[Samba] PAM (winbind?) auth still does NOT work on Solaris 9
Дорофеев Михаил Сергеевич
DorofeevMS at tmn.transneft.ru
Fri Jan 23 03:44:11 GMT 2004
Hi all!
I'm getting STUCK trying to get pam and winbind working.
Using Solaris 9, Samba 3.0.1 (built as ./configure --with-ads --with-pam --with-syslog --with-winbind)
Kerberos 5 is installed.
It looks like everything is working EXCEPT for user auth when telnetting, ftping etc...
(Browsing of Samba box and connecting to it works fine and fast!!!)
PLEASE, HELP!
Or point me to the right place to read; I've read everything from [docbook] to Thanks and the Internet...
Sincerely yours,
Mike
Below is my configuration:
--------------------------------------------------------------------------
Here is my smb.conf file (unmodified)
-------------------------------------------------------------------------
# Global parameters
[global]
workgroup = TMN
realm = TMN.TRANSNEFT.RU
server string = AS08-TMN Samba server (running Samba 3.0.1)
security = DOMAIN
password server = msg01-tmn dc01-tmn
log level = 3 passdb:5 auth:10 winbind:2
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /export/home
template shell = /bin/bash
winbind separator = +
[tmp]
comment = Temporary place
path = /tmp
read only = No
-------------------------------------------------------------------------
Here is how I joined the domain:
bash-2.05# /usr/local/samba/bin/net rpc join -S dc01-tmn -U Administrator
Password:
Joined domain TMN.
bash-2.05#
Just to make sure it worked:
bash-2.05# ./net join -S dc01-tmn -UAdministrator
Administrator password:
[2004/01/22 21:03:33, 0] libads/ldap.c:ads_join_realm(1314)
Host account for as08-tmn already exists - deleting old account
Using short domain name -- TMN
Joined 'AS08-TMN' to realm 'TMN.TRANSNEFT.RU'
-------------------------------------------------------------------------
Wbinfo -g works!
bash-2.05# /usr/local/samba/bin/wbinfo -g
TMN+Domain Admins
TMN+Domain Users
TMN+Domain Guests
TMN+Domain Computers
TMN+Domain Controllers
TMN+Cert Publishers
.......................
Wbinfo -t works!
Wbinfo -u works!
/etc/nsswitch.conf:
passwd: files winbind
group: files winbind
-------------------------------------------------------------------------
Here is the listing of *nss* modules in my /usr/lib/:
bash-2.05# ls -l /usr/lib/*nss*
-rwxr-xr-x 1 root other 29576 Янв 16 08:39 /usr/lib/libnss_winbind.so
lrwxrwxrwx 1 root other 26 Янв 23 08:37 /usr/lib/libnss_winbind.so.1 -> /usr/lib/libnss_winbind.so
lrwxrwxrwx 1 root other 22 Янв 16 08:39 /usr/lib/libnss_winbind.so.2 -> /lib/libnss_winbind.so
-rwxr-xr-x 1 root bin 23500 Апр 7 2002 /usr/lib/nss_compat.so.1
-rwxr-xr-x 1 root bin 22552 Апр 7 2002 /usr/lib/nss_dns.so.1
-rwxr-xr-x 1 root bin 35060 Апр 7 2002 /usr/lib/nss_files.so.1
-rwxr-xr-x 1 root bin 77552 Сен 30 06:45 /usr/lib/nss_ldap.so.1
-rwxr-xr-x 1 root bin 36508 Апр 7 2002 /usr/lib/nss_nis.so.1
-rwxr-xr-x 1 root bin 45572 Апр 7 2002 /usr/lib/nss_nisplus.so.1
-rwxr-xr-x 1 root bin 12516 Апр 7 2002 /usr/lib/nss_user.so.1
lrwxrwxrwx 1 root other 26 Янв 23 08:37 /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so
lrwxrwxrwx 1 root other 26 Янв 23 08:37 /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so
-rwxr-xr-x 1 root bin 13760 Апр 7 2002 /usr/lib/nss_xfn.so.1
-------------------------------------------------------------------------
Here is the list of my /lib/security:
(cut)
lrwxrwxrwx 1 root root 20 Ноя 13 03:18 pam_unix_auth.so -> ./pam_unix_auth.so.1
-rwxr-xr-x 1 root bin 13604 Июл 16 2003 pam_unix_auth.so.1
lrwxrwxrwx 1 root root 23 Ноя 13 03:18 pam_unix_session.so -> ./pam_unix_session.so.1
-rwxr-xr-x 1 root bin 11828 Апр 7 2002 pam_unix_session.so.1
-rwxr-xr-x 1 root other 27768 Янв 16 18:20 pam_winbind.so
lrwxrwxrwx 1 root other 16 Янв 22 20:39 pam_winbind.so.1 -> ./pam_winbind.so
drwxr-xr-x 2 root bin 1024 Янв 16 09:48 sparcv9
-------------------------------------------------------------------------
Below is my /etc/pam.conf file:
-------------------------------------------------------------------------
#
#ident "@(#)pam.conf 1.20 02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth sufficient pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth sufficient pam_dial_auth.so.1
login auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth sufficient pam_dhkeys.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
#
other auth requisite pam_authtok_get.so.1
other auth sufficient pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1
other auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account sufficient pam_projects.so.1
other account sufficient pam_unix_account.so.1
other account sufficient /usr/lib/security/pam_winbind.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
other session sufficient /usr/lib/security/pam_winbind.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
-------------------------------------------------------------------------
Below is what I'm getting when trying to telnet:
-------------------------------------------------------------------------
[2004/01/23 08:11:23, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth(196)
Plain-text authentication for user tmn+DorofeevMS returned NT_STATUS_OK (PAM: 0)
[2004/01/23 08:11:23, 5] nsswitch/winbindd.c:winbind_client_read(464)
read failed on sock 24, pid 16372: EOF
[2004/01/23 08:11:23, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(113)
[16372]: getpwnam tmn+DorofeevMS
[2004/01/23 08:11:23, 3] nsswitch/winbindd_rpc.c:name_to_sid(290)
rpc: name_to_sid name=DorofeevMS
[2004/01/23 08:11:23, 3] nsswitch/winbindd_rpc.c:name_to_sid(299)
name_to_sid [rpc] DorofeevMS for domain TMN
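
Added example, not part of the original post: a small Python parser that applies the "other" fallback described in the pam.conf comments above and reports, for each module type, which control flag pam_winbind carries in the stack a service actually uses. The embedded entries are a subset copied from the posted pam.conf; the service name `ftp` is an assumption, chosen as a service with no entries of its own.

```python
from collections import defaultdict

# Subset of the entries from the pam.conf in the post (sample input for this example).
PAM_CONF = """\
rsh   auth     sufficient pam_rhosts_auth.so.1
rsh   auth     required   pam_unix_auth.so.1
other auth     requisite  pam_authtok_get.so.1
other auth     sufficient pam_dhkeys.so.1
other auth     sufficient pam_unix_auth.so.1
other auth     sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass
cron  account  required   pam_projects.so.1
cron  account  required   pam_unix_account.so.1
other account  requisite  pam_roles.so.1
other account  sufficient pam_projects.so.1
other account  sufficient pam_unix_account.so.1
other account  sufficient /usr/lib/security/pam_winbind.so.1
other session  required   pam_unix_session.so.1
other session  sufficient /usr/lib/security/pam_winbind.so.1
other password requisite  pam_authtok_get.so.1
other password required   pam_authtok_store.so.1
#other auth    optional   pam_krb5.so.1 try_first_pass
"""

def parse(text):
    """Return {(service, type): [(flag, module_basename, options), ...]} in file order."""
    stacks = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        service, mtype, flag, module, *opts = line.split()
        stacks[(service, mtype)].append((flag, module.rsplit("/", 1)[-1], opts))
    return stacks

def effective(stacks, service, mtype):
    """Stack used for service/type: its own entries, otherwise the 'other' entries."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])

def winbind_coverage(stacks, service):
    """Map each module type to pam_winbind's control flag, or None if it is not in the stack."""
    return {mtype: next((flag for flag, mod, _ in effective(stacks, service, mtype)
                         if mod.startswith("pam_winbind")), None)
            for mtype in ("auth", "account", "session", "password")}

if __name__ == "__main__":
    stacks = parse(PAM_CONF)
    for svc in ("ftp", "rsh", "cron"):   # "ftp" is an assumed service with no own entries
        print(svc, winbind_coverage(stacks, svc))
```
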