4.2rc2 and winbindd

Rowland Penny repenny241155 at gmail.com
Tue Oct 21 02:56:48 MDT 2014


On 20/10/14 22:12, Rowland Penny wrote:
> On 20/10/14 15:08, Rowland Penny wrote:
>> On 20/10/14 14:45, David Mansfield wrote:
>>>
>>> On 10/20/2014 08:46 AM, Rowland Penny wrote:
>>>> On 20/10/14 13:34, Michael Adam wrote:
>>>>> Hi Rowland,
>>>>>
>>>>> On 2014-10-20 at 13:07 +0100, Rowland Penny wrote:
>>>>>> On 20/10/14 12:44, Michael Adam wrote:
>>>>>>> Ok. I think the DC-with-winbindd scenario is special here,
>>>>>>> just need to understand, how so.
>>>>>> I thought that the whole idea of changing 'winbind' to 'winbindd'
>>>>>> was to get all the benefits of the established winbind without
>>>>>> having to do anything special, you are now saying that 'Something
>>>>>> special' may be required, if this is the case, just what is required
>>>>>> ????
>>>>> There are several points for using winbindd.
>>>>> Here are the two (imho) most important ones:
>>>>>
>>>>> - Make use of winbindd's ability to speak to other domains
>>>>>    (the winbind internal samba component can't), hence enabling
>>>>>    support for trusts!
>>>>>
>>>>> - Don't maintain two winbind implementations but just one.
>>>>>
>>>>> That being said, winbindd is a very versatile, flexible tool
>>>>> that can be configured in various ways. So similar to the
>>>>> mode of samba starting smbd for file serving, which also
>>>>> enforces several parameters for the running smbd (which reflects
>>>>> the special purpose for which smbd is run, namely to serve
>>>>> SMB in a DC setup), I could imagine that samba enforces
>>>>> several parameters to reflect the special situation.
>>>>> That's what I meant with special.
>>>>> I have not found anything special though with a brief look at
>>>>> the code.
>>>>>
>>>>> But that being said, of course things should work in the DC
>>>>> setup, and you have most certainly found a problem.
>>>>> Since I did not have the time yet to dig deeper, I don't know
>>>>> the answer yet. So we'll need to do more testing / digging until
>>>>> we find it or possibly Andrew can shed some light.
>>>>>
>>>>> We should have some nss-level test also in our selftest.
>>>>> (If this is not the case, then it needs to be added...)
>>>>> The samba-setup for this test (from the selftest provisioning
>>>>> code) would tell us how to proceed.
>>>>> (Just trying to give a few hints as to where I would look next
>>>>> if I had the time right now..)
>>>>>
>>>>> Cheers - Michael
>>>>>
>>>> Hi Michael, I have the feeling that you would like me to compile 
>>>> samba again, this is not a problem except I haven't a clue just how 
>>>> to configure the build and then how do I carry out any tests. ?
>>>>
>>>> Rowland
>>>>
>>> Hi Rowland,
>>>
>>> Just a stab in the dark: with the "old" winbind-on-DC approach (4.0, 
>>> 4.1) you had to use the libnss_winbind.so that was built during 
>>> compile, which in my case involved symlinking the shared objects 
>>> into the /lib64 directory (on centos6). This was not done by "make 
>>> install".  Is it possible you are using the "old" libraries still?
>>>
>> Good thought, but unfortunately wrong ;-)
>>
>> I installed samba4 from backports, then ignored it, built 
>> samba4.2rc2, altered /etc/init.d/samba-ad-dc to use the samba daemon 
>> in /usr/local/samba/sbin, updated PATH and then tried wbinfo, all ok 
>> so tried getent, got nothing. Remembered having to create the 
>> symlinks from when I did compile samba4, so copied the ones I 
>> compiled to where the ones apt-get had installed and getent burst 
>> into life, but it just doesn't display the users home directory or 
>> login shell.
>>
>> Bug report made:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=10886
>>
>> Rowland
> OK, I have just received an update to my bug report:
>
> --- Comment #1 from Andrew Bartlett<abartlet at samba.org>  ---
> Correct, just as the old internal winbind did not ask for these 
> attributes,
> nothing has changed with Samba 4.2.  The %U and %D bug is 10852.
>
> So it would seem that we will have to wait until the attributes are 
> plumbed in :'(
>
> Until bug 10852 is fixed I suppose the work around is to add 'server 
> service = -winbindd +winbind' to smb.conf on the DC, this will at 
> least get you back to where you were before 4.2, or you can do as I 
> will be doing, not upgrading until it is fixed.
>
> Rowland
>
OK, another update, the fix for bug 10852 is to change one word in 
'source3/winbindd/wb_fill_pwent.c' and then recompile, this gets you 
from this:

rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false

To this:

rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/false

Better, just like it was with 'winbind', but not as good as the same 
daemon 'winbindd' on a client:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Rowland
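
The three passwd entries quoted in the message above can be told apart mechanically. The following is an added example, not part of the original post or of Samba: a shell check that classifies `getent passwd`-style lines by whether the home field still holds a literal `%D`/`%U` and whether the shell is `/bin/false`. The function names `check_pwent`, `count_unexpanded` and `sample_lines` are hypothetical.

```shell
#!/bin/sh
# Added example: classify passwd-format lines (the format printed by
# `getent passwd`) into the three states shown in the thread.

# check_pwent: reads passwd lines on stdin, prints "<user> <verdict>".
#   UNEXPANDED  home field still contains a literal %D or %U
#   NOLOGIN     home is expanded, but the shell is /bin/false
#   OK          home is expanded and another shell is set
#   MALFORMED   line does not have seven colon-separated fields
check_pwent() {
    awk -F: '
        /^$/               { next }
        NF != 7            { print $1, "MALFORMED"; next }
        $6 ~ /%[DU]/       { print $1, "UNEXPANDED"; next }
        $7 == "/bin/false" { print $1, "NOLOGIN"; next }
                           { print $1, "OK" }
    '
}

# count_unexpanded: number of entries with an unexpanded home field.
count_unexpanded() {
    check_pwent | awk '$2 == "UNEXPANDED" { n++ } END { print n + 0 }'
}

# sample_lines: the three entries quoted in the message, in order
# (DC before the fix, DC after the fix, winbindd on a client).
sample_lines() {
    cat <<'EOF'
rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/false
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
EOF
}

# Demonstration on the quoted entries; on a live system use:
#   getent passwd | check_pwent
sample_lines | check_pwent
```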
