Winbind on HPUX 11, some small progress
Miles Roper
mroper at westcoastdhb.org.nz
Thu Feb 6 20:30:56 GMT 2003
Hi Don,
Michael Steffens a while back sent me a compiled version of getent which I
couldn't get to work.
I compiled your version and it doesn't seem to produce any result either,
seems to return immeditaly without doing anything.
ie
coastdr: /mnt/1/samba/test> ./getent passwd WESTCOASTDHB+mroper
coastdr: /mnt/1/samba/test>
If I run it without any parameters I get a core dump :o)
Better tell you that I'm compiling winbind with gcc 3.01 on hpux. I
compiled the getent program you sent me with.
gcc -c -I. -g -O2 getent.c
gcc -g getent.o -o getent
>From what you have said it would seem like libnss_winbind.so itsn't working.
Anyway to get any debug output?
Here is my /usr/lib/libnss*
-r-xr-xr-x 1 bin bin 28672 Mar 13 2001 libnss_compat.1
-r-xr-xr-x 1 bin bin 104536 Nov 6 1997 libnss_dns.1
-r-xr-xr-x 1 bin bin 40960 Mar 7 2001 libnss_files.1
lrwxrwxrwx 1 root sys 17 Jan 27 09:49 libnss_ldap.1 ->
libns
s_winbind.so
-r-xr-xr-x 1 bin bin 40960 Mar 13 2001 libnss_nis.1
-r-xr-xr-x 1 bin bin 57344 Mar 13 2001 libnss_nisplus.1
-r-xr-xr-x 1 bin bin 28672 Jan 24 15:23 libnss_winbind.so
lrwxrwxrwx 1 root sys 17 Jan 27 11:51
libnss_winbind.so.1 ->
libnss_winbind.so
lrwxrwxrwx 1 root sys 17 Oct 15 16:14
libnss_winbind.so.2 ->
libnss_winbind.so
Here is my /etc/nsswitch.conf
hosts: dns [NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue] files
[N
OTFOUND=return UNAVAIL=continue TRYAGAIN=return]
passwd: files winbind
group: files winbind
Here is the compile output from libnss_winbind.so
Compiling nsswitch/winbind_nss.c with -fpic
nsswitch/winbind_nss.c: In function `fill_pwent':
nsswitch/winbind_nss.c:600: warning: passing arg 2 of `get_static' from
incompatible pointer type
nsswitch/winbind_nss.c:612: warning: passing arg 2 of `get_static' from
incompatible pointer type
nsswitch/winbind_nss.c:629: warning: passing arg 2 of `get_static' from
incompatible pointer type
nsswitch/winbind_nss.c:641: warning: passing arg 2 of `get_static' from
incompatible pointer type
nsswitch/winbind_nss.c:653: warning: passing arg 2 of `get_static' from
incompatible pointer type
nsswitch/winbind_nss.c: In function `fill_grent':
nsswitch/winbind_nss.c:690: warning: passing arg 2 of `get_static' from
incompatible pointer type
nsswitch/winbind_nss.c:702: warning: passing arg 2 of `get_static' from
incompatible pointer type
nsswitch/winbind_nss.c:728: warning: passing arg 2 of `get_static' from
incompatible pointer type
nsswitch/winbind_nss.c:753: warning: passing arg 2 of `get_static' from
incompatible pointer type
nsswitch/winbind_nss.c: In function `_nss_winbind_getpwent_r':
nsswitch/winbind_nss.c:870: warning: passing arg 4 of `fill_pwent' from
incompatible pointer type
nsswitch/winbind_nss.c: In function `_nss_winbind_getpwuid_r':
nsswitch/winbind_nss.c:920: warning: passing arg 4 of `fill_pwent' from
incompatible pointer type
nsswitch/winbind_nss.c:933: warning: passing arg 4 of `fill_pwent' from
incompatible pointer type
nsswitch/winbind_nss.c: In function `_nss_winbind_getpwnam_r':
nsswitch/winbind_nss.c:982: warning: passing arg 4 of `fill_pwent' from
incompatible pointer type
nsswitch/winbind_nss.c:995: warning: passing arg 4 of `fill_pwent' from
incompatible pointer type
nsswitch/winbind_nss.c: In function `_nss_winbind_getgrent_r':
nsswitch/winbind_nss.c:1119: warning: passing arg 5 of `fill_grent' from
incompatible pointer type
nsswitch/winbind_nss.c: In function `_nss_winbind_getgrnam_r':
nsswitch/winbind_nss.c:1179: warning: passing arg 5 of `fill_grent' from
incompatible pointer type
nsswitch/winbind_nss.c:1193: warning: passing arg 5 of `fill_grent' from
incompatible pointer type
nsswitch/winbind_nss.c: In function `_nss_winbind_getgrgid_r':
nsswitch/winbind_nss.c:1242: warning: passing arg 5 of `fill_grent' from
incompatible pointer type
nsswitch/winbind_nss.c:1256: warning: passing arg 5 of `fill_grent' from
incompatible pointer type
Compiling nsswitch/winbind_nss_solaris.c with -fpic
Linking nsswitch/libnss_winbind.so
Any idea where to go from here?
Cheers
Miles
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at hp.com]
Sent: Thursday, 6 February 2003 05:53 a.m.
To: 'Miles Roper'; MCCALL,DON (HP-USA,ex1);
samba-technical at lists.samba.org; 'samba at lists.samba.org'; 'Esh, Andrew';
'Ronan Waide'; STEFFENS,MICHAEL (HP-Germany,ex1); 'Richard Sharpe';
'John H Terpstra'; GILCHRIST,KIM (HP-NewZealand,ex1)
Subject: RE: Winbind on HPUX 11, some small progress
Hi Miles,
This sounds like a
PAM_USER_UNKNOWN 13
error. Which would indicate that winbind daemon did it's job (ie passed the
username and
password to the password server ,and got validation back that the user is
authenticated,
but then when it went thru the nsswitch stuff to 'look up' the user, that
failed.
Kinda wierd. I don't have your original post, but I'm assuming that you
have
passwd: files winbind
group: files winbind
in your /etc/nsswitch.conf file
and that you have working links to the winbind nss code (look something
like this):
46 Aug 27 11:16 /usr/lib/libnss_winbind.1 ->
/usr/local/samba/lib/winbind/libnss_winbind.so
To verify that your nsswitch code is working compile the getent.c program I
have attached to this message, and then verify that you can get an
appropriate uid/gid back for a user
defined on your NT password server in the following manner;
getent passwd <domainname><domainseparator><username>
(for instance on my system, I use '+' as winbind domain separator, and my
domain is atl-wtec,
so: getent passwd atl-wtec+administrator returns me the 'passwd' entry
faked up from the
NT domain controller I am a member of.
Just a thought,
Don
> -----Original Message-----
> From: Miles Roper [mailto:mroper at westcoastdhb.org.nz]
> Sent: Tuesday, February 04, 2003 21:28
> To: 'MCCALL,DON (HP-USA,ex1)'; samba-technical at lists.samba.org;
> 'samba at lists.samba.org'; 'Esh, Andrew'; 'Ronan Waide';
> michael_steffens at bbn.exch.hp.com; 'Richard Sharpe'; 'John H Terpstra';
> Kim (E-mail)
> Subject: Winbind on HPUX 11, some small progress
>
>
> Hi All,
>
> Well, i've managed to enable some debugging in syslog, I had to put in
> /etc/syslog.conf
>
> ;*.debug
>
> on the syslog line.
>
> So at least I have an error which is being returned into syslog from
> winbind.
>
> This is what I get from winbind
>
> Feb 4 21:13:17 coastdr pam_winbind[20753]: Verify user `lonnie'
> Feb 4 21:13:18 coastdr pam_winbind[20753]: user 'lonnie'
> granted acces
> Feb 4 21:13:18 coastdr pam_winbind[20753]: LOGIN: exiting
> with return code
> 13
>
> This is what I get from pamsmb (ignore the dates, they are a
> bit funny for
> some reason)
>
> Feb 5 14:53:55 coastdr pamsmbd[20119]: server: remote auth user
> unix:trainingus
> er nt:traininguser NTDOM:WESTCOASTDHB PDC:COASTDB BDC:
> Feb 5 14:53:55 coastdr pamsmbd[20119]: cache_add: inserted entry
> Feb 4 20:53:55 coastdr : pamsmbd: Got something back... 0
> Feb 4 20:53:55 coastdr : pam_smb: got back 0 username traininguser
> Feb 4 20:53:55 coastdr : LOGIN: exiting with return code 13
>
> So the error with pamsmb and winbind is the same. I've done
> a man on login
> and can only find a description of errors, not the error
> codes. What is
> error code 13? If I can find that out it will make looking
> for it a bit
> easier. I thought it might be that the shell doens't exist,
> but I tried
> making a user with a invalid shell and get back error code 1,
> so its not
> that.
>
> Ideas?
>
> Cheers
>
> Miles
>
>
> -----Original Message-----
> From: Miles Roper
> Sent: Monday, 3 February 2003 08:54 a.m.
> To: 'MCCALL,DON (HP-USA,ex1)'
> Cc: 'samba-technical at lists.samba.org'; 'samba at lists.samba.org'; Esh,
> Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); 'Richard
> Sharpe'; 'John H Terpstra'
> Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
>
>
> Thanks for your help, still no luck though. More info for you.
>
> with no debug statements in my /etc/pam.conf I get in sys log
> the following.
>
> Feb 2 14:43:02 coastdr pam_winbind[2832]: user
> 'traininguser' granted acces
>
> with debug turned on I get
>
> Feb 2 14:47:49 coastdr pam_winbind[2839]: Verify user `traininguser'
> Feb 2 14:47:49 coastdr pam_winbind[2839]: user
> 'traininguser' granted acces
>
> the user is still logging out.
>
> incidentlally, when I log in as a unix user, rather than a
> win2k user I
> don't get anything in sys log. I've included my pam.conf below.
>
> Also, I checked for /etc/shells, no such file, and I have set
> my smb.conf
> shell line to
>
> template shell = /sbin/sh
>
> and also tried
>
> template shell = /usr/bin/sh
>
> both files exist.
>
> #
> # PAM configuration
> #
> # Authentication management
> #
> login auth sufficient /usr/lib/security/libpam_unix.1 debug
> login auth sufficient /usr/lib/security/libpam_winbind.1
> debug
> #login auth sufficient /usr/lib/security/libpam_smb.1 nolocal
> debug
> su auth required /usr/lib/security/libpam_unix.1 debug
> dtlogin auth required /usr/lib/security/libpam_unix.1 debug
> dtaction auth required /usr/lib/security/libpam_unix.1 debug
> ftp auth required /usr/lib/security/libpam_unix.1 debug
> OTHER auth required /usr/lib/security/libpam_unix.1 debug
> #
> # Account management
> #
> login account sufficient /usr/lib/security/libpam_unix.1 debug
> login account sufficient /usr/lib/security/libpam_winbind.1
> debug
> su account required /usr/lib/security/libpam_unix.1 debug
> dtlogin account required /usr/lib/security/libpam_unix.1 debug
> dtaction account required /usr/lib/security/libpam_unix.1 debug
> ftp account required /usr/lib/security/libpam_unix.1 debug
> #
> OTHER account required /usr/lib/security/libpam_unix.1 debug
> #
> # Session management
> #
> login session sufficient /usr/lib/security/libpam_unix.1 debug
> login session sufficient /usr/lib/security/libpam_winbind.1
> debug
> dtlogin session required /usr/lib/security/libpam_unix.1 debug
> dtaction session required /usr/lib/security/libpam_unix.1 debug
> OTHER session required /usr/lib/security/libpam_unix.1 debug
> #
> # Password management
> #
> login password sufficient /usr/lib/security/libpam_unix.1 debug
> login password sufficient /usr/lib/security/libpam_winbind.1
> debug
> passwd password required /usr/lib/security/libpam_unix.1 debug
> passwd password required /usr/lib/security/libpam_winbind.1
> debug
> dtlogin password required /usr/lib/security/libpam_unix.1 debug
> dtaction password required /usr/lib/security/libpam_unix.1 debug
> OTHER password required /usr/lib/security/libpam_unix.1 debug
>
> Cheers
>
> Miles
>
> -----Original Message-----
> From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at hp.com]
> Sent: Saturday, 1 February 2003 04:53 a.m.
> To: 'John H Terpstra'; Miles Roper
> Cc: 'samba-technical at lists.samba.org'; 'samba at lists.samba.org'; Esh,
> Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); MCCALL,DON
> (HP-USA,ex1); 'Richard Sharpe'
> Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
>
>
> Hi, Miles,
> Actually on HP-UX, you will need to add the word 'debug' at
> the end of each
> of
> the lines in you /etc/pam.conf file, to enable more debugging
> to go into the
>
> /var/adm/syslog/syslog.log file.
>
> One thing that I have seen something like this happen on is if the
> /etc/shells file is corrupt, or if the shell that is defined
> for the user
> (since they don't have a /etc/passwd entry, this would be
> whatever you put
> in
> template in the smb.conf) does not exactly match one of the lines in
> /etc/shells,
> or the defaults, if this file does not exist.
> The defaults for 11.0 are:
>
>
>
> /sbin/sh
> /usr/bin/sh
> /usr/bin/rsh
> /usr/bin/ksh
> /usr/bin/rksh
> /usr/bin/csh
> /usr/bin/keysh
>
> Hope this helps,
> Don
> > -----Original Message-----
> > From: John H Terpstra [mailto:jht at samba.org]
> > Sent: Friday, January 31, 2003 1:36
> > To: Miles Roper
> > Cc: 'samba-technical at lists.samba.org'; 'samba at lists.samba.org'; Esh,
> > Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); 'MCCALL,DON
> > (HP-USA,ex1)'; 'Richard Sharpe'
> > Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck,
> Please Help
> >
> >
> > On Fri, 31 Jan 2003, Miles Roper wrote:
> >
> > > Hi Everyone,
> > >
> > > I'm forgetting about the password one at the moment, thanks
> > for all your
> > > input :o)
> > >
> > > I still don't have a clue how to solve my main problem.
> > I'm assuming that
> > > its not actually winbind related now, as I've recently
> > tried pam_smb and get
> > > the same basic problem.
> > >
> > > Basically, when I log into the UNIX box, the
> > username/password of a NT user
> > > is being authenticated, but doesn't actually log in. It
> > doesn't get past
> > > the password line. I know it accepts the password. Its
> > almost as if it
> > > can't find the shell. But the template variable is set
> > within the smb.conf
> > > file. Permissions are fine. I have exactly the same
> > problem with the
> > > pam_smb module.
> >
> > So what does PAM report into your /var/log files?
> >
> > Have you tried adding to each line in your /etc/pam.d/login
> > (after the .so
> > file name) the word 'audit' - this will increase the volume
> > of debugging
> > info spit out into /var/log/messages, or wherever PAM send
> > this on your
> > distro.
> >
> > - John T.
> >
> > >
> > > If there is any further information I can send let me know.
> > >
> > > Ideas?
> > >
> > > Thanks
> > >
> > > Miles
> > >
> > >
> > > -----Original Message-----
> > > From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at hp.com]
> > > Sent: Friday, 31 January 2003 07:06 a.m.
> > > To: STEFFENS,MICHAEL (HP-Germany,ex1); Ronan Waide
> > > Cc: 'samba at lists.samba.org'; Esh, Andrew; Miles Roper;
> > > 'samba-technical at lists.samba.org'; 'Richard Sharpe'
> > > Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck,
> > Please Help
> > >
> > >
> > > Hi Everyone,
> > > This whole problem with the password command not working
> > when winbind
> > > is included as a method in the nsswitch.conf can probably
> > be worked around
> > > by simply using the -r files (or -r nis or -r nisplus)
> > switch. Take a look
> > > at the man page for passwd on HP-UX 11.x and see if this
> > won't help you
> > > out.
> > > Hope this helps,
> > > Don
> > >
> > > > -----Original Message-----
> > > > From: Michael Steffens [mailto:michael.steffens at hp.com]
> > > > Sent: Tuesday, January 28, 2003 11:52
> > > > To: Ronan Waide
> > > > Cc: 'samba at lists.samba.org'; Esh, Andrew; Miles Roper;
> > > > 'samba-technical at lists.samba.org'; 'Richard Sharpe'
> > > > Subject: Re: [Samba] RE: Winbind on HPUX11, Totally
> > Stuck, Please Help
> > > >
> > > >
> > > > Ronan Waide wrote:
> > > > > On January 28, Andrew_Esh at adaptec.com said:
> > > > >
> > > > >>I don't have HPUX, so I don't know what to suggest for
> > > > that. I just know
> > > > >>getent won't work without winbindd in nsswitch.conf on Linux.
> > > > >
> > > > >
> > > > > I think the point that was being made is that NSS support
> > > > on HPUX only
> > > > > supports a few known types, of which one is LDAP. The
> > discussion was
> > > > > basically about faking out the system so that what it
> > thinks is LDAP
> > > > > is actually winbind.
> > > >
> > > > Yep. It's a HP-UX specific workaround. Please ignore it
> > > > everywhere else.
> > > >
> > > > Michael
> > > >
> > > >
> > >
> >
> > --
> > John H Terpstra
> > Email: jht at samba.org
> >
>
More information about the samba-technical
mailing list