[Samba] Strange behaviour of winbind on solaris 8

Dietrich Streifert dietrich.streifert at visionet.de
Tue Apr 29 11:15:53 GMT 2008


We have several installations where we use the two different AD schema 
extensions (SFU from Windows Services for Unix and rfc2307bis from 
Windows Server 2003R2) to put the needed information in.

We are using the idmap_ad module to map the uid, gid, home etc. 
information from the AD.

The local users and the AD users are completely separated. We do not mix 
up local users and AD users.

The first basic test of whether the AD user information retrieval is working is 
to use the getent command:

    getent passwd <someADUser>

So for a test user account I get:

    korund{root}[/]: getent passwd testuser
    testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh

If this works the first step is done.

The second test is to get all related information for one user:

    korund{root}[/]: id -a testuser
    uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib)

The third test is to su - testuser and again try to issue both commands 
above. If the retrieved information is the same you should be all done 
(except for pam.conf, which is another story).


Oliver Weinmann wrote:
> Could the problem be that the AD users are not in any of the local 
> groups on the machine? How do you manage your AD users to be members 
> of local groups e.g. staff, sys etc.? pam_groups?
>
> On 4/29/08, *Oliver Weinmann* <oliver.weinmann at googlemail.com> wrote:
>
>     there is nothing in /etc/profile and the user oweinmann has no
>     .bashrc. The problem seems to be related to nscd. When nscd is
>     turned on i can login and issue commands and I don't get kicked
>     out of the ssh login. There is no idle session timeout set. If
>     there was I would get kicked out when nscd is turned on as well.
>     Only when logged in as an AD user I get kicked out...
>
>
>     On 4/29/08, *Dietrich Streifert* <dietrich.streifert at visionet.de> wrote:
>
>         So there must be something in your bash init files,
>         /etc/profile or ~/.bashrc (sorry I'm not a bash user) which
>         causes the problem.
>
>         Maybe something which forms the shell prompt like whoami etc.
>
>         Maybe there is something like a autologout set for the csh or
>         in sshd with idle session timeout.
>
>
>         Oliver Weinmann wrote:
>>         Hi,
>>          
>>         no,  there was nothing in /var/adm/messages, but guess what
>>         with the csh ls -alrt and such commands work fine... But i
>>         get kicked out of the ssh session after 2 minutes... :(
>>
>>
>>         On 4/29/08, *Dietrich Streifert* <dietrich.streifert at visionet.de> wrote:
>>
>>             Are there any messages in /var/adm/messages which are
>>             related to nss ?
>>
>>             As I can see you are using bash as your shell.
>>
>>             Try using csh. Does something change?
>>
>>             Oliver Weinmann wrote:
>>>             su to user oweinmann works but when I issue the ldd -r
>>>             /usr/lib/nss_winbind.so command it gets put in the
>>>             background.. :( I then do fg 2 and this is the output:
>>>              
>>>             bash-2.03$ ldd -r /usr/lib/nss_winbind.so
>>>
>>>             [2]+  Stopped                 ldd -r /usr/lib/nss_winbind.so
>>>             bash-2.03$ fg 2
>>>             ldd -r /usr/lib/nss_winbind.so
>>>                     libthread.so.1 =>        /usr/lib/libthread.so.1
>>>                     libsocket.so.1 =>        /usr/lib/libsocket.so.1
>>>                     libdl.so.1 =>    /usr/lib/libdl.so.1
>>>                     libc.so.1 =>     /usr/lib/libc.so.1
>>>                     libnsl.so.1 =>   /usr/lib/libnsl.so.1
>>>                     libmp.so.2 =>    /usr/lib/libmp.so.2
>>>                     /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
>>>
>>>             bash-2.03$ ls -alrt /etc/nsswitch.conf
>>>
>>>             [2]+  Stopped                 ls -alrt /etc/nsswitch.conf
>>>             bash-2.03$ fg 2
>>>             ls -alrt /etc/nsswitch.conf
>>>             -rw-r--r--   1 root     sys         1320 Apr 28 13:19
>>>             /etc/nsswitch.conf
>>>
>>>
>>>              
>>>
>>>
>>>              
>>>             On 4/29/08, *Dietrich Streifert* <dietrich.streifert at visionet.de> wrote:
>>>
>>>                 Please try to login (or su) to the user oweinmann
>>>                 and issue then ldd -r /usr/lib/nss_winbind.so
>>>
>>>                 For some reason I think that non root users are not
>>>                 able to read one of the involved files.
>>>
>>>                 This could be
>>>
>>>                     /etc/nsswitch.conf
>>>                     /usr/lib/nss_winbind.so
>>>
>>>                 or some of the files found by the ldd -r command.
>>>                 The fact that you can issue commands while nscd is
>>>                 running points to this fact because nscd is running
>>>                 as root and has permissions to read all of those files.
>>>
>>>                 /etc/nsswitch.conf should be readable by everyone.
>>>
>>>                 I compiled samba myself with a full stack of
>>>                 openssl, iconv, heimdal kerberos, cyrus-sasl,
>>>                 openldap and samba. While people often speak of the
>>>                 Windows DLL hell this is the Solaris shared library
>>>                 hell :-( But it works.
>>>
>>>
>>>
>>>                 Oliver Weinmann wrote:
>>>>                 Hi,
>>>>                  
>>>>                 bash-2.03# ldd -r /usr/lib/nss_winbind.so
>>>>                         libthread.so.1 =>       
>>>>                 /usr/lib/libthread.so.1
>>>>                         libsocket.so.1 =>       
>>>>                 /usr/lib/libsocket.so.1
>>>>                         libdl.so.1 =>    /usr/lib/libdl.so.1
>>>>                         libc.so.1 =>     /usr/lib/libc.so.1
>>>>                         libnsl.so.1 =>   /usr/lib/libnsl.so.1
>>>>                         libmp.so.2 =>    /usr/lib/libmp.so.2
>>>>                         /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
>>>>                  
>>>>                 I changed the permissions and files exactly to be
>>>>                 the same but I still can't issue commands... :(
>>>>
>>>>                 bash-2.03# ls -alrt /usr/lib/nss_winbind.so*
>>>>                 -rwxr-xr-x   1 root     other      74744 Apr 29
>>>>                 09:03 /usr/lib/nss_winbind.so.1
>>>>                 lrwxrwxrwx   1 root     other         25 Apr 29
>>>>                 09:04 /usr/lib/nss_winbind.so ->
>>>>                 /usr/lib/nss_winbind.so.1
>>>>
>>>>                 Could this also be a problem of compiling? Have
>>>>                 you compiled Samba yourself or are you using
>>>>                 prebuilt packages?
>>>>                  
>>>>                 On 4/29/08, *Dietrich Streifert* <dietrich.streifert at visionet.de> wrote:
>>>>
>>>>                     What output does ldd -r /usr/lib/nss_winbind.so give?
>>>>
>>>>                     I have the following naming and permission for
>>>>                     nss_winbind:
>>>>
>>>>                     lrwxrwxrwx   1 root     other         16 Jan 15
>>>>                      2004 nss_winbind.so -> nss_winbind.so.1
>>>>                     -rwxr-xr-x   1 root     other      44540 Apr 28
>>>>                     17:35 nss_winbind.so.1
>>>>
>>>>                     Please try with the exactly same naming and
>>>>                     permissions of your files.
>>>>
>>>>
>>>>
>>>>                     Oliver Weinmann wrote:
>>>>
>>>>                         I will try to get hands on the latest
>>>>                         patches for solaris 8 and see if that
>>>>                         fixes the nscd problems. I can't believe
>>>>                         that samba-winbind is not running
>>>>                         100% well on a Solaris 8 machine.
>>>>
>>>>
>>>>                         On 4/28/08, Oliver Weinmann <oliver.weinmann at googlemail.com> wrote:
>>>>                          
>>>>
>>>>                             Just for fun I changed the perms of
>>>>                             /usr/lib/libnss_winbind.so to 777
>>>>
>>>>                             bash-2.03# chmod 777
>>>>                             /usr/lib/libnss_winbind.so
>>>>                             bash-2.03# ls -alrt
>>>>                             /usr/lib/libnss_winbind.so
>>>>                             -rwxrwxrwx   1 root     other    
>>>>                              74744 Apr 28 13:32
>>>>                             /usr/lib/libnss_winbind.so
>>>>
>>>>                             nscd is turned off. I can login as an
>>>>                             AD user but I can't start any
>>>>                             command. :(
>>>>
>>>>
>>>>                             login as: oweinmann
>>>>                             Using keyboard-interactive authentication.
>>>>                             Password:
>>>>                             Last login: Mon Apr 28 15:17:11 2008
>>>>                             from vb8860.vegagrou
>>>>                             bash-2.03$ ls -alrt
>>>>
>>>>                             [1]+  Stopped                 ls -alrt
>>>>                             bash-2.03$ id
>>>>
>>>>                             [2]+  Stopped                 id
>>>>                             bash-2.03$ group
>>>>
>>>>                             [3]+  Stopped                 group
>>>>                             bash-2.03$ echo "TEST"
>>>>                             TEST
>>>>                             bash-2.03$
>>>>                             Some commands are working and some
>>>>                             others are put in background and the
>>>>                             session closes after one or two minutes?
>>>>
>>>>                             When I turn on nscd everything is fine,
>>>>                             except ls -alrt not working.
>>>>
>>>>
>>>>
>>>>                             On 4/28/08, Gerald (Jerry) Carter <jerry at samba.org> wrote:
>>>>                                
>>>>
>>>>                                 -----BEGIN PGP SIGNED MESSAGE-----
>>>>                                 Hash: SHA1
>>>>
>>>>                                 Oliver Weinmann wrote:
>>>>                                 | forgot to mention that the
>>>>                                 nss_winbind links are there:
>>>>                                 |
>>>>                                 | bash-2.03# ls -alrt /usr/lib/nss_w*
>>>>                                 | lrwxrwxrwx   1 root     other    
>>>>                                     28 Apr 23 14:30
>>>>                                 | /usr/lib/nss_winbind.so.2 ->
>>>>                                 /usr/lib/libnss_winbind.so.1
>>>>                                 | lrwxrwxrwx   1 root     other    
>>>>                                     28 Apr 23 14:30
>>>>                                 | /usr/lib/nss_winbind.so.1 ->
>>>>                                 /usr/lib/libnss_winbind.so.1
>>>>                                 | lrwxrwxrwx   1 root     other    
>>>>                                     28 Apr 23 14:30
>>>>                                 | /usr/lib/nss_winbind.so ->
>>>>                                 /usr/lib/libnss_winbind.so.1
>>>>
>>>>                                 Check the perms on
>>>>                                 /usr/lib/libnss_winbind.so.1.  Sounds
>>>>                                 like it might be rwx for root only.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>                                 cheers, jerry
>>>>                                 - --
>>>>                                 =====================================================================
>>>>                                 Samba                              
>>>>                                      ------- http://www.samba.org
>>>>                                 <http://www.samba.org/>
>>>>                                 Likewise Software        
>>>>                                  ---------
>>>>                                  http://www.likewisesoftware.com
>>>>                                 <http://www.likewisesoftware.com/>
>>>>                                 "What man is a man who does not
>>>>                                 make the world better?"      --Balian
>>>>                                 -----BEGIN PGP SIGNATURE-----
>>>>                                 Version: GnuPG v1.4.2.2 (Darwin)
>>>>                                 Comment: Using GnuPG with Mozilla -
>>>>                                 http://enigmail.mozdev.org
>>>>                                 <http://enigmail.mozdev.org/>
>>>>
>>>>                                 iD8DBQFIFcnJIR7qMdg1EfYRAp+uAKCoT5s9gRV+x0M+PUrFnYWVRtqmcwCg293J
>>>>                                 0OxWwTr/wJPDW67YmZCAfQo=
>>>>                                 =6S2v
>>>>                                 -----END PGP SIGNATURE-----
>>>>
>>>>                                      
>>>>
>>>>                                
>>>>
>>>>
>>>>                     -- 
>>>>                     Kind regards
>>>>                     Dietrich Streifert
>>>>                     --
>>>>                     Visionet GmbH
>>>>                     Registered office: Am Weichselgarten 7, 91058 Erlangen
>>>>                     Register court: Commercial Register Fürth, HRB 6573
>>>>                     Managing director: Stefan Lindner
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>                     
>>>
>>>
>>
>>
>>
>>                 
>>
>>
>
>
>
>               
>
>
>

-- 
Kind regards
Dietrich Streifert
--
Visionet GmbH
Registered office: Am Weichselgarten 7, 91058 Erlangen
Register court: Commercial Register Fürth, HRB 6573
Managing director: Stefan Lindner
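
The checks discussed in this thread, collected into one script as an added example; it is not code from any poster or from the Samba project, and the function names are hypothetical. It compares the uid/gid from a getent passwd line with id output, and classifies the mode of the NSS files: unreadable for non-root breaks lookups once nscd is off, while a world-writable module (the chmod 777 tried in the quoted mail) lets any local user replace code that name lookups load.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# audit_nss_file FILE: classify the mode of FILE, following symlinks.
#   ok             readable by "other"
#   unreadable     non-root lookups fail once nscd is off
#   world-writable any local user can overwrite the file
#   missing        file or symlink target not found
audit_nss_file() {
    perms=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        "")         echo missing ;;
        ????????w?) echo world-writable ;;
        ???????r??) echo ok ;;
        *)          echo unreadable ;;
    esac
}

# ids_from_passwd "name:*:uid:gid:gecos:home:shell" -> "uid:gid"
ids_from_passwd() {
    printf '%s\n' "$1" | awk -F: 'NF >= 7 { print $3 ":" $4 }'
}

# ids_from_id "uid=N(name) gid=M(group) ..." -> "N:M"
ids_from_id() {
    printf '%s\n' "$1" |
        sed -n 's/^uid=\([0-9]*\)[^ ]* gid=\([0-9]*\).*/\1:\2/p'
}

# lookups_agree PASSWD_LINE ID_LINE: succeeds when both give the same uid:gid
lookups_agree() {
    a=$(ids_from_passwd "$1"); b=$(ids_from_id "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live run: check.sh USER [extra files, e.g. the libraries listed by ldd -r]
if [ $# -ge 1 ]; then
    user=$1; shift
    if lookups_agree "$(getent passwd "$user")" "$(id -a "$user")"; then
        echo "getent and id agree for $user"
    else
        echo "MISMATCH or failed lookup for $user"
    fi
    for f in /etc/nsswitch.conf /usr/lib/nss_winbind.so "$@"; do
        echo "$f: $(audit_nss_file "$f")"
    done
fi
```

Run it once as root and once after su - to the AD user, as the third test in the post does; differing results between the two runs point at a file the unprivileged user cannot read.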
