Winbind on Solaris 2.6 problem

knoxth at cch.com knoxth at cch.com
Tue Dec 11 09:52:06 GMT 2001


Hello,

We have an E4500 running Solaris 2.6 that we wish to use to serve filesystems
via Samba. I have compiled and installed Samba 2.2.2 on this machine.

The issue that we are having is with winbindd. We have an NT4 domain controller
that we want to authenticate users against for security and file-system lockdown
purposes, while inconveniencing the end users as little as possible. In my
/usr/local/samba/lib/smb.conf file I have the lines:

        winbind uid = 20000-30000
        winbind gid = 20000-30000
        winbind separator = \
        winbind cache time = 60
        template homedir = /users/%U
        template shell = /usr/bin/ksh

and /etc/nsswitch.conf contains the lines:

passwd:     files winbind
group:      files winbind

/etc/pam.conf looks like:

#ident  "@(#)pam.conf 1.19     95/11/30 SMI"
#
# PAM configuration
#
# Authentication management
#
login   auth sufficient /usr/lib/security/pam_winbind.so
login   auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
login   auth required   /usr/lib/security/pam_dial_auth.so.1 try_first_pass
#
rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin  auth sufficient /usr/lib/security/pam_winbind.so
rlogin  auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
#
dtlogin auth sufficient /usr/lib/security/pam_winbind.so
dtlogin auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
#
rsh     auth required   /usr/lib/security/pam_rhosts_auth.so.1
other   auth sufficient /usr/lib/security/pam_winbind.so
other   auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
#
# Account management
#
login   account sufficient      /usr/lib/security/pam_winbind.so
login   account required        /usr/lib/security/pam_unix.so.1
dtlogin account sufficient      /usr/lib/security/pam_winbind.so
dtlogin account required        /usr/lib/security/pam_unix.so.1
#
other   account sufficient      /usr/lib/security/pam_winbind.so
other   account required        /usr/lib/security/pam_unix.so.1
#
# Session management
#
other   session required        /usr/lib/security/pam_unix.so.1
#
# Password management
#
other   password sufficient     /usr/lib/security/pam_winbind.so
other   password required       /usr/lib/security/pam_unix.so.1
#
# Solaris Resource Manager 1.0
#
login account requisite pam_srm.so.1  nolnode=/etc/srm/nolnode
other account requisite pam_srm.so.1  nolnode=/etc/srm/nolnode
other session requisite pam_srm.so.1

I have copied pam_winbind.so to /lib/security and libnss_winbind.so to /lib and
created 2 soft-links in ./lib to libnss_winbind.so named libnss_winbind.so.1 and
libnss_winbind.so.2.

When I try to run "/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U
Administrator" (where DOMAIN and PDC are our domain name and Primary Domain
Controller respectively), I get the error messages:

INFO: Debug class all level = 3   (pid 3797 from pid 3797)
added interface ip=XXX.XXX.XXX.XXX bcast=XXX.XXX.XXX.XXX nmask=XXX.XXX.XXX.XXX
Password:
resolve_lmhosts: Attempting lmhosts lookup for name PDC<0x20>
resolve_hosts: Attempting host lookup for name PDC<0x20>
Connecting to XXX.XXX.XXX.XXX at port 139
session setup ok
Domain=[DOMAIN] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
Unable to join domain DOMAIN.

I know that the password used is valid and OK.

Has anyone gotten this to work? Management is really pushing for access control
for this.

Thanks!
Tom





