winbind network authentication troubleshooting

C.J. Adams-Collier cjac at colliertech.org
Tue May 7 09:00:01 MDT 2013


Oh, I know.  And I have said the same to the client.  But the customer, as
I'm sure you are aware, is always right.
On May 7, 2013 3:55 AM, "Timur I. Bakeyev" <timur at com.bat.ru> wrote:

> The right answer here is:
>
> 1. Upgrade to FreeBSD 9.1
> 2. Install net/samba36 from ports.
>
> 6.x has been EOL for ages, is not supported and, basically, is too old for
> any practical usage.
>
> Regards,
> Timur Bakeyev.
>
>
> On Tue, May 7, 2013 at 4:04 AM, C.J. Adams-Collier KF7BMP <
> cjac at colliertech.org> wrote:
>
>> Hello folks,
>>
>> I'm working on a project to replace NIS with winbind on FreeBSD 6.3.
>> I've not worked with nss before, as all of my own systems authenticate
>> against local files, so both NIS and winbind are relatively new to me.
>> I have built samba 3.5.21 for the target environment and am currently
>> exercising the ssh use case.  You can also assume that I'm new to
>> FreeBSD.
>>
>> I have modified /etc/nsswitch.conf to query libnss_winbind.so after
>> files:
>>
>> # grep -E '^(group|passwd):' /etc/nsswitch.conf
>> group: files winbind
>> passwd: files winbind
>>
>> I have also modified /etc/pam.d/sshd to make use of the functions in
>> pam_winbind.so:
>>
>> # grep -E '^(auth|account|session|password)' /etc/pam.d/sshd
>> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>> auth            requisite       pam_opieaccess.so       no_warn allow_local
>> auth            required        pam_unix.so             no_warn try_first_pass
>> auth            sufficient      pam_winbind.so try_first_pass
>> account         required        pam_nologin.so
>> account         required        pam_login_access.so
>> account         required        pam_unix.so
>> account         sufficient      pam_winbind.so try_first_pass
>> session         required        pam_permit.so
>> session         sufficient      pam_winbind.so mkhomedir
>> session         sufficient      pam_winbind.so
>> password        sufficient      pam_winbind.so try_first_pass
>> password        required        pam_unix.so             no_warn try_first_pass
>>
>> From what I have observed with gdb, based on the nsswitch.conf changes,
>> libc will dlopen /lib/nss_winbind.so.1 (not /lib/libnss_winbind.so.2)
>> and (eventually) call _nss_winbind_getpwnam_r, which is defined in
>> nsswitch/winbind_nss_linux.[co] and extern defined in
>> nsswitch/winbind_nss_freebsd.c.  gdb 6.1.1 doesn't much like the
>> indirect way we get to winbind_nss_freebsd.c, so it's a bit difficult
>> for me to step through the code once it gets to this point.
>>
>> Anybody got any tips?
>>
>> Cheers,
>>
>> C.J.
>>
>>
>
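
Added example, not part of the original thread: a simplified model of PAM control-flag evaluation applied to the auth lines quoted above, showing how module order decides the outcome. The per-module results and the reordered stack are assumptions chosen for illustration, and the model treats a chain in which no module succeeds as a denial.

```python
# Added example: simplified model of how a PAM chain combines control flags.
# Module results are assumed inputs, not observations from the poster's host.

POSTED_AUTH = [  # auth lines in the order quoted from /etc/pam.d/sshd
    ("sufficient", "pam_opie.so"),
    ("requisite", "pam_opieaccess.so"),
    ("required", "pam_unix.so"),
    ("sufficient", "pam_winbind.so"),
]

# Hypothetical reordering for comparison: winbind is consulted before pam_unix.
REORDERED_AUTH = [POSTED_AUTH[0], POSTED_AUTH[1], POSTED_AUTH[3], POSTED_AUTH[2]]


def evaluate(stack, results):
    """Return (granted, trace) for a chain, given module -> bool results."""
    failed = False     # a required module has failed earlier in the chain
    succeeded = False  # at least one module has succeeded
    trace = []
    for control, module in stack:
        ok = results[module]
        trace.append((module, control, "ok" if ok else "fail"))
        if ok:
            succeeded = True
            # A sufficient success ends the chain only if nothing required failed.
            if control == "sufficient" and not failed:
                return True, trace
        elif control == "requisite":
            return False, trace   # requisite failure ends the chain at once
        elif control == "required":
            failed = True         # chain keeps running but can no longer succeed
        # A failing sufficient module is ignored.
    # Model assumption: a chain with no successful module is a denial.
    return (succeeded and not failed), trace


# Constructed scenario: the account exists only in the domain, so pam_unix
# (local password check) is assumed to fail and pam_winbind to succeed.
DOMAIN_ONLY = {"pam_opie.so": False, "pam_opieaccess.so": True,
               "pam_unix.so": False, "pam_winbind.so": True}

if __name__ == "__main__":
    for name, stack in (("posted", POSTED_AUTH), ("reordered", REORDERED_AUTH)):
        granted, trace = evaluate(stack, DOMAIN_ONLY)
        print(name, "->", "granted" if granted else "denied")
        for step in trace:
            print("   ", *step)
```

Under these assumptions the posted order denies a domain-only user because the `required` pam_unix.so failure is recorded before pam_winbind.so runs, while the reordered chain stops at pam_winbind.so with success.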

