solaris and /etc/nsswitch.conf and winbind (copy of nsswitch. conf in body of text)

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Mon Mar 4 06:08:05 GMT 2002


Hello David,
Same thing happens on HP-UX 11.x.
The problem is in the /usr/lib/security/libpam_unix.1 (on hpux, anyway -
don't know about solaris), which is the module used (among other things) to
change the unix password.  In order to do this, it has to go thru the
nsswitch mech to determine the user info store (where to get the user entry
from), and has a check in it that specifically excludes all but a finite
list of authentication stores, like ldap, compat, files, etc...  
I SPECULATE that this was put there as an attempt to 
   1. avoid security risks where an nss method could be inserted to redirect
to a 'fake' authentication store, and allow access to the system.
   2. attempt to keep sysadmins from locking themselves out of their own
system by specifying methods in nsswitch.conf that were misspelled, etc,
such that no one (not even root) could log in...

But I'm just guessing on the reasoning.

I haven't had a chance to follow up on the HP-UX side yet, but perhaps David
C-B might comment on the Solaris side...
Hope this helps,
Don

-----Original Message-----
From: David Edward Shapiro [mailto:David.Edward.Shapiro at btitele.com]
Sent: Monday, March 04, 2002 8:01 AM
To: 'Esh, Andrew'
Cc: 'samba-technical at lists.samba.org'
Subject: RE: solaris and /etc/nsswitch.conf and winbind (copy of
nsswitch. conf in body of text)



"/etc/nsswitch.conf" 37 lines, 1156 characters 
#
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
 
passwd:     files winbind
group:      files winbind
hosts:      files dns wins
ipnodes:    files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes:      files dns
 
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
sendmailvars:   files
printers:       user files
auth_attr:      files
prof_attr:      files

The error:
 
#passwd davidsh
Supported configurations for passwd management are as follows:
    passwd: files
    passwd: files ldap
    passwd: files nis
    passwd: files nisplus
    passwd: compat
    passwd: compat AND
    passwd_compat: ldap OR
    passwd_compat: nisplus
Please check your /etc/nsswitch.conf file
Permission denied 
 
 
-----Original Message-----
From: Esh, Andrew [mailto:AEsh at tricord.com]
Sent: Friday, March 01, 2002 6:56 PM
To: 'David Edward Shapiro'; 'samba-technical at lists.samba.org'
Subject: RE: solaris and /etc/nsswitch.conf and winbind



Could you show us what is in nsswitch.conf? This looks like a syntax error.
Here's what the relevant section of mine looks like:

passwd:     files nisplus nis winbind 
group:      files nisplus nis winbind 

(Double checked this message for NOT being HTML. Let's see how it goes.) 

-----Original Message----- 
From: David Edward Shapiro [mailto:David.Edward.Shapiro at btitele.com]
Sent: Friday, March 01, 2002 10:40 AM 
To: 'samba-technical at lists.samba.org' 
Subject: solaris and /etc/nsswitch.conf and winbind 


Solaris does not seem to like the option winbind in /etc/nsswitch.conf.  If
I put it there and then try to run passwd, passwd complains and displays the
options that it thinks are suitable to exist in the /etc/nsswitch.conf.
What's the best way to work with this? 

David 

David E. Shapiro 
Senior Unix Admin 
BTi - the future of communications 
4300 Six Forks Road, Raleigh, NC 27609 
Office # 1-919-865-6955 
Pager # 1-800520-2354 
Fax    # 1-919-863-7340 
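Don's reply explains that the password-changing module reads the nsswitch lookup order and rejects anything outside a fixed list of stores, and the passwd(1) error quoted in David's message enumerates that list. The following is an added example, not code from Samba, Sun or anyone in this thread: it parses an nsswitch.conf and reports whether the `passwd:` line is one that Solaris passwd(1) would accept, using exactly the configurations printed in the error. The sample config lines are copied from David's message; the function and variable names are my own.

```python
"""Check an nsswitch.conf 'passwd' entry against the configurations that
Solaris passwd(1) lists as supported in the error quoted in this thread.
Added illustration, not Samba or Solaris code.
"""
import re

# Accepted 'passwd:' source lists, transcribed from the passwd(1) error text.
SUPPORTED_PASSWD = (
    ("files",),
    ("files", "ldap"),
    ("files", "nis"),
    ("files", "nisplus"),
    ("compat",),
)
# With 'passwd: compat', the optional passwd_compat line may only name these.
SUPPORTED_PASSWD_COMPAT = (("ldap",), ("nisplus",))
KNOWN_SOURCES = {"files", "ldap", "nis", "nisplus", "compat"}

# Constructed sample: the passwd/group lines from David's nsswitch.conf above.
POSTED_CONF = """\
# comment lines and blank lines are ignored
passwd:     files winbind
group:      files winbind
"""


def parse_nsswitch(text):
    """Parse nsswitch.conf text into {database: [source, ...]}.

    Comments (#...) and blank lines are skipped.  Status/action clauses such
    as '[NOTFOUND=return]' are dropped: only the source names matter for the
    passwd(1) whitelist check.
    """
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue  # not in 'database: sources' form
        sources = re.sub(r"\[[^\]]*\]", " ", rest).split()
        db[name.strip()] = sources
    return db


def passwd_config_supported(db):
    """Return (ok, reason): would passwd(1) accept this lookup order?"""
    sources = tuple(db.get("passwd", ()))
    if not sources:
        return False, "no passwd: entry"
    if sources == ("compat",):
        compat = tuple(db.get("passwd_compat", ()))
        if not compat:
            return True, "passwd: compat"
        if compat in SUPPORTED_PASSWD_COMPAT:
            return True, "passwd: compat with passwd_compat: " + " ".join(compat)
        return False, "unsupported passwd_compat sources: " + " ".join(compat)
    if sources in SUPPORTED_PASSWD:
        return True, "passwd: " + " ".join(sources)
    # Name the offending sources (e.g. winbind) when there are any; otherwise
    # the combination itself is simply not on the list.
    extra = [s for s in sources if s not in KNOWN_SOURCES]
    return False, "unsupported passwd sources: " + " ".join(extra or sources)


if __name__ == "__main__":
    ok, why = passwd_config_supported(parse_nsswitch(POSTED_CONF))
    print("accepted by passwd(1)" if ok else "rejected by passwd(1)", "-", why)
```

Running it on the posted config reports the line as rejected because of `winbind`, which is the behaviour David saw; a `passwd: files ldap` line passes. The check is deliberately nothing more than a transcription of the list in the error message, so it says only what that version of passwd(1) would refuse, not whether the NSS module itself works for lookups.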