[Samba] Winbind and openSSH problem on Solaris 8/Sparc

Disatnik Gil Gil.Disatnik at comverse.com
Mon Mar 21 13:24:40 GMT 2005

Hello there,
I have winbind configured and working fine on a Solaris 8 machine
pam is configured ok (I guess) as telnet/su'ing/smb access  is working
fine, OpenSSH 3.9 is configured with the following options:
--prefix=/usr/local --sysconfdir=/etc/ssh --with-md5-passwords
bin:/bin --with-ipv4-default --with-privsep-path=/var/empty
--with-privsep-user=sshd --with-ssl-dir=/tmp/openssl-0.9.7e
--with-zlib=/tmp/zlib1.2.2 --with-pam

Yet, when trying to login, this is what I see in the messages file:

sshd[21182]: [ID 401707 auth.error] open_module:
/usr/lib/security/pam_winbind.so failed: ld.so.1: /usr/local/sbin/sshd:
fatal: relocation error: file /usr/lib/security/pam_winbind.so: symbol
main: referenced symbol not found
sshd[21182]: [ID 487707 auth.error] load_modules: can not open module
sshd[21180]: [ID 800047 auth.error] error: PAM: Dlopen failure for
illegal user my_user from x.x.x.x 
Another issue, not related to this problem - 
(happens on Solaris 8/sparc machines only) - sometimes when I login
while winbind is enabled and running, every command I run is running in
the background automatically... this is really annoying...
Any suggestions?
#ident  "@(#)pam.conf   1.16    01/01/24 SMI"
# Copyright (c) 1996-2000 by Sun Microsystems, Inc.
# All rights reserved.
# PAM configuration
# Authentication management
login   auth required            /usr/lib/security/pam_winbind.so
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1 try_first_pass
login   auth required           pam_dial_auth.so.1 try_first_pass
rlogin  auth sufficient         /usr/lib/security/pam_winbind.so
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_auth.so.1 try_first_pass
dtlogin auth sufficient         /usr/lib/security/pam_winbind.so
dtlogin auth requisite          pam_authtok_get.so.1
dtlogin auth required           pam_dhkeys.so.1
dtlogin auth required           pam_unix_auth.so.1 try_first_pass
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_auth.so.1
other   auth sufficient         /usr/lib/security/pam_winbind.so
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_auth.so.1 try_first_pass
# Account management
login   account sufficient              /usr/lib/security/pam_winbind.so
login   account requisite               pam_roles.so.1
login   account required                pam_projects.so.1
login   account required                pam_unix_account.so.1
dtlogin account sufficient              /usr/lib/security/pam_winbind.so
dtlogin account requisite               pam_roles.so.1
dtlogin account required                pam_projects.so.1
dtlogin account required                pam_unix_account.so.1
other   account sufficient              /usr/lib/security/pam_winbind.so
other   account requisite               pam_roles.so.1
other   account required                pam_projects.so.1
other   account required                pam_unix_account.so.1
# Session management
other   session required                pam_unix_session.so.1
# Password management
#other  password sufficient             /usr/lib/security/pam_winbind.so
other   password required               pam_dhkeys.so.1
other   password requisite              pam_authtok_get.so.1
other   password requisite              pam_authtok_check.so.1
other   password required               pam_authtok_store.so.1
dtsession       auth requisite          pam_authtok_get.so.1
dtsession       auth required           pam_dhkeys.so.1
dtsession       auth required           pam_unix_auth.so.1
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#rlogin auth optional           pam_krb5.so.1 try_first_pass
#login  auth optional           pam_krb5.so.1 try_first_pass
#dtlogin        auth optional           pam_krb5.so.1 try_first_pass
#other  auth optional           pam_krb5.so.1 try_first_pass
#dtlogin        account optional        pam_krb5.so.1
#other  account optional        pam_krb5.so.1
#other  session optional        pam_krb5.so.1
#other  password optional       pam_krb5.so.1 try_first_pass
# Support for Solaris PPP (sppp)
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth    required                pam_dial_auth.so.1
ppp     account requisite               pam_roles.so.1
ppp     account required                pam_projects.so.1
ppp     account required                pam_unix_account.so.1
ppp     session required                pam_unix_session.so.1
passwd  auth required           pam_passwd_auth.so.1
cron    account required                pam_unix_account.so.1
#cron   account optional                pam_krb5.so.1

        # Generic
        workgroup = XXX
        server string = Solaris 8 Sparc - Samba %v
        # Security
        security = DOMAIN
        encrypt passwords = Yes
        password server = x.x.x.x
        allow trusted domains = No
        # Logging
        log level = 2
        syslog = 0
        # Performance
        # Browsing / Services
        os level = 0
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        wins server = x.x.x.x
        # Winbind
        idmap uid = 10000-100000
        idmap gid = 10000-100000
        idmap backend = idmap_rid:FOO_CORP=10000-100000
        winbind separator = -
        winbind enum users = Yes
        winbind enum groups = Yes
        template homedir = /home/%U
        template shell = /bin/bash
        browseable = No
        read only = No

More information about the samba mailing list