[Samba] getent does not get remote users
Arno Hahma
arno at jyu.fi
Wed Mar 3 09:31:17 GMT 2004

I have a Samba 3.0.2a server running Linux, which I am trying to set up
to authenticate users from an NT4 PDC using winbindd. Now, everything
works up to the point where I try to list users with "getent passwd".
Getent only gets the local Unix users and has no clue about the NT4
users. Also, home directories for the NT4 users are not created and no
logs whatsoever are left behind by the PAM module pam_mkhomedir,
although I added the debug switch to it.

Otherwise, the system works: the shared secret is OK, wbinfo -u shows
all NT4 users correctly, and the NT4 users can even create a Samba
mount, provided the mounted directory has world rwx permissions (such
as the /tmp below in the smb.conf). This means the authentication works
OK, but the Unix box is just not aware of any winbindd users, even
though Samba is.

Any clues where to look for the problem? And yes, I did search through
winbindd how-tos and this mailing list's archives and tried all the
tricks there. I also do not have any local users by the same names as
the NT4 has them, thus, no conflicts here. Samba has been compiled with
all necessary support (PAM, winbind etc.) to support this scheme.
/etc/nsswitch.conf has been edited to include winbind. ldconfig has
been run to include the winbind shared modules. No nscd or any other
NSS services are running. What can still be wrong?

PAM configuration file "samba":

#%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth required pam_smbpass.so nodelay
account required /lib/security/pam_stack.so service=system-auth-winbind
session required /lib/security/pam_stack.so service=system-auth-winbind
password required pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf

The service lines were edited according to the instructions in the
smb.conf comments to include system-auth-winbind:

#%PAM-1.0
# $Header: /home/cvsroot/gentoo-x86/net-fs/samba/files/system-auth-winbind,v 1.1 2002/05/06 19:57:08 woodchip Exp $
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022 debug
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

My smb.conf looks like:
# Global parameters
[global]
dos charset = 850
unix charset = UTF8
workgroup = TESTWG
server string = %h Samba Server %v
interfaces = 192.168.1.1/23 192.168.3.1/23
security = DOMAIN
map to guest = Bad User
log level = 2
log file = /var/log/samba3/log.%m
max log size = 500
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
local master = No
dns proxy = No
remote announce = 192.168.2.255 192.168.3.255
remote browse sync = 192.168.2.255 192.168.3.255
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = _
printer admin = '@Domain Admins'
hosts allow = 192.168.1., 192.168.2., 192.168.3., 127.
hosts deny = ALL
map acl inherit = Yes
printing = cups
[homes]
comment = Home dirs
read only = No
browseable = No
[printers]
comment = Printers
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
print command = lpr-cups -P %p %s # using cups own drivers (use generic PostScript on clients).
browseable = No
[print$]
path = /var/lib/samba/printers
write list = @adm, root
guest ok = Yes
[tmp]
comment = temporary files
path = /tmp
guest ok = Yes
--
ArNO
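
The two prerequisites the message lists for "getent passwd", winbind in /etc/nsswitch.conf and a loadable winbind NSS module, can be checked mechanically. The script below is an added example, not part of the original message or of Samba; the function names are hypothetical, and it assumes glibc's libnss_<service>.so.2 module naming on Linux.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are made up for this example.

# List the services configured for database $2 in nsswitch file $1, one per
# line. Comments and [STATUS=action] items are dropped.
nss_services() {
    sed -e 's/#.*//' -e 's/[[:space:]]*:[[:space:]]*/: /' "$1" |
    awk -v db="$2:" '$1 == db {
        skip = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^\[/) skip = 1
            if (!skip) print $i
            if ($i ~ /\]$/) skip = 0
        }
    }'
}

# True when winbind is listed for database $2 in file $1.
nss_has_winbind() { nss_services "$1" "$2" | grep -qx winbind; }

# True when directory $1 holds the module under the name glibc loads,
# libnss_<service>.so.2; a bare libnss_winbind.so is not picked up.
nss_module_present() { [ -e "$1/libnss_winbind.so.2" ]; }

# Print one line per check; the return value is the number of failures.
check_winbind_nss() {   # $1 = nsswitch.conf path, $2 = library directory
    problems=0
    for db in passwd group; do
        if nss_has_winbind "$1" "$db"; then
            echo "ok:   $db: $(nss_services "$1" "$db" | tr '\n' ' ')"
        else
            echo "FAIL: winbind not listed for $db in $1"
            problems=$((problems + 1))
        fi
    done
    if nss_module_present "$2"; then
        echo "ok:   $2/libnss_winbind.so.2"
    else
        echo "FAIL: $2/libnss_winbind.so.2 missing"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: winbind on passwd only, module lacking the .so.2 name.
demo=$(mktemp -d)
printf '%s\n' 'passwd: files winbind  # users' 'group:files' > "$demo/ns.conf"
: > "$demo/libnss_winbind.so"
check_winbind_nss "$demo/ns.conf" "$demo" || echo "failures: $?"
rm -rf "$demo"
```

On a real host the call would be check_winbind_nss /etc/nsswitch.conf /lib, with the library directory adjusted to wherever the distribution installs NSS modules.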