[Samba] Winbind trouble. Wbinfo see's users, "getent passwd" doesn't

Buchan Milne bgmilne at cae.co.za
Thu Jul 25 04:19:02 GMT 2002

Hash: SHA1

| Message: 8
| From: Colin Davis <ColinD at traininghott.com>
| To: "'samba at lists.samba.org'" <samba at lists.samba.org>
| Date: Wed, 24 Jul 2002 10:46:11 -0400
| Subject: [Samba] Winbind trouble. Wbinfo see's users,  "getent passwd"
| I'm trying to set up a new fileshare, to replace an aging NT4 machine
| been using for far too long.
| I'd like to run Linux (RedHat 7.3) on the machine.
| Basically, I'm trying to create a fileshare "files" that people can
| transparently log in to from NT4 and Windows 2000 workstations. My
boss has
| approved the use of Linux for the server, but only if I can make it
| transparent to the users.
| (which means that they shouldn't need to enter anything special to use it.
| just the standard domain username/password)

Well, even that shouldn't be necessary.

| Our workstations are authenticating off of the domain, which has a Primary
| Domain Controller of HOTT-Main. I want to create several shared
folders that
| any one can write to, for dumping files, but also several directories that
| are user-specific.
| This means that I need to import the NT4 domain list. I'm using winbind to
| try to do this, but having some trouble.
| I set up both Samba and Winbind, but I don't think that winbind is working
| correctly, and I'm trying to figure out what I missed.
| when I do a "wbinfo -u"
| I get a list get a list of domain users, but "getent passwd" it just lists
| the unix users, and not the NT users.

That narrows it down to either your nsswitch.conf file, or your
libnss_winbind.so* files

| What adds to my confusion is that the groups (including the domain
| can be listed with "getent group"

That narrows it down to your nsswitch.conf file.

| Do you have any suggestions on why this might be happening? Could it be
| because I'm using shadow passwords?
| I'd appreciate any advice you could offer.
| (I'm having a hard time figuring out what is wrong, and it's starting  to
| become tempting to just write a perl script to parse the "wbinfo -u" info,
| and put it into the /etc/passwd file, but that seems unnecessarily messy)
| My smb.conf looks like the following
| [global]
|         password server = *
|         wins server = {ip address of wins server}
|         remote announce = {ip address of wins server}
|         winbind uid = 10000-20000service=system-auth
|         security = domain
|         encrypt passwords = Yes
|         winbind separator = +

For a file server, you may want to comment out "winbind seperator =", so
that it uses the default of "\", and will be totally transparent. You
may also want to try "winbind use default domain = yes" if you have
2.2.4 or later.

|         template shell = /bin/bash
|         server string = Fileshare
|         workgroup = DOMAINNAME
|         winbind gid = 10000-20000
|         winbind enum groups = yes
|         netbios name = Files
|         winbind enum users = yes
| {shares go here}
| /etc/nsswitch.conf contains
| passwd:     files windbind
~                       ^
It should be:
passwd:     files winbind

| shadow:     files  nisplus
| group:      files winbind
~                    ^^^^^^^
That's why your groups work, but users don't.

| /etc/pam.d/login looks like
| #%PAM-1.0
| auth       required     /lib/security/pam_securetty.so
| auth       required     /lib/security/pam_stack.so service=system-auth
| auth       required     /lib/security/pam_nologin.so
| account    required     /lib/security/pam_stack.so service=system-auth
| password   required     /lib/security/pam_stack.so service=system-auth
| session    required     /lib/security/pam_stack.so service=system-auth
| session    optional     /lib/security/pam_console.so
| account   sufficient /lib/security/pam_winbind.so
| session   required   /lib/security/pam_mkhomedir.so skel=/etc/skel/
| umask=0022

If you need login to work also, you have a tough choice between using +
and \ as winbind seperator ...

| finally, /etc/pam.d/samba
| #%PAM-1.0
| auth       required     pam_securetty.so
| auth       required     pam_nologin.so
| auth       sufficient   pam_winbind.so
| auth       required     pam_pwdb.so use_first_pass shadow nullok
| account    required     pam_winbind.so  service=system-auth
~                                          ^^^^^^^^^^^^^^^^^^^
This is not going to do anything useful! (although it shouldn't be a

| session    required     pam_stack.so service=system-auth
| password   required     pam_stack.so service=system-auth

You could also do better to try the system-auth-winbind.pamd file that
is in packaging/Mandrake, and either use it to replace
/etc/pam.d/system-auth, or copy it to /etc/pam.d/system-auth-winbind,
and replace the "service=system-auth" with "service=system-auth-winbind"

And finally, if your /etc/pam.d/samba file uses pam_mkhomedir (either
directly or via pam_stack), you will probably want to have "obey pam
restrictions = yes" in your smb.conf, so that samba can create home
directories when users connect the first time (just remember to make the
parent directory of the homes specified in your template). This will
give you instant personal shares like you mentioned above.

Of course, you may rather just want to spare yourself the effort, and
install Mandrake 8.2 with the updated samba RPMs for Mandrake from
ftp.samba.org, since installing samba-winbind will do most of this for
you, and there is a surprise coming in Mandrake 9.0!


- --
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the samba mailing list