[Samba] Solaris nsswitch.conf with winbind

Mike mseow at singnet.com.sg
Mon Feb 27 09:16:40 GMT 2006


Hi,

I have the exact same problem (described in this archived mail below) but couldn't find any solution in the archives or on Google.

So far, I have tried renaming one of the "allowed" libraries like ldap and then creating a symlink named nss_ldap.so.1 to point to nss_winbind.so.1 and also tried renaming in different versions of the /etc/nsswitch.conf file before and after starting winbindd but none of these work.

Can any Solaris admin who also uses Winbind with password aging let me know of any workarounds for this problem?

thanks,
Mike

(the exact problem is described below)
========================================================
From David.Legge at dier.tas.gov.au  Sun Jan  4 23:49:02 2004
From: David.Legge at dier.tas.gov.au (David Legge)
Date: Sun Jan  4 23:49:26 2004
Subject: [Samba] Problem with winbind and nsswitch.conf on Solaris 8 server
Message-ID: <2E2D9E4E474FD14C9F9A76B3A2EF61B7048917 at MURR-MAIL.core.agency>

Hello,

I'm having some problems using winbind on Samba 3.0.1 with /etc/nsswitch.conf on a Solaris 8 server. The Solaris 8 release is 10/00.

The basic problem that I have is that there are restrictions on what nsswitch.conf can contain if password ageing is used. 

My setup is that users connecting to shares on the Solaris samba server are authenticated against accounts on a Windows Active Directory Domain. (That is, smb.conf is configured to use "security = ADS"). I am using winbind on the Solaris samba server to enumerate Active Directory Domain users and groups as standard unix groups and users.

I have installed the winbind libraries thus:

cp libnss_winbind.so /lib
ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1
ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1
ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2

I have also edited /etc/nsswitch.conf from using 

passwd:     files
group:      files

to

passwd:     files winbind
group:      files winbind


The problem that I have is that there are restrictions on what nsswitch.conf can contain if password ageing is used.

This is indicated in the Solaris 8 man page for nsswitch.conf(4), which says:

  Interaction with Password Aging
     When password aging is turned on, only a limited set of pos-
     sible  name  services are permitted for the passwd: database
     in the /etc/nsswitch.conf file:

          passwd:
                files

          passwd:
                files nis

          passwd:
                files nisplus

          passwd:
                files ldap

          passwd:
                compat

          passwd_compat:
                nisplus

          passwd_compat:
                ldap

     Any other settings will cause the passwd(1) command to  fail
     when it attempts to change the password after expiration and
     will prevent the user from logging in. These  are  the  only
     permitted  settings  when password aging has been turned on.
     Otherwise, you can work around incorrect  passwd:  lines  by
     using  the  -r  repository argument to the passwd(1) command
     and using passwd -r repository to override the nsswitch.conf
     settings  and  specify  in  which  name  service you want to
     modify your password.


So, using winbind like this forces me to use `passwd -r files` to do operations using the passwd command.

If I don't use the "-r" switch on the password command, an error is produced due to the presence of winbind in the nsswitch.conf file. The error is

passwd: Unsupported nsswitch entry for "passwd:". Use "-r repository ".


We have some applications that will break because of this and we have to use password ageing because of our security policy.

Is there any way of overcoming this limitation with nsswitch.conf and winbind on Solaris 8?

Thanks,

David Legge


David Legge Ph.D.
Corporate Applications Server Support Officer
Information Management Branch
Department of Infrastructure, Energy and Resources

10 Murray Street, Hobart

GPO Box 936, Hobart, 7001
Tasmania, Australia

Telephone:  (03) 62337148
Facsimile:  (03) 62332573
===============================================
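
Added example (not part of either message, and not Samba or Solaris code): a shell check that compares the passwd: line of an nsswitch.conf file with the settings the quoted nsswitch.conf(4) text lists as permitted under password aging. The function names are hypothetical, and accepting "compat" with no passwd_compat: line is an assumption.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the permitted list is
# taken from the nsswitch.conf(4) excerpt quoted in the message above.

# Print the source list for database $1 in file $2, with comments
# stripped and whitespace collapsed (first matching line only).
nss_sources() {
    awk -v db="$1" '
        { sub(/#.*/, "") }
        $1 == db ":" {
            out = ""
            for (i = 2; i <= NF; i++) out = out (i > 2 ? " " : "") $i
            print out
            exit
        }' "$2"
}

# Return 0 if the passwd: setting is on the permitted list, 1 otherwise.
# Prints a one-line verdict either way.
check_passwd_aging() {
    conf="${1:-/etc/nsswitch.conf}"
    passwd=$(nss_sources passwd "$conf")
    compat=$(nss_sources passwd_compat "$conf")
    case "$passwd" in
        "files"|"files nis"|"files nisplus"|"files ldap")
            echo "OK: passwd: $passwd"; return 0 ;;
        "compat")
            # Assumption: an absent passwd_compat: line is acceptable.
            case "$compat" in
                ""|"nisplus"|"ldap")
                    echo "OK: passwd: compat (passwd_compat: ${compat:-unset})"
                    return 0 ;;
            esac
            echo "UNSUPPORTED: passwd_compat: $compat"; return 1 ;;
    esac
    echo "UNSUPPORTED: passwd: ${passwd:-missing}; passwd(1) will need -r repository"
    return 1
}

# Constructed sample: the passwd:/group: lines from the message above.
sample="${TMPDIR:-/tmp}/nsswitch.sample.$$"
printf 'passwd:     files winbind\ngroup:      files winbind\n' > "$sample"
check_passwd_aging "$sample" || true
rm -f "$sample"
```

Run against the live file with `check_passwd_aging /etc/nsswitch.conf` before enabling password aging; a non-zero exit means passwd(1) will refuse the entry as described above.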

