solaris and /etc/nsswitch.conf and winbind (copy of nsswitch. conf in body of text)
don_mccall at hp.com
Mon Mar 4 06:08:05 GMT 2002
Same thing happens on HP-UX 11.x.
The problem is in the /usr/lib/security/libpam_unix.1 (on hpux, anyway -
don't know about solaris), which is the module used (among other things) to
change the unix password. In order to do this, it has to go thru the
nsswitch mech to determine the user info store (where to get the user entry
from), and has a check in it that specifically excludes all but a finite
list of authentication stores, like ldap, compat, files, etc...
I SPECULATE that this was put there as an attempt to
1. avoid security risks where an nss method could be inserted to redirect
to a 'fake' authentication store, and allow access to the system.
2. attempt to keep sysadmins from locking themselves out of their own
system by specifying methods in nsswitch.conf that were misspelled, etc,
such that no one (not even root) could log in...
But I'm just guessing on the reasoning.
I haven't had a chance to follow up on the HP-UX side yet, but perhaps David
C-B might comment on the Solaris side...
Hope this helps,
From: David Edward Shapiro [mailto:David.Edward.Shapiro at btitele.com]
Sent: Monday, March 04, 2002 8:01 AM
To: 'Esh, Andrew'
Cc: 'samba-technical at lists.samba.org'
Subject: RE: solaris and /etc/nsswitch.conf and winbind (copy of
nsswitch. conf in body of text)
"/etc/nsswitch.conf" 37 lines, 1156 characters
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
passwd: files winbind
group: files winbind
hosts: files dns wins
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes: files dns
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
printers: user files
Supported configurations for passwd management are as follows:
passwd: files ldap
passwd: files nis
passwd: files nisplus
passwd: compat AND
passwd_compat: ldap OR
Please check your /etc/nsswitch.conf file
From: Esh, Andrew [mailto:AEsh at tricord.com]
Sent: Friday, March 01, 2002 6:56 PM
To: 'David Edward Shapiro'; 'samba-technical at lists.samba.org'
Subject: RE: solaris and /etc/nsswitch.conf and winbind
Could you show us what is in nsswitch.conf? This looks like a syntax error.
Here's what the relevant section of mine looks like:
passwd: files nisplus nis winbind
group: files nisplus nis winbind
(Double checked this message for NOT being HTML. Let's see how it goes.)
From: David Edward Shapiro [mailto:David.Edward.Shapiro at btitele.com]
Sent: Friday, March 01, 2002 10:40 AM
To: 'samba-technical at lists.samba.org'
Subject: solaris and /etc/nsswitch.conf and winbind
Solaris does not seem to like the option winbind in /etc/nsswitch.conf. If
I put it there and then try to run passwd, passwd complains and displays the
options that it thinks are suitable to exist in the /etc/nsswitch.conf.
What's the best way to work with this?
David E. Shapiro
Senior Unix Admin
BTi - the future of communications
4300 Six Forks Road, Raleigh, NC 27609
Office # 1-919-865-6955
Pager # 1-800520-2354
Fax # 1-919-863-7340
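
The check discussed in this thread can be approximated before running passwd. The following is an added example, not code from the thread or from Samba, Solaris or HP-UX: it parses an nsswitch.conf body and reports passwd sources outside an allow-list. The allow-list is an assumption taken from the error message quoted above, and the function names are hypothetical.

```python
import re

# Sources named in the passwd error message quoted on this page. The quoted
# list is cut off, so the real module may accept more than this set.
ALLOWED_PASSWD_SOURCES = {"files", "ldap", "nis", "nisplus", "compat"}
CHECKED_DATABASES = ("passwd", "passwd_compat")


def parse_nsswitch(text):
    """Return {database: (line_number, [sources])} for an nsswitch.conf body."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or ":" not in line:
            continue
        database, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)   # drop [NOTFOUND=return] criteria
        entries[database.strip()] = (lineno, rest.split())
    return entries


def audit_passwd_sources(text, allowed=ALLOWED_PASSWD_SOURCES):
    """List (database, line_number, source) for sources outside the allow-list."""
    entries = parse_nsswitch(text)
    findings = []
    for database in CHECKED_DATABASES:
        lineno, sources = entries.get(database, (0, []))
        for source in sources:
            if source not in allowed:
                findings.append((database, lineno, source))
    return findings


# Constructed sample built from the lines posted in this thread.
SAMPLE = """\
# does not use any naming service.
passwd: files winbind
group: files winbind
hosts: files dns wins
"""

if __name__ == "__main__":
    for database, lineno, source in audit_passwd_sources(SAMPLE):
        print(f"line {lineno}: {database}: source '{source}' is not in the allow-list")
```

A misspelled source name is reported the same way as an unsupported one, which covers the lock-out case raised in the reply at the top of the thread.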