[Samba] Winbind trouble. Wbinfo see's users, "getent passwd"
doesn't
Buchan Milne
bgmilne at cae.co.za
Thu Jul 25 04:19:02 GMT 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
| Message: 8
| From: Colin Davis <ColinD at traininghott.com>
| To: "'samba at lists.samba.org'" <samba at lists.samba.org>
| Date: Wed, 24 Jul 2002 10:46:11 -0400
| Subject: [Samba] Winbind trouble. Wbinfo see's users, "getent passwd"
doesn't
|
| I'm trying to set up a new fileshare, to replace an aging NT4 machine
we've
| been using for far too long.
| I'd like to run Linux (RedHat 7.3) on the machine.
|
| Basically, I'm trying to create a fileshare "files" that people can
| transparently log in to from NT4 and Windows 2000 workstations. My
boss has
| approved the use of Linux for the server, but only if I can make it
| transparent to the users.
| (which means that they shouldn't need to enter anything special to use it.
| just the standard domain username/password)
Well, even that shouldn't be necessary.
|
| Our workstations are authenticating off of the domain, which has a Primary
| Domain Controller of HOTT-Main. I want to create several shared
folders that
| any one can write to, for dumping files, but also several directories that
| are user-specific.
| This means that I need to import the NT4 domain list. I'm using winbind to
| try to do this, but having some trouble.
|
| I set up both Samba and Winbind, but I don't think that winbind is working
| correctly, and I'm trying to figure out what I missed.
| when I do a "wbinfo -u"
| I get a list get a list of domain users, but "getent passwd" it just lists
| the unix users, and not the NT users.
That narrows it down to either your nsswitch.conf file, or your
libnss_winbind.so* files
| What adds to my confusion is that the groups (including the domain
groups!)
| can be listed with "getent group"
That narrows it down to your nsswitch.conf file.
|
| Do you have any suggestions on why this might be happening? Could it be
| because I'm using shadow passwords?
| I'd appreciate any advice you could offer.
|
| (I'm having a hard time figuring out what is wrong, and it's starting to
| become tempting to just write a perl script to parse the "wbinfo -u" info,
| and put it into the /etc/passwd file, but that seems unnecessarily messy)
|
| My smb.conf looks like the following
|
| [global]
| password server = *
| wins server = {ip address of wins server}
| remote announce = {ip address of wins server}
| winbind uid = 10000-20000service=system-auth
| security = domain
| encrypt passwords = Yes
| winbind separator = +
For a file server, you may want to comment out "winbind seperator =", so
that it uses the default of "\", and will be totally transparent. You
may also want to try "winbind use default domain = yes" if you have
2.2.4 or later.
| template shell = /bin/bash
| server string = Fileshare
| workgroup = DOMAINNAME
| winbind gid = 10000-20000
| winbind enum groups = yes
| netbios name = Files
| winbind enum users = yes
|
| {shares go here}
|
| /etc/nsswitch.conf contains
|
| passwd: files windbind
~ ^
It should be:
passwd: files winbind
| shadow: files nisplus
| group: files winbind
~ ^^^^^^^
That's why your groups work, but users don't.
|
| /etc/pam.d/login looks like
| #%PAM-1.0
| auth required /lib/security/pam_securetty.so
| auth required /lib/security/pam_stack.so service=system-auth
| auth required /lib/security/pam_nologin.so
| account required /lib/security/pam_stack.so service=system-auth
| password required /lib/security/pam_stack.so service=system-auth
| session required /lib/security/pam_stack.so service=system-auth
| session optional /lib/security/pam_console.so
| account sufficient /lib/security/pam_winbind.so
| session required /lib/security/pam_mkhomedir.so skel=/etc/skel/
| umask=0022
If you need login to work also, you have a tough choice between using +
and \ as winbind seperator ...
|
| finally, /etc/pam.d/samba
|
| #%PAM-1.0
| auth required pam_securetty.so
| auth required pam_nologin.so
| auth sufficient pam_winbind.so
| auth required pam_pwdb.so use_first_pass shadow nullok
| account required pam_winbind.so service=system-auth
~ ^^^^^^^^^^^^^^^^^^^
This is not going to do anything useful! (although it shouldn't be a
problem.
| session required pam_stack.so service=system-auth
| password required pam_stack.so service=system-auth
You could also do better to try the system-auth-winbind.pamd file that
is in packaging/Mandrake, and either use it to replace
/etc/pam.d/system-auth, or copy it to /etc/pam.d/system-auth-winbind,
and replace the "service=system-auth" with "service=system-auth-winbind"
And finally, if your /etc/pam.d/samba file uses pam_mkhomedir (either
directly or via pam_stack), you will probably want to have "obey pam
restrictions = yes" in your smb.conf, so that samba can create home
directories when users connect the first time (just remember to make the
parent directory of the homes specified in your template). This will
give you instant personal shares like you mentioned above.
Of course, you may rather just want to spare yourself the effort, and
install Mandrake 8.2 with the updated samba RPMs for Mandrake from
ftp.samba.org, since installing samba-winbind will do most of this for
you, and there is a surprise coming in Mandrake 9.0!
Buchan
- --
|----------------Registered Linux User #182071-----------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE9P95jrJK6UGDSBKcRAuI8AJ9FCNWTOot8EPnctecl1yIlm4DkGwCaAz/i
bvXz54HNbqGicV9salFzB8o=
=AeA8
-----END PGP SIGNATURE-----
More information about the samba
mailing list