winbind network authentication troubleshooting

C.J. Adams-Collier KF7BMP cjac at colliertech.org
Mon May 6 20:04:52 MDT 2013


Hello folks, 

I'm working on a project to replace NIS with winbind on FreeBSD 6.3.
I've not worked with nss before, as all of my own systems authenticate
against local files, so both NIS and winbind are relatively new to me.
I have built samba 3.5.21 for the target environment and am currently
exercising the ssh use case.  You can also assume that I'm new to
FreeBSD.

I have modified /etc/nsswitch.conf to query libnss_winbind.so after
files:

# grep -E '^(group|passwd):' /etc/nsswitch.conf
group: files winbind
passwd: files winbind

I have also modified /etc/pam.d/sshd to make use of the functions in
pam_winbind.so:

# grep -E '^(auth|account|session|password)' /etc/pam.d/sshd
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		required	pam_unix.so		no_warn try_first_pass
auth            sufficient      pam_winbind.so try_first_pass
account		required	pam_nologin.so
account		required	pam_login_access.so
account		required	pam_unix.so
account         sufficient      pam_winbind.so try_first_pass
session		required	pam_permit.so
session         sufficient      pam_winbind.so mkhomedir
session         sufficient      pam_winbind.so
password        sufficient      pam_winbind.so try_first_pass
password	required	pam_unix.so		no_warn try_first_pass

From what I have observed with gdb, based on the nsswitch.conf changes,
libc will dlopen /lib/nss_winbind.so.1 (not /lib/libnss_winbind.so.2)
and (eventually) call _nss_winbind_getpwnam_r, which is defined in
nsswitch/winbind_nss_linux.[co] and extern defined in
nsswitch/winbind_nss_freebsd.c.  gdb 6.1.1 doesn't much like the
indirect way we get to winbind_nss_freebsd.c, so it's a bit difficult
for me to step through the code once it gets to this point.

Anybody got any tips?

Cheers,

C.J.
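
Added example, not part of the original post and not Samba or FreeBSD code: a small evaluator for the required/requisite/sufficient control flags, run over the auth lines quoted in the message, to check what a chain returns before attaching a debugger. The per-module outcomes (a constructed domain-only user) and the move_before helper are assumptions for illustration.

```python
# Added example: walk a PAM chain using the required/requisite/sufficient rules.
# Module outcomes are assumed inputs, not results observed on the poster's host.
AUTH_STACK = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
auth sufficient pam_winbind.so try_first_pass
"""

def parse(text, facility):
    """Return [(control, module)] for one facility, ignoring comments."""
    chain = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            chain.append((fields[1], fields[2]))
    return chain

def evaluate(chain, outcomes):
    """outcomes: module -> True (success) or False (failure).
    Returns (granted, trace of modules actually consulted)."""
    failed, passed, trace = False, False, []
    for control, module in chain:
        ok = outcomes[module]
        trace.append((module, control, ok))
        if control == "requisite" and not ok:
            return False, trace            # chain stops immediately
        if control == "required" and not ok:
            failed = True                  # chain continues, result is failure
        if control == "sufficient" and ok and not failed:
            return True, trace             # chain stops with success
        if control in ("required", "requisite") and ok:
            passed = True
    return passed and not failed, trace

def move_before(chain, module, anchor):
    """Return a copy of chain with `module` placed just before `anchor`."""
    entry = next(e for e in chain if e[1] == module)
    rest = [e for e in chain if e is not entry]
    idx = next(i for i, e in enumerate(rest) if e[1] == anchor)
    return rest[:idx] + [entry] + rest[idx:]

# Constructed case: account exists only in the domain, no OPIE key, no local entry.
DOMAIN_USER = {"pam_opie.so": False, "pam_opieaccess.so": True,
               "pam_unix.so": False, "pam_winbind.so": True}

if __name__ == "__main__":
    chain = parse(AUTH_STACK, "auth")
    for label, c in (("as posted", chain),
                     ("winbind first", move_before(chain, "pam_winbind.so", "pam_unix.so"))):
        granted, trace = evaluate(c, DOMAIN_USER)
        print(label, "->", "granted" if granted else "denied", [m for m, _, _ in trace])
```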
