[Samba] Strange problem - Samba 3.0.23 on Solaris 9 Sparc

Samuel Partida samuel.partida at isotrol.com
Tue Jul 25 07:09:43 GMT 2006


Hi, we have successfully deployed Linux clients to an Active Directory domain 
with Samba 3.0.23. We had no problems with ADS authentication, winbind, 
Kerberos, or ID resolution.

Later we did the same on a test Solaris 9 x86 server, again with a successful 
result.

Our problem begins with a production Solaris 9 Sparc server. Everything runs 
successfully, but there is just one user in Active Directory for whom, when we 
change some group membership, the changes are not reflected on the Solaris 9 
server (verified with the groups command)... It is very strange, because for 
other users it works perfectly.

We thought that the winbind cache was involved, so we deleted the files and 
ran the daemon in no-caching mode, without success....

Does anyone have any clue? Thanks!

P.S.: Attached are the config files.
-- 
---
Samuel Partida Amores
ISOTROL. Área de Seguridad.
samuel.partida at isotrol.com
Tfno. 955 036 836
---
-------------- next part --------------
# Kerberos client configuration: names the default realm and the KDC used for it.
[libdefaults]
	default_realm = SEGURIDAD.RED.ISOTROL.COM
# A single KDC is listed, addressed by IP on port 88, so there is no second
# KDC to fall back on if that host is unreachable.
[realms] 
	SEGURIDAD.RED.ISOTROL.COM = {
	kdc = 192.168.101.138:88
}
-------------- next part --------------
#
#ident	"@(#)pam.conf	1.20	02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
# login auth stack: pam_authtok_get collects the password, then the modules
# below are tried in order and the first one to succeed ends the stack.
# NOTE(review): every module after pam_authtok_get is "sufficient". Under
# pam.conf(4) a failing sufficient module counts only as an optional failure,
# so when all of them fail the only recorded result is the requisite success
# of pam_authtok_get. Confirm that a wrong password is rejected for this
# service; the usual layout keeps the last auth module "required".
login	auth requisite		pam_authtok_get.so.1
login	auth sufficient		pam_dhkeys.so.1
login	auth sufficient		pam_unix_auth.so.1
login	auth sufficient		pam_dial_auth.so.1
# pam_winbind is loaded by absolute path, unlike the relative names above.
# "debug" makes it log verbosely and is normally dropped once the setup works;
# try_first_pass reuses the password already collected.
login	auth sufficient         /usr/lib/security/pam_winbind.so.1 debug try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
# rlogin auth stack. pam_rhosts_auth comes first as "sufficient", so a peer
# trusted through hosts.equiv/.rhosts is accepted before any password is
# requested; audit those files if the service stays enabled.
# NOTE(review): the password modules after pam_authtok_get are all
# "sufficient" and no "required" module closes the stack - confirm that a
# failed password check actually denies the login.
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth requisite		pam_authtok_get.so.1
rlogin	auth sufficient		pam_dhkeys.so.1
rlogin	auth sufficient		pam_unix_auth.so.1
rlogin	auth sufficient         /usr/lib/security/pam_winbind.so.1 debug try_first_pass
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
# rsh auth stack: host-based trust (pam_rhosts_auth) first, then pam_unix_auth
# and pam_winbind, all "sufficient". No pam_authtok_get is listed, so this
# stack never prompts for a password.
# NOTE(review): the header above says pam_unix_auth is kept for a meaningful
# pam_setcred - confirm that "sufficient" is the intended flag for it here.
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth sufficient		pam_unix_auth.so.1
rsh	auth sufficient         /usr/lib/security/pam_winbind.so.1 debug try_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
# ppp auth stack: every module after pam_authtok_get is "required", and
# pam_winbind is not listed, so this service presumably authenticates local
# accounts only.
ppp	auth requisite		pam_authtok_get.so.1
ppp	auth required		pam_dhkeys.so.1
ppp	auth required		pam_unix_auth.so.1
ppp	auth required		pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
#
# Default auth stack for every service without its own entry.
# NOTE(review): after the requisite pam_authtok_get, all modules are
# "sufficient". A failing sufficient module is recorded only as an optional
# failure, so if none of them succeeds the stack may still report the success
# of pam_authtok_get. Because this is the fallback for unlisted services,
# verify that a wrong password is rejected, or make the final module "required".
other	auth requisite		pam_authtok_get.so.1
other	auth sufficient		pam_dhkeys.so.1
other	auth sufficient		pam_unix_auth.so.1
# "debug" on pam_winbind is a troubleshooting setting; try_first_pass reuses
# the password collected by pam_authtok_get.
other 	auth sufficient         /usr/lib/security/pam_winbind.so.1 debug try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
# passwd auth: a single "required" module and no pam_winbind entry.
passwd	auth required		pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
# cron account checks: both modules are "required" and pam_winbind is absent.
# NOTE(review): confirm whether cron jobs owned by winbind-provided users are
# expected to pass pam_unix_account.
cron	account required	pam_projects.so.1
cron	account required	pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
# Default account stack. pam_roles must pass (requisite); the three modules
# after it are "sufficient", so the first success ends the stack.
# NOTE(review): pam_projects is listed before pam_unix_account. If it succeeds
# for a user, pam_unix_account and pam_winbind are never consulted, which
# would skip their account checks (expiry, locking) - confirm the order and
# flags are intended.
other	account requisite	pam_roles.so.1
other	account sufficient	pam_projects.so.1
other	account sufficient	pam_unix_account.so.1
other	account sufficient      /usr/lib/security/pam_winbind.so.1 
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
# Default session stack: pam_unix_session is "sufficient", so the pam_winbind
# line is reached only when pam_unix_session does not succeed.
# NOTE(review): this entry loads pam_winbind.so, while every other entry in
# the file loads pam_winbind.so.1 - confirm that both names exist in
# /usr/lib/security and resolve to the same module.
other	session sufficient	pam_unix_session.so.1
other	session sufficient      /usr/lib/security/pam_winbind.so 
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
# Default password-change stack. pam_winbind is not listed here, so password
# changes made through PAM are handled by these local modules only.
other	password required	pam_dhkeys.so.1
other	password requisite	pam_authtok_get.so.1
other	password requisite	pam_authtok_check.so.1
other	password required	pam_authtok_store.so.1

#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin		auth optional		pam_krb5.so.1 try_first_pass
#login		auth optional		pam_krb5.so.1 try_first_pass
#other		auth optional		pam_krb5.so.1 try_first_pass
#cron		account optional 	pam_krb5.so.1
#other		account optional 	pam_krb5.so.1
#other		session optional 	pam_krb5.so.1
#other		password optional 	pam_krb5.so.1 try_first_pass
-------------- next part --------------

# Samba member-server settings: Active Directory authentication
# (security = ads) with winbind supplying users and groups from SEGURIDAD.
[global]
workgroup = SEGURIDAD
log file = /var/log/samba/log.%m
max log size = 1000
security = ads
# Domain controller pinned by IP address; it is the only one listed.
password server = 192.168.101.138
realm = SEGURIDAD.RED.ISOTROL.COM
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = template sfu
winbind separator = '\'
template shell = /bin/bash
template homedir = /export/home/%U
# RID-based ID mapping into 10000-20000, the same range as winbind uid/gid below.
# NOTE(review): presumably a user or group whose RID does not fit inside this
# window gets no Unix ID - check the RIDs of the affected user's groups.
idmap backend = rid:SEGURIDAD=10000-20000
allow trusted domains = no
winbind uid = 10000-20000
winbind gid = 10000-20000
# NOTE(review): presumably parsed as level 0, which leaves anonymous (null
# session) queries unrestricted; raise it unless a legacy client needs them.
restrict anonymous = no
domain master = no
preferred master = no
# Auto offers SMB signing but does not require it; "mandatory" enforces it.
server signing = Auto

# Exports the system temporary directory. No "hosts allow", "valid users" or
# "read only" is set, so this share falls back to the global and built-in
# defaults for access control.
# NOTE(review): /tmp also holds files created by local processes; a dedicated
# directory with an explicit user list is the safer thing to export.
[Temporal]
case sensitive = no
msdfs proxy = no
path = /tmp

# Writable share that also accepts guest access; the only restriction set
# here is the client address.
# NOTE(review): "guest ok = yes" with "read only = no" permits unauthenticated
# writes wherever guest logins are accepted. Whether they are depends on
# "map to guest", which [global] does not set. Confirm that is intended, or
# replace guest access with "valid users".
[LiveState]
case sensitive = no
guest ok = yes
msdfs proxy = no
read only = no
# Source-address filter only, not authentication; this is the same address
# that [global] uses as the password server.
hosts allow = 192.168.101.138
path = /LiveState
-------------- next part --------------
#
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# Name-service lookup order. Only passwd and group were extended with winbind;
# every other database still uses local files, although the stock header
# above says no naming service is used.
# Local files are searched first, so a local entry with the same name takes
# precedence over the Active Directory one.
# NOTE(review): if nscd is running it caches passwd/group answers separately
# from winbind's own cache - confirm when group changes appear stale.
passwd:     files winbind
group:      files winbind
hosts:      files
ipnodes:    files
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will 
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
sendmailvars:   files
printers:	user files

# RBAC and project databases are resolved from local files only.
auth_attr:  files
prof_attr:  files
project:    files

