[Samba] winbind and Solaris 9 with AD

Ganguly, Sapan Sapan.Ganguly at thalesgroup.com
Thu Jan 22 10:59:14 GMT 2004


You should note that I'm not using ADS, I'm in an NT4 domain.

OK, from memory this is what I did.  (If anyone can see any errors in this,
please let me know!) 

First I compiled Samba with the following -

./configure --with-winbind --with-pam --with-pam_smbpass --with-included-popt
make
make install

I then created these links in /usr/lib.  I think I had to copy
libnss_winbind.so from the samba/sources/nsswitch directory (compile directory)
to /usr/lib -

libnss_winbind.so
libnss_winbind.so.1 -> libnss_winbind.so
nss_winbind.so.1 -> libnss_winbind.so

After that I dropped in my smb.conf from a Linux machine I had already
built with samba 3.  Here is what it looks like -

# Global parameters
[global]
        workgroup = MYDOMAIN
        server string = SUN001
        log file = /var/log/samba/log.%m
        max log size = 50
        name resolve order = wins lmhosts bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap
        local master = No
        dns proxy = No
        wins server = 192.168.224.25
        ldap suffix = dc=uk,dc=trt,dc=thales
        ldap machine suffix = dc=uk,dc=trt,dc=thales
        ldap user suffix = dc=uk,dc=trt,dc=thales
        ldap group suffix = dc=uk,dc=trt,dc=thales
        ldap idmap suffix = ou=idmap,dc=uk,dc=trt,dc=thales
        ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
        idmap backend = ldap:ldap://lnxs001
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /mnt/spare/%U
        template shell = /bin/bash
        winbind separator = -
        winbind use default domain = Yes

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

[public]
        path = /public
        read only = No
        guest ok = Yes

My LDAP server is a separate Redhat 9.0 machine with OpenLDAP running.

Next I ran 'smbpasswd -w xxxxx' where xxxxx is my LDAP admin password; this
gives samba write access to your LDAP server.

Then I had to make my samba server a member of my domain -
	
	net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd

Now I edited nsswitch.conf

Passwd: files winbind
Group: files winbind



Then I created the startup scripts for samba and winbind (don't forget to
chmod it to make it executable) -

#!/sbin/sh
##
## samba.server
##

if [ ! -d /usr/bin ]
then                    # /usr not mounted
        exit
fi

killproc() {            # kill the named process(es)
        pid=`/usr/bin/ps -e |
             /usr/bin/grep -w $1 |
             /usr/bin/sed -e 's/^  *//' -e 's/ .*//'`
        [ "$pid" != "" ] && kill $pid
}

# Start/stop processes required for Samba server

case "$1" in

'start')
        #
        # Edit these lines to suit your installation (paths, workgroup, host)
        # -d 10 is the most verbose debug level; lower it once things work.
        #
        echo Starting SMBD
        /usr/local/samba/sbin/smbd -D -d 10 -s /usr/local/samba/lib/smb.conf
        echo Starting NMBD
        /usr/local/samba/sbin/nmbd -D -l /usr/local/samba/var/log -s /usr/local/samba/lib/smb.conf
        echo Starting Winbind Daemon
        /usr/local/samba/sbin/winbindd -B -d 10 -s /usr/local/samba/lib/smb.conf
        ;;

'stop')
        killproc nmbd
        killproc smbd
        killproc winbindd
        ;;

*)
        echo "Usage: /etc/init.d/samba.server { start | stop }"
        ;;
esac

After I started samba up with this script and ran getent it worked.  

I could type out all of my OpenLDAP config for you too but at this stage it
probably isn't very useful to you.  What I think you should try first is
using a simpler idmap backend.  Make that work and then do the LDAP
stuff.
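The two things this thread keeps coming back to are whether nsswitch.conf actually hands passwd and group lookups to winbind (the reason getent shows nothing) and whether the idmap ranges in smb.conf are sane. The script below is an added example, not code from this message or from the Samba project: a set of plain Bourne sh pre-flight checks that can be run on the Solaris 9 box before starting winbindd. All file names and the sample configs it writes are constructed for illustration; the only real parameter names it looks for are `idmap uid` and `idmap gid`.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the winbind/NSS
# setup, in plain Bourne sh so it can run on Solaris 9. Every path and sample
# file below is constructed for illustration.
# Solaris /usr/bin/awk lacks tolower(); point AWK at nawk there.
AWK=${AWK:-awk}

# nss_has_winbind FILE DB : succeed if the DB line (passwd or group) in an
# nsswitch.conf names winbind. Comments are skipped and the key is matched
# case-insensitively, so "Passwd: files winbind" is accepted too.
nss_has_winbind() {
    $AWK -F: -v db="$2" '
        /^[ \t]*#/ { next }
        NF >= 2 {
            key = $1; gsub(/[ \t]/, "", key)
            if (tolower(key) == db) {
                n = split($2, src, /[ \t]+/)
                for (i = 1; i <= n; i++) if (src[i] == "winbind") found = 1
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# idmap_range FILE uid|gid : print "LOW HIGH" taken from "idmap uid = LOW-HIGH"
# (or gid) in smb.conf; fail if the parameter is missing, malformed or empty.
idmap_range() {
    $AWK -v want="idmap $2" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want && val ~ /^[0-9]+-[0-9]+$/) {
                split(val, r, "-")
                if (r[1] + 0 < r[2] + 0) { print r[1], r[2]; ok = 1; exit }
            }
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# idmap_collisions PASSWD_FILE LOW HIGH : print "name:uid" for every local
# account whose UID falls inside the idmap range. winbind allocates domain
# users from that range, so any hit means a domain user could end up sharing
# a UID with a local account.
idmap_collisions() {
    $AWK -F: -v lo="$2" -v hi="$3" '
        NF >= 3 && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3 }' "$1"
}

# check_winbind NSSWITCH SMBCONF PASSWD : run all checks, report problems on
# stdout and return non-zero if any were found.
check_winbind() {
    nss=$1; smb=$2; pw=$3; rc=0
    for db in passwd group; do
        nss_has_winbind "$nss" "$db" ||
            { echo "nsswitch.conf: '$db' does not list winbind; getent will not see domain $db entries"; rc=1; }
    done
    if range=`idmap_range "$smb" uid`; then
        set -- $range
        clash=`idmap_collisions "$pw" "$1" "$2"`
        [ -z "$clash" ] ||
            { echo "smb.conf: idmap uid $1-$2 overlaps local accounts:" $clash; rc=1; }
    else
        echo "smb.conf: 'idmap uid' missing or not of the form LOW-HIGH"; rc=1
    fi
    idmap_range "$smb" gid >/dev/null ||
        { echo "smb.conf: 'idmap gid' missing or not of the form LOW-HIGH"; rc=1; }
    return $rc
}

# make_samples DIR : write constructed sample files (not real configs).
make_samples() {
    cat > "$1/nsswitch.good" <<'EOF'
# constructed nsswitch.conf fragment
passwd: files winbind
group:  files winbind
hosts:  files dns
EOF
    cat > "$1/nsswitch.bad" <<'EOF'
passwd: files
group:  files
EOF
    cat > "$1/smb.good" <<'EOF'
[global]
        workgroup = MYDOMAIN
        idmap uid = 10000-20000
        idmap gid = 10000-20000
EOF
    cat > "$1/smb.overlap" <<'EOF'
[global]
        idmap uid = 0-20000
        idmap gid = 10000-20000
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
sapan:x:1001:10:Sapan:/home/sapan:/bin/bash
svc:x:5000:5000:Service:/:/bin/false
EOF
}

# Demo: run the checks against the constructed samples.
D=${TMPDIR:-/tmp}/winbind-check.$$
mkdir "$D" || exit 1
make_samples "$D"
check_winbind "$D/nsswitch.good" "$D/smb.good" "$D/passwd" && echo "good config: OK"
check_winbind "$D/nsswitch.bad" "$D/smb.overlap" "$D/passwd" || echo "bad config: problems found"
rm -rf "$D"
```

On a real host, call `check_winbind /etc/nsswitch.conf /usr/local/samba/lib/smb.conf /etc/passwd` instead of the demo. The UID overlap check is the one worth keeping even after getent works: a range that starts at 0 or inside the local account space lets winbind hand a domain user the same UID as an existing local account.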


-----Original Message-----
From: Wright, Tim (ANTS) [mailto:tim.wright at ants.co.uk] 
Sent: 21 January 2004 16:37
To: 'Ganguly, Sapan '
Subject: RE: [Samba] winbind and Solaris 9 with AD


hi

I've been looking at my problem and comparing the Solaris 9 box to a working
Linux box. I noticed that if I take the winbind entry out of nsswitch.conf
on the linux box then samba will no longer accept connections from users
with no unix account or relevant username map.

So I'm assuming that if I can get getent working on the Solaris box then the
samba authentication problem will be solved as well.

So would you be able to provide me with a step by step of how you built and
configured samba/winbind on the host where getent works ( including other
stuff like kerberos and openldap compiles )? I can't offer much in return
but if I can get getent working then I will look at getting logging on to
the box working as well ( unless of course you've already cracked it
yourself ).

anyway any help you could give me would be greatly appreciated.

thanks

tim

-----Original Message-----
From: Ganguly, Sapan [mailto:Sapan.Ganguly at thalesgroup.com] 
Sent: 19 January 2004 13:06
To: 'Unix Service (ANTS)'; 'samba at lists.samba.org'
Subject: RE: [Samba] winbind and Solaris 9 with AD



I'm having trouble with this too but getent works for me, I'm not using AD
though.  

Have you edited nsswitch.conf?  

Passwd: files winbind
Group: files winbind

I'm stuck on getting logging in working...Sun seems to think there may be
some bug with PAM.

-----Original Message-----
From: Unix Service (ANTS) [mailto:Unix.Services at ants.co.uk] 
Sent: 19 January 2004 12:13
To: 'samba at lists.samba.org'
Subject: [Samba] winbind and Solaris 9 with AD


Hi

have been trying to get winbind working on Solaris 9 but to no effect.

version info:

samba: 3.0.0
openldap: 2.1.23
kerberos: MIT 1.3.1

Have followed the instructions in every howto, usenet posting I could
find:

nscd not running
created relevant links in /lib and /lib/security/sparcv9
applied patch for nsswitch as recommended

kinit -e works
net ads join works
wbinfo -t works
wbinfo -u gives list of all users in all trusted domains
getent doesn't work
samba authentication doesn't work - get the following in winbindd.log:

[2004/01/19 10:59:27, 5] nsswitch/winbindd_pam.c:(379)
  NTLM CRAP authentication for user [DEV]\[test7] returned NT_STATUS_OK (PAM: 0)
[2004/01/19 10:59:27, 3] nsswitch/winbindd_acct.c:(875)
  [ 3551]: create_user: user=>(test7), group=>()
[2004/01/19 10:59:27, 5] nsswitch/winbindd_acct.c:(521)
  wb_getgrnam: Did not find group (nobody)

my smb.conf is:

workgroup = DEV
#workgroup = DEV.ANTS.AD.ANPLC.CO.UK
realm = DEV.ANTS.AD.ANPLC.CO.UK
security = ADS
password server = lonsd010.dev.ants.ad.anplc.co.uk
dns proxy = no
idmap gid = 70000-80000
idmap uid = 800000-900000
winbind cache time = 15
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes
log level = 9

[temp]
path = /tmp
read list = @users

[docs]
path = /var/tmp/samba-3.0.0
read list = @users

I would appreciate any pointers as to further debugging I could do or
possible problems as being able to use winbind to deal with samba
authentication would make life a great deal easier.




***************************************************************************
This communication (including any attachments) contains confidential
information.  If you are not the intended recipient and you have received
this communication in error, you should destroy it without copying,
disclosing or otherwise using its contents.  Please notify the sender
immediately of the error.

Internet communications are not necessarily secure and may be intercepted or
changed after they are sent.  Abbey National Treasury Services plc does not
accept liability for any loss you may suffer as a result of interception or
any liability for such changes.  If you wish to confirm the origin or
content of this communication, please contact the sender by using an
alternative means of communication.

This communication does not create or modify any contract and, unless
otherwise stated, is not intended to be contractually binding.

Abbey National Treasury Services plc. Registered Office:  Abbey National
House, 2 Triton Square, Regents Place, London NW1 3AN.  Registered in
England under Company Registration Number: 2338548.  Regulated by the
Financial Services Authority (FSA).
***************************************************************************

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


