AW: Winbind authenticatition of user accessing a share with encry pted password.

Mike Gerdts Michael.Gerdts at alcatel.com
Thu Jun 27 05:59:01 GMT 2002 

I have not yet had the time to finish up the patch that is referred to
below.  If anyone else wants to move it forward, I would be more than
happy.  In addition to the patches at
http://www.cae.wisc.edu/~gerdts/samba/ I have a private CVS repository
that I would happily tar up and send to anyone that would put it up on a
public CVS server.

A "todo list" of sorts can be found at
http://lists.samba.org/pipermail/samba-technical/2002-May/036877.html

Mike

On Thu, 2002-06-27 at 08:31, Klein.Roman at Yamanouchi.de wrote:
> Hi,
> 
> I have not installed samba until 2.2.5 now.
> 
> But there is a bug in the winbindd code which has been fixed by Mike Gerdts,
> see attached e-mail.
> I assumed that this patch, wich works for me on samba 2.2.4 solaris 2.6, has
> been added to the 2.2.5 release.
> 
> Obviously not.
> 
>  <<Re: Samba, winbind, solaris and your patch>> 
> 
> Could you please give me feedback if this works for you an 2.2.5 also.
> 
> Best Regards
> 
> Roman
> 
> > -----Ursprüngliche Nachricht-----
> > Von:	Allan Nielsen [SMTP:ALLANN at dk.ibm.com]
> > Gesendet am:	Donnerstag, 27. Juni 2002 09:53
> > An:	Klein.Roman at Yamanouchi.de
> > Betreff:	Winbind authenticatition of user accessing a share with
> > encrypted password.
> > 
> > Hi
> > 
> > In relation to your posted message I have exactly the same problem on
> > samba
> > 2.2.5.
> > Flags used are --with-winbind --with-winbind-auth-challenge
> > --with-acl-support.
> > After including  --with-winbind-auth-challenge it is possible to get
> > authentication with encrypted passwords from wbinfo -a user%password but
> > when accessing a share as this user he is mapped to nobody.
> > 
> > Did you succeed to solve your problem?
> > 
> > I'm using samba now for 6-7 years starting with samba 1.9.18.
> > 
> > I have 6 machines running samba v2.0.7 under linux and solaris
> > I have upgraded one of the solaris machines to samba 2.2.3a including
> > acl-support and winbind.
> > 
> > I live in a win2k forest, so my domain has a trust relationship with an
> > other win2k domain.
> > My domain controllers are in mixed mode.
> > 
> > In order to get winbindd and nsswitch up and running I had to adjust the
> > Makefile as follows:
> > 
> > nsswitch/libnss_winbind.so: $(WINBIND_NSS_PICOBJS)
> >         @echo "Linking $@"
> >         @$(SHLD) -h $@ -G -o $@ $(WINBIND_NSS_PICOBJS) $(LIBS)
> > 
> > I added the $(LIBS) to the linker-line, without that I had errors when
> > doing
> > a 'ls -l' for a file which was owned by a DOMAIN+domuser account.
> > 
> > Furthermore I had to copy the nsswitch/libnss_winbind.so as nss_winbind.so
> > to /lib
> > After configuring nsswitch.conf I can successfully do:
> > 
> > wbinfo -u
> > wbinfo -g
> > getent passwd
> > getent group
> > 
> > From a NT4 or win2k-box I can modify acl an the samba-share as long as I
> > use
> > a useraccount which is not authenticated by winbind.
> > 
> > when I use:
> > wbinfo -a domain\\domuser%password (my winbind separator is '\')
> > 
> > I'll get error:
> > 
> > plaintext password authentication succeeded
> > challenge/response password authentication failed
> > Could not authenticate user domain\domuser%password with
> > challenge/response
> > 
> > Although encrypted passwords are enabled in smb.conf
> > 
> > I can do a
> > 
> > su - domain\\domuser%password
> > 
> > on unix level
> > 
> > When I do a smbclient //server/share -U domain\\domuser%password
> > 
> > I'll get error:
> > 
> > Domain=[DOMAIN] OS=[Unix] Server=[Samba 2.2.3a]
> > tree connect failed: NT_STATUS_WRONG_PASSWORD
> > 
> > I can not connect to that server using a winbind authenticated useraccount
> > from neither NT4sp6 nor win2ksp2.
> > 
> > In any case I can see in the winbindd-log that the demon is enumerating
> > SID's to GID's and UID's, but it states that the password are not
> > encrypted.
> > 
> > I was reading through the docs and mailings for the last two days, but I
> > did
> > not get the proper advice in how to get it up and running.
> > 
> > Can anybody help
> > 
> > Best Regards
> > 
> > Roman
> > 
> > Med venlig hilsen / With kind Regards
> > 
> > Allan Nielsen
> > Advisory   IT-Specialist
> > 
> > IBM Danmark A/S   -   Sortemosevej 21   -   3450 Allerød   -   Phone: 4523
> > 9595   -   Mobil: 23325107   -   Fax: 4523 6803   -   E-mail:
> > allann at dk.ibm.com
> > 
> ----
> 

> From: Michael.Gerdts at alcatel.com
> To: Klein.Roman at Yamanouchi.de
> Subject: Re: Samba, winbind, solaris and your patch
> Date: 13 May 2002 19:59:46 +0200
> 
> On Mon, 2002-05-13 at 11:20, Klein.Roman at Yamanouchi.de wrote:
> > Hello Mike,
> > 
> > I was veerrryyy interested in your work when I first saw your posting
> > concerning winbind and the related problems when running it on more than
> one
> > machine.
> 
> Glad to hear it.  I was begininning to think that I was the only one
> looking for this functionality.
>  
> > I therefore immediately downloaded your patch and enhancements to winbind
> > and applied it to samba 2.2.4.
> > 
> > But when starting winbindd I get error messages in the log.winbindd
> stating
> > that the loader ld.so.1 can not find the symbol main in idmap_file.so.
> 
> Hmmmm... not sure about that.  Could you send me the version that you
> compiled so that I can compare it against the one that works for me? 
> Also, please include any modifications that you did to the makefile to
> get it to compile.
> 
> > Any idea what could be wrong?
> 
> Perhaps a different compiler and/or linker contributed to the problems. 
> I am using gcc 2.95.2 on Solaris 8.
> 
> > My configuration is as follows:
> > 
> > Solaris 2.6
> > Samba 2.2.4
> > gcc et al 2.95.3
> > 
> > 
> > Besides the problem that winbindd, without your patch, causes trouble in
> an
> > multi-machine environment I face the following problem, with and without
> > your patch, as well:
> > 
> > - winbindd is running
> > - wbinfo -u --> shows all domain users
> > - wbinfo -g --> shows all domain groups
> > - getent passwd --> shows all, local and domain, users
> > - getent group --> shows all, local and domain, groups
> > - getent passwd domain+domuser --> shows passwd entry for specified domain
> > user
> > - wbinfo -a domain+domuser%passwd --> both authentication methods succeed
> > - when install pam_winbind --> login to solaris as domain+domuser and
> > domain-passwd works
> > 
> > BUT
> > 
> > connecting from an windows-box in explorer to a share on that
> > winbind-machine is not working.
> > I tried to track it down and I think I found out that when winbind tries
> to
> > call the solaris function 'getpwnam' that function returns a null-pointer.
> 
> This is likely the bug related to the passwd structure on Solaris having
> pw_age and pw_comment fields.  See
> http://lists.samba.org/pipermail/samba-technical/2002-May/036614.html
> for details.  If you didn't remove that part from my patch, you should
> be protected from this bug.  You may want to take a look at
> source/lib/system.c.  In wsys_getpwnam() there is another function that
> copies the passwd structure (wsys_getpwnam).  It looks as though it is
> not called by anything, but perhaps I am missing some funky macro or
> define that comes out of configure somewhere.
> 
> If there is another problem, I am not sure where exactly it would be
> at.  The bug I found was quite difficult to find until I recompiled nscd
> with debugging symbols.  Unfortunately, that is not an option for most
> people, especially with Solaris 2.6.  AFAIK, Sun only gave the Solaris
> 2.5.1, 2.6, and 7 code to univerisities.  The only Sun source that I
> have access to for debugging things like this is Solaris 8.
> 
> > I assume from your postings that you are familiar with c, solaris and have
> a
> > running winbind environment.
> 
> I have tried minimal functionality of winbindd.  I do not want to use
> the winbind PAM module because UNIX users should authenticate against
> NIS.  getent passwd <domain\\user> and getent passwd <uid> work just
> fine.  Exporer on NT4 and Win2k is able to create files and display ACLs
> consistent with what I expect, given the U/GIDs assigned by winbindd. 
> ls and getfacl concur with the results that Windows explorer show. 
> Also, I explorer on Windows 98 is able to create directories just fine
> (that is all I tried from 98).
> 
> > Any idea what causes that problem, when I posted this problem to the
> > samba-technical mailing list no one was responding except some other
> usesrs
> > facing the same problem.
> > 
> > Can you contribute in any matter to this problems?
> > 
> > Would be veeerrryyyy helpful.
> > 
> > Thanks in advance and best regards
> > 
> > Roman
> 
> If you don't have a reason for not Cc'ing the list, please do so in the
> future so that others can benefit from your question and my response. 
> It helps the samba team know that there is more than one person that
> would like this functionality and they are more likely to include it in
> future releases.
> 
> Please let me know if this does or does not help.
> Mike

More information about the samba-technical mailing list