[Samba] PAM (winbind?) auth still does NOT work on Solaris 9

Дорофеев Михаил Сергеевич DorofeevMS at tmn.transneft.ru
Fri Jan 23 03:44:11 GMT 2004


Hi all!

I'm getting STUCK trying to get pam and winbind working.
Using Solaris 9, Samba 3.0.1 (built as ./configure --with-ads  --with-pam --with-syslog  --with-winbind)

Kerberos 5 is installed.

It looks like everything is working EXCEPT for user auth when telnetting, ftping etc...

(Browsing of Samba box and connecting to it works fine and fast!!!)

PLEASE, HELP!
Or point me to the right place to read; I've read everything from [docbook] to Thanks and the Internet...

Sincerely yours, 
Mike

Below is my configuration:

--------------------------------------------------------------------------
Here is my smb.conf file (unmodified)
-------------------------------------------------------------------------
# Global parameters
[global]
workgroup = TMN
realm = TMN.TRANSNEFT.RU
server string = AS08-TMN Samba server (running Samba 3.0.1)
security = DOMAIN
password server = msg01-tmn dc01-tmn
log level = 3 passdb:5 auth:10 winbind:2
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /export/home
template shell = /bin/bash
winbind separator = +

[tmp]
comment = Temporary place
path = /tmp
read only = No
-------------------------------------------------------------------------
Here is how I joined the domain:

bash-2.05# /usr/local/samba/bin/net rpc join -S dc01-tmn -U Administrator
Password:

Joined domain TMN.
bash-2.05#

Just to make sure it worked:

bash-2.05# ./net join -S dc01-tmn -UAdministrator
Administrator password:

[2004/01/22 21:03:33, 0] libads/ldap.c:ads_join_realm(1314)
  Host account for as08-tmn already exists - deleting old account
Using short domain name -- TMN
Joined 'AS08-TMN' to realm 'TMN.TRANSNEFT.RU'

-------------------------------------------------------------------------
Wbinfo -g works!
bash-2.05# /usr/local/samba/bin/wbinfo -g
TMN+Domain Admins
TMN+Domain Users
TMN+Domain Guests
TMN+Domain Computers
TMN+Domain Controllers
TMN+Cert Publishers
.......................
Wbinfo -t works!
Wbinfo -u works!

/etc/nsswitch.conf:

passwd:     files winbind
group:      files winbind

-------------------------------------------------------------------------
Here is the listing of *nss* modules in my /usr/lib/:

bash-2.05# ls -l /usr/lib/*nss*
-rwxr-xr-x   1 root     other      29576 Янв 16 08:39 /usr/lib/libnss_winbind.so
lrwxrwxrwx   1 root     other         26 Янв 23 08:37 /usr/lib/libnss_winbind.so.1 -> /usr/lib/libnss_winbind.so
lrwxrwxrwx   1 root     other         22 Янв 16 08:39 /usr/lib/libnss_winbind.so.2 -> /lib/libnss_winbind.so
-rwxr-xr-x   1 root     bin        23500 Апр  7  2002 /usr/lib/nss_compat.so.1
-rwxr-xr-x   1 root     bin        22552 Апр  7  2002 /usr/lib/nss_dns.so.1
-rwxr-xr-x   1 root     bin        35060 Апр  7  2002 /usr/lib/nss_files.so.1
-rwxr-xr-x   1 root     bin        77552 Сен 30 06:45 /usr/lib/nss_ldap.so.1
-rwxr-xr-x   1 root     bin        36508 Апр  7  2002 /usr/lib/nss_nis.so.1
-rwxr-xr-x   1 root     bin        45572 Апр  7  2002 /usr/lib/nss_nisplus.so.1
-rwxr-xr-x   1 root     bin        12516 Апр  7  2002 /usr/lib/nss_user.so.1
lrwxrwxrwx   1 root     other         26 Янв 23 08:37 /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so
lrwxrwxrwx   1 root     other         26 Янв 23 08:37 /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so
-rwxr-xr-x   1 root     bin        13760 Апр  7  2002 /usr/lib/nss_xfn.so.1
-------------------------------------------------------------------------
Here is the list of my /lib/security:
(cut)
lrwxrwxrwx   1 root     root          20 Ноя 13 03:18 pam_unix_auth.so -> ./pam_unix_auth.so.1
-rwxr-xr-x   1 root     bin        13604 Июл 16  2003 pam_unix_auth.so.1
lrwxrwxrwx   1 root     root          23 Ноя 13 03:18 pam_unix_session.so -> ./pam_unix_session.so.1
-rwxr-xr-x   1 root     bin        11828 Апр  7  2002 pam_unix_session.so.1
-rwxr-xr-x   1 root     other      27768 Янв 16 18:20 pam_winbind.so
lrwxrwxrwx   1 root     other         16 Янв 22 20:39 pam_winbind.so.1 -> ./pam_winbind.so
drwxr-xr-x   2 root     bin         1024 Янв 16 09:48 sparcv9

-------------------------------------------------------------------------
Below is my /etc/pam.conf file:
-------------------------------------------------------------------------
#
#ident	"@(#)pam.conf	1.20	02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login	auth requisite		pam_authtok_get.so.1
login auth sufficient		pam_dhkeys.so.1
login auth sufficient		pam_unix_auth.so.1
login auth sufficient		pam_dial_auth.so.1
login auth sufficient		/usr/lib/security/pam_winbind.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth requisite		pam_authtok_get.so.1
rlogin	auth sufficient		pam_dhkeys.so.1
rlogin	auth sufficient		pam_unix_auth.so.1
rlogin	auth sufficient		/usr/lib/security/pam_winbind.so.1 try_first_pass
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp	auth requisite		pam_authtok_get.so.1
ppp	auth required		pam_dhkeys.so.1
ppp	auth required		pam_unix_auth.so.1
ppp	auth required		pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
#
other	auth requisite		pam_authtok_get.so.1
other auth sufficient		pam_dhkeys.so.1
other auth sufficient		pam_unix_auth.so.1
other auth sufficient		/usr/lib/security/pam_winbind.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd	auth required		pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron	account required	pam_projects.so.1
cron	account required	pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other	account requisite	pam_roles.so.1
other	account sufficient	pam_projects.so.1
other	account sufficient	pam_unix_account.so.1
other	account sufficient	/usr/lib/security/pam_winbind.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other	session required	pam_unix_session.so.1
other session sufficient	/usr/lib/security/pam_winbind.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other	password required	pam_dhkeys.so.1
other	password requisite	pam_authtok_get.so.1
other	password requisite	pam_authtok_check.so.1
other	password required	pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin		auth optional		pam_krb5.so.1 try_first_pass
#login		auth optional		pam_krb5.so.1 try_first_pass
#other		auth optional		pam_krb5.so.1 try_first_pass
#cron		account optional 	pam_krb5.so.1
#other		account optional 	pam_krb5.so.1
#other		session optional 	pam_krb5.so.1
#other		password optional 	pam_krb5.so.1 try_first_pass 
-------------------------------------------------------------------------

Below is what I'm getting trying to telnet:

-------------------------------------------------------------------------
[2004/01/23 08:11:23, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth(196)
  Plain-text authentication for user tmn+DorofeevMS returned NT_STATUS_OK (PAM: 0)
[2004/01/23 08:11:23, 5] nsswitch/winbindd.c:winbind_client_read(464)
  read failed on sock 24, pid 16372: EOF
[2004/01/23 08:11:23, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(113)
  [16372]: getpwnam tmn+DorofeevMS
[2004/01/23 08:11:23, 3] nsswitch/winbindd_rpc.c:name_to_sid(290)
  rpc: name_to_sid name=DorofeevMS
[2004/01/23 08:11:23, 3] nsswitch/winbindd_rpc.c:name_to_sid(299)
  name_to_sid [rpc] DorofeevMS for domain TMN
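
Added example, not part of the original post: the header comment of the pam.conf above says services without their own entries use the "other" section, so telnet and ftp are governed by the `other` lines. This Python sketch parses pam.conf-style lines and lists, per module type, which stack a service ends up with, whether it contains a `required` entry, and which modules are named by absolute path rather than relative to /usr/lib/security/$ISA; the sample is a constructed subset of the posted file and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: a subset of the entries from the pam.conf in the post.
SAMPLE = """\
login  auth    requisite  pam_authtok_get.so.1
login  auth    sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass
other  auth    requisite  pam_authtok_get.so.1
other  auth    sufficient pam_unix_auth.so.1
other  auth    sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass
other  account requisite  pam_roles.so.1
other  account sufficient /usr/lib/security/pam_winbind.so.1
other  session required   pam_unix_session.so.1
#other session optional   pam_krb5.so.1
"""

def parse(text):
    """Return {(service, module_type): [(control, module, options), ...]}."""
    stacks = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment, or malformed line
        service, mtype, control, module, *opts = fields
        stacks[(service, mtype)].append((control, module, opts))
    return stacks

def effective(stacks, service, mtype):
    """Entries applied to `service`: its own, otherwise those of "other"."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])

def review(stacks, service):
    """Describe the stack `service` ends up with, one note per finding."""
    notes = []
    for mtype in ("auth", "account", "session", "password"):
        stack = effective(stacks, service, mtype)
        if not stack:
            notes.append(f"{mtype}: no entries")
            continue
        if (service, mtype) not in stacks:
            notes.append(f"{mtype}: falls back to 'other'")
        if not any(control == "required" for control, _, _ in stack):
            notes.append(f"{mtype}: no 'required' entry")
        for _, module, _ in stack:
            if module.startswith("/"):
                notes.append(f"{mtype}: {module} is absolute, not $ISA-relative")
    return notes

if __name__ == "__main__":
    print("\n".join(review(parse(SAMPLE), "telnet")))
```

Run it against the real /etc/pam.conf by passing the file's contents to `parse()` and calling `review()` for the service name the daemon registers with PAM.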