[Samba] idmap uid range 10000-20000: pam_winbind does NOT work ?
Ganguly, Sapan
Sapan.Ganguly at thalesgroup.com
Thu Feb 5 10:48:21 GMT 2004
Mike,
I got it working!! Have a look at what I have; here are my smb.conf and my
pam.conf.
# Global parameters
[global]
workgroup = RRLNTD01
server string = SUN001
security = DOMAIN
password server = nts009
log level = 10
syslog = 7
log file = /var/log/samba/log.%m
max log size = 50
name resolve order = wins lmhosts bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
local master = No
dns proxy = No
wins server = 192.168.224.25
ldap suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap
ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
idmap backend = ldap:ldap://lnxs001
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /mnt/spare/%U
template shell = /bin/bash
winbind separator = -
winbind use default domain = Yes
#
#ident "@(#)pam.conf 1.20 02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth required pam_winbind.so
login auth requisite pam_authtok_get.so.1 debug
#login auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
login auth sufficient pam_dhkeys.so.1 debug
login auth sufficient pam_unix_auth.so.1 debug
login auth sufficient pam_dial_auth.so.1 debug
#login auth sufficient /usr/lib/security/pam_winbind.so.1 debug try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth required pam_winbind.so
rlogin auth sufficient pam_rhosts_auth.so.1 debug
rlogin auth requisite pam_authtok_get.so.1 debug
rlogin auth sufficient pam_dhkeys.so.1 debug
rlogin auth sufficient pam_unix_auth.so.1 debug
#rlogin auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1 debug
rsh auth required pam_unix_auth.so.1 debug
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1 debug
ppp auth required pam_dhkeys.so.1 debug
ppp auth required pam_unix_auth.so.1 debug
ppp auth required pam_dial_auth.so.1 debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth sufficient pam_winbind.so
other auth requisite pam_authtok_get.so.1 debug
other auth sufficient pam_dhkeys.so.1 debug
other auth sufficient pam_unix_auth.so.1 debug
#other auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1 debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1 debug
cron account required pam_unix_account.so.1 debug
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_winbind.so
other account requisite pam_roles.so.1 debug
other account sufficient pam_projects.so.1 debug
other account sufficient pam_unix_account.so.1 debug
#other account sufficient /usr/lib/security/pam_winbind.so.1 debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_mkhomedir.so skel=/etc/skel umask=0022
other session required pam_unix_session.so.1 debug
other session sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#other session required pam_mkhomedir.so.1 debug skel=/etc/skel umask=0022
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password required pam_authtok_store.so.1 debug
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
Also this is what Andy from the BBC told me to do -
Hi Sapan,
I've also got winbind authentication working with my Solaris 9. Just
looked through the truss output from your su command and noticed that your
library search path seems to be /usr/local/lib:/usr/lib. Now I can't think
that should cause a problem but it is the only difference I can see between
my system and yours. Can you try setting the search path as follows and see
if that helps,
crle -C /var/ld/ld.config -l /usr/lib:/usr/local/lib
Also can you confirm you have all of the following files present?
/usr/lib/security/pam_winbind.c
/usr/lib/security/pam_winbind.h
/usr/lib/security/pam_winbind.po
/usr/lib/security/pam_winbind.so
/usr/lib/libnss_winbind.so
/usr/lib/libnss_winbind.so.1
/usr/lib/libnss_winbind.so.2
/usr/lib/nss_winbind.so.1
/usr/lib/nss_winbind.so.2
cheers Andy.
-----Original Message-----
From: DorofeevMS at tmn.transneft.ru [mailto:DorofeevMS at tmn.transneft.ru]
Sent: 05 February 2004 04:12
To: samba at lists.samba.org
Subject: [Samba] idmap uid range 10000-20000: pam_winbind does NOT work ?
Hi all!
Again, unexpected behaviour!
When I set in smb.conf
idmap uid = 10000-20000
idmap gid = 10000-20000
I CAN change and SEE domain users and groups as I change the owner of a file
on Unix:
chown domain+user ./test.txt
chgrp domain+group ./test.txt
ls -l /tmp
-rw-r--r-- 1 user group 0 Feb 4 20:25 test.txt <- I SEE DOMAIN USER AND GROUP
BUT I'm NOT able to telnet or ftp to my Unix server!!! Otherwise, when I set
idmap uid = 1000-2000
idmap gid = 1000-2000
I CAN telnet or FTP to my Unix server using domain accounts but if I chown
or chgrp I DO NOT see domain users and groups...
In debug.log I see:
......................
Feb 5 08:42:30 as08-tmn smbd[20403]: [ID 702911 daemon.warning] [2004/02/05 08:42:30, 1] smbd/service.c:make_connection_snum(705)
Feb 5 08:42:30 as08-tmn smbd[20403]: [ID 702911 daemon.warning] wxpdorofeevms (10.81.1.254) connect to service tmp initially as user TMN+dorofeevms (uid=10000, gid=10000) (pid 20403)
Feb 5 08:42:31 as08-tmn named[144]: [ID 873579 daemon.debug] clientmgr @18d098: createclients
Feb 5 08:42:31 as08-tmn named[144]: [ID 873579 daemon.debug] clientmgr @18d098: recycle
Feb 5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.info] [2004/02/05 08:42:37, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(232)
Feb 5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.info] [20407]: request interface version
Feb 5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.info] [2004/02/05 08:42:37, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(268)
Feb 5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.info] [20407]: request location of privileged pipe
Feb 5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.debug] [2004/02/05 08:42:37, 5] nsswitch/winbindd.c:winbind_client_read(464)
Feb 5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.debug] read failed on sock 22, pid 20407: EOF
Feb 5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.info] [2004/02/05 08:42:37, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(339)
Feb 5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.info] [20407]: getgrgid 10000
Feb 5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.debug] [2004/02/05 08:42:37, 5] nsswitch/winbindd.c:winbind_client_read(464)
Feb 5 08:42:37 as08-tmn winbindd[20354]: [ID 702911 daemon.debug] read failed on sock 23, pid 20407: EOF
......................
What might be the problem ?
Sincerely yours,
Mike
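The thread turns on two configuration artefacts: the idmap uid/gid range that winbindd is allowed to allocate from, and the order and control flags of the pam.conf stacks. The following Python lint is an added example (not code from the thread, from Samba, or from Sun's pam.conf) that checks both the way a reviewer would before rolling such a setup out. Its inputs are constructed: the smb.conf idmap lines echo Sapan's settings, the pam.conf excerpt echoes his login stack plus one mail-wrapped "try_first_pass debug" continuation line, and the /etc/passwd excerpt is invented with one local UID deliberately placed inside the idmap range. The checks themselves (local UID collision with the idmap range, malformed pam.conf lines, and pam_winbind marked required beside pam_unix_auth) are the editor's heuristics, not a Samba tool.

```python
"""Lint a Samba idmap range and a Solaris-style pam.conf stack.

Added example, not code from the thread, Samba or Sun. All inputs below are
constructed for the example.
"""
import re
from collections import defaultdict

# Constructed: idmap lines as in the thread's smb.conf.
SMB_CONF = """\
[global]
    workgroup = RRLNTD01
    idmap uid = 10000-20000
    idmap gid = 10000-20000
"""

# Constructed /etc/passwd excerpt; 'build' sits inside the idmap uid range.
PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
sapan:x:1001:10:Sapan:/export/home/sapan:/bin/bash
build:x:10005:10:Build account:/export/home/build:/bin/sh
"""

# Constructed pam.conf excerpt; the last line is a mail-wrapped tail of the
# line before it and is therefore not a valid entry on its own.
PAM_CONF = """\
login auth required pam_winbind.so
login auth requisite pam_authtok_get.so.1 debug
login auth sufficient pam_dhkeys.so.1 debug
login auth sufficient pam_unix_auth.so.1 debug
other auth sufficient pam_winbind.so
other auth sufficient pam_unix_auth.so.1 debug
other session sufficient /usr/lib/security/pam_winbind.so.1
try_first_pass debug
"""

PAM_TYPES = {"auth", "account", "session", "password"}
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional"}


def parse_idmap_ranges(smb_conf):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} from 'idmap uid/gid = lo-hi' lines."""
    pattern = r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$"
    return {kind: (int(lo), int(hi))
            for kind, lo, hi in re.findall(pattern, smb_conf, re.MULTILINE)}


def local_ids_in_range(passwd_text, lo, hi):
    """Local accounts whose UID falls inside [lo, hi]; winbindd allocates from
    that range, so such an account would share its UID with a domain user."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit() and lo <= int(fields[2]) <= hi:
            hits.append((fields[0], int(fields[2])))
    return hits


def parse_pam_conf(pam_text):
    """Parse 'service type control module [args...]' lines.

    Returns (entries, errors); a line without a valid service/type/control
    triple (such as a wrapped continuation) is an error, not silently dropped."""
    entries, errors = [], []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1] not in PAM_TYPES or parts[2] not in PAM_CONTROLS:
            errors.append((lineno, line))
            continue
        entries.append({"line": lineno, "service": parts[0], "type": parts[1],
                        "control": parts[2], "module": parts[3], "args": parts[4:]})
    return entries, errors


def lint_auth_stacks(entries):
    """Flag auth stacks where pam_winbind is 'required' alongside pam_unix_auth.

    A failed 'required' module makes the stack fail even if a later 'sufficient'
    module succeeds, so local accounts lose their fallback when winbindd is down."""
    stacks = defaultdict(list)
    for e in entries:
        if e["type"] == "auth":
            stacks[e["service"]].append(e)
    findings = []
    for service, mods in stacks.items():
        has_unix = any("pam_unix_auth" in m["module"] for m in mods)
        for m in mods:
            if has_unix and "pam_winbind" in m["module"] and m["control"] == "required":
                findings.append(f"{service} auth (line {m['line']}): pam_winbind is "
                                "'required'; local accounts cannot log in when winbindd fails")
    return findings


def run_lint(smb_conf=SMB_CONF, passwd_text=PASSWD, pam_text=PAM_CONF):
    """Run every check and return the findings as strings."""
    findings = []
    ranges = parse_idmap_ranges(smb_conf)
    if "uid" in ranges:
        lo, hi = ranges["uid"]
        for name, uid in local_ids_in_range(passwd_text, lo, hi):
            findings.append(f"local account {name} (uid {uid}) lies inside idmap uid range {lo}-{hi}")
    entries, errors = parse_pam_conf(pam_text)
    for lineno, text in errors:
        findings.append(f"pam.conf line {lineno}: not a valid entry: {text!r}")
    findings.extend(lint_auth_stacks(entries))
    return findings


if __name__ == "__main__":
    for finding in run_lint():
        print(finding)
```

Run against the constructed inputs it reports three findings: the local 'build' account colliding with the idmap range, the orphaned "try_first_pass debug" line, and the 'required' pam_winbind entry in the login stack. To check a real host, read /etc/passwd, smb.conf and /etc/pam.conf into the three arguments of run_lint.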