winbind network authentication troubleshooting

C.J. Adams-Collier KF7BMP cjac at colliertech.org
Tue May 7 02:58:39 MDT 2013


On Mon, 2013-05-06 at 19:04 -0700, C.J. Adams-Collier KF7BMP wrote:
> Hello folks, 
> 
> I'm working on a project to replace NIS with winbind on FreeBSD 6.3.
> I've not worked with nss before, as all of my own systems authenticate
> against local files, so both NIS and winbind are relatively new to me.
> I have built samba 3.5.21 for the target environment and am currently
> exercising the ssh use case.  You can also assume that I'm new to
> FreeBSD.
> 
> I have modified /etc/nsswitch.conf to query libnss_winbind.so after
> files:
> 
> # grep -E '^(group|passwd):' /etc/nsswitch.conf
> group: files winbind
> passwd: files winbind
> 
> I have also modified /etc/pam.d/sshd to make use of the functions in
> pam_winbind.so:
> 
> # grep -E '^(auth|account|session|password)' /etc/pam.d/sshd
> auth		sufficient	pam_opie.so		no_warn no_fake_prompts
> auth		requisite	pam_opieaccess.so	no_warn allow_local
> auth		required	pam_unix.so		no_warn try_first_pass
> auth            sufficient      pam_winbind.so try_first_pass
> account		required	pam_nologin.so
> account		required	pam_login_access.so
> account		required	pam_unix.so
> account         sufficient      pam_winbind.so try_first_pass
> session		required	pam_permit.so
> session         sufficient      pam_winbind.so mkhomedir
> session         sufficient      pam_winbind.so
> password        sufficient      pam_winbind.so try_first_pass
> password	required	pam_unix.so		no_warn try_first_pass
> 
> From what I have observed with gdb, based on the nsswitch.conf changes,
> libc will dlopen /lib/nss_winbind.so.1 (not /lib/libnss_winbind.so.2)
> and (eventually) call the _nss_winbind_getpwnam_r, which is defined in
> nsswitch/winbind_nss_linux.[co] and extern defined in
> nsswitch/winbind_nss_freebsd.c.  gdb 6.1.1 doesn't much like the
> indirect way we get to winbind_nss_freebsd.c, so it's a bit difficult
> for me to step through the code once it gets to this point.
> 
> Anybody got any tips?
> 
> Cheers,
> 
> C.J.
> 

I passed --with-dynamic-modules=idmap_ad,idmap_tdb2,... to ./configure
and re-built.  Seems to have fixed the problem.  Still having problems
ssh'ing in to FreeBSD 6.3 when the user doesn't exist in the local
files, but I think I can figure that out tomorrow.

C.J.
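As an added illustration that is not part of the original message, the Python below parses the auth and account lines of the sshd stack quoted above and applies the standard required/requisite/sufficient combination rules to constructed per-module outcomes, so the result the stack yields for a local account versus one known only to winbind can be read off directly. The module outcomes are assumed inputs chosen for the example, not observed behaviour.

```python
from collections import defaultdict

# The auth and account lines of the sshd stack quoted above (constructed copy used
# as sample input; the session and password lines are left out).
SSHD_STACK = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
auth sufficient pam_winbind.so try_first_pass
account required pam_nologin.so
account required pam_login_access.so
account required pam_unix.so
account sufficient pam_winbind.so try_first_pass
"""

def parse_stack(text):
    """Return {facility: [(control, module), ...]} in file order."""
    stack = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#"):
            stack[parts[0]].append((parts[1], parts[2]))
    return stack

def evaluate(chain, outcomes):
    """Combine one chain's results using the required/requisite/sufficient rules.
    outcomes maps module name -> True (PAM_SUCCESS) or False (any error)."""
    required_failed = False
    for control, module in chain:
        ok = outcomes.get(module, False)          # unlisted modules count as failed
        if control == "requisite" and not ok:
            return False                          # failure ends the chain at once
        if control == "required" and not ok:
            required_failed = True                # remembered; chain keeps going
        if control == "sufficient" and ok and not required_failed:
            return True                           # success short-circuits the chain
        # a failing 'sufficient' (or any 'optional') module leaves the result alone
    return not required_failed

def check(facility, outcomes, stack_text=SSHD_STACK):
    return evaluate(parse_stack(stack_text)[facility], outcomes)

# Constructed outcomes: a user known only to the domain (no passwd entry, no OPIE
# key) fails pam_unix, while pam_winbind accepts the password.
DOMAIN_ONLY = {"pam_opie.so": False, "pam_opieaccess.so": True,
               "pam_unix.so": False, "pam_winbind.so": True,
               "pam_nologin.so": True, "pam_login_access.so": True}
# Constructed outcomes: a local account with a good password in /etc/master.passwd.
LOCAL = dict(DOMAIN_ONLY, **{"pam_unix.so": True, "pam_winbind.so": False})
```

With these inputs the auth and account chains return True for the local account and False for the domain-only one, because a failed `required` pam_unix.so is remembered and a later successful `sufficient` module cannot override it.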
