[Samba] RE: Smbd 3.0.13 dies when smb.conf has winbind separator = \
Doug VanLeuven
roamdad at sonic.net
Sun Apr 3 09:03:24 GMT 2005
Greg Scott wrote:
>I can run ntlm_auth by hand. If I pass it a valid domain\username
>password, it returns OK. And if I pass it a bogus one, it returns ERR.
>When I run
>
> /usr/local/samba/bin/wbinfo -u
>
>it returns all my AD usernames like this: DOMAIN\user.
>
>So it looks like winbindd is working. But when I run getent passwd, all
>that comes back are the entries from my local passwd file. If I'm
>reading the documentation correctly, it's supposed to also return my A/D
>entries, right? (nsswitch.conf and libraries noted below.) So winbindd
>seems to be doing its job, smbd is just not calling it. Could this be
>related to the backslash character issue or is this a dead-end?
>
>
It's a dead end. Run testparm -sv |grep 'winbind separator'
with it commented out in the conf file to see what it is.
> Here is some more strange behavior, trying to follow the instructions in
> 22.5.3.1 of the HOWTO-Collection:
>
> [root at infra-fw lib]#
> [root at infra-fw lib]# ln --symbolic libnss_windbind.so libnss_winbind.so.2
> [root at infra-fw lib]# ls -la /lib | grep winbind
> -rwxr-xr-x 1 root root 305094 Apr 2 20:21 libnss_winbind.so
> lrwxrwxrwx 1 root root 18 Apr 3 00:45 libnss_winbind.so.2 -> libnss_windbind.so
> [root at infra-fw lib]#
> [root at infra-fw lib]# /sbin/ldconfig -v | grep winbind
> /sbin/ldconfig: Cannot stat /lib/libnss_winbind.so.2: No such file or directory
> libnss_winbind.so -> libnss_winbind.so
> [root at infra-fw lib]#
> [root at infra-fw lib]# ls -la /lib | grep winbind
> -rwxr-xr-x 1 root root 305094 Apr 2 20:21 libnss_winbind.so
> [root at infra-fw lib]#
>
> Note that ldconfig got rid of that symbolic link the HOWTO suggested
> putting in. I have to believe the messed up linkage between smbd and
> winbindd is related somehow to this.
I made this script to update the library after each samba build. Run it
from the samba source directory. Should be more robust about the source
dir, but I'm the only one who uses it. Remove the libnss_wins.so lines
if you don't use it. Probably don't need the .1 links, but I was
shotgunning in the beginning and never went back. The version number X
is 1 for glibc 2.0 and 2 for glibc 2.1. I have some old stuff.
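#!/bin/sh
# Install the freshly built NSS modules into the system library directories.
# Run from the samba source directory.
echo "Copying nsswitch modules to system library"
CWD=$(pwd)

# Remove the old modules and their versioned links
cd /lib || exit 1
rm -f libnss_winbind.so libnss_winbind.so.1 libnss_winbind.so.2
rm -f libnss_wins.so libnss_wins.so.1 libnss_wins.so.2
cd /usr/lib || exit 1
rm -f libnss_winbind.so libnss_wins.so

# Copy the new modules from the build tree
cd "$CWD" || exit 1
cp -f nsswitch/libnss_winbind.so /lib
cp -f nsswitch/libnss_wins.so /lib

# Recreate the versioned links (.1 for glibc 2.0, .2 for glibc 2.1)
cd /lib || exit 1
ln -sf libnss_winbind.so libnss_winbind.so.1
ln -sf libnss_winbind.so libnss_winbind.so.2
ln -sf libnss_wins.so libnss_wins.so.1
ln -sf libnss_wins.so libnss_wins.so.2

# Point /usr/lib at the copies in /lib, then refresh the linker cache
cd /usr/lib || exit 1
ln -sf ../../lib/libnss_winbind.so libnss_winbind.so
ln -sf ../../lib/libnss_wins.so libnss_wins.so
ldconfig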
>Here is the dump of my current smb.conf, without all the ugly comments:
>
>[root at infra-fw lib]# /usr/local/samba/bin/testparm
>Load smb config files from /usr/local/samba/lib/smb.conf
>Processing section "[homes]"
>Processing section "[printers]"
>Processing section "[gregshare]"
>Loaded services file OK.
>Server role: ROLE_DOMAIN_MEMBER
>Press enter to see a dump of your service definitions
>
># Global parameters
>[global]
> workgroup = INFRASUPPORTETC
> realm = INFRASUPPORTETC.COM
>
>
In your original post, you had specified netbios name = SQUIDTEST but
the prompt is root at infra-fw samba. For security=ads, Windows and
Kerberos get very picky about the computer name being the same as the
DNS name. I use netbios aliases, but then manually add them to the
servicePrincipalName in the computer account in AD. I can't tell if
you ever joined the domain, but if you did with the SQUIDTEST netbios
name, I'd probably stop samba, delete all the *.tdb files in the lock
directory and private/secrets.tdb and start over.
> server string = Greg squidtest Samba Server
> interfaces = 10.10.10.2
> security = ADS
> log file = /var/log/samba/log.smbd
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = No
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
>[root at infra-fw lib]#
>
>
>
>>I am trying to get winbind to work so my domain users can touch shares
>>on this Linux box without being prompted for credentials. I put
>>these in nsswitch.conf:
>>
>> passwd: files winbind
>> group: files winbind
>>
>>
I use compat instead of files. From man nsswitch.conf:

    An example /etc/nsswitch.conf (namely, the default used when
    /etc/nsswitch.conf is missing):

    passwd: compat
    group: compat
    shadow: compat

I also use NIS and use the winbind trusted domains only = Yes so the
compat tries all the native authentication methods first.
FYI, I still run RH9 servers. Some des only, some arc4, some dns=realm
and some dns != realm. krb5-MIT-1.3.5-1, ypbind-1.11-4, 2.4.20-28.9smp.
There was some talk that the 2.4 kernels might have trouble with
sendfile, so use sendfile = No
Regards, Doug
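
Added example, not part of the original thread: in the quoted session the link libnss_winbind.so.2 points at libnss_windbind.so, a name that is not in the directory listing, and ldconfig reports it cannot stat the link. The sketch below checks for that condition and for the winbind entries in nsswitch.conf; the function names are hypothetical, and /lib and the .so.2 suffix are taken from the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Directory and file are parameters so the checks can run on a scratch copy.

# nss_uses_winbind FILE DB: succeeds if DB's line in FILE lists winbind.
nss_uses_winbind() {
    grep -Eq "^[[:space:]]*$2:(.*[[:space:]])?winbind([[:space:]]|\$)" "$1"
}

# nss_lib_status LIBDIR NAME VER: prints ok, missing or dangling for
# LIBDIR/libnss_NAME.so.VER, the versioned name the thread links.
nss_lib_status() {
    lib="$1/libnss_$2.so.$3"
    if [ -L "$lib" ] && [ ! -e "$lib" ]; then
        echo dangling            # symlink whose target does not exist
    elif [ -e "$lib" ]; then
        echo ok
    else
        echo missing
    fi
}

# check_winbind_nss [LIBDIR] [NSSWITCH]: reports each problem, returns 1 if any.
check_winbind_nss() {
    libdir=${1:-/lib} conf=${2:-/etc/nsswitch.conf} rc=0
    for db in passwd group; do
        nss_uses_winbind "$conf" "$db" ||
            { echo "$db: winbind not listed in $conf"; rc=1; }
    done
    st=$(nss_lib_status "$libdir" winbind 2)
    [ "$st" = ok ] || { echo "$libdir/libnss_winbind.so.2: $st"; rc=1; }
    return $rc
}

# Constructed scratch setup mirroring the quoted session: the link target is
# spelled libnss_windbind.so, so libnss_winbind.so.2 dangles.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/libnss_winbind.so"
    ln -s libnss_windbind.so "$d/libnss_winbind.so.2"
    printf 'passwd: files winbind\ngroup: files winbind\n' > "$d/nsswitch.conf"
    check_winbind_nss "$d" "$d/nsswitch.conf"; rc=$?
    rm -rf "$d"
    return $rc
}

# "sh thisfile demo" runs the constructed case; "--check" tests the live system.
case "${1:-}" in demo) demo ;; --check) check_winbind_nss ;; esac
```

A clean result only covers the library and nsswitch.conf side; getent passwd still depends on winbindd running and the domain join being valid.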