[Samba] winbind and Solaris 9 with AD

Patrik Gustavsson Patrik.Gustavsson at Sun.COM
Tue Jan 27 06:47:28 GMT 2004


Hi,

I have attached a pam.conf file for Solaris 9.

I had to re-create the file.

It has been tested for telnet, rlogin and ftp using winbind
for 3.0.1 as a W2003 Server member.

/Patrik



On Mon, 2004-01-19 at 15:45, Ganguly, Sapan wrote:
> Patrik,
> 
> Hello!  I have been waiting for you to get back, you may be able to help me.
> I am having trouble making winbind work with Solaris 9.  I was wondering if
> you could post a copy of your pam.conf again so that I can double check that
> I have a correct copy of it?
> 
> The problem I am having is that when I try to log in with an NT username and
> password the login process hangs after I put the password in.  I don't know
> why this happens because getent works.  I decided to log what is going on in
> PAM, here is what I got -
> 
> Jan 14 13:29:55 sun001 pam_winbind[15352]: [ID 571141 auth.debug] libpam_winbind:pam_sm_close_session handler
> Jan 14 13:29:59 sun001 login: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
> Jan 14 13:30:05 sun001 login: [ID 378613 auth.debug] pam_dhkeys: user ganguly not found
> Jan 14 13:30:05 sun001 login: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
> Jan 14 13:30:05 sun001 login: [ID 219349 auth.debug] pam_unix_auth: user ganguly not found
> Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 572310 auth.info] Verify user `ganguly'
> Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 614614 auth.notice] user 'ganguly' granted acces
> Jan 14 13:30:05 sun001 login[15369]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = tel net user = ganguly ruser = not set rhost = 192.168.224.90
> 
> Thanks for any help you can offer!
> 
> Sapan
> 
> -----Original Message-----
> From: Patrik Gustavsson [mailto:Patrik.Gustavsson at Sun.COM] 
> Sent: 19 January 2004 14:39
> To: Unix Service (ANTS)
> Cc: 'samba at lists.samba.org'
> Subject: Re: [Samba] winbind and Solaris 9 with AD
> 
> 
> Hi,
> 
> I have the following libraries and links in /usr/lib and 
> it works:
> 
> libnss_winbind.so
> libnss_winbind.so.1 -> libnss_winbind.so
> nss_winbind.so.1 -> libnss_winbind.so
> 
> /Patrik
> On Mon, 2004-01-19 at 13:13, Unix Service (ANTS) wrote:
> > Hi
> > 
> > have been trying to get winbind working on Solaris 9 but to no effect.
> > 
> > version info:
> > 
> > samba: 3.0.0
> > openldap: 2.1.23
> > kerberos: MIT 1.3.1
> > 
> > Have followed the instructions in every howto, usenet posting I could
> > find:
> > 
> > nscd not running
> > created relevant links in /lib and /lib/security/sparcv9
> > applied patch for nsswitch as recommended
> > 
> > kinit -e works
> > net ads join works
> > wbinfo -t works
> > wbinfo -u gives list of all users in all trusted domains
> > getent doesn't work
> > samba authentication doesn't work - get the following in winbindd.log:
> > 
> > [2004/01/19 10:59:27, 5] nsswitch/winbindd_pam.c:(379)
> >   NTLM CRAP authentication for user [DEV]\[test7] returned NT_STATUS_OK (PAM: 0)
> > [2004/01/19 10:59:27, 3] nsswitch/winbindd_acct.c:(875)
> >   [ 3551]: create_user: user=>(test7), group=>()
> > [2004/01/19 10:59:27, 5] nsswitch/winbindd_acct.c:(521)
> >   wb_getgrnam: Did not find group (nobody)
> > 
> > my smb.conf is:
> > 
> > workgroup = DEV
> > #workgroup = DEV.ANTS.AD.ANPLC.CO.UK
> > realm = DEV.ANTS.AD.ANPLC.CO.UK
> > security = ADS
> > password server = lonsd010.dev.ants.ad.anplc.co.uk
> > dns proxy = no
> > idmap gid = 70000-80000
> > idmap uid = 800000-900000
> > winbind cache time = 15
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > encrypt passwords = yes
> > log level = 9
> > 
> > [temp]
> > path = /tmp
> > read list = @users
> > 
> > [docs]
> > path = /var/tmp/samba-3.0.0
> > read list = @users
> > 
> > I would appreciate any pointers as to further debugging I could do or 
> > possible problems as being able to use winbind to deal with samba 
> > authentication would make life a great deal easier.
> > 
> > 
> -- 
> "In a world without fences who needs Gates"
> Patrik Gustavsson, Senior Technical Consultant
> patrik.gustavsson at sun.com     Telephone: +46 60 671540
> http://glen.sweden            Mobile: +46 70 3551040
> SUN MICROSYSTEMS              Fax: +46 60 671550
> --------------------------------------------------------------

-------------- next part --------------
#
#ident	"@(#)pam.conf	1.20	02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login	auth requisite		pam_authtok_get.so.1
login	auth sufficient		pam_winbind.so.1 try_first_pass
login	auth required		pam_dhkeys.so.1
login	auth required		pam_unix_auth.so.1
login	auth required		pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth requisite		pam_authtok_get.so.1
rlogin	auth sufficient		pam_dhkeys.so.1
rlogin	auth sufficient		pam_unix_auth.so.1
rlogin	auth sufficient		pam_winbind.so.1 try_first_pass
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp	auth requisite		pam_authtok_get.so.1
ppp	auth required		pam_dhkeys.so.1
ppp	auth required		pam_unix_auth.so.1
ppp	auth required		pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other	auth requisite		pam_authtok_get.so.1
other	auth sufficient		pam_dhkeys.so.1
other	auth sufficient		pam_unix_auth.so.1
other	auth sufficient		pam_winbind.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd	auth required		pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron	account required	pam_projects.so.1
cron	account required	pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other	account requisite	pam_roles.so.1
other	account required	pam_projects.so.1
other	account sufficient	pam_unix_account.so.1
other	account sufficient	pam_winbind.so.1 try_first_pass
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other	session required	pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other	password required	pam_dhkeys.so.1
other	password requisite	pam_authtok_get.so.1
other	password requisite	pam_authtok_check.so.1
other	password required	pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin		auth optional		pam_krb5.so.1 try_first_pass
#login		auth optional		pam_krb5.so.1 try_first_pass
#other		auth optional		pam_krb5.so.1 try_first_pass
#cron		account optional 	pam_krb5.so.1
#other		account optional 	pam_krb5.so.1
#other		session optional 	pam_krb5.so.1
#other		password optional 	pam_krb5.so.1 try_first_pass
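
An added example, not part of the original post or its attachment: a small Python model of control-flag stacking, used to check which auth stacks in the attached file still return success when only the password-collecting pam_authtok_get succeeds and every verifying module fails. It assumes the stacking rules of Solaris pam.conf(4), where a failed `sufficient` module counts only as an optional failure; the function names are hypothetical.

```python
# Added example: models control-flag stacking as described in Solaris pam.conf(4)
# (assumption: a failed "sufficient" module counts only as an optional failure).

# Auth lines of three services from the attached pam.conf (whitespace normalized).
PAM_CONF = """\
login  auth requisite  pam_authtok_get.so.1
login  auth sufficient pam_winbind.so.1 try_first_pass
login  auth required   pam_dhkeys.so.1
login  auth required   pam_unix_auth.so.1
login  auth required   pam_dial_auth.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite  pam_authtok_get.so.1
rlogin auth sufficient pam_dhkeys.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth sufficient pam_winbind.so.1 try_first_pass
other  auth requisite  pam_authtok_get.so.1
other  auth sufficient pam_dhkeys.so.1
other  auth sufficient pam_unix_auth.so.1
other  auth sufficient pam_winbind.so.1 try_first_pass
"""

def parse(text):
    """Return {(service, type): [(control_flag, module), ...]}, skipping comments."""
    stacks = {}
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 4:
            stacks.setdefault((f[0], f[1]), []).append((f[2], f[3]))
    return stacks

def evaluate(stack, ok):
    """Result of one stack when exactly the modules in `ok` return success."""
    required_failed = succeeded = False
    for flag, module in stack:
        if module in ok:
            if flag in ("sufficient", "binding") and not required_failed:
                return True          # success ends the stack early
            succeeded = True
        elif flag == "requisite":
            return False             # failure ends the stack early
        elif flag in ("required", "binding"):
            required_failed = True
        # a failed sufficient/optional module does not fail the stack
    return succeeded and not required_failed

def passes_without_verifier(stacks, collector="pam_authtok_get.so.1"):
    """Auth stacks returning success when only the password collector succeeds."""
    return sorted(s for (s, t), st in stacks.items()
                  if t == "auth" and evaluate(st, {collector}))
```

Any stack this reports is worth testing on the host with a deliberately wrong password. In the model, marking the last verifying module `required` instead of `sufficient` makes such a stack fail when no verifier succeeds.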

