PLEASE HELP! samba2.2.6rc2cvs - solaris winbind pam - using user
"nobody" instead of domain user (additional info at top of this message)
David Shapiro
David.Edward.Shapiro at bti.com
Tue Nov 5 15:11:50 GMT 2002
Sorry,
I forgot to mention that getent passwd and getent group do work (i.e.,
winbind answers). Of course, the problem where large groups like "Domain
Users" do not return users or even mention of the existence of the group
still exists.
-----Original Message-----
From: David Shapiro
Sent: Tuesday, November 05, 2002 9:45 AM
To: 'samba-technical at lists.samba.org'
Subject: PLEASE HELP! samba2.2.6rc2cvs - solaris winbind pam - using
user "nobody" instead of domain user
Hello,
Used /usr/ccs/bin ld, as, make (solaris 8) and 2.95.3 20010315 (release)
I installed samba 2.2.6rc2cvs with
cd /usr/local/samba/source
env CFLAGS="-Wall -m32 -g" ./configure \
--with-winbind \
--with-winbind-auth-challenge \
--with-acl-support \
--with-ssl \
--without-sendfile-support \
--with-included-popt \
--with-pam \
--with-smbwrapper
make && make install
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/libnss_winbind.so.1
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/libnss_winbind.so.2
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/nss_winbind.so.1
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/nss_winbind.so.2
ln -s /usr/local/samba/source/nsswitch/pam_winbind.so /usr/lib/security/pam_winbind.so
crle -l /usr/j2se/jre/lib/sparc -i /usr/j2se/lib/sparc -l /usr/lib -i /usr/lib \
-l /usr/local/lib -i /usr/local/lib -l /usr/local/ssl/lib -i /usr/local/ssl/lib \
-i /usr/lib/security -s /usr/lib/security \
-i /usr/lib/secure -s /usr/lib/security
crle -64 -l /usr/lib/64 -i /usr/lib/64 -s /usr/lib/64/secure
pam.conf:
login auth sufficient /usr/lib/security/$ISA/pam_winbind.so
login auth required /usr/lib/security/$ISA/pam_unix.so.1
login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1
#
rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
#
rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other auth required /usr/lib/security/$ISA/pam_unix.so.1
#
# Account management
#
login account sufficient /usr/lib/security/$ISA/pam_winbind.so
login account requisite /usr/lib/security/$ISA/pam_roles.so.1
login account required /usr/lib/security/$ISA/pam_projects.so.1
login account required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required /usr/lib/security/$ISA/pam_projects.so.1
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
#
other account sufficient /usr/lib/security/$ISA/pam_winbind.so
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_projects.so.1
wbinfo -a INS+DavidSha%password (password was my password) returns:
plaintext password authentication succeeded
However,
smbclient //optimus/samba-lib -UINS+DavidSha%password fails:
added interface ip=10.1.1.234 bcast=10.1.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.0.0.255 nmask=255.255.255.0
Got a positive name query response from 10.1.4.11 ( 10.1.1.234 )
Domain=[INS] OS=[Unix] Server=[Samba 2.2.6rc2cvs]
tree connect failed: NT_STATUS_WRONG_PASSWORD
log.optimus shows it trying to log in with the user nobody:
er_in_list: checking user nobody in list INS+JamesF INS+DavidSha nobody
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(460)
user_in_list: checking user |nobody| against |INS+JamesF|
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(460)
user_in_list: checking user |nobody| against |INS+DavidSha|
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(460)
user_in_list: checking user |nobody| against |nobody|
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(466)
user_in_list: user |nobody| matches |nobody|
[2002/11/05 09:39:24, 2] smbd/service.c:make_connection(331)
Invalid username/password for samba-lib [nobody]
[2002/11/05 09:39:24, 3] smbd/error.c:error_packet(110)
error packet at smbd/reply.c(166) cmd=117 (SMBtconX)
NT_STATUS_WRONG_PASSWORD
The smb.conf:
Global parameters
[global]
coding system =
client code page = 850
code page directory = /usr/local/samba/lib/codepages
workgroup = INS
netbios name = OPTIMUS
netbios aliases =
netbios scope =
server string = Samba %v on (%L)
interfaces = 10.1.1.234/24 127.0.0.1/24
bind interfaces only = Yes
security = DOMAIN
encrypt passwords = Yes
update encrypted = No
allow trusted domains = Yes
hosts equiv =
min passwd length = 5
map to guest = Never
null passwords = No
obey pam restrictions = Yes
password server = PDC,EXCHANGE_CORP
smb passwd file = /usr/local/samba/private/smbpasswd
root directory =
pam password change = No
passwd program = /usr/bin/passwd
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
username map =
password level = 0
username level = 0
unix password sync = No
restrict anonymous = No
lanman auth = Yes
use rhosts = No
admin log = No
log level = 10
syslog = 1
syslog only = No
log file = /usr/local/samba/var/log.%m
max log size = 50
timestamp logs = Yes
debug hires timestamp = No
debug pid = No
debug uid = No
protocol = NT1
large readwrite = No
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
nt smb support = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.5
announce as = NT
max mux = 50
max xmit = 65535
name resolve order = wins lmhosts hosts bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = No
unix extensions = No
change notify timeout = 60
deadtime = 0
getwd cache = Yes
keepalive = 300
lpq cache time = 10
max smbd processes = 0
max disk size = 0
max open files = 10000
name cache timeout = 660
read size = 16384
socket options = SO_SNDBUF=65536 SO_RCVBUF=65536
stat cache size = 50
use mmap = Yes
total print jobs = 0
load printers = No
printcap name = /etc/printcap
disable spoolss = No
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
strip dot = No
mangling method = hash
character set =
mangled stack = 50
stat cache = Yes
domain admin group =
domain guest group =
machine password timeout = 604800
add user script =
delete user script =
logon script =
logon path = \\%N\%U\profile
logon drive =
logon home = \\%N\%U
domain logons = No
os level = 31
lm announce = Auto
lm interval = 60
preferred master = Yes
local master = Yes
domain master = No
browse list = Yes
enhanced browsing = Yes
dns proxy = Yes
wins proxy = No
wins server = 10.1.4.11
wins support = No
wins hook =
kernel oplocks = Yes
lock spin count = 3
lock spin time = 10
oplock break wait time = 0
add share command =
change share command =
delete share command =
config file =
preload =
lock dir = /usr/local/samba/var/locks
pid directory = /usr/local/samba/var/locks
default service =
message command =
dfree command =
valid chars =
remote announce = 10.1.4.255/INS
remote browse sync = 10.1.1.236 10.1.1.223 10.1.2.20
socket address = 0.0.0.0
homedir map = auto.home
time offset = 0
NIS homedir = No
source environment =
panic action = 'echo %d; sleep 10000'
hide local users = No
winbind uid = 10000-20000
winbind gid = 10000-20000
template homedir = /export/home/%D/%U
template shell = /bin/ksh
winbind separator = +
winbind cache time = 15
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
comment =
path =
alternate permissions = No
username =
guest account = nobody
invalid users =
valid users =
admin users =
read list =
write list =
printer admin =
force user =
force group =
read only = Yes
create mask = 0744
force create mode = 00
security mask = 0777
force security mode = 00
directory mask = 0755
force directory mode = 00
directory security mask = 0777
force directory security mode = 00
force unknown acl user = 00
inherit permissions = No
inherit acls = No
guest only = No
guest ok = No
only user = No
hosts allow = 10. 127.
hosts deny = ALL
status = Yes
nt acl support = Yes
profile acls = No
block size = 1024
max connections = 0
min print space = 0
strict allocate = No
strict sync = No
sync always = No
write cache size = 0
max print jobs = 1000
printable = No
postscript = No
printing = bsd
print command = lpr -r -P%p %s
lpq command = lpq -P%p
lprm command = lprm -P%p %j
lppause command = lp -i %p-%j -H hold
lpresume command = lp -i %p-%j -H resume
queuepause command = disable %p
queueresume command = enable %p
printer name =
use client driver = No
default devmode = No
printer driver =
printer driver file = /usr/local/samba/lib/printers.def
printer driver location =
default case = lower
case sensitive = No
preserve case = Yes
short preserve case = Yes
mangle case = Yes
mangling char = ~
hide dot files = Yes
hide unreadable = No
delete veto files = No
veto files =
hide files =
veto oplock files =
map system = No
map hidden = No
map archive = Yes
mangled names = Yes
mangled map =
browseable = Yes
blocking locks = Yes
csc policy = manual
fake oplocks = No
locking = Yes
oplocks = Yes
level2 oplocks = Yes
oplock contention limit = 2
posix locking = Yes
strict locking = Yes
share modes = Yes
copy =
include =
exec =
preexec close = No
postexec =
root preexec =
root preexec close = No
root postexec =
available = Yes
volume =
fstype = NTFS
set directory = No
wide links = Yes
follow symlinks = Yes
dont descend =
magic script =
magic output =
delete readonly = No
dos filemode = No
dos filetimes = No
dos filetime resolution = No
fake directory create times = No
vfs object =
vfs options =
[homes]
comment = Home Directories
invalid users = root bin daemon nobody named sys tty disk mem kmem users
read only = No
browseable = No
[samba-lib]
comment = Samba lib
path = /usr/local/samba/lib
valid users = INS+JamesF INS+DavidSha
force group = users
read only = No
Note: samba-lib was set up just for testing
I created a group called users with gid of 10000. The directory
/usr/local/samba/lib is chgrp -R users.
David
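
Added example (not part of the original post, and not Samba code): a small Python triage script that reads smbd debug-log records in the format quoted above and reports rejected tree connects where the name smbd evaluated was the guest account rather than a domain user. The default guest account name nobody comes from the posted smb.conf; the function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the format of the log.optimus excerpt in the post.
SAMPLE_LOG = """\
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(460)
  user_in_list: checking user |nobody| against |INS+JamesF|
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(460)
  user_in_list: checking user |nobody| against |INS+DavidSha|
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(466)
  user_in_list: user |nobody| matches |nobody|
[2002/11/05 09:39:24, 2] smbd/service.c:make_connection(331)
  Invalid username/password for samba-lib [nobody]
"""

# Record header: "[timestamp, level] source-file:function(line)"
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)")
CHECK = re.compile(r"user_in_list: checking user \|(?P<user>[^|]*)\| against \|(?P<entry>[^|]*)\|")
REJECT = re.compile(r"Invalid username/password for (?P<share>\S+) \[(?P<user>[^\]]*)\]")

def parse_records(text):
    """Pair each header line with the message line(s) that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {**m.groupdict(), "msg": ""}
            records.append(current)
        elif current is not None and raw.strip():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return records

def guest_fallbacks(text, guest_account="nobody"):
    """Return rejected tree connects where the evaluated user was the guest account."""
    checked, findings = [], []
    for rec in parse_records(text):
        c = CHECK.search(rec["msg"])
        if c:
            checked.append((c["user"], c["entry"]))
            continue
        r = REJECT.search(rec["msg"])
        if r:
            if r["user"] == guest_account:
                findings.append({"ts": rec["ts"], "share": r["share"], "user": r["user"],
                                 "compared_against": [e for u, e in checked if u == r["user"]]})
            checked = []
    return findings
```

Each finding lists the share, the timestamp and the list entries the guest name was compared against, which makes it easy to see that the client-supplied domain user never reached the share's user check.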