winbind network authentication troubleshooting
C.J. Adams-Collier
cjac at colliertech.org
Tue May 7 09:00:01 MDT 2013
Oh, I know. And I have said the same to the client. But the customer, as
I'm sure you are aware, is always right.
On May 7, 2013 3:55 AM, "Timur I. Bakeyev" <timur at com.bat.ru> wrote:
> The right answer here is:
>
> 1. Upgrade to FreeBSD 9.1
> 2. Install net/samba36 from ports.
>
> 6.x has been EOL for ages, is not supported and, basically, is too old for
> any practical usage.
>
> Regards,
> Timur Bakeyev.
>
>
> On Tue, May 7, 2013 at 4:04 AM, C.J. Adams-Collier KF7BMP <
> cjac at colliertech.org> wrote:
>
>> Hello folks,
>>
>> I'm working on a project to replace NIS with winbind on FreeBSD 6.3.
>> I've not worked with nss before, as all of my own systems authenticate
>> against local files, so both NIS and winbind are relatively new to me.
>> I have built samba 3.5.21 for the target environment and am currently
>> exercising the ssh use case. You can also assume that I'm new to
>> FreeBSD.
>>
>> I have modified /etc/nsswitch.conf to query libnss_winbind.so after
>> files:
>>
>> # grep -E '^(group|passwd):' /etc/nsswitch.conf
>> group: files winbind
>> passwd: files winbind
>>
>> I have also modified /etc/pam.d/sshd to make use of the functions in
>> pam_winbind.so:
>>
>> # grep -E '^(auth|account|session|password)' /etc/pam.d/sshd
>> auth sufficient pam_opie.so no_warn no_fake_prompts
>> auth requisite pam_opieaccess.so no_warn allow_local
>> auth required pam_unix.so no_warn try_first_pass
>> auth sufficient pam_winbind.so try_first_pass
>> account required pam_nologin.so
>> account required pam_login_access.so
>> account required pam_unix.so
>> account sufficient pam_winbind.so try_first_pass
>> session required pam_permit.so
>> session sufficient pam_winbind.so mkhomedir
>> session sufficient pam_winbind.so
>> password sufficient pam_winbind.so try_first_pass
>> password required pam_unix.so no_warn try_first_pass
>>
>> From what I have observed with gdb, based on the nsswitch.conf changes,
>> libc will dlopen /lib/nss_winbind.so.1 (not /lib/libnss_winbind.so.2)
>> and (eventually) call _nss_winbind_getpwnam_r, which is defined in
>> nsswitch/winbind_nss_linux.[co] and extern defined in
>> nsswitch/winbind_nss_freebsd.c. gdb 6.1.1 doesn't much like the
>> indirect way we get to winbind_nss_freebsd.c, so it's a bit difficult
>> for me to step through the code once it gets to this point.
>>
>> Anybody got any tips?
>>
>> Cheers,
>>
>> C.J.
>>
>>
>
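Added example, not part of the original messages or of Samba: a simplified Python model of how PAM combines the `required`, `requisite` and `sufficient` control flags, run over the `auth` lines of the sshd stack quoted above. The per-module outcomes and the reordered chain are constructed assumptions, not results from a real login.

```python
# Added example: simplified model of PAM control flags; outcomes are constructed.
POSTED_AUTH = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
auth sufficient pam_winbind.so try_first_pass
"""

def parse_chain(text):
    """Return [(control, module)] for each rule line in a pam.d fragment."""
    chain = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            chain.append((fields[1], fields[2]))
    return chain

def evaluate(chain, outcomes):
    """Walk the chain in order; return True if the request would be granted."""
    failed = False      # set once a required module has failed
    successes = 0
    for control, module in chain:
        if outcomes[module]:
            successes += 1
            # sufficient ends the chain only if no required module failed earlier
            if control == "sufficient" and not failed:
                return True
        elif control == "required":
            failed = True       # chain keeps running, request denied at the end
        elif control == "requisite":
            return False        # chain stops, request denied immediately
        # a failing sufficient module does not by itself deny the request
    # Assumption of this model: a chain where no module succeeded is denied.
    return not failed and successes > 0

# Constructed outcomes: an account that exists only in the domain.
DOMAIN_USER = {"pam_opie.so": False, "pam_opieaccess.so": True,
               "pam_unix.so": False, "pam_winbind.so": True}
# Constructed outcomes: a local account while winbindd cannot answer.
LOCAL_USER = {"pam_opie.so": False, "pam_opieaccess.so": True,
              "pam_unix.so": True, "pam_winbind.so": False}

posted = parse_chain(POSTED_AUTH)
# Hypothetical alternative order: pam_winbind.so listed before pam_unix.so.
reordered = [posted[0], posted[1], posted[3], posted[2]]

if __name__ == "__main__":
    for name, chain in (("posted", posted), ("reordered", reordered)):
        print(name, "domain user:", evaluate(chain, DOMAIN_USER),
              "local user:", evaluate(chain, LOCAL_USER))
```

With these outcomes the posted order denies the domain-only account, because `pam_unix.so` is `required` and fails before `pam_winbind.so` runs. With `pam_winbind.so` listed first, its success ends the chain, and the local account is still granted when winbind fails.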