Winbind on HPUX 11, some small progress

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Thu Feb 6 20:37:26 GMT 2003


ps, the fact that get getpwent and getent programs that you are running do
NOT 
return any output indicate that the issue is probably with the
libnss_winbind.so
on your system..
Don

> -----Original Message-----
> From: Miles Roper [mailto:mroper at westcoastdhb.org.nz]
> Sent: Thursday, February 06, 2003 15:31
> To: 'MCCALL,DON (HP-USA,ex1)'; samba-technical at lists.samba.org;
> 'samba at lists.samba.org'; 'Esh, Andrew'; 'Ronan Waide';
> michael_steffens at bbn.exch.hp.com; 'Richard Sharpe'; 'John H Terpstra';
> GILCHRIST,KIM (HP-NewZealand,ex1)
> Subject: RE: Winbind on HPUX 11, some small progress
> 
> 
> Hi Don,
> 
> Michael Steffens a while back sent me a compiled version of 
> getent which I
> couldn't get to work.
> 
> I compiled your version and it doesn't seem to produce any 
> result either,
> seems to return immeditaly without doing anything.
> 
> ie
> coastdr: /mnt/1/samba/test> ./getent passwd WESTCOASTDHB+mroper
> coastdr: /mnt/1/samba/test>
> 
> If I run it without any parameters I get a core dump :o)
> 
> Better tell you that I'm compiling winbind with gcc 3.01 on hpux.  I
> compiled the getent program you sent me with.
> 
> gcc -c -I. -g -O2 getent.c
> gcc -g getent.o -o getent
> 
> >From what you have said it would seem like libnss_winbind.so 
> itsn't working.
> Anyway to get any debug output?
> 
> Here is my /usr/lib/libnss*
> 
> -r-xr-xr-x   1 bin        bin          28672 Mar 13  2001 
> libnss_compat.1
> -r-xr-xr-x   1 bin        bin         104536 Nov  6  1997 libnss_dns.1
> -r-xr-xr-x   1 bin        bin          40960 Mar  7  2001 
> libnss_files.1
> lrwxrwxrwx   1 root       sys             17 Jan 27 09:49 
> libnss_ldap.1 ->
> libns
> s_winbind.so
> -r-xr-xr-x   1 bin        bin          40960 Mar 13  2001 libnss_nis.1
> -r-xr-xr-x   1 bin        bin          57344 Mar 13  2001 
> libnss_nisplus.1
> -r-xr-xr-x   1 bin        bin          28672 Jan 24 15:23 
> libnss_winbind.so
> lrwxrwxrwx   1 root       sys             17 Jan 27 11:51
> libnss_winbind.so.1 ->
>  libnss_winbind.so
> lrwxrwxrwx   1 root       sys             17 Oct 15 16:14
> libnss_winbind.so.2 ->
>  libnss_winbind.so
> 
> Here is my /etc/nsswitch.conf
> 
> hosts: dns     [NOTFOUND=continue UNAVAIL=continue 
> TRYAGAIN=continue] files
> [N
> OTFOUND=return UNAVAIL=continue TRYAGAIN=return]
> passwd: files winbind
> group: files winbind
> 
> Here is the compile output from libnss_winbind.so
> 
> Compiling nsswitch/winbind_nss.c with -fpic
> nsswitch/winbind_nss.c: In function `fill_pwent':
> nsswitch/winbind_nss.c:600: warning: passing arg 2 of 
> `get_static' from
> incompatible pointer type
> nsswitch/winbind_nss.c:612: warning: passing arg 2 of 
> `get_static' from
> incompatible pointer type
> nsswitch/winbind_nss.c:629: warning: passing arg 2 of 
> `get_static' from
> incompatible pointer type
> nsswitch/winbind_nss.c:641: warning: passing arg 2 of 
> `get_static' from
> incompatible pointer type
> nsswitch/winbind_nss.c:653: warning: passing arg 2 of 
> `get_static' from
> incompatible pointer type
> nsswitch/winbind_nss.c: In function `fill_grent':
> nsswitch/winbind_nss.c:690: warning: passing arg 2 of 
> `get_static' from
> incompatible pointer type
> nsswitch/winbind_nss.c:702: warning: passing arg 2 of 
> `get_static' from
> incompatible pointer type
> nsswitch/winbind_nss.c:728: warning: passing arg 2 of 
> `get_static' from
> incompatible pointer type
> nsswitch/winbind_nss.c:753: warning: passing arg 2 of 
> `get_static' from
> incompatible pointer type
> nsswitch/winbind_nss.c: In function `_nss_winbind_getpwent_r':
> nsswitch/winbind_nss.c:870: warning: passing arg 4 of 
> `fill_pwent' from
> incompatible pointer type
> nsswitch/winbind_nss.c: In function `_nss_winbind_getpwuid_r':
> nsswitch/winbind_nss.c:920: warning: passing arg 4 of 
> `fill_pwent' from
> incompatible pointer type
> nsswitch/winbind_nss.c:933: warning: passing arg 4 of 
> `fill_pwent' from
> incompatible pointer type
> nsswitch/winbind_nss.c: In function `_nss_winbind_getpwnam_r':
> nsswitch/winbind_nss.c:982: warning: passing arg 4 of 
> `fill_pwent' from
> incompatible pointer type
> nsswitch/winbind_nss.c:995: warning: passing arg 4 of 
> `fill_pwent' from
> incompatible pointer type
> nsswitch/winbind_nss.c: In function `_nss_winbind_getgrent_r':
> nsswitch/winbind_nss.c:1119: warning: passing arg 5 of 
> `fill_grent' from
> incompatible pointer type
> nsswitch/winbind_nss.c: In function `_nss_winbind_getgrnam_r':
> nsswitch/winbind_nss.c:1179: warning: passing arg 5 of 
> `fill_grent' from
> incompatible pointer type
> nsswitch/winbind_nss.c:1193: warning: passing arg 5 of 
> `fill_grent' from
> incompatible pointer type
> nsswitch/winbind_nss.c: In function `_nss_winbind_getgrgid_r':
> nsswitch/winbind_nss.c:1242: warning: passing arg 5 of 
> `fill_grent' from
> incompatible pointer type
> nsswitch/winbind_nss.c:1256: warning: passing arg 5 of 
> `fill_grent' from
> incompatible pointer type
> Compiling nsswitch/winbind_nss_solaris.c with -fpic
> Linking nsswitch/libnss_winbind.so
> 
> Any idea where to go from here?
> 
> Cheers
> 
> Miles
> 
> -----Original Message-----
> From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at hp.com]
> Sent: Thursday, 6 February 2003 05:53 a.m.
> To: 'Miles Roper'; MCCALL,DON (HP-USA,ex1);
> samba-technical at lists.samba.org; 'samba at lists.samba.org'; 
> 'Esh, Andrew';
> 'Ronan Waide'; STEFFENS,MICHAEL (HP-Germany,ex1); 'Richard Sharpe';
> 'John H Terpstra'; GILCHRIST,KIM (HP-NewZealand,ex1)
> Subject: RE: Winbind on HPUX 11, some small progress
> 
> 
> Hi Miles,
> This sounds like a 
> PAM_USER_UNKNOWN        13
> error.  Which would indicate that winbind daemon did it's job 
> (ie passed the
> username and 
> password to the password server ,and got validation back that 
> the user is
> authenticated,
> but then when it went thru the nsswitch stuff to 'look up' 
> the user, that
> failed.
> Kinda wierd.  I don't have your original post, but I'm 
> assuming that you
> have 
> passwd: files winbind
> group: files winbind
> 
> in your /etc/nsswitch.conf file
> and that  you have working links to the winbind nss code 
> (look something
> like this):
> 
> 46 Aug 27 11:16 /usr/lib/libnss_winbind.1 ->
> /usr/local/samba/lib/winbind/libnss_winbind.so
> 
> 
> To verify that your nsswitch code is working compile the 
> getent.c program I
> have attached to this message, and then verify that you can get an
> appropriate uid/gid back for a user
> defined on your NT password server in the following manner;
> 
> getent passwd <domainname><domainseparator><username>
> (for instance on my system, I use '+' as winbind domain 
> separator, and my
> domain is atl-wtec,
> so: getent passwd atl-wtec+administrator  returns me the 
> 'passwd' entry
> faked up from the 
> NT domain controller I am a member of.
> 
> Just a thought,
> Don
> 
> > -----Original Message-----
> > From: Miles Roper [mailto:mroper at westcoastdhb.org.nz]
> > Sent: Tuesday, February 04, 2003 21:28
> > To: 'MCCALL,DON (HP-USA,ex1)'; samba-technical at lists.samba.org;
> > 'samba at lists.samba.org'; 'Esh, Andrew'; 'Ronan Waide';
> > michael_steffens at bbn.exch.hp.com; 'Richard Sharpe'; 'John H 
> Terpstra';
> > Kim (E-mail)
> > Subject: Winbind on HPUX 11, some small progress
> > 
> > 
> > Hi All,
> > 
> > Well, i've managed to enable some debugging in syslog, I 
> had to put in
> > /etc/syslog.conf
> > 
> > ;*.debug
> > 
> > on the syslog line.
> > 
> > So at least I have an error which is being returned into syslog from
> > winbind.
> > 
> > This is what I get from winbind
> > 
> > Feb  4 21:13:17 coastdr pam_winbind[20753]: Verify user `lonnie'
> > Feb  4 21:13:18 coastdr pam_winbind[20753]: user 'lonnie' 
> > granted acces
> > Feb  4 21:13:18 coastdr pam_winbind[20753]: LOGIN: exiting 
> > with return code
> > 13
> > 
> > This is what I get from pamsmb (ignore the dates, they are a 
> > bit funny for
> > some reason)
> > 
> > Feb  5 14:53:55 coastdr pamsmbd[20119]: server: remote auth user
> > unix:trainingus
> > er nt:traininguser NTDOM:WESTCOASTDHB PDC:COASTDB BDC:
> > Feb  5 14:53:55 coastdr pamsmbd[20119]: cache_add: inserted entry
> > Feb  4 20:53:55 coastdr : pamsmbd: Got something back... 0
> > Feb  4 20:53:55 coastdr : pam_smb: got back 0 username traininguser
> > Feb  4 20:53:55 coastdr : LOGIN: exiting with return code 13
> > 
> > So the error with pamsmb and winbind is the same.  I've done 
> > a man on login
> > and can only find a description of errors, not the error 
> > codes.  What is
> > error code 13?  If I can find that out it will make looking 
> > for it a bit
> > easier.  I thought it might be that the shell doens't exist, 
> > but I tried
> > making a user with a invalid shell and get back error code 1, 
> > so its not
> > that.
> > 
> > Ideas?
> > 
> > Cheers
> > 
> > Miles
> > 
> > 
> > -----Original Message-----
> > From: Miles Roper 
> > Sent: Monday, 3 February 2003 08:54 a.m.
> > To: 'MCCALL,DON (HP-USA,ex1)'
> > Cc: 'samba-technical at lists.samba.org'; 'samba at lists.samba.org'; Esh,
> > Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); 'Richard
> > Sharpe'; 'John H Terpstra'
> > Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, 
> Please Help
> > 
> > 
> > Thanks for your help, still no luck though.  More info for you.
> > 
> > with no debug statements in my /etc/pam.conf I get in sys log 
> > the following.
> > 
> > Feb  2 14:43:02 coastdr pam_winbind[2832]: user 
> > 'traininguser' granted acces
> > 
> > with debug turned on I get
> > 
> > Feb  2 14:47:49 coastdr pam_winbind[2839]: Verify user 
> `traininguser'
> > Feb  2 14:47:49 coastdr pam_winbind[2839]: user 
> > 'traininguser' granted acces
> > 
> > the user is still logging out.
> > 
> > incidentlally, when I log in as a unix user, rather than a 
> > win2k user I
> > don't get anything in sys log.  I've included my pam.conf below.
> > 
> > Also, I checked for /etc/shells, no such file, and I have set 
> > my smb.conf
> > shell line to
> > 
> > template shell = /sbin/sh
> > 
> > and also tried
> > 
> > template shell = /usr/bin/sh
> > 
> > both files exist.
> > 
> > #
> > # PAM configuration
> > #
> > # Authentication management
> > #
> > login    auth sufficient        
> /usr/lib/security/libpam_unix.1 debug
> > login    auth sufficient        /usr/lib/security/libpam_winbind.1
> > debug
> > #login   auth sufficient        
> /usr/lib/security/libpam_smb.1 nolocal
> > debug
> > su       auth required  /usr/lib/security/libpam_unix.1 debug
> > dtlogin  auth required  /usr/lib/security/libpam_unix.1 debug
> > dtaction auth required  /usr/lib/security/libpam_unix.1 debug
> > ftp      auth required  /usr/lib/security/libpam_unix.1 debug
> > OTHER    auth required  /usr/lib/security/libpam_unix.1 debug
> > #
> > # Account management
> > #
> > login    account sufficient     
> /usr/lib/security/libpam_unix.1 debug
> > login    account sufficient     /usr/lib/security/libpam_winbind.1
> > debug
> > su       account required       
> /usr/lib/security/libpam_unix.1 debug
> > dtlogin  account required       
> /usr/lib/security/libpam_unix.1 debug
> > dtaction account required       
> /usr/lib/security/libpam_unix.1 debug
> > ftp      account required       
> /usr/lib/security/libpam_unix.1 debug
> > #
> > OTHER    account required       
> /usr/lib/security/libpam_unix.1 debug
> > #
> > # Session management
> > #
> > login    session sufficient     
> /usr/lib/security/libpam_unix.1 debug
> > login    session sufficient     /usr/lib/security/libpam_winbind.1
> > debug
> > dtlogin  session required       
> /usr/lib/security/libpam_unix.1 debug
> > dtaction session required       
> /usr/lib/security/libpam_unix.1 debug
> > OTHER    session required       
> /usr/lib/security/libpam_unix.1 debug
> > #
> > # Password management
> > #
> > login    password sufficient    
> /usr/lib/security/libpam_unix.1 debug
> > login    password sufficient    /usr/lib/security/libpam_winbind.1
> > debug
> > passwd   password required      
> /usr/lib/security/libpam_unix.1 debug
> > passwd   password required      /usr/lib/security/libpam_winbind.1
> > debug
> > dtlogin  password required      
> /usr/lib/security/libpam_unix.1 debug
> > dtaction password required      
> /usr/lib/security/libpam_unix.1 debug
> > OTHER    password required      
> /usr/lib/security/libpam_unix.1 debug
> > 
> > Cheers
> > 
> > Miles
> > 
> > -----Original Message-----
> > From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at hp.com]
> > Sent: Saturday, 1 February 2003 04:53 a.m.
> > To: 'John H Terpstra'; Miles Roper
> > Cc: 'samba-technical at lists.samba.org'; 'samba at lists.samba.org'; Esh,
> > Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); MCCALL,DON
> > (HP-USA,ex1); 'Richard Sharpe'
> > Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, 
> Please Help
> > 
> > 
> > Hi, Miles,
> > Actually on HP-UX, you will need to add the word 'debug' at 
> > the end of each
> > of 
> > the lines in you /etc/pam.conf file, to enable more debugging 
> > to go into the
> > 
> > /var/adm/syslog/syslog.log file.
> > 
> > One thing that I have seen something like this happen on is if the 
> > /etc/shells file is corrupt, or if the shell that is defined 
> > for the user
> > (since they don't have a /etc/passwd entry, this would be 
> > whatever you put
> > in
> > template in the smb.conf) does not exactly match one of the lines in
> > /etc/shells,
> > or the defaults, if this file does not exist.
> > The defaults for 11.0 are:
> > 
> > 
> > 
> >                                     /sbin/sh
> >                                     /usr/bin/sh
> >                                     /usr/bin/rsh
> >                                     /usr/bin/ksh
> >                                     /usr/bin/rksh
> >                                     /usr/bin/csh
> >                                     /usr/bin/keysh
> > 
> > Hope this helps,
> > Don
> > > -----Original Message-----
> > > From: John H Terpstra [mailto:jht at samba.org]
> > > Sent: Friday, January 31, 2003 1:36
> > > To: Miles Roper
> > > Cc: 'samba-technical at lists.samba.org'; 
> 'samba at lists.samba.org'; Esh,
> > > Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); 
> 'MCCALL,DON
> > > (HP-USA,ex1)'; 'Richard Sharpe'
> > > Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, 
> > Please Help
> > > 
> > > 
> > > On Fri, 31 Jan 2003, Miles Roper wrote:
> > > 
> > > > Hi Everyone,
> > > >
> > > > I'm forgetting about the password one at the moment, thanks 
> > > for all your
> > > > input :o)
> > > >
> > > > I still don't have a clue how to solve my main problem.  
> > > I'm assuming that
> > > > its not actually winbind related now, as I've recently 
> > > tried pam_smb and get
> > > > the same basic problem.
> > > >
> > > > Basically, when I log into the UNIX box, the 
> > > username/password of a NT user
> > > > is being authenticated, but doesn't actually log in.  It 
> > > doesn't get past
> > > > the password line.  I know it accepts the password.  Its 
> > > almost as if it
> > > > can't find the shell.  But the template variable is set 
> > > within the smb.conf
> > > > file.  Permissions are fine.  I have exactly the same 
> > > problem with the
> > > > pam_smb module.
> > > 
> > > So what does PAM report into your /var/log files?
> > > 
> > > Have you tried adding to each line in your /etc/pam.d/login 
> > > (after the .so
> > > file name) the word 'audit' - this will increase the volume 
> > > of debugging
> > > info spit out into /var/log/messages, or wherever PAM send 
> > > this on your
> > > distro.
> > > 
> > > - John T.
> > > 
> > > >
> > > > If there is any further information I can send let me know.
> > > >
> > > > Ideas?
> > > >
> > > > Thanks
> > > >
> > > > Miles
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at hp.com]
> > > > Sent: Friday, 31 January 2003 07:06 a.m.
> > > > To: STEFFENS,MICHAEL (HP-Germany,ex1); Ronan Waide
> > > > Cc: 'samba at lists.samba.org'; Esh, Andrew; Miles Roper;
> > > > 'samba-technical at lists.samba.org'; 'Richard Sharpe'
> > > > Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, 
> > > Please Help
> > > >
> > > >
> > > > Hi Everyone,
> > > > This whole problem with the password command not working 
> > > when winbind
> > > > is included as a method in the nsswitch.conf can probably 
> > > be worked around
> > > > by simply using the -r files (or -r nis or -r nisplus) 
> > > switch.  Take a look
> > > > at the man page for passwd on HP-UX 11.x  and see if this 
> > > won't help you
> > > > out.
> > > > Hope this helps,
> > > > Don
> > > >
> > > > > -----Original Message-----
> > > > > From: Michael Steffens [mailto:michael.steffens at hp.com]
> > > > > Sent: Tuesday, January 28, 2003 11:52
> > > > > To: Ronan Waide
> > > > > Cc: 'samba at lists.samba.org'; Esh, Andrew; Miles Roper;
> > > > > 'samba-technical at lists.samba.org'; 'Richard Sharpe'
> > > > > Subject: Re: [Samba] RE: Winbind on HPUX11, Totally 
> > > Stuck, Please Help
> > > > >
> > > > >
> > > > > Ronan Waide wrote:
> > > > > > On January 28, Andrew_Esh at adaptec.com said:
> > > > > >
> > > > > >>I don't have HPUX, so I don't know what to suggest for
> > > > > that. I just know
> > > > > >>getent won't work without winbindd in nsswitch.conf 
> on Linux.
> > > > > >
> > > > > >
> > > > > > I think the point that was being made is that NSS support
> > > > > on HPUX only
> > > > > > supports a few known types, of which one is LDAP. The 
> > > discussion was
> > > > > > basically about faking out the system so that what it 
> > > thinks is LDAP
> > > > > > is actually winbind.
> > > > >
> > > > > Yep. It's a HP-UX specific workaround. Please ignore it
> > > > > everywhere else.
> > > > >
> > > > > Michael
> > > > >
> > > > >
> > > >
> > > 
> > > -- 
> > > John H Terpstra
> > > Email: jht at samba.org
> > > 
> > 
> 


More information about the samba-technical mailing list