solaris and /etc/nsswitch.conf and winbind (copy of nsswitch.conf in body of text)

David Edward Shapiro David.Edward.Shapiro at
Mon Mar 4 06:34:05 GMT 2002

I agree that the 2 reasons listed are why the message pops up.  My concern
is that it is highly unlikely they will change this for things like samba.
I have a temporary workaround by creating a password wrapper that comments
out the winbind lines and replaces them with lines that do not have winbind,
runs passwd, and then puts winbind back.  This kind of sucks and has its own
security problems as well as problems when the user interrupts the script.
A better method would be desirable.


-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at]
Sent: Monday, March 04, 2002 9:02 AM
To: 'David Edward Shapiro'; 'Esh, Andrew'
Cc: 'samba-technical at'
Subject: RE: solaris and /etc/nsswitch.conf and winbind (copy of
nsswitch.conf in body of text)

Hello David,
Same thing happens on HP-UX 11.x.
The problem is in the /usr/lib/security/libpam_unix.1 (on hpux, anyway -
don't know about solaris), which is the module used (among other things) to
change the unix password.  In order to do this, it has to go thru the
nsswitch mech to determine the user info store (where to get the user entry
from), and has a check in it that specifically excludes all but a finite
list of authentication stores, like ldap, compat, files, etc...  
I SPECULATE that this was put there as an attempt to 
   1. avoid security risks where an nss method could be inserted to redirect
to a 'fake' authentication store, and allow access to the system.
   2. attempt to keep sysadmins from locking themselves out of their own
system by specifying methods in nsswitch.conf that were misspelled, etc,
such that no one (not even root) could log in...

But I'm just guessing on the reasoning.

I haven't had a chance to follow up on the HP-UX side yet, but perhaps David
C-B might comment on the Solaris side...
Hope this helps,

-----Original Message-----
From: David Edward Shapiro [mailto:David.Edward.Shapiro at]
Sent: Monday, March 04, 2002 8:01 AM
To: 'Esh, Andrew'
Cc: 'samba-technical at'
Subject: RE: solaris and /etc/nsswitch.conf and winbind (copy of
nsswitch.conf in body of text)

"/etc/nsswitch.conf" 37 lines, 1156 characters 
# /etc/nsswitch.files:
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
passwd:     files winbind
group:      files winbind
hosts:      files dns wins
ipnodes:    files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes:      files dns
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
sendmailvars:   files
printers:       user files
auth_attr:      files
prof_attr:      files

The error:
#passwd davidsh
Supported configurations for passwd management are as follows:
    passwd: files
    passwd: files ldap
    passwd: files nis
    passwd: files nisplus
    passwd: compat
    passwd: compat AND
    passwd_compat: ldap OR
    passwd_compat: nisplus
Please check your /etc/nsswitch.conf file
Permission denied

-----Original Message-----
From: Esh, Andrew [mailto:AEsh at]
Sent: Friday, March 01, 2002 6:56 PM
To: 'David Edward Shapiro'; 'samba-technical at'
Subject: RE: solaris and /etc/nsswitch.conf and winbind

Could you show us what is in nsswitch.conf? This looks like a syntax error.
Here's what the relevant section of mine looks like:

passwd:     files nisplus nis winbind 
group:      files nisplus nis winbind 

(Double checked this message for NOT being HTML. Let's see how it goes.) 

-----Original Message----- 
From: David Edward Shapiro [mailto:David.Edward.Shapiro at]
Sent: Friday, March 01, 2002 10:40 AM 
To: 'samba-technical at' 
Subject: solaris and /etc/nsswitch.conf and winbind 

Solaris does not seem to like the option winbind in /etc/nsswitch.conf.  If
I put it there and then try to run passwd, passwd complains and displays the
options that it thinks are suitable to exist in the /etc/nsswitch.conf.
What's the best way to work with this?


David E. Shapiro 
Senior Unix Admin 
BTi - the future of communications 
4300 Six Forks Road, Raleigh, NC 27609 
Office # 1-919-865-6955 
Pager # 1-800520-2354 
Fax    # 1-919-863-7340 
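
Added example, not part of the original thread: a pre-flight check that parses an nsswitch.conf and reports whether its passwd: entry matches one of the configurations listed in the passwd error output quoted above. It encodes only that printed list, not the actual check inside passwd or libpam_unix; the function and constant names are assumptions made for this example.

```python
import re

# passwd: source lists taken from the passwd error output quoted in the thread.
SUPPORTED = {("files",), ("files", "ldap"), ("files", "nis"),
             ("files", "nisplus"), ("compat",)}
COMPAT_BACKENDS = {"ldap", "nisplus"}   # passwd_compat values in that output
KNOWN = {s for combo in SUPPORTED for s in combo}

# Lines from the nsswitch.conf posted in the thread.
THREAD_SAMPLE = "passwd:     files winbind\ngroup:      files winbind\n"


def parse_nsswitch(text):
    """Return {database: [sources]}; comments and [criteria] are dropped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)   # e.g. [NOTFOUND=return]
        table[db.strip()] = rest.split()
    return table


def check_passwd_config(text):
    """Return (ok, reason) for the passwd: entry, judged against SUPPORTED."""
    table = parse_nsswitch(text)
    sources = tuple(table.get("passwd", ()))
    if sources not in SUPPORTED:
        unknown = [s for s in sources if s not in KNOWN]
        detail = "unlisted sources: " + ", ".join(unknown) if unknown \
            else "listed sources in an unlisted combination"
        return False, "passwd: %s (%s)" % (" ".join(sources) or "<missing>", detail)
    compat = table.get("passwd_compat")
    if sources == ("compat",) and compat is not None:
        if len(compat) != 1 or compat[0] not in COMPAT_BACKENDS:
            return False, "passwd_compat: %s (not ldap or nisplus)" % " ".join(compat)
    return True, "passwd: " + " ".join(sources)


if __name__ == "__main__":
    print(check_passwd_config(THREAD_SAMPLE))
```

Because it only reads the file, this check can run before a password change to flag a configuration passwd would refuse, without editing nsswitch.conf.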
