winbind network authentication troubleshooting

Timur I. Bakeyev timur at com.bat.ru
Tue May 7 04:55:34 MDT 2013 

The right answer here is:

1. Upgrade to FreeBSD 9.1
2. Install net/samba36 from ports.

6.x have been EOL ages ago, not supported and, basically, is too old for
any practical usage.

Regards,
Timur Bakeyev.


On Tue, May 7, 2013 at 4:04 AM, C.J. Adams-Collier KF7BMP <
cjac at colliertech.org> wrote:

> Hello folks,
>
> I'm working on a project to replace NIS with winbind on FreeBSD 6.3.
> I've not worked with nss before, as all of my own systems authenticate
> against local files, so both NIS and winbind are relatively new to me.
> I have built samba 3.5.21 for the target environment and am currently
> exercising the ssh use case.  You can also assume that I'm new to
> FreeBSD.
>
> I have modified /etc/nsswitch.conf to query libnss_winbind.so after
> files:
>
> # grep -E '^(group|passwd):' /etc/nsswitch.conf
> group: files winbind
> passwd: files winbind
>
> I have also modified /etc/pam.d/sshd to make use of the functions in
> pam_winbind.so:
>
> # grep -E '^(auth|account|session|password)' /etc/pam.d/sshd
> auth            sufficient      pam_opie.so             no_warn
> no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
> auth            required        pam_unix.so             no_warn
> try_first_pass
> auth            sufficient      pam_winbind.so try_first_pass
> account         required        pam_nologin.so
> account         required        pam_login_access.so
> account         required        pam_unix.so
> account         sufficient      pam_winbind.so try_first_pass
> session         required        pam_permit.so
> session         sufficient      pam_winbind.so mkhomedir
> session         sufficient      pam_winbind.so
> password        sufficient      pam_winbind.so try_first_pass
> password        required        pam_unix.so             no_warn
> try_first_pass
>
> From what I have observed with gdb, based on the nsswitch.conf changes,
> libc will dlopen /lib/nss_winbind.so.1 (not /lib/libnss_winbind.so.2)
> and (eventually) call the _nss_winbind_getpwnam_r, which is defined in
> nsswitch/winbind_nss_linux.[co] and extern defined in
> nsswitch/winbind_nss_freebsd.c.  gdb 6.1.1 doesn't much like the
> indirect way we get to winbind_nss_freebsd.c, so it's a bit difficult
> for me to step through the code once it gets to this point.
>
> Anybody got any tips?
>
> Cheers,
>
> C.J.
>
>

More information about the samba-technical mailing list