[Samba] passwd command problem with Solaris/winbind/pam

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Fri Nov 8 18:40:02 GMT 2002

Hi Paul,
pretty neat.  HP-UX also has this issue; I think the real answer
is to get the vendor(s) to modify the code so that winbind is a 
'valid' source, same as 'files', 'nis' 'compat' etc...
For one thing, the interposititor solution doesn't take into account
someone on the Unix side doing a 'll' or 'ls -l' on the directory
with files owned by winbindd users, so all you get is the uid/gid
number for those files (since the standard ls, etc are going to use
calls that are going to be routed thru the 'real' nsswitch.conf file)...
Just something to keep in mind when implementing this particular
Hope this helps,

> -----Original Message-----
> From: DeStefano, Paul [mailto:Paul.DeStefano at nwdc.ibs-lmco.com]
> Sent: Friday, November 08, 2002 13:28
> To: 'samba at lists.samba.org.'
> Cc: 'samba-technical at lists.samba.org'
> Subject: RE: [Samba] passwd command problem with Solaris/winbind/pam
> Hello Stephen and All,
> Yes, I think so.  Someone I know had a good idea and it 
> worked out pretty
> well.
> My understanding of the problem:  Solaris /usr/bin/passwd 
> doesn't tolerate
> the "winbind" nameservice in /etc/nsswitch.conf.
> His solution:  Only use winbind resolution for samba, and 
> leave passwd and
> the rest of Solaris alone.  We can accomplish this using library
> interposition on samba (and any process which requires 
> winbind resolution).
> Like overloading operators, you can override the normal 
> system calls linked
> when smbd loads.  (I'd never heard of interposers before, but always
> wondered when I'd get to use LD_PRELOAD.  Whee.)  Some info:
> http://www.itworld.com/AppDev/1006/UIR000929interposers/.
> Here's the skinny.  He wrote an interposer library for 
> fopen(2) that opens
> /usr/local/samba/lib/nsswitch.conf instead of /etc/nsswitch.conf.  So,
> basically, if arg=/etc/nsswitch.conf, return this other file 
> instead.  We
> LD_PRELOAD-ed it for smbd and winbindd, and removed winbind 
> from the "real"
> nsswitch.conf.  Now, smbd (and winbindd, though I don't think 
> it needs it)
> gets name resolution through winbind because it thinks winbind is in
> nsswitch.conf, BUT NOTHING ELSE does.  This has the side 
> benefit that logins
> and utilities like 'finger' do not have to perform winbind resolution
> either, so they're fast, again.  (We're not using the Samba 
> PAM module; we
> don't let Windows Domain users login to our Solaris box, so 
> we don't need to
> have winbind resolution in the normal utilities.  We just use 
> winbind to
> authenticate users when accessing samba shares.)
> Now, one problem.  nscd (Name Service Caching Daemon) will 
> now run!  That
> sounds good, right, because normally when winbind is in 
> nsswitch.conf, nscd
> bails?  Well, when nscd is running, name resolution is done 
> by nscd, NOT the
> application, so our fopen(2) override is ineffective.  nscd 
> doesn't crash,
> but doesn't resolve through winbind either, so smbd fails to 
> lookup Windows
> Domain accounts.  Solution: turn off nscd, easy as that.
> Okay, so that's what we did.  We're satisfied with it.  If 
> you don't need
> nscd, I think you will be too.  Your reactions are eagerly 
> anticipated!
> I bet I can convince my friend to post the source, if you 
> really want it.
> But I encourage you to write your own interposer; it's pretty 
> easy and maybe
> you'll notice something we didn't.
> __
> Paul DeStefano
> -----Original Message-----
> From: Michaels, Stephen P. [mailto:Steve.Michaels at jhuapl.edu]
> Sent: November 04, 2002 9:45 AM
> To: 'samba at lists.samba.org.'
> Subject: [Samba] passwd command problem with Solaris/winbind/pam
> Hi-
> I am running Samba 2.2.5 on Solaris 8 with winbind and pam 
> configured. I
> have the following in my nsswitch.conf:
> passwd:     files winbind
> group:      files winbind
> Now local users on the Solaris 8 machine cannot change there 
> password using
> the passwd command:
> Here is the sample output:
> # passwd michasp1
> Enter new password: 
> Enter new password again: 
> Supported configurations for passwd management are as follows:
>     passwd: files
>     passwd: files ldap
>     passwd: files nis
>     passwd: files nisplus
>     passwd: compat
>     passwd: compat AND
>     passwd_compat: ldap OR
>     passwd_compat: nisplus
> Please check your /etc/nsswitch.conf file
> Permission denied
> #
> Does anybody have a workaround solution for this or I am 
> doing something
> wrong?
> Thanks
> Stephen P. Michaels
> ISS-1 Server Systems Group
> The Johns Hopkins University Applied Physics Laboratory
> 11100 Johns Hopkins Rd. 
> Laurel, MD. 20723-6099
> (443) 778-7527
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba-technical mailing list