using bash as your shell.
> > > > >
> > > > > Try using csh. Does something change?
> > > > >
> > > > > Oliver Weinmann wrote:
> > > > >
> > > > > su to user oweinmann works but when I issue the ldd -r
> > > > > /usr/lib/nss_winbind.so command it gets put in the background.. :( I then do
> > > > > fg 2 and this is the output:
> > > > >
> > > > > bash-2.03$ ldd -r /usr/lib/nss_winbind.so
> > > > >
> > > > > [2]+  Stopped                 ldd -r /usr/lib/nss_winbind.so
> > > > > bash-2.03$ fg 2
> > > > > ldd -r /usr/lib/nss_winbind.so
> > > > >         libthread.so.1 =>        /usr/lib/libthread.so.1
> > > > >         libsocket.so.1 =>        /usr/lib/libsocket.so.1
> > > > >         libdl.so.1 =>    /usr/lib/libdl.so.1
> > > > >         libc.so.1 =>     /usr/lib/libc.so.1
> > > > >         libnsl.so.1 =>   /usr/lib/libnsl.so.1
> > > > >         libmp.so.2 =>    /usr/lib/libmp.so.2
> > > > >         /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
> > > > >
> > > > > bash-2.03$ ls -alrt /etc/nsswitch.conf
> > > > >
> > > > > [2]+  Stopped                 ls -alrt /etc/nsswitch.conf
> > > > > bash-2.03$ fg 2
> > > > > ls -alrt /etc/nsswitch.conf
> > > > > -rw-r--r--   1 root     sys         1320 Apr 28 13:19 /etc/nsswitch.conf
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On 4/29/08, Dietrich Streifert <dietrich.streifert at visionet.de>
> > > > > wrote:
> > > > > >
> > > > > > Please try to login (or su) to the user oweinmann and issue then
> > > > > > ldd -r /usr/lib/nss_winbind.so
> > > > > >
> > > > > > For some reason I think that non root users are not able to read
> > > > > > one of the involved files.
> > > > > >
> > > > > > This could be
> > > > > >
> > > > > >     /etc/nsswitch.conf
> > > > > >     /usr/lib/nss_winbind.so
> > > > > >
> > > > > > or some of the files found by the ldd -r command. The fact that
> > > > > > you can issue commands while nscd is running points to this fact because nscd
> > > > > > is running as root and has permissions to read all of those files.
> > > > > >
> > > > > > /etc/nsswitch.conf should be readable by everyone.
> > > > > >
> > > > > > I compiled samba myself with a full stack of openssl, iconv,
> > > > > > heimdal kerberos, cyrus-sasl, openldap and samba. While people often speak
> > > > > > of the Windows DLL hell this is the Solaris shared library hell :-( But it
> > > > > > works.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Oliver Weinmann wrote:
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > bash-2.03# ldd -r /usr/lib/nss_winbind.so
> > > > > >         libthread.so.1 =>        /usr/lib/libthread.so.1
> > > > > >         libsocket.so.1 =>        /usr/lib/libsocket.so.1
> > > > > >         libdl.so.1 =>    /usr/lib/libdl.so.1
> > > > > >         libc.so.1 =>     /usr/lib/libc.so.1
> > > > > >         libnsl.so.1 =>   /usr/lib/libnsl.so.1
> > > > > >         libmp.so.2 =>    /usr/lib/libmp.so.2
> > > > > >         /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
> > > > > >
> > > > > > I changed the permissions and files to be exactly the same but I
> > > > > > still can't issue commands... :(
> > > > > >
> > > > > > bash-2.03# ls -alrt /usr/lib/nss_winbind.so*
> > > > > > -rwxr-xr-x   1 root     other      74744 Apr 29 09:03 /usr/lib/nss_winbind.so.1
> > > > > > lrwxrwxrwx   1 root     other         25 Apr 29 09:04 /usr/lib/nss_winbind.so -> /usr/lib/nss_winbind.so.1
> > > > > >
> > > > > > Could this also be a compilation problem? Have you compiled
> > > > > > Samba yourself or are you using prebuilt packages?
> > > > > >
> > > > > > On 4/29/08, Dietrich Streifert <dietrich.streifert at visionet.de>
> > > > > > wrote:
> > > > > > >
> > > > > > > What output does ldd -r /usr/lib/nss_winbind.so give?
> > > > > > >
> > > > > > > I have the following naming and permission for nss_winbind:
> > > > > > >
> > > > > > > lrwxrwxrwx   1 root     other         16 Jan 15  2004 nss_winbind.so -> nss_winbind.so.1
> > > > > > > -rwxr-xr-x   1 root     other      44540 Apr 28 17:35 nss_winbind.so.1
> > > > > > >
> > > > > > > Please try with exactly the same naming and permissions for
> > > > > > > your files.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Oliver Weinmann wrote:
> > > > > > >
> > > > > > > > I will try to get hands on the latest patches for solaris 8 and see
> > > > > > > > if that fixes the nscd problems. I can't believe that samba-winbind
> > > > > > > > is not running 100% well on a Solaris 8 machine.
> > > > > > > >
> > > > > > > >
> > > > > > > > On 4/28/08, Oliver Weinmann <oliver.weinmann at googlemail.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > >
> > > > > > > > > Just for fun I changed the perms of
> > > > > > > > > /usr/lib/libnss_winbind.so to 777
> > > > > > > > >
> > > > > > > > > bash-2.03# chmod 777 /usr/lib/libnss_winbind.so
> > > > > > > > > bash-2.03# ls -alrt /usr/lib/libnss_winbind.so
> > > > > > > > > -rwxrwxrwx   1 root     other      74744 Apr 28 13:32 /usr/lib/libnss_winbind.so
> > > > > > > > >
> > > > > > > > > nscd is turned off. I can login as an AD user but I can't
> > > > > > > > > start any command. :(
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > login as: oweinmann
> > > > > > > > > Using keyboard-interactive authentication.
> > > > > > > > > Password:
> > > > > > > > > Last login: Mon Apr 28 15:17:11 2008 from vb8860.vegagrou
> > > > > > > > > bash-2.03$ ls -alrt
> > > > > > > > >
> > > > > > > > > [1]+  Stopped                 ls -alrt
> > > > > > > > > bash-2.03$ id
> > > > > > > > >
> > > > > > > > > [2]+  Stopped                 id
> > > > > > > > > bash-2.03$ group
> > > > > > > > >
> > > > > > > > > [3]+  Stopped                 group
> > > > > > > > > bash-2.03$ echo "TEST"
> > > > > > > > > TEST
> > > > > > > > > bash-2.03$
> > > > > > > > > Some commands are working and some others are put in
> > > > > > > > > background and the session closes after one or two minutes?
> > > > > > > > >
> > > > > > > > > When I turn on nscd everything is fine, except ls -alrt
> > > > > > > > > not working.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On 4/28/08, Gerald (Jerry) Carter <jerry at samba.org> wrote:
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Oliver Weinmann wrote:
> > > > > > > > > > | forgot to mention that the nss_winbind links are there:
> > > > > > > > > > |
> > > > > > > > > > | bash-2.03# ls -alrt /usr/lib/nss_w*
> > > > > > > > > > | lrwxrwxrwx   1 root     other         28 Apr 23 14:30 /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
> > > > > > > > > > | lrwxrwxrwx   1 root     other         28 Apr 23 14:30 /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so.1
> > > > > > > > > > | lrwxrwxrwx   1 root     other         28 Apr 23 14:30 /usr/lib/nss_winbind.so -> /usr/lib/libnss_winbind.so.1
> > > > > > > > > >
> > > > > > > > > > Check the perms on /usr/lib/libnss_winbind.so.1.  Sounds
> > > > > > > > > > like it might be rwx for root only.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > cheers, jerry
> > > > > > > > > > - --
> > > > > > > > > >
> > > > > > > > > > =====================================================================
> > > > > > > > > > Samba                                    -------
> > > > > > > > > > http://www.samba.org
> > > > > > > > > > Likewise Software          ---------
> > > > > > > > > > http://www.likewisesoftware.com
> > > > > > > > > > "What man is a man who does not make the world better?"
> > > > > > > > > >      --Balian
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > --
> > > > > > > Best regards
> > > > > > > Dietrich Streifert
> > > > > > > --
> > > > > > > Visionet GmbH
> > > > > > > Registered office: Am Weichselgarten 7, 91058 Erlangen
> > > > > > > Court of registration: Commercial Register Fürth, HRB 6573
> > > > > > > Managing Director: Stefan Lindner
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> >
> >
> >
> >
> >
> >
>
>
>
>
>
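
The permission checks suggested in the thread (world-readable `/etc/nsswitch.conf` and `nss_winbind.so`, and the `chmod 777` experiment that left the library writable by everyone) can be scripted. This is an added example, not part of the original messages; the function names and return codes are its own convention, and it uses only `ls` so it also runs on systems without `stat`.

```shell
#!/bin/sh
# Added example: check a file that every non-root NSS client must be able
# to read. Return codes are this example's own convention:
#   0 ok   1 missing or dangling symlink   2 not world-readable
#   3 group- or world-writable             4 not owned by expected uid
audit_nss_file() {
    path=$1
    want_uid=${2:-0}                # root unless overridden (used for testing)
    # test -e follows symlinks, so nss_winbind.so -> nss_winbind.so.1 is
    # judged by its target and a dangling link counts as missing.
    [ -e "$path" ] || return 1
    line=$(ls -ldLn "$path" 2>/dev/null) || return 1
    # Fields of "ls -ln": mode, link count, numeric uid, remainder.
    read -r mode nlink uid rest <<EOF
$line
EOF
    case $mode in
        ?????w*|????????w*) return 3 ;;   # char 6 = group write, char 9 = other write
    esac
    case $mode in
        ???????r*) ;;                     # char 8 = other read
        *) return 2 ;;
    esac
    [ "$uid" = "$want_uid" ] || return 4
    return 0
}

report() {
    for f in "$@"; do
        rc=0
        audit_nss_file "$f" || rc=$?
        case $rc in
            0) echo "ok                  $f" ;;
            1) echo "MISSING             $f" ;;
            2) echo "NOT WORLD-READABLE  $f" ;;
            3) echo "WRITABLE BY OTHERS  $f" ;;
            4) echo "NOT OWNED BY ROOT   $f" ;;
        esac
    done
}

# Paths named in the thread.
report /etc/nsswitch.conf /usr/lib/nss_winbind.so /usr/lib/nss_winbind.so.1
```

A mode of 755 owned by root passes; the 777 mode from the experiment is reported as writable by others, which would let any local user replace code loaded into every process that performs a name lookup.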

