AW: AW: Winbind authentication of user accessing a share with encrypted password.

Klein.Roman at Yamanouchi.de Klein.Roman at Yamanouchi.de
Thu Jun 27 06:04:02 GMT 2002


Hi all,

Sorry, but I am not familiar with programming.

Maybe someone else could do that.

The patch I have referenced did not job at least to samba 2.2.4

Best Regards

Roman

> -----Original Message-----
> From: Mike  Gerdts [SMTP:Michael.Gerdts at alcatel.com]
> Sent: Thursday, 27 June 2002 15:11
> To: Klein.Roman at Yamanouchi.de
> Cc: ALLANN at dk.ibm.com; Samba Technical Mailing List
> Subject: Re: AW: Winbind authentication of user accessing a share
> with encrypted password.
> 
> I have not yet had the time to finish up the patch that is referred to
> below.  If anyone else wants to move it forward, I would be more than
> happy.  In addition to the patches at
> http://www.cae.wisc.edu/~gerdts/samba/ I have a private CVS repository
> that I would happily tar up and send to anyone that would put it up on a
> public CVS server.
> 
> A "todo list" of sorts can be found at
> http://lists.samba.org/pipermail/samba-technical/2002-May/036877.html
> 
> Mike
> 
> On Thu, 2002-06-27 at 08:31, Klein.Roman at Yamanouchi.de wrote:
> > Hi,
> > 
> > I have not installed samba until 2.2.5 now.
> > 
> > But there is a bug in the winbindd code which has been fixed by Mike Gerdts,
> > see attached e-mail.
> > I assumed that this patch, which works for me on samba 2.2.4 solaris 2.6, has
> > been added to the 2.2.5 release.
> > 
> > Obviously not.
> > 
> >  <<Re: Samba, winbind, solaris and your patch>> 
> > 
> > Could you please give me feedback if this works for you on 2.2.5 also.
> > 
> > Best Regards
> > 
> > Roman
> > 
> > > -----Original Message-----
> > > From: Allan Nielsen [SMTP:ALLANN at dk.ibm.com]
> > > Sent: Thursday, 27 June 2002 09:53
> > > To: Klein.Roman at Yamanouchi.de
> > > Subject: Winbind authentication of user accessing a share with
> > > encrypted password.
> > > 
> > > Hi
> > > 
> > > In relation to your posted message I have exactly the same problem on
> > > samba 2.2.5.
> > > Flags used are --with-winbind --with-winbind-auth-challenge
> > > --with-acl-support.
> > > After including  --with-winbind-auth-challenge it is possible to get
> > > authentication with encrypted passwords from wbinfo -a user%password but
> > > when accessing a share as this user he is mapped to nobody.
> > > 
> > > Did you succeed to solve your problem?
> > > 
> > > I'm using samba now for 6-7 years starting with samba 1.9.18.
> > > 
> > > I have 6 machines running samba v2.0.7 under linux and solaris
> > > I have upgraded one of the solaris machines to samba 2.2.3a including
> > > acl-support and winbind.
> > > 
> > > I live in a win2k forest, so my domain has a trust relationship with
> > > another win2k domain.
> > > My domain controllers are in mixed mode.
> > > 
> > > In order to get winbindd and nsswitch up and running I had to adjust the
> > > Makefile as follows:
> > > 
> > > nsswitch/libnss_winbind.so: $(WINBIND_NSS_PICOBJS)
> > >         @echo "Linking $@"
> > >         @$(SHLD) -h $@ -G -o $@ $(WINBIND_NSS_PICOBJS) $(LIBS)
> > > 
> > > I added the $(LIBS) to the linker-line, without that I had errors when
> > > doing a 'ls -l' for a file which was owned by a DOMAIN+domuser account.
> > > 
> > > Furthermore I had to copy the nsswitch/libnss_winbind.so as nss_winbind.so
> > > to /lib
> > > After configuring nsswitch.conf I can successfully do:
> > > 
> > > wbinfo -u
> > > wbinfo -g
> > > getent passwd
> > > getent group
> > > 
> > > From a NT4 or win2k-box I can modify acl on the samba-share as long as I
> > > use a useraccount which is not authenticated by winbind.
> > > 
> > > when I use:
> > > wbinfo -a domain\\domuser%password (my winbind separator is '\')
> > > 
> > > I'll get error:
> > > 
> > > plaintext password authentication succeeded
> > > challenge/response password authentication failed
> > > Could not authenticate user domain\domuser%password with
> > > challenge/response
> > > 
> > > Although encrypted passwords are enabled in smb.conf
> > > 
> > > I can do a
> > > 
> > > su - domain\\domuser%password
> > > 
> > > on unix level
> > > 
> > > When I do a smbclient //server/share -U domain\\domuser%password
> > > 
> > > I'll get error:
> > > 
> > > Domain=[DOMAIN] OS=[Unix] Server=[Samba 2.2.3a]
> > > tree connect failed: NT_STATUS_WRONG_PASSWORD
> > > 
> > > I can not connect to that server using a winbind authenticated useraccount
> > > from neither NT4sp6 nor win2ksp2.
> > > 
> > > In any case I can see in the winbindd-log that the daemon is enumerating
> > > SID's to GID's and UID's, but it states that the passwords are not
> > > encrypted.
> > > 
> > > I was reading through the docs and mailings for the last two days, but I
> > > did not get the proper advice in how to get it up and running.
> > > 
> > > Can anybody help
> > > 
> > > Best Regards
> > > 
> > > Roman
> > > 
> > > Med venlig hilsen / With kind Regards
> > > 
> > > Allan Nielsen
> > > Advisory   IT-Specialist
> > > 
> > > IBM Danmark A/S   -   Sortemosevej 21   -   3450 Allerød   -   Phone: 4523
> > > 9595   -   Mobile: 23325107   -   Fax: 4523 6803   -   E-mail:
> > > allann at dk.ibm.com
> > > 
> > ----
> > 
> 
> > From: Michael.Gerdts at alcatel.com
> > To: Klein.Roman at Yamanouchi.de
> > Subject: Re: Samba, winbind, solaris and your patch
> > Date: 13 May 2002 19:59:46 +0200
> > 
> > On Mon, 2002-05-13 at 11:20, Klein.Roman at Yamanouchi.de wrote:
> > > Hello Mike,
> > > 
> > > I was veerrryyy interested in your work when I first saw your posting
> > > concerning winbind and the related problems when running it on more than one
> > > machine.
> > 
> > Glad to hear it.  I was beginning to think that I was the only one
> > looking for this functionality.
> >  
> > > I therefore immediately downloaded your patch and enhancements to winbind
> > > and applied it to samba 2.2.4.
> > > 
> > > But when starting winbindd I get error messages in the log.winbindd stating
> > > that the loader ld.so.1 can not find the symbol main in idmap_file.so.
> > 
> > Hmmmm... not sure about that.  Could you send me the version that you
> > compiled so that I can compare it against the one that works for me? 
> > Also, please include any modifications that you did to the makefile to
> > get it to compile.
> > 
> > > Any idea what could be wrong?
> > 
> > Perhaps a different compiler and/or linker contributed to the problems. 
> > I am using gcc 2.95.2 on Solaris 8.
> > 
> > > My configuration is as follows:
> > > 
> > > Solaris 2.6
> > > Samba 2.2.4
> > > gcc et al 2.95.3
> > > 
> > > 
> > > Besides the problem that winbindd, without your patch, causes trouble in a
> > > multi-machine environment I face the following problem, with and without
> > > your patch, as well:
> > > 
> > > - winbindd is running
> > > - wbinfo -u --> shows all domain users
> > > - wbinfo -g --> shows all domain groups
> > > - getent passwd --> shows all, local and domain, users
> > > - getent group --> shows all, local and domain, groups
> > > - getent passwd domain+domuser --> shows passwd entry for specified domain
> > > user
> > > - wbinfo -a domain+domuser%passwd --> both authentication methods succeed
> > > - when install pam_winbind --> login to solaris as domain+domuser and
> > > domain-passwd works
> > > 
> > > BUT
> > > 
> > > connecting from a windows-box in explorer to a share on that
> > > winbind-machine is not working.
> > > I tried to track it down and I think I found out that when winbind tries to
> > > call the solaris function 'getpwnam' that function returns a null-pointer.
> > 
> > This is likely the bug related to the passwd structure on Solaris having
> > pw_age and pw_comment fields.  See
> > http://lists.samba.org/pipermail/samba-technical/2002-May/036614.html
> > for details.  If you didn't remove that part from my patch, you should
> > be protected from this bug.  You may want to take a look at
> > source/lib/system.c.  In wsys_getpwnam() there is another function that
> > copies the passwd structure (wsys_getpwnam).  It looks as though it is
> > not called by anything, but perhaps I am missing some funky macro or
> > define that comes out of configure somewhere.
> > 
> > If there is another problem, I am not sure where exactly it would be
> > at.  The bug I found was quite difficult to find until I recompiled nscd
> > with debugging symbols.  Unfortunately, that is not an option for most
> > people, especially with Solaris 2.6.  AFAIK, Sun only gave the Solaris
> > 2.5.1, 2.6, and 7 code to universities.  The only Sun source that I
> > have access to for debugging things like this is Solaris 8.
> > 
> > > I assume from your postings that you are familiar with c, solaris and have a
> > > running winbind environment.
> > 
> > I have tried minimal functionality of winbindd.  I do not want to use
> > the winbind PAM module because UNIX users should authenticate against
> > NIS.  getent passwd <domain\\user> and getent passwd <uid> work just
> > fine.  Explorer on NT4 and Win2k is able to create files and display ACLs
> > consistent with what I expect, given the U/GIDs assigned by winbindd. 
> > ls and getfacl concur with the results that Windows explorer show. 
> > Also, Explorer on Windows 98 is able to create directories just fine
> > (that is all I tried from 98).
> > 
> > > Any idea what causes that problem, when I posted this problem to the
> > > samba-technical mailing list no one was responding except some other users
> > > facing the same problem.
> > > 
> > > Can you contribute in any matter to this problems?
> > > 
> > > Would be veeerrryyyy helpful.
> > > 
> > > Thanks in advance and best regards
> > > 
> > > Roman
> > 
> > If you don't have a reason for not Cc'ing the list, please do so in the
> > future so that others can benefit from your question and my response. 
> > It helps the samba team know that there is more than one person that
> > would like this functionality and they are more likely to include it in
> > future releases.
> > 
> > Please let me know if this does or does not help.
> > Mike
> 
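
An added example, not part of this thread and not Samba code: the quoted message reports that the share connection fails because 'getpwnam' returns a null pointer, so this small C program performs the same NSS lookup with getpwnam_r and tells "no such user" apart from a lookup error. The names lookup_user and nss_result and the sample account DOMAIN+domuser are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical names for this example; not Samba identifiers. */
enum nss_result { NSS_FOUND = 0, NSS_NOT_FOUND = 1, NSS_ERROR = 2 };

/* Resolve a user name through the NSS stack (files, nis, winbind, ...),
 * as any getpwnam() caller does. *uid is written only on NSS_FOUND. */
enum nss_result lookup_user(const char *name, uid_t *uid)
{
    size_t len = 1024;
    for (;;) {
        struct passwd pw, *res = NULL;
        char *buf = malloc(len);
        if (buf == NULL)
            return NSS_ERROR;
        int rc = getpwnam_r(name, &pw, buf, len, &res);
        if (rc == 0 && res != NULL) {
            *uid = res->pw_uid;
            free(buf);
            return NSS_FOUND;
        }
        free(buf);
        if (rc == ERANGE && len < (1u << 20)) {
            len *= 2;           /* entry did not fit; retry with more room */
            continue;
        }
        /* rc == 0 with no result means "no such user"; some backends say ENOENT/ESRCH. */
        if (rc == 0 || rc == ENOENT || rc == ESRCH)
            return NSS_NOT_FOUND;
        return NSS_ERROR;
    }
}

int main(int argc, char **argv)
{
    /* Constructed sample name; pass the real DOMAIN+user as argv[1]. */
    const char *name = argc > 1 ? argv[1] : "DOMAIN+domuser";
    static const char *msg[] = { "found", "no such user", "lookup error" };
    uid_t uid = 0;
    enum nss_result r = lookup_user(name, &uid);
    printf("%s: %s\n", name, msg[r]);
    if (r == NSS_FOUND)
        printf("uid %lu\n", (unsigned long)uid);
    return r;
}
```

Run it as the account the file server runs under: a "no such user" result for a name that `wbinfo -u` lists places the fault in the NSS layer rather than in password checking.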



