AW: Winbind authenticatition of user accessing a share with
encry pted password.
Mike Gerdts
Michael.Gerdts at alcatel.com
Thu Jun 27 05:59:01 GMT 2002
I have not yet had the time to finish up the patch that is referred to
below. If anyone else wants to move it forward, I would be more than
happy. In addition to the patches at
http://www.cae.wisc.edu/~gerdts/samba/ I have a private CVS repository
that I would happily tar up and send to anyone that would put it up on a
public CVS server.
A "todo list" of sorts can be found at
http://lists.samba.org/pipermail/samba-technical/2002-May/036877.html
Mike
On Thu, 2002-06-27 at 08:31, Klein.Roman at Yamanouchi.de wrote:
> Hi,
>
> I have not installed samba until 2.2.5 now.
>
> But there is a bug in the winbindd code which has been fixed by Mike Gerdts,
> see attached e-mail.
> I assumed that this patch, wich works for me on samba 2.2.4 solaris 2.6, has
> been added to the 2.2.5 release.
>
> Obviously not.
>
> <<Re: Samba, winbind, solaris and your patch>>
>
> Could you please give me feedback if this works for you an 2.2.5 also.
>
> Best Regards
>
> Roman
>
> > -----Ursprüngliche Nachricht-----
> > Von: Allan Nielsen [SMTP:ALLANN at dk.ibm.com]
> > Gesendet am: Donnerstag, 27. Juni 2002 09:53
> > An: Klein.Roman at Yamanouchi.de
> > Betreff: Winbind authenticatition of user accessing a share with
> > encrypted password.
> >
> > Hi
> >
> > In relation to your posted message I have exactly the same problem on
> > samba
> > 2.2.5.
> > Flags used are --with-winbind --with-winbind-auth-challenge
> > --with-acl-support.
> > After including --with-winbind-auth-challenge it is possible to get
> > authentication with encrypted passwords from wbinfo -a user%password but
> > when accessing a share as this user he is mapped to nobody.
> >
> > Did you succeed to solve your problem?
> >
> > I'm using samba now for 6-7 years starting with samba 1.9.18.
> >
> > I have 6 machines running samba v2.0.7 under linux and solaris
> > I have upgraded one of the solaris machines to samba 2.2.3a including
> > acl-support and winbind.
> >
> > I live in a win2k forest, so my domain has a trust relationship with an
> > other win2k domain.
> > My domain controllers are in mixed mode.
> >
> > In order to get winbindd and nsswitch up and running I had to adjust the
> > Makefile as follows:
> >
> > nsswitch/libnss_winbind.so: $(WINBIND_NSS_PICOBJS)
> > @echo "Linking $@"
> > @$(SHLD) -h $@ -G -o $@ $(WINBIND_NSS_PICOBJS) $(LIBS)
> >
> > I added the $(LIBS) to the linker-line, without that I had errors when
> > doing
> > a 'ls -l' for a file which was owned by a DOMAIN+domuser account.
> >
> > Furthermore I had to copy the nsswitch/libnss_winbind.so as nss_winbind.so
> > to /lib
> > After configuring nsswitch.conf I can successfully do:
> >
> > wbinfo -u
> > wbinfo -g
> > getent passwd
> > getent group
> >
> > From a NT4 or win2k-box I can modify acl an the samba-share as long as I
> > use
> > a useraccount which is not authenticated by winbind.
> >
> > when I use:
> > wbinfo -a domain\\domuser%password (my winbind separator is '\')
> >
> > I'll get error:
> >
> > plaintext password authentication succeeded
> > challenge/response password authentication failed
> > Could not authenticate user domain\domuser%password with
> > challenge/response
> >
> > Although encrypted passwords are enabled in smb.conf
> >
> > I can do a
> >
> > su - domain\\domuser%password
> >
> > on unix level
> >
> > When I do a smbclient //server/share -U domain\\domuser%password
> >
> > I'll get error:
> >
> > Domain=[DOMAIN] OS=[Unix] Server=[Samba 2.2.3a]
> > tree connect failed: NT_STATUS_WRONG_PASSWORD
> >
> > I can not connect to that server using a winbind authenticated useraccount
> > from neither NT4sp6 nor win2ksp2.
> >
> > In any case I can see in the winbindd-log that the demon is enumerating
> > SID's to GID's and UID's, but it states that the password are not
> > encrypted.
> >
> > I was reading through the docs and mailings for the last two days, but I
> > did
> > not get the proper advice in how to get it up and running.
> >
> > Can anybody help
> >
> > Best Regards
> >
> > Roman
> >
> > Med venlig hilsen / With kind Regards
> >
> > Allan Nielsen
> > Advisory IT-Specialist
> >
> > IBM Danmark A/S - Sortemosevej 21 - 3450 Allerød - Phone: 4523
> > 9595 - Mobil: 23325107 - Fax: 4523 6803 - E-mail:
> > allann at dk.ibm.com
> >
> ----
>
> From: Michael.Gerdts at alcatel.com
> To: Klein.Roman at Yamanouchi.de
> Subject: Re: Samba, winbind, solaris and your patch
> Date: 13 May 2002 19:59:46 +0200
>
> On Mon, 2002-05-13 at 11:20, Klein.Roman at Yamanouchi.de wrote:
> > Hello Mike,
> >
> > I was veerrryyy interested in your work when I first saw your posting
> > concerning winbind and the related problems when running it on more than
> one
> > machine.
>
> Glad to hear it. I was begininning to think that I was the only one
> looking for this functionality.
>
> > I therefore immediately downloaded your patch and enhancements to winbind
> > and applied it to samba 2.2.4.
> >
> > But when starting winbindd I get error messages in the log.winbindd
> stating
> > that the loader ld.so.1 can not find the symbol main in idmap_file.so.
>
> Hmmmm... not sure about that. Could you send me the version that you
> compiled so that I can compare it against the one that works for me?
> Also, please include any modifications that you did to the makefile to
> get it to compile.
>
> > Any idea what could be wrong?
>
> Perhaps a different compiler and/or linker contributed to the problems.
> I am using gcc 2.95.2 on Solaris 8.
>
> > My configuration is as follows:
> >
> > Solaris 2.6
> > Samba 2.2.4
> > gcc et al 2.95.3
> >
> >
> > Besides the problem that winbindd, without your patch, causes trouble in
> an
> > multi-machine environment I face the following problem, with and without
> > your patch, as well:
> >
> > - winbindd is running
> > - wbinfo -u --> shows all domain users
> > - wbinfo -g --> shows all domain groups
> > - getent passwd --> shows all, local and domain, users
> > - getent group --> shows all, local and domain, groups
> > - getent passwd domain+domuser --> shows passwd entry for specified domain
> > user
> > - wbinfo -a domain+domuser%passwd --> both authentication methods succeed
> > - when install pam_winbind --> login to solaris as domain+domuser and
> > domain-passwd works
> >
> > BUT
> >
> > connecting from an windows-box in explorer to a share on that
> > winbind-machine is not working.
> > I tried to track it down and I think I found out that when winbind tries
> to
> > call the solaris function 'getpwnam' that function returns a null-pointer.
>
> This is likely the bug related to the passwd structure on Solaris having
> pw_age and pw_comment fields. See
> http://lists.samba.org/pipermail/samba-technical/2002-May/036614.html
> for details. If you didn't remove that part from my patch, you should
> be protected from this bug. You may want to take a look at
> source/lib/system.c. In wsys_getpwnam() there is another function that
> copies the passwd structure (wsys_getpwnam). It looks as though it is
> not called by anything, but perhaps I am missing some funky macro or
> define that comes out of configure somewhere.
>
> If there is another problem, I am not sure where exactly it would be
> at. The bug I found was quite difficult to find until I recompiled nscd
> with debugging symbols. Unfortunately, that is not an option for most
> people, especially with Solaris 2.6. AFAIK, Sun only gave the Solaris
> 2.5.1, 2.6, and 7 code to univerisities. The only Sun source that I
> have access to for debugging things like this is Solaris 8.
>
> > I assume from your postings that you are familiar with c, solaris and have
> a
> > running winbind environment.
>
> I have tried minimal functionality of winbindd. I do not want to use
> the winbind PAM module because UNIX users should authenticate against
> NIS. getent passwd <domain\\user> and getent passwd <uid> work just
> fine. Exporer on NT4 and Win2k is able to create files and display ACLs
> consistent with what I expect, given the U/GIDs assigned by winbindd.
> ls and getfacl concur with the results that Windows explorer show.
> Also, I explorer on Windows 98 is able to create directories just fine
> (that is all I tried from 98).
>
> > Any idea what causes that problem, when I posted this problem to the
> > samba-technical mailing list no one was responding except some other
> usesrs
> > facing the same problem.
> >
> > Can you contribute in any matter to this problems?
> >
> > Would be veeerrryyyy helpful.
> >
> > Thanks in advance and best regards
> >
> > Roman
>
> If you don't have a reason for not Cc'ing the list, please do so in the
> future so that others can benefit from your question and my response.
> It helps the samba team know that there is more than one person that
> would like this functionality and they are more likely to include it in
> future releases.
>
> Please let me know if this does or does not help.
> Mike
More information about the samba-technical
mailing list