[Samba] Samba 2.2.8a/winbindd - 2K Domain users password challenged
Stewart, Eric
eric at lib.usf.edu
Thu Jul 17 16:46:06 GMT 2003
Okay okay - forgive me for being a whiney itchbay. But the fix was (when discussing *nix systems) quite counterintuitive ...
I noticed that, even after using chmod #uid file, that the system was not returning the string name for the appropriate numerical uid. So, since I was headed out to lunch, I went ahead and rebooted the server.
Lo and behold it all appears to work now. Correctly even.
I'm guessing that changes to /etc/nsswitch.conf may not necessarily register immediately and that's where I was running into trouble. That or something to do with files moving into place (like /lib/libnss_winbind.so) and not being "seen".
Now if I could only be sure of what service it was that needed restarting ...
Eric Stewart - Network Admin - USF Tampa Library - eric at lib.usf.edu
SCUBA Diver: 220 Dives Most Recent: 05/10/03 Chankanaab Park, Cozumel
GeoCacher: 58 Found Most Recent: 07/04/03 GCGBHE - Fun in the Sun
http://www.scubadiving.com/talk/ and http://www.geocaching.com/
> -----Original Message-----
> From: Stewart, Eric
> Sent: Thursday, July 17, 2003 10:42 AM
> To: samba at lists.samba.org
> Subject: RE: [Samba] Samba 2.2.8a/winbindd - 2K Domain users password challenged
>
> I know it's been less than a day but I'm kind of surprised that I haven't gotten an answer on this one way or the other ... so let me ask a simpler question:
>
> Are winbind served users of a Linux machine supposed to have access to the samba shares served by that Linux machine? If so, please provide sample smb.conf's (if they differ from mine below) and pam.d/* files. As my users only need access to the samba shares, and not login access, I'm hesitant to change any /etc/pam.d/ file aside from /etc/pam.d/samba ...
>
> A bit of further testing has shown that at the very least, samba continues to attempt to look for "user" instead of "DOM+user" when trying to validate. Please! This is the last step I *must* get past before I can move mission critical services from a Sun Solaris 8 box to this Redhat Linux 9 machine ...
>
> > -----Original Message-----
> > From: Stewart, Eric
> > Sent: Wednesday, July 16, 2003 3:21 PM
> > To: samba at lists.samba.org
> > Subject: [Samba] Samba 2.2.8a/winbindd - 2K Domain users password challenged
> >
> > I have a RedHat Linux 9 server that I would like to allow users in my Windows 2000 domain to be able to map shares from without actually having an account on the system.
> > Compiled samba, configured with "./configure --with-pam". Got the server into the domain, and regular "security = domain" seems to be working appropriately - providing there's a local account with the same username as the 2K Domain user.
> > winbind appears to be providing the accounts appropriately - both wbinfo and getent return what you'd expect them to; a wbinfo -a with a user on the domain (the one trying to connect, in fact) gets:
> >
> > plaintext password authentication succeeded
> >
> > It simply appears as if, when a user attempts to connect to the share, it fails to try to match the W2K account (IE, DOM\user) to the winbind account (DOM+user) and near as I can tell, fails since there isn't an account on the system under "user".
> > Here are the relevant smb.conf lines:
> >
> > [global]
> > netbios name = newweb
> > load printers = no
> > guest account = nobody
> > workgroup = LIB
> > security = domain
> > password server = *
> > encrypt passwords = yes
> > local master = no
> > os level = 1
> > wins server = 131.247.112.6
> > server string = LIB309 -Sys-Library Web Server
> > preserve case = yes
> > invalid users = root mail daemon
> > log level = 3
> > debug uid = yes
> > debug pid = yes
> > log file = /usr/local/samba/logs/log.%m
> > lock directory = /usr/local/samba/var/locks
> > share modes = yes
> > winbind separator = +
> > winbind uid = 12500-19999
> > winbind gid = 12500-19999
> > winbind enum users = yes
> > winbind enum groups = yes
> > template homedir = /dev/null
> >
> > [webdocs]
> > comment = Webdocs Share
> > browseable = yes
> > force create mode = 0664
> > force directory mode = 0775
> > path = /data1/webdocs
> > valid users = @web, @wheel, @LIB+Technology
> > read only = yes
> > locking = no
> >
> > Not sure that this is set up right, or that I might be missing something else:
> >
> > /etc/pam.d/samba
> > auth sufficient /lib/security/pam_winbind.so
> > auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
> > account required /lib/security/pam_winbind.so
> > session required /lib/security/pam_pwdb.so
> > password required /lib/security/pam_pwdb.so # shadow md5 nullok audit
> >
> > When a user that doesn't have a matching Linux account tries to access the share, they get challenged.
> > Please let me know what I'm missing - either in my Samba configuration or in the information I've attempted to provide to you.
> > Thanks muchly in advance for your assistance.
>
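The checks this thread relies on (winbind listed in /etc/nsswitch.conf, the "winbind separator" and "winbind uid" values from smb.conf, and a getent passwd line for a domain user) can be scripted as below. This is an added example, not part of the original post or of Samba; the function names are made up here, and the smb.conf location and the account you pass in are assumptions.

```shell
# Added example: offline checks for the winbind/NSS wiring discussed in this thread.

# nss_sources FILE DB: print the lookup sources configured for DB (e.g. passwd)
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                          # drop comments
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i }
    ' "$1"
}

# nss_has_winbind FILE DB: succeed if "winbind" is a source for DB
nss_has_winbind() { nss_sources "$1" "$2" | grep -qx winbind; }

# smb_param FILE NAME: print the value of a [global] smb.conf parameter
smb_param() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        g && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == want) print v
        }
    ' "$1"
}

# id_in_range LO-HI ID: succeed if ID lies inside the range
id_in_range() { [ "$2" -ge "${1%-*}" ] && [ "$2" -le "${1#*-}" ]; }

# check_winbind_user NSSWITCH SMBCONF PASSWD_LINE
# PASSWD_LINE is one line as printed by: getent passwd 'DOM+user'
check_winbind_user() {
    nss_has_winbind "$1" passwd || { echo "passwd: winbind not listed"; return 1; }
    nss_has_winbind "$1" group  || { echo "group: winbind not listed"; return 1; }
    sep=$(smb_param "$2" "winbind separator")
    [ -n "$sep" ] || sep='\'                        # Samba default separator
    range=$(smb_param "$2" "winbind uid")
    name=${3%%:*}
    uid=$(printf '%s\n' "$3" | cut -d: -f3)
    case $name in
        *"$sep"*) ;;
        *) echo "name '$name' lacks separator '$sep'"; return 1 ;;
    esac
    id_in_range "$range" "$uid" || { echo "uid $uid outside $range"; return 1; }
    echo ok
}
```

Call it as `check_winbind_user /etc/nsswitch.conf <path to smb.conf> "$(getent passwd 'LIB+someuser')"`, where `someuser` is a placeholder. It reads the files on disk, so a daemon started before those files changed may still be using what it loaded at startup.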