samba appliance issues

Tim Potter tpot at linuxcare.com.au
Tue Aug 22 07:08:36 GMT 2000


Michael Brown writes:

>   I have been a happy and contented user of samba for several years now,
> when I got asked several questions I didn't know the answer to. The
> questions were:  
>   1) Is there a way to create a network appliance type unix box, where
> usernames and groupnames are pulled from an existing NT4 or W2K domain?
> (without maintaining a local /etc/passwd file) What is the best way to
> do this?
>   2) How to set up a box so that anybody in the NT domain could log into
> with their NT Domain username and password. (again, without futzing with
> the /etc/passwd file)

As you have discovered, the samba appliance stuff should do all
that.

>   First of all, I am running Redhat 6.2 out-of-the box install, with
> applicable patches and fixes applied, glibc-2.1.3. This has been on
> several Dell Poweredge servers. First, I remove the existing samba
> packages if installed, then install the samba-appliance rpms.

It's probably better if you recompile from source rather than use
the appliance binaries.

>   Our NT domain structure is a multi-master/resource domain structure
> with more than 30,000 objects in the master domains and resource
> domains.   One of our master domains is called "AMERICAS", and  the
> resource domain that the samba appliance resides in is "US". 
> 
> First, very minor issues with the RPM:
> 
> 1.)  missing symbolic link:  /lib/libnss_winbind.so.2  --> 
> /lib/libnss_winbind.so
>    The .so file gets put in /lib, but it won't work without the .so.2
> symlinked back to the main shared library.

The link wasn't made as there is no easy way to determine the
library revision number.  There should be something in the
winbindd manual page about this.

> 1.) Can't get logins to work. I have modified /etc/nsswitch to add
> winbind to the passwd and group entries. The really weird thing is that
> I can no longer log into the machine when I start winbindd. This is even
> if I haven't modified the /etc/pam.d/login file and I am trying to use a
> user in /etc/passwd.  I've tried modifying /etc/pam.d/login as shown in
> the winbindd man page, but that doesn't work either.  As soon as I kill
> winbindd, I can then log into the machine. 

This is sometimes due to mismatched libnss_winbind.so and
winbindd files.

> The thing that DOES work and is really cool, I can do a "getent passwd"
> and it will dump out our NT domain database, as well as the local
> /etc/passwd file. I can do a "chown AMERICAS\\michael_e_brown filename"
> and it will work. I can do a "wbinfo -n AMERICAS\\michael_e_brown" and
> it will dump my SID.  One interesting problem I have been having is that

Heh.  It is pretty neat.

> Linux kernel 2.2 only supports 16 bit UID, so I get some error messages
> when winbindd bumps up against the uid range limit. Will this problem be
> solved if I drop in a 2.4 kernel and expand the range? I have been
> ignoring this for the time being, while I try to get the other problems
> solved.

A 32-bit uid range should fix this as long as the C library has
the correct type for uid_t as well.

> 2.) Because of the size of our NT domain, I experimented with changing
> the "winbind cache time" to a much larger value (several hours), without
> much success. I think that because of the size of our domain, I should
> leave this set at a very high value, is this correct? I have done a
> tcpdump on winbindd grabbing the NT domain userlist, and it normally
> takes a while (between two to ten minutes).

There have been a number of performance enhancements in the
latest code.  Grab the TNG branch from CVS instead of the
appliance rpms.

> And other misc questions:
> 1.) How does the $WINBINDD_DOMAIN variable work? Is it a system wide
> config setting that takes effect when you start winbindd, or is it
> per-process that uses winbindd?

It's per-process.

> 2.) I had some real problems trying to join the machine to the domain
> with "password server = *" in smb.conf. I had to manually point the
> smb.conf at one of our password servers to join the domain as indicated
> in the winbindd man page.

Log file excerpts from winbindd at debug level 3 are a great
help. 

> I am really motivated to try to get some of these things fixed. Can you
> please let me know what I would need to send in order to help debug this
> further?

I've set followups to samba-technical at samba.org so let's continue
the conversation there!


Regards,

Tim.
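
Added example, not part of the original thread and not Samba's own code: a shell check for the two NSS points raised above, namely that winbind is listed for passwd and group in nsswitch.conf and that /lib/libnss_winbind.so.2 (the name glibc loads) exists and is not a dangling link. The function names and the optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify NSS wiring for winbind under a given root directory.
# The root argument (hypothetical, default "/") lets the check run against a
# constructed tree or a mounted appliance image. Links are expected to be
# relative; an absolute link target resolves against the real root.

# Print the databases (passwd, group) whose nsswitch.conf line lists winbind.
winbind_databases() {
    conf="$1/etc/nsswitch.conf"
    [ -r "$conf" ] || return 0
    # Drop comments, then match "winbind" as a whole word among the sources.
    sed 's/#.*//' "$conf" | awk -F: '
        $1 ~ /^[ \t]*(passwd|group)[ \t]*$/ {
            n = split($2, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "winbind") {
                gsub(/[ \t]/, "", $1); print $1; break
            }
        }'
}

# glibc loads NSS modules as libnss_<service>.so.2, so the unversioned
# libnss_winbind.so alone is not enough. -e follows symlinks, so a dangling
# .so.2 link fails as well.
nss_module_ok() {
    [ -e "$1/lib/libnss_winbind.so.2" ]
}

# Exit status: 0 consistent, 1 winbind listed but module missing or dangling,
# 2 winbind not listed for passwd or group.
check_winbind_nss() {
    root="${1:-/}"
    root="${root%/}"
    dbs=$(winbind_databases "$root" | tr '\n' ' ')
    if [ -z "$dbs" ]; then
        echo "nsswitch.conf: winbind not listed for passwd or group"
        return 2
    fi
    if ! nss_module_ok "$root"; then
        echo "winbind listed for: ${dbs}but $root/lib/libnss_winbind.so.2 is missing or dangling"
        return 1
    fi
    echo "ok: winbind listed for: ${dbs}and libnss_winbind.so.2 resolves"
    return 0
}
```

Calling `check_winbind_nss` with no argument checks the running system. It does not detect the mismatched libnss_winbind.so and winbindd builds mentioned above, only the missing or broken link.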


