[Samba] Solaris nsswitch.conf with winbind
Mike
mseow at singnet.com.sg
Mon Feb 27 09:16:40 GMT 2006
Hi,
I have the exact same problem (described in this archived mail below) but couldn't find any solution in the archives or on google.
So far, I have tried renaming one of the "allowed" libraries like ldap and then creating a symlink named nss_ldap.so.1 to point to nss_winbind.so.1 and also tried renaming in different versions of the /etc/nsswitch.conf file before and after starting winbindd but none of these work.
Can any Solaris admin who also uses Winbind with password aging let me know of any workarounds for this problem ?
thanks,
Mike
(the exact problem is described below)
========================================================
>From David.Legge at dier.tas.gov.au Sun Jan 4 23:49:02 2004
From: David.Legge at dier.tas.gov.au (David Legge)
Date: Sun Jan 4 23:49:26 2004
Subject: [Samba] Problem with winbind and nsswitch.conf on Solaris 8 server
Message-ID: <2E2D9E4E474FD14C9F9A76B3A2EF61B7048917 at MURR-MAIL.core.agency>
Hello,
I'm having some problems using winbind on Samba 3.0.1 with /etc/nsswitch.conf on a Solaris 8 server. The Solaris 8 release is 10/00.
The basic problem that I have is that there are restrictions on what nsswitch.conf can contain if password ageing is used.
My setup is that users connecting to shares on the Solaris samba server are authenticated against a accounts on a Windows Active Directory Domain. (That is, smb.conf is configured to use "security = ADS"). I am using winbind on the Solaris samba server to enumerate Active Directory Domain users and groups as standard unix groups and users.
I have installed the winbind libraries thus:
cp libnss_winbind.so /lib
ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1
ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1
ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2
I have also edited /etc/nsswitch.conf from using
passwd: files
group: files
to
passwd: files winbind
group: files winbind
The problem that I have is that there are restrictions on what nsswitch.conf can contain if password ageing is used.
This is indicated in the Solaris 8 man page for nsswitch.conf(4), which says:
Interaction with Password Aging
When password aging is turned on, only a limited set of pos-
sible name services are permitted for the passwd: database
in the /etc/nsswitch.conf file:
passwd:
files
passwd:
files nis
passwd:
files nisplus
passwd:
files ldap
passwd:
compat
passwd_compat:
nisplus
passwd_compat:
ldap
Any other settings will cause the passwd(1) command to fail
when it attempts to change the password after expiration and
will prevent the user from logging in. These are the only
permitted settings when password aging has been turned on.
Otherwise, you can work around incorrect passwd: lines by
using the -r repository argument to the passwd(1) command
and using passwd -r repository to override the nsswitch.conf
settings and specify in which name service you want to
modify your password.
So, using winbind like this forces me to use `passwd -r files` to do operations using the passwd command.
If I don't use the "-r" switch on the password command, an error is produced due to the presense of winbind in the nsswitch.conf file. The error is
passwd: Unsupported nsswitch entry for "passwd:". Use "-r repository ".
We have some applications that will break because of this and we have to use password ageing because of our security policy.
Is there any way of overcoming this limitation with nsswitch.conf and winbind on Solaris 8?
Thanks,
David Legge
David Legge Ph.D.
Corporate Applications Server Support Officer
Information Management Branch
Department of Infrastructure, Energy and Resources
10 Murray Street, Hobart
GPO Box 936, Hobart, 7001
Tasmania, Australia
Telephone: (03) 62337148
Facsimile: (03) 62332573
===============================================
More information about the samba
mailing list