[Samba] RE: Winbind on HPUX 11, some small progress

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Wed Feb 5 16:53:23 GMT 2003


Hi Miles,
This sounds like a

PAM_USER_UNKNOWN        13

error, which would indicate that the winbind daemon did its job (i.e. passed
the username and password to the password server, and got validation back
that the user is authenticated), but then when it went thru the nsswitch
stuff to 'look up' the user, that failed.
Kinda weird.  I don't have your original post, but I'm assuming that you
have

passwd: files winbind
group: files winbind

in your /etc/nsswitch.conf file
and that you have working links to the winbind nss code (look something
like this):

46 Aug 27 11:16 /usr/lib/libnss_winbind.1 -> /usr/local/samba/lib/winbind/libnss_winbind.so


To verify that your nsswitch code is working, compile the getent.c program I
have attached to this message, and then verify that you can get an
appropriate uid/gid back for a user defined on your NT password server in
the following manner:

getent passwd <domainname><domainseparator><username>

(for instance on my system, I use '+' as winbind domain separator, and my
domain is atl-wtec, so: getent passwd atl-wtec+administrator returns me the
'passwd' entry faked up from the NT domain controller I am a member of).

Just a thought,
Don

> -----Original Message-----
> From: Miles Roper [mailto:mroper at westcoastdhb.org.nz]
> Sent: Tuesday, February 04, 2003 21:28
> To: 'MCCALL,DON (HP-USA,ex1)'; samba-technical at lists.samba.org;
> 'samba at lists.samba.org'; 'Esh, Andrew'; 'Ronan Waide';
> michael_steffens at bbn.exch.hp.com; 'Richard Sharpe'; 'John H Terpstra';
> Kim (E-mail)
> Subject: Winbind on HPUX 11, some small progress
> 
> 
> Hi All,
> 
> Well, I've managed to enable some debugging in syslog, I had to put in
> /etc/syslog.conf
> 
> ;*.debug
> 
> on the syslog line.
> 
> So at least I have an error which is being returned into syslog from
> winbind.
> 
> This is what I get from winbind
> 
> Feb  4 21:13:17 coastdr pam_winbind[20753]: Verify user `lonnie'
> Feb  4 21:13:18 coastdr pam_winbind[20753]: user 'lonnie' granted acces
> Feb  4 21:13:18 coastdr pam_winbind[20753]: LOGIN: exiting with return code 13
> 
> This is what I get from pamsmb (ignore the dates, they are a bit funny for
> some reason)
> 
> Feb  5 14:53:55 coastdr pamsmbd[20119]: server: remote auth user unix:traininguser nt:traininguser NTDOM:WESTCOASTDHB PDC:COASTDB BDC:
> Feb  5 14:53:55 coastdr pamsmbd[20119]: cache_add: inserted entry
> Feb  4 20:53:55 coastdr : pamsmbd: Got something back... 0
> Feb  4 20:53:55 coastdr : pam_smb: got back 0 username traininguser
> Feb  4 20:53:55 coastdr : LOGIN: exiting with return code 13
> 
> So the error with pamsmb and winbind is the same.  I've done a man on login
> and can only find a description of errors, not the error codes.  What is
> error code 13?  If I can find that out it will make looking for it a bit
> easier.  I thought it might be that the shell doesn't exist, but I tried
> making a user with an invalid shell and get back error code 1, so it's not
> that.
> 
> Ideas?
> 
> Cheers
> 
> Miles
> 
> 
> -----Original Message-----
> From: Miles Roper 
> Sent: Monday, 3 February 2003 08:54 a.m.
> To: 'MCCALL,DON (HP-USA,ex1)'
> Cc: 'samba-technical at lists.samba.org'; 'samba at lists.samba.org'; Esh,
> Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); 'Richard
> Sharpe'; 'John H Terpstra'
> Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
> 
> 
> Thanks for your help, still no luck though.  More info for you.
> 
> With no debug statements in my /etc/pam.conf I get in sys log the following.
> 
> Feb  2 14:43:02 coastdr pam_winbind[2832]: user 'traininguser' granted acces
> 
> With debug turned on I get
> 
> Feb  2 14:47:49 coastdr pam_winbind[2839]: Verify user `traininguser'
> Feb  2 14:47:49 coastdr pam_winbind[2839]: user 'traininguser' granted acces
> 
> The user is still logging out.
> 
> Incidentally, when I log in as a unix user, rather than a win2k user I
> don't get anything in sys log.  I've included my pam.conf below.
> 
> Also, I checked for /etc/shells, no such file, and I have set my smb.conf
> shell line to
> 
> template shell = /sbin/sh
> 
> and also tried
> 
> template shell = /usr/bin/sh
> 
> both files exist.
> 
> #
> # PAM configuration
> #
> # Authentication management
> #
> login    auth sufficient        /usr/lib/security/libpam_unix.1 debug
> login    auth sufficient        /usr/lib/security/libpam_winbind.1 debug
> #login   auth sufficient        /usr/lib/security/libpam_smb.1 nolocal debug
> su       auth required  /usr/lib/security/libpam_unix.1 debug
> dtlogin  auth required  /usr/lib/security/libpam_unix.1 debug
> dtaction auth required  /usr/lib/security/libpam_unix.1 debug
> ftp      auth required  /usr/lib/security/libpam_unix.1 debug
> OTHER    auth required  /usr/lib/security/libpam_unix.1 debug
> #
> # Account management
> #
> login    account sufficient     /usr/lib/security/libpam_unix.1 debug
> login    account sufficient     /usr/lib/security/libpam_winbind.1 debug
> su       account required       /usr/lib/security/libpam_unix.1 debug
> dtlogin  account required       /usr/lib/security/libpam_unix.1 debug
> dtaction account required       /usr/lib/security/libpam_unix.1 debug
> ftp      account required       /usr/lib/security/libpam_unix.1 debug
> #
> OTHER    account required       /usr/lib/security/libpam_unix.1 debug
> #
> # Session management
> #
> login    session sufficient     /usr/lib/security/libpam_unix.1 debug
> login    session sufficient     /usr/lib/security/libpam_winbind.1 debug
> dtlogin  session required       /usr/lib/security/libpam_unix.1 debug
> dtaction session required       /usr/lib/security/libpam_unix.1 debug
> OTHER    session required       /usr/lib/security/libpam_unix.1 debug
> #
> # Password management
> #
> login    password sufficient    /usr/lib/security/libpam_unix.1 debug
> login    password sufficient    /usr/lib/security/libpam_winbind.1 debug
> passwd   password required      /usr/lib/security/libpam_unix.1 debug
> passwd   password required      /usr/lib/security/libpam_winbind.1 debug
> dtlogin  password required      /usr/lib/security/libpam_unix.1 debug
> dtaction password required      /usr/lib/security/libpam_unix.1 debug
> OTHER    password required      /usr/lib/security/libpam_unix.1 debug
> 
> Cheers
> 
> Miles
> 
> -----Original Message-----
> From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at hp.com]
> Sent: Saturday, 1 February 2003 04:53 a.m.
> To: 'John H Terpstra'; Miles Roper
> Cc: 'samba-technical at lists.samba.org'; 'samba at lists.samba.org'; Esh,
> Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); MCCALL,DON
> (HP-USA,ex1); 'Richard Sharpe'
> Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
> 
> 
> Hi, Miles,
> Actually on HP-UX, you will need to add the word 'debug' at the end of each
> of the lines in your /etc/pam.conf file, to enable more debugging to go into
> the /var/adm/syslog/syslog.log file.
> 
> One thing that I have seen something like this happen on is if the
> /etc/shells file is corrupt, or if the shell that is defined for the user
> (since they don't have a /etc/passwd entry, this would be whatever you put
> in template in the smb.conf) does not exactly match one of the lines in
> /etc/shells, or the defaults, if this file does not exist.
> The defaults for 11.0 are:
> 
> 
> 
>                                     /sbin/sh
>                                     /usr/bin/sh
>                                     /usr/bin/rsh
>                                     /usr/bin/ksh
>                                     /usr/bin/rksh
>                                     /usr/bin/csh
>                                     /usr/bin/keysh
> 
> Hope this helps,
> Don
> > -----Original Message-----
> > From: John H Terpstra [mailto:jht at samba.org]
> > Sent: Friday, January 31, 2003 1:36
> > To: Miles Roper
> > Cc: 'samba-technical at lists.samba.org'; 'samba at lists.samba.org'; Esh,
> > Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); 'MCCALL,DON
> > (HP-USA,ex1)'; 'Richard Sharpe'
> > Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
> > 
> > 
> > On Fri, 31 Jan 2003, Miles Roper wrote:
> > 
> > > Hi Everyone,
> > >
> > > I'm forgetting about the password one at the moment, thanks for all your
> > > input :o)
> > >
> > > I still don't have a clue how to solve my main problem.  I'm assuming that
> > > it's not actually winbind related now, as I've recently tried pam_smb and get
> > > the same basic problem.
> > >
> > > Basically, when I log into the UNIX box, the username/password of an NT user
> > > is being authenticated, but doesn't actually log in.  It doesn't get past
> > > the password line.  I know it accepts the password.  It's almost as if it
> > > can't find the shell.  But the template variable is set within the smb.conf
> > > file.  Permissions are fine.  I have exactly the same problem with the
> > > pam_smb module.
> > 
> > So what does PAM report into your /var/log files?
> > 
> > Have you tried adding to each line in your /etc/pam.d/login (after the .so
> > file name) the word 'audit' - this will increase the volume of debugging
> > info spit out into /var/log/messages, or wherever PAM sends this on your
> > distro.
> > 
> > - John T.
> > 
> > >
> > > If there is any further information I can send let me know.
> > >
> > > Ideas?
> > >
> > > Thanks
> > >
> > > Miles
> > >
> > >
> > > -----Original Message-----
> > > From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at hp.com]
> > > Sent: Friday, 31 January 2003 07:06 a.m.
> > > To: STEFFENS,MICHAEL (HP-Germany,ex1); Ronan Waide
> > > Cc: 'samba at lists.samba.org'; Esh, Andrew; Miles Roper;
> > > 'samba-technical at lists.samba.org'; 'Richard Sharpe'
> > > Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
> > >
> > >
> > > Hi Everyone,
> > > This whole problem with the password command not working when winbind
> > > is included as a method in the nsswitch.conf can probably be worked around
> > > by simply using the -r files (or -r nis or -r nisplus) switch.  Take a look
> > > at the man page for passwd on HP-UX 11.x and see if this won't help you
> > > out.
> > > Hope this helps,
> > > Don
> > >
> > > > -----Original Message-----
> > > > From: Michael Steffens [mailto:michael.steffens at hp.com]
> > > > Sent: Tuesday, January 28, 2003 11:52
> > > > To: Ronan Waide
> > > > Cc: 'samba at lists.samba.org'; Esh, Andrew; Miles Roper;
> > > > 'samba-technical at lists.samba.org'; 'Richard Sharpe'
> > > > Subject: Re: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
> > > >
> > > >
> > > > Ronan Waide wrote:
> > > > > On January 28, Andrew_Esh at adaptec.com said:
> > > > >
> > > > >>I don't have HPUX, so I don't know what to suggest for that. I just know
> > > > >>getent won't work without winbindd in nsswitch.conf on Linux.
> > > > >
> > > > >
> > > > > I think the point that was being made is that NSS support on HPUX only
> > > > > supports a few known types, of which one is LDAP. The discussion was
> > > > > basically about faking out the system so that what it thinks is LDAP
> > > > > is actually winbind.
> > > >
> > > > Yep. It's a HP-UX specific workaround. Please ignore it
> > > > everywhere else.
> > > >
> > > > Michael
> > > >
> > > >
> > >
> > 
> > -- 
> > John H Terpstra
> > Email: jht at samba.org
> > 
> 
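
The two checks from the reply at the top of this message (winbind listed for passwd and group in /etc/nsswitch.conf, then a name lookup through NSS), as an added example that is not part of the original thread and is not the getent.c attachment it mentions. The function names nss_db_has_source and nss_lookup_user are hypothetical, and the 8 KB buffer size is an assumption.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if database `db` in nsswitch.conf text `conf` lists `source`; comments are skipped. */
int nss_db_has_source(const char *conf, const char *db, const char *source)
{
    size_t dblen = strlen(db), srclen = strlen(source);
    for (const char *line = conf; line && *line; ) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *hash = memchr(line, '#', (size_t)(end - line));
        const char *p = line;
        if (hash) end = hash;                      /* ignore trailing comment */
        while (p < end && isspace((unsigned char)*p)) p++;
        if ((size_t)(end - p) > dblen && !strncmp(p, db, dblen) && p[dblen] == ':') {
            for (p += dblen + 1; p < end; ) {      /* walk whitespace-separated sources */
                while (p < end && isspace((unsigned char)*p)) p++;
                const char *tok = p;
                while (p < end && !isspace((unsigned char)*p)) p++;
                if ((size_t)(p - tok) == srclen && !strncmp(tok, source, srclen))
                    return 1;
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Resolve `name` through the C library's NSS path; print a passwd-style line and return 1, else 0. */
int nss_lookup_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (!pw) return 0;
    printf("%s:%ld:%ld:%s:%s\n", pw->pw_name, (long)pw->pw_uid, (long)pw->pw_gid, pw->pw_dir, pw->pw_shell);
    return 1;
}

int main(int argc, char **argv)
{
    static char conf[8192];                        /* assumed large enough for the file */
    FILE *f = fopen("/etc/nsswitch.conf", "r");
    size_t n = f ? fread(conf, 1, sizeof conf - 1, f) : 0;
    if (f) fclose(f);
    conf[n] = '\0';
    printf("passwd lists winbind: %d\n", nss_db_has_source(conf, "passwd", "winbind"));
    printf("group lists winbind:  %d\n", nss_db_has_source(conf, "group", "winbind"));
    if (argc > 1 && !nss_lookup_user(argv[1]))
        printf("%s: no passwd entry returned by NSS\n", argv[1]);
    return 0;
}
```

Run it with the domain-qualified name as the argument, in the same form the reply gives for getent (domain, separator, username).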


