winbind network authentication troubleshooting
C.J. Adams-Collier KF7BMP
cjac at colliertech.org
Tue May 7 02:58:39 MDT 2013
On Mon, 2013-05-06 at 19:04 -0700, C.J. Adams-Collier KF7BMP wrote:
> Hello folks,
>
> I'm working on a project to replace NIS with winbind on FreeBSD 6.3.
> I've not worked with nss before, as all of my own systems authenticate
> against local files, so both NIS and winbind are relatively new to me.
> I have built samba 3.5.21 for the target environment and am currently
> exercising the ssh use case. You can also assume that I'm new to
> FreeBSD.
>
> I have modified /etc/nsswitch.conf to query libnss_winbind.so after
> files:
>
> # grep -E '^(group|passwd):' /etc/nsswitch.conf
> group: files winbind
> passwd: files winbind
>
> I have also modified /etc/pam.d/sshd to make use of the functions in
> pam_winbind.so:
>
> # grep -E '^(auth|account|session|password)' /etc/pam.d/sshd
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> auth required pam_unix.so no_warn try_first_pass
> auth sufficient pam_winbind.so try_first_pass
> account required pam_nologin.so
> account required pam_login_access.so
> account required pam_unix.so
> account sufficient pam_winbind.so try_first_pass
> session required pam_permit.so
> session sufficient pam_winbind.so mkhomedir
> session sufficient pam_winbind.so
> password sufficient pam_winbind.so try_first_pass
> password required pam_unix.so no_warn try_first_pass
>
> From what I have observed with gdb, based on the nsswitch.conf changes,
> libc will dlopen /lib/nss_winbind.so.1 (not /lib/libnss_winbind.so.2)
> and (eventually) call the _nss_winbind_getpwnam_r, which is defined in
> nsswitch/winbind_nss_linux.[co] and extern defined in
> nsswitch/winbind_nss_freebsd.c. gdb 6.1.1 doesn't much like the
> indirect way we get to winbind_nss_freebsd.c, so it's a bit difficult
> for me to step through the code once it gets to this point.
>
> Anybody got any tips?
>
> Cheers,
>
> C.J.
>
I passed --with-dynamic-modules=idmap_ad,idmap_tdb2,... to ./configure
and re-built. Seems to have fixed the problem. Still having problems
ssh'ing in to FreeBSD 6.3 when the user doesn't exist in the local
files, but I think I can figure that out tomorrow.
C.J.
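
An added example, not part of the original message and not Samba or FreeBSD code: a simplified evaluator for the PAM control flags (required, requisite, sufficient) applied to the auth lines of the /etc/pam.d/sshd quoted above, showing how module order decides the result when one module fails and a later one succeeds. The per-module outcomes, the reordered variant and the names parse, evaluate, DOMAIN_ONLY and LOCAL_USER are assumptions constructed for illustration.

```python
# Simplified model of the PAM control flags used in the quoted sshd stack.
# Module outcomes below are constructed assumptions, not captured output.

SSHD_AUTH = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
auth sufficient pam_winbind.so try_first_pass
"""

# Hypothetical variant for comparison: pam_winbind moved ahead of pam_unix.
REORDERED_AUTH = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_winbind.so try_first_pass
auth required pam_unix.so no_warn try_first_pass
"""

# Constructed outcomes: an account known only to winbind, and a local account.
DOMAIN_ONLY = {"pam_opie.so": False, "pam_opieaccess.so": True,
               "pam_unix.so": False, "pam_winbind.so": True}
LOCAL_USER = {"pam_opie.so": False, "pam_opieaccess.so": True,
              "pam_unix.so": True, "pam_winbind.so": False}

def parse(stack_text, facility):
    """Return [(control, module)] for one facility, in file order."""
    rows = (line.split() for line in stack_text.splitlines())
    return [(f[1], f[2]) for f in rows if len(f) >= 3 and f[0] == facility]

def evaluate(rules, outcomes):
    """Walk one chain; return (granted, [(module, control, ok), ...])."""
    required_failed, any_success, trace = False, False, []
    for control, module in rules:
        ok = outcomes[module]
        trace.append((module, control, ok))
        if ok:
            any_success = True
            if control == "sufficient" and not required_failed:
                return True, trace      # success ends the chain here
        elif control == "requisite":
            return False, trace         # failure ends the chain here
        elif control == "required":
            required_failed = True      # chain continues, result is denial
    return any_success and not required_failed, trace

if __name__ == "__main__":
    for name, stack in (("as quoted", SSHD_AUTH), ("reordered", REORDERED_AUTH)):
        for who, outcomes in (("domain-only", DOMAIN_ONLY), ("local", LOCAL_USER)):
            granted, trace = evaluate(parse(stack, "auth"), outcomes)
            print(name, who, "granted" if granted else "denied", trace)
```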