[Samba] passwd command problem with Solaris/winbind/pam

DeStefano, Paul Paul.DeStefano at nwdc.ibs-lmco.com
Fri Nov 8 18:29:59 GMT 2002


Hello Stephen and All,

Yes, I think so.  Someone I know had a good idea and it worked out pretty
well.

My understanding of the problem:  Solaris /usr/bin/passwd doesn't tolerate
the "winbind" nameservice in /etc/nsswitch.conf.

His solution:  Only use winbind resolution for samba, and leave passwd and
the rest of Solaris alone.  We can accomplish this using library
interposition on samba (and any process which requires winbind resolution).
Like overloading operators, you can override the normal system calls linked
when smbd loads.  (I'd never heard of interposers before, but always
wondered when I'd get to use LD_PRELOAD.  Whee.)  Some info:
http://www.itworld.com/AppDev/1006/UIR000929interposers/.

Here's the skinny.  He wrote an interposer library for fopen(2) that opens
/usr/local/samba/lib/nsswitch.conf instead of /etc/nsswitch.conf.  So,
basically, if arg=/etc/nsswitch.conf, return this other file instead.  We
LD_PRELOAD-ed it for smbd and winbindd, and removed winbind from the "real"
nsswitch.conf.  Now, smbd (and winbindd, though I don't think it needs it)
gets name resolution through winbind because it thinks winbind is in
nsswitch.conf, BUT NOTHING ELSE does.  This has the side benefit that logins
and utilities like 'finger' do not have to perform winbind resolution
either, so they're fast, again.  (We're not using the Samba PAM module; we
don't let Windows Domain users login to our Solaris box, so we don't need to
have winbind resolution in the normal utilities.  We just use winbind to
authenticate users when accessing samba shares.)

Now, one problem.  nscd (Name Service Caching Daemon) will now run!  That
sounds good, right, because normally when winbind is in nsswitch.conf, nscd
bails?  Well, when nscd is running, name resolution is done by nscd, NOT the
application, so our fopen(2) override is ineffective.  nscd doesn't crash,
but doesn't resolve through winbind either, so smbd fails to lookup Windows
Domain accounts.  Solution: turn off nscd, easy as that.

Okay, so that's what we did.  We're satisfied with it.  If you don't need
nscd, I think you will be too.  Your reactions are eagerly anticipated!

I bet I can convince my friend to post the source, if you really want it.
But I encourage you to write your own interposer; it's pretty easy and maybe
you'll notice something we didn't.

__
Paul DeStefano


-----Original Message-----
From: Michaels, Stephen P. [mailto:Steve.Michaels at jhuapl.edu]
Sent: November 04, 2002 9:45 AM
To: 'samba at lists.samba.org.'
Subject: [Samba] passwd command problem with Solaris/winbind/pam


Hi-
I am running Samba 2.2.5 on Solaris 8 with winbind and pam configured. I
have the following in my nsswitch.conf:

passwd:     files winbind
group:      files winbind

Now local users on the Solaris 8 machine cannot change there password using
the passwd command:
Here is the sample output:

# passwd michasp1
Enter new password: 
Enter new password again: 
Supported configurations for passwd management are as follows:
    passwd: files
    passwd: files ldap
    passwd: files nis
    passwd: files nisplus
    passwd: compat
    passwd: compat AND
    passwd_compat: ldap OR
    passwd_compat: nisplus
Please check your /etc/nsswitch.conf file
Permission denied
#

Does anybody have a workaround solution for this or I am doing something
wrong?
Thanks



Stephen P. Michaels
ISS-1 Server Systems Group
The Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Rd. 
Laurel, MD. 20723-6099
(443) 778-7527



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba




More information about the samba mailing list