[Samba] getent does not get remote users

Shannon Johnson sjohnson at engr.psu.edu
Wed Mar 3 15:25:21 GMT 2004


I'm not sure where you've gotten some of your configuration, but it
doesn't look right to me... I am, however, only comparing it to my
setup, which does work. I'll make notes on what differences I see,
although I wouldn't consider myself an expert on samba, winbind, or pam.

First, I never changed my /etc/pam.d/samba from the original. Mine looks
like:

#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth


The other files in /etc/pam.d which I want to use the PDC for
authentication look like:

#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so service=system-auth
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so skel=/etc/skel umask=0222
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so


Your smb.conf file looks like it's lacking something, mostly concerning
winbind, although since I'm using an Active Directory domain, rather
than NT4, I'm not sure if the differences between yours and mine would
cause the problems you're seeing. I would assume you could cut out the
AD stuff from mine and substitute the non-AD settings for yours... but
I'm not sure. My smb.conf file (which I wrote out by hand, rather than
using samba's default template) looks like:

# General Options
workgroup = TEST
netbios name = linux-machine-name

# Winbind Configuration
winbind separator = _
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /users/%U
template shell = /bin/bash
# following option automatically prepends the domain name
# to the username when a user tries to login
winbind use default domain = yes

# Active Directory Config
security = ads
encrypt passwords = yes
# IP of the AD server
password server = 192.168.1.5
realm = TEST.DOMAIN.COM


I've probably managed to confuse more than I've helped... but I hope
not.

Shannon


____________________________
 
Shannon Johnson
Network Support Specialist / Systems Administrator
Dept. of Mechanical and Nuclear Engineering
224 Reber Building
University Park, PA 16802
Phone: (814) 865-8267
____________________________
 
> -----Original Message-----
> From: Arno Hahma [mailto:arno at jyu.fi]
> Sent: Wednesday, March 03, 2004 4:31 AM
> To: samba at lists.samba.org
> Subject: [Samba] getent does not get remote users
> 
> I have a samba 3.0.2a -server running Linux, which I try to set up to
> authenticate users from a NT4 PDC using winbindd. Now, everything works
> to the point, where I try to list users with "getent passwd". Getent
> only gets the local unix-users and has no clue about the NT4 -users.
> Also, home directories for the NT4 -users are not created and no logs
> whatsoever are left behind by the PAM module pam_mkhomedir, although I
> added the debug -switch to it.
> 
> Otherwise, the system works: the shared secret is ok, wbinfo -u shows
> all NT4 -users correctly, and the NT4 -users can even create a
> samba -mount, provided the mounted directory has world rwx -permissions
> (such as the /tmp below in the smb.conf). This means the authentication
> works ok, but the unix box is just not aware of any winbindd users,
> even though samba is.
> 
> Any clues, where to look for the problem? And yes, I did search through
> winbindd how-tos and this mailing list archives and tried all the
> tricks there. I also do not have any local users by the same names as
> the NT4 has them, thus, no conflicts here. Samba has been compiled with
> all necessary support (PAM, winbind etc. ) to support this scheme.
> /etc/nsswitch.conf has been edited to include winbind. ldconfig has
> been run to include the winbind shared modules.  No nscd or any other
> NSS services are running. What can still be wrong?
> 
> PAM configuration file "samba":
> 
> #%PAM-1.0
> # pam_smbpass.so authenticates against the smbpasswd file
> auth       required     pam_smbpass.so nodelay
> account    required     /lib/security/pam_stack.so service=system-auth-winbind
> session    required     /lib/security/pam_stack.so service=system-auth-winbind
> password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
> 
> The service -lines were edited according to the instructions in
> smb.conf comments
> to include system-auth-winbind:
> 
> #%PAM-1.0
> # $Header: /home/cvsroot/gentoo-x86/net-fs/samba/files/system-auth-winbind,v 1.1 2002/05/06 19:57:08 woodchip Exp $
> 
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
> auth        sufficient    /lib/security/pam_winbind.so
> auth        required      /lib/security/pam_deny.so
> 
> account     sufficient    /lib/security/pam_winbind.so
> account     required      /lib/security/pam_unix.so
> 
> password    required      /lib/security/pam_cracklib.so retry=3
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password    required      /lib/security/pam_deny.so
> 
> session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022 debug
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> 
> 
> My smb.conf looks like:
> 
> # Global parameters
> [global]
>          dos charset = 850
>          unix charset = UTF8
>          workgroup = TESTWG
>          server string = %h Samba Server %v
>          interfaces = 192.168.1.1/23 192.168.3.1/23
>          security = DOMAIN
>          map to guest = Bad User
>          log level = 2
>          log file = /var/log/samba3/log.%m
>          max log size = 500
>          socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>          printcap name = cups
>          local master = No
>          dns proxy = No
>          remote announce = 192.168.2.255 192.168.3.255
>          remote browse sync = 192.168.2.255 192.168.3.255
>          idmap uid = 10000-20000
>          idmap gid = 10000-20000
>          winbind separator = _
>          printer admin = '@Domain Admins'
>          hosts allow = 192.168.1., 192.168.2., 192.168.3., 127.
>          hosts deny = ALL
>          map acl inherit = Yes
>          printing = cups
> 
> [homes]
>          comment = Home dirs
>          read only = No
>          browseable = No
> 
> [printers]
>          comment = Printers
>          path = /var/spool/samba
>          create mask = 0700
>          guest ok = Yes
>          printable = Yes
>          print command = lpr-cups -P %p %s # using cups own drivers (use generic PostScript on clients).
>          browseable = No
> 
> [print$]
>          path = /var/lib/samba/printers
>          write list = @adm, root
>          guest ok = Yes
> 
> [tmp]
>          comment = temporary files
>          path = /tmp
>          guest ok = Yes
> 
> 
> --
> ArNO
>      2
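
An added example, not part of the original thread: a small Python check that lists the winbind, idmap and template parameters set in the working smb.conf from the reply but absent from the failing one, and tests whether an nsswitch.conf database lists winbind. The sample inputs are constructed (the two smb.conf snippets are abbreviated from the configs quoted in the thread, the nsswitch.conf is hypothetical), and the function names are this example's own.

```python
import re

def parse_globals(text):
    """Map normalized name -> (name, value) for an smb.conf's global parameters.
    Assumption: lines before any [section] header count as global."""
    section, params = "global", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comments are whole lines only
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)     # a trailing "# ..." stays in the value
            key = "".join(name.lower().split())  # names ignore case and whitespace
            params[key] = (" ".join(name.split()), value.strip())
    return params

def missing_identity_params(reference, target, prefixes=("winbind", "idmap", "template")):
    """Identity-mapping parameters set in `reference` but absent from `target`."""
    ref, tgt = parse_globals(reference), parse_globals(target)
    return sorted(ref[k][0] for k in ref if k.startswith(prefixes) and k not in tgt)

def nss_uses_winbind(nsswitch_text, database):
    """True if the given nsswitch.conf database (passwd, group) lists winbind."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            return "winbind" in line.split(":", 1)[1].split()
    return False

# Constructed samples: abbreviated from the two smb.conf files in the thread.
WORKING = """winbind separator = _
idmap uid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /users/%U
winbind use default domain = yes
"""
FAILING = """[global]
   idmap uid = 10000-20000
   winbind separator = _
[tmp]
   path = /tmp
"""
# Hypothetical nsswitch.conf (not the poster's) with winbind missing from group.
NSSWITCH = "passwd: files winbind\ngroup:  files\n"
if __name__ == "__main__":
    print(missing_identity_params(WORKING, FAILING), nss_uses_winbind(NSSWITCH, "group"))
```

The list only shows where the two configurations differ on the winbind side; it does not say which parameter, if any, is the cause.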

