[Samba] Winbind on HPUX11, Totally Stuck, Please Help

Miles Roper mroper at westcoastdhb.org.nz
Mon Jan 27 01:13:37 GMT 2003


/usr/local/samba/bin/wbinfo -g
 
I get all the groups
 
/usr/local/samba/bin/wbinfo -r user1
 
returns all the guids for user1
 
/usr/local/samba/bin/wbinfo -g xxxx 
 
doesn't seem to make any difference, returns all the groups.

-----Original Message-----
From: Jennifer Fountain [mailto:JFountain at rbinc.com]
Sent: Monday, 27 January 2003 02:05 p.m.
To: Miles Roper; samba at lists.samba.org; samba-technical at lists.samba.org
Subject: RE: [Samba] Winbind on HPUX11, Totally Stuck, Please Help


Miles,
I run samba (winbind) on hpux11 as well. Do you have this problem: when you
type $groups, you only get domain admins and no other groups, or if you type
groups user1, you get no groups?  But when you type ./wbinfo -g jfountain,
you get all the groups in the gid format?  I am almost ready to give up and
install it on linux! :(
Jenn

-----Original Message----- 
From: Miles Roper [mailto:mroper at westcoastdhb.org.nz] 
Sent: Sun 1/26/2003 7:59 PM 
To: 'samba at lists.samba.org'; 'samba-technical at lists.samba.org' 
Cc: 
Subject: [Samba] Winbind on HPUX11, Totally Stuck, Please Help



Hi,

I've been trying to get winbind working on HP-UX for several years now. I
try for a while with the new releases, then after I get stuck I give up.
I've tried posting several times on the net to different news groups but had
few responses.

Well, I'm trying again now, with the samba 2.7a release, and after spending
several days on it, I'm nearly ready to give up.  I've gotten further this
time than ever before but I've pretty much exhausted all options.  I've
spent hours looking on the net for any help, and basically I'm totally
stuck.

I've actually managed to get it to compile, using

./configure \
--prefix=/usr/local/samba \
--localstatedir=/usr/local/samba \
--with-msdfs \
--with-winbind \
--with-pam \
--with-winbind-auth-challenge

modifying in configure

if test $ac_cv_prog_cc_Ae = yes; then
                                 BLDSHARED="true"
                                 SHLD="/usr/bin/ld"
                                 LDSHFLAGS="-B symbolic -b -z"
                                 PICFLAG="+z"
fi

change to

#if test $ac_cv_prog_cc_Ae = yes; then
                                 BLDSHARED="true"
                                 SHLD="/usr/bin/ld"
                                 LDSHFLAGS="-B symbolic -b -z"
#                                 PICFLAG="+z"
#fi

and in
/usr/local/lib/gcc-lib/hppa2.0n-hp-hpux11.00/3.1/include/stdio.h
BEFORE
  extern int snprintf(char *, _hpux_size_t, char *,...);
AFTER
      extern int snprintf(char *, _hpux_size_t, const char *,...);

I can do a wbinfo -u and get the user names, and a wbinfo -g returns the
groups.  I had to specify the password to use first with

wbinfo -A user%password

I also joined the domain successfully with

smbpasswd -j DOMAIN -r PDC -U Administrator

Ok, here are my problems. 

1) When I try to change the password of an NT user, using passwd, the OS
can't find the user id, i.e.

coastdr: /mnt/1/samba/samba-2.2.7a/source> passwd traininguser
Changing password for traininguser
(current) NT password:
Enter new NT password:
Retype new NT password:
Invalid login name.

If I use an invalid password I get in syslog

Jan 27 13:43:38 coastdr pam_winbind[3507]: request failed, PAM error was 9,
NT error was NT_STATUS_WRONG_PASSWORD
Jan 27 13:43:38 coastdr pam_winbind[3507]: user `traininguser' denied access
(incorrect password)

however, if I enter the correct (current) password

Jan 27 13:45:24 coastdr pam_winbind[3513]: user 'traininguser' granted acces
Jan 27 13:45:28 coastdr pam_winbind[3513]: request failed, PAM error was 9,
NT error was NT_STATUS_WRONG_PASSWORD

Now, I've set

/etc/nsswitch.conf to

hosts: dns     [NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue] files
[
passwd: files ldap
group: files ldap

Notice it is ldap, rather than winbind.  The reason for this is, if you set
it to winbind you get an error about not being a supported type, i.e. it must
be nis, ldap or files.

I've set a symbolic link from /lib/libnss_ldap.1 to
/lib/libnss_winbind.1

2) I can't su

When I try to su from a command line to a win 2k user using either
WESTCOASTDHB+traininguser or traininguser

Unknown id: WESTCOASTDHB+traininguser

or

Unknown id: traininguser

3) I can't log into the unix box as a win 2k user.  When I try, the best I
get is it seems to accept the password, but doesn't actually log in.  It
exits straight back out.  If I enter a wrong user name or account it says
login incorrect, so it seems to work ok, and I'm getting this in syslog.

Jan 26 19:30:49 coastdr pam_winbind[3414]: Verify user `traininguser'
Jan 26 19:30:49 coastdr pam_winbind[3414]: user 'traininguser' granted acces

Could it be because the home directory doesn't exist?  I've actually tried
setting it to a valid template homedir but still get the same problem.  Does
the home directory need to be created each time with a PAM module?  I've seen
one for Linux and had a brief attempt at getting this to compile under hpux,
but it didn't work.  I've seen no documentation about this, so I thought
you must not need to.

my smb.conf file is as follows.

[global]

   workgroup = WESTCOASTDHB
   server string = Samba Server
   log file = /usr/local/samba/log.%m
   max log size = 1000
   security = domain
   password server = coastdb
  encrypt passwords = yes
   socket options = TCP_NODELAY
   local master = no
   username map = /usr/local/samba/lib/users.map

   read only = no
   preserve case = yes
   short preserve case = no
   dos filetime resolution = yes
   syslog = 0

 winbind uid = 10000-65000
 winbind gid = 10000-65000
 template homedir = /home/%U
 template shell = /usr/bin/sh

 winbind separator = +
 winbind use default domain = true

[homes]
   comment = Home Directories
   browseable = yes
   writable = yes
   create mode = 0664


my pam.conf file is

#
# PAM configuration
#
# Authentication management
#
login    auth sufficient  /usr/lib/security/libpam_winbind.1
login    auth required  /usr/lib/security/libpam_unix.1 use_first_pass
su       auth required  /usr/lib/security/libpam_unix.1
su       auth required  /usr/lib/security/libpam_winbind.1 use_first_pass
dtlogin  auth required  /usr/lib/security/libpam_unix.1
dtaction auth required  /usr/lib/security/libpam_unix.1
ftp      auth required  /usr/lib/security/libpam_unix.1
OTHER    auth required  /usr/lib/security/libpam_unix.1
#
# Account management
#
login    account required       /usr/lib/security/libpam_unix.1
login    account sufficient     /usr/lib/security/libpam_winbind.1
su       account required       /usr/lib/security/libpam_unix.1
su       account required       /usr/lib/security/libpam_winbind.1
dtlogin  account required       /usr/lib/security/libpam_unix.1
dtaction account required       /usr/lib/security/libpam_unix.1
ftp      account required       /usr/lib/security/libpam_unix.1
#
OTHER    account required       /usr/lib/security/libpam_unix.1
#
# Session management
#
login    session required       /usr/lib/security/libpam_unix.1
dtlogin  session required       /usr/lib/security/libpam_unix.1
dtaction session required       /usr/lib/security/libpam_unix.1
OTHER    session required       /usr/lib/security/libpam_unix.1
#
# Password management
#
login    password required      /usr/lib/security/libpam_unix.1
passwd   password sufficient    /usr/lib/security/libpam_winbind.1
passwd   password required      /usr/lib/security/libpam_unix.1
dtlogin  password required      /usr/lib/security/libpam_unix.1
dtaction password required      /usr/lib/security/libpam_unix.1
OTHER    password required      /usr/lib/security/libpam_unix.1


So does anyone have any ideas?

Cheers

Miles
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
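
An added example, not part of any message in this thread: a small linter for pam.conf-style files (service, module type, control flag, module path, options) that reports `sufficient` entries placed after a `required` entry in the same stack. It relies on the standard PAM stacking rule that a `sufficient` success cannot override the failure of an earlier `required` module; the function names are hypothetical and the sample is constructed from the login, su and passwd lines quoted above.

```python
"""Lint a pam.conf-style file for 'sufficient' entries that follow a 'required' one."""

# Constructed sample: a subset of the pam.conf lines quoted in the message above.
SAMPLE = """\
# Authentication management
login    auth sufficient  /usr/lib/security/libpam_winbind.1
login    auth required  /usr/lib/security/libpam_unix.1 use_first_pass
su       auth required  /usr/lib/security/libpam_unix.1
su       auth required  /usr/lib/security/libpam_winbind.1 use_first_pass
# Account management
login    account required       /usr/lib/security/libpam_unix.1
login    account sufficient     /usr/lib/security/libpam_winbind.1
# Password management
passwd   password sufficient    /usr/lib/security/libpam_winbind.1
passwd   password required      /usr/lib/security/libpam_unix.1
"""


def parse_pam_conf(text):
    """Return {(service, module_type): [(control, path, options), ...]} in file order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:                   # malformed entry: skip, do not guess
            continue
        service, mtype, control, path = fields[:4]
        key = (service, mtype.lower())
        stacks.setdefault(key, []).append((control.lower(), path, fields[4:]))
    return stacks


def shadowed_sufficient(stacks):
    """List (service, type, sufficient_module, earlier_required_module) findings."""
    findings = []
    for (service, mtype), entries in stacks.items():
        first_required = None
        for control, path, _options in entries:
            if control == "required" and first_required is None:
                first_required = path
            elif control == "sufficient" and first_required is not None:
                # The earlier required module must still pass for this stack to succeed.
                findings.append((service, mtype, path, first_required))
    return findings


if __name__ == "__main__":
    for finding in shadowed_sufficient(parse_pam_conf(SAMPLE)):
        print("%s/%s: sufficient %s follows required %s" % finding)
```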