[Samba] Strange behaviour of winbind on solaris 8
Dietrich Streifert
dietrich.streifert at visionet.de
Tue Apr 29 11:29:10 GMT 2008
Which samba version do you use?
Please post the global configuration section of smb.conf.
Oliver Weinmann wrote:
> Here could be a problem. I could not change our win 2k3 schema. They
> were afraid it could break something... tsss. So I had to use the
> idmap_rid module. Which does a good job actually. It uses the last
> portion of the AD user's SID and adds it to a base set in smb.conf. I
> issued your commands:
>
> bash-2.03# getent passwd | grep oweinmann
> oweinmann2:*:15042:1613:Oliver Weinmann2:/home/oweinmann2:/bin/sh
> oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh
> oweinmann1:*:15041:1613:Oliver Weinmann1:/home/oweinmann1:/bin/sh
> bash-2.03# id -a oweinmann
> uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
> bash-2.03# su oweinmann
> $ id
> uid=11611(oweinmann) gid=1613(domain users)
> $ id -a
>
> The "id -a" as user "oweinmann" seems to get stuck. It just sits
> there. I noticed when issuing "groups oweinmann" as root it also gets
> stuck. For some users the "groups" command seems to be working, for some
> others it doesn't.
>
>
> On 4/29/08, *Dietrich Streifert* <dietrich.streifert at visionet.de
> <mailto:dietrich.streifert at visionet.de>> wrote:
>
> We have several installations where we use the two different AD
> schema extensions (SFU from Windows Services for Unix and
> rfc2307bis from Windows Server 2003R2) to put the needed
> information in.
>
> We are using the idmap_ad module to map the uid, gid, home etc.
> information from the AD.
>
> The local users and the AD users are completely separated. We do
> not mix up local users and AD users.
>
> The first basic test if the AD user information retrieval is
> working is to use the getent command:
>
> getent passwd <someADUser>
>
> So for a test user account I get:
>
> korund{root}[/]: getent passwd testuser
> testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh
>
> If this works the first step is done.
>
> The second test is to get all related Information for one user:
>
> korund{root}[/]: id -a testuser
> uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib)
>
> The third test is to su - testuser and again try to issue both
> commands above. If the retrieved information is the same you
> should all be done (except for pam.conf which is another story).
>
>
>
>
>
>
> Oliver Weinmann wrote:
>> Could the problem be that the AD users are not in any of the
>> local groups on the machine? How do you manage your AD users to
>> be members of local groups e.g. staff, sys etc.? pam_groups?
>>
>> On 4/29/08, *Oliver Weinmann* <oliver.weinmann at googlemail.com
>> <mailto:oliver.weinmann at googlemail.com>> wrote:
>>
>> there is nothing in /etc/profile and the user oweinmann has
>> no .bashrc. The problem seems to be related to nscd. When
>> nscd is turned on i can login and issue commands and I don't
>> get kicked out of the ssh login. There is no idle session
>> timeout set. If there was I would get kicked out when nscd is
>> turned on as well. Only when logged in as an AD user I get
>> kicked out...
>>
>>
>> On 4/29/08, *Dietrich Streifert*
>> <dietrich.streifert at visionet.de
>> <mailto:dietrich.streifert at visionet.de>> wrote:
>>
>> So there must be something in your bash init files,
>> /etc/profile or ~/.bashrc (sorry I'm not a bash user)
>> which causes the problem.
>>
>> Maybe something which forms the shell prompt like whoami etc.
>>
>> Maybe there is something like a autologout set for the
>> csh or in sshd with idle session timeout.
>>
>>
>> Oliver Weinmann wrote:
>>> Hi,
>>>
>>> no, there was nothing in /var/adm/messages, but guess
>>> what with the csh ls -alrt and such commands work
>>> fine... But i get kicked out of the ssh session after 2
>>> minutes... :(
>>>
>>>
>>> On 4/29/08, *Dietrich Streifert*
>>> <dietrich.streifert at visionet.de
>>> <mailto:dietrich.streifert at visionet.de>> wrote:
>>>
>>> Are there any messages in /var/adm/messages which
>>> are related to nss ?
>>>
>>> As I can see you are using bash as your shell.
>>>
>>> Try using csh. Does something change?
>>>
>>> Oliver Weinmann wrote:
>>>> su to user oweinmann works but when I issue the ldd
>>>> -r /usr/lib/nss_winbind.so command it gets put in
>>>> the background.. :( i then do fg 2 and this is the
>>>> output:
>>>>
>>>> bash-2.03$ ldd -r /usr/lib/nss_winbind.so
>>>>
>>>> [2]+ Stopped ldd -r /usr/lib/nss_winbind.so
>>>> bash-2.03$ fg 2
>>>> ldd -r /usr/lib/nss_winbind.so
>>>> libthread.so.1 => /usr/lib/libthread.so.1
>>>> libsocket.so.1 => /usr/lib/libsocket.so.1
>>>> libdl.so.1 => /usr/lib/libdl.so.1
>>>> libc.so.1 => /usr/lib/libc.so.1
>>>> libnsl.so.1 => /usr/lib/libnsl.so.1
>>>> libmp.so.2 => /usr/lib/libmp.so.2
>>>> /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
>>>>
>>>> bash-2.03$ ls -alrt /etc/nsswitch.conf
>>>>
>>>> [2]+ Stopped ls -alrt /etc/nsswitch.conf
>>>> bash-2.03$ fg 2
>>>> ls -alrt /etc/nsswitch.conf
>>>> -rw-r--r-- 1 root sys 1320 Apr 28 13:19 /etc/nsswitch.conf
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 4/29/08, *Dietrich Streifert*
>>>> <dietrich.streifert at visionet.de
>>>> <mailto:dietrich.streifert at visionet.de>> wrote:
>>>>
>>>> Please try to login (or su) to the user
>>>> oweinmann and issue then ldd -r
>>>> /usr/lib/nss_winbind.so
>>>>
>>>> For some reason I think that non root users are
>>>> not able to read one of the involved files.
>>>>
>>>> This could be
>>>>
>>>> /etc/nsswitch.conf
>>>> /usr/lib/nss_winbind.so
>>>>
>>>> or some of the files found by the ldd -r
>>>> command. The fact that you can issue commands
>>>> while nscd is running points to this fact
>>>> because nscd is running as root and has
>>>> permissions to read all of those files.
>>>>
>>>> /etc/nsswitch.conf should be readable by everyone.
>>>>
>>>> I compiled samba myself with a full stack of
>>>> openssl, iconv, heimdal kerberos, cyrus-sasl,
>>>> openldap and samba. While people often speak of
>>>> the Windows DLL hell this is the Solaris shared
>>>> library hell :-( But it works.
>>>>
>>>>
>>>>
>>>> Oliver Weinmann wrote:
>>>>> Hi,
>>>>>
>>>>> bash-2.03# ldd -r /usr/lib/nss_winbind.so
>>>>> libthread.so.1 => /usr/lib/libthread.so.1
>>>>> libsocket.so.1 => /usr/lib/libsocket.so.1
>>>>> libdl.so.1 => /usr/lib/libdl.so.1
>>>>> libc.so.1 => /usr/lib/libc.so.1
>>>>> libnsl.so.1 => /usr/lib/libnsl.so.1
>>>>> libmp.so.2 => /usr/lib/libmp.so.2
>>>>> /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
>>>>>
>>>>> I changed the permissions and files exactly to
>>>>> be the same but I still can't issue commands... :(
>>>>>
>>>>> bash-2.03# ls -alrt /usr/lib/nss_winbind.so*
>>>>> -rwxr-xr-x 1 root other 74744 Apr 29 09:03 /usr/lib/nss_winbind.so.1
>>>>> lrwxrwxrwx 1 root other 25 Apr 29 09:04 /usr/lib/nss_winbind.so -> /usr/lib/nss_winbind.so.1
>>>>>
>>>>> Could this also be a problem of a compiling?
>>>>> Have you compiled the samba yourself or are
>>>>> you using prebuilt packages?
>>>>>
>>>>> On 4/29/08, *Dietrich Streifert*
>>>>> <dietrich.streifert at visionet.de
>>>>> <mailto:dietrich.streifert at visionet.de>> wrote:
>>>>>
>>>>> which output gives ldd -r
>>>>> /usr/lib/nss_winbind.so ?
>>>>>
>>>>> I have the following naming and permission
>>>>> for nss_winbind:
>>>>>
>>>>> lrwxrwxrwx 1 root other 16 Jan 15 2004 nss_winbind.so -> nss_winbind.so.1
>>>>> -rwxr-xr-x 1 root other 44540 Apr 28 17:35 nss_winbind.so.1
>>>>>
>>>>> Please try with the exactly same naming
>>>>> and permissions of your files.
>>>>>
>>>>>
>>>>>
>>>>> Oliver Weinmann wrote:
>>>>>
>>>>> I will try to get hands on the latest
>>>>> patches for solaris 8 and see if that
>>>>> fixes the nscd problems. I can't
>>>>> believe that samba-winbind is not running
>>>>> 100% well on a Solaris 8 machine.
>>>>>
>>>>>
>>>>> On 4/28/08, Oliver Weinmann
>>>>> <oliver.weinmann at googlemail.com
>>>>> <mailto:oliver.weinmann at googlemail.com>>
>>>>> wrote:
>>>>>
>>>>>
>>>>> Just for fun i changed the perms
>>>>> of /usr/lib/libnss_winbind.so to 777
>>>>>
>>>>> bash-2.03# chmod 777 /usr/lib/libnss_winbind.so
>>>>> bash-2.03# ls -alrt /usr/lib/libnss_winbind.so
>>>>> -rwxrwxrwx 1 root other 74744 Apr 28 13:32 /usr/lib/libnss_winbind.so
>>>>>
>>>>> nscd is turned off. I can login as
>>>>> an AD user but I can't start any
>>>>> command. :(
>>>>>
>>>>>
>>>>> login as: oweinmann
>>>>> Using keyboard-interactive authentication.
>>>>> Password:
>>>>> Last login: Mon Apr 28 15:17:11 2008 from vb8860.vegagrou
>>>>> bash-2.03$ ls -alrt
>>>>>
>>>>> [1]+ Stopped ls -alrt
>>>>> bash-2.03$ id
>>>>>
>>>>> [2]+ Stopped id
>>>>> bash-2.03$ group
>>>>>
>>>>> [3]+ Stopped group
>>>>> bash-2.03$ echo "TEST"
>>>>> TEST
>>>>> bash-2.03$
>>>>> Some commands are working and some
>>>>> others are put in background and the
>>>>> session closes after one or two
>>>>> minutes?
>>>>>
>>>>> When I turn on nscd everything is
>>>>> fine, except ls -alrt not working.
>>>>>
>>>>>
>>>>>
>>>>> On 4/28/08, Gerald (Jerry) Carter
>>>>> <jerry at samba.org
>>>>> <mailto:jerry at samba.org>> wrote:
>>>>>
>>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> Oliver Weinmann wrote:
>>>>> | forgot to mention that the nss_winbind links are there:
>>>>> |
>>>>> | bash-2.03# ls -alrt /usr/lib/nss_w*
>>>>> | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
>>>>> | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so.1
>>>>> | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so -> /usr/lib/libnss_winbind.so.1
>>>>>
>>>>> Check the perms on /usr/lib/libnss_winbind.so.1. Sounds
>>>>> like it might be rwx for root only.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> cheers, jerry
>>>>> - --
>>>>> =====================================================================
>>>>> Samba
>>>>> -------
>>>>> http://www.samba.org
>>>>> <http://www.samba.org/>
>>>>> Likewise Software
>>>>> ---------
>>>>> http://www.likewisesoftware.com
>>>>> <http://www.likewisesoftware.com/>
>>>>> "What man is a man who does
>>>>> not make the world better?"
>>>>> --Balian
>>>>> -----BEGIN PGP SIGNATURE-----
>>>>> Version: GnuPG v1.4.2.2 (Darwin)
>>>>> Comment: Using GnuPG with
>>>>> Mozilla -
>>>>> http://enigmail.mozdev.org
>>>>> <http://enigmail.mozdev.org/>
>>>>>
>>>>> iD8DBQFIFcnJIR7qMdg1EfYRAp+uAKCoT5s9gRV+x0M+PUrFnYWVRtqmcwCg293J
>>>>> 0OxWwTr/wJPDW67YmZCAfQo=
>>>>> =6S2v
>>>>> -----END PGP SIGNATURE-----
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Kind regards
>>>>> Dietrich Streifert
>>>>> --
>>>>> Visionet GmbH
>>>>> Registered office: Am Weichselgarten 7, 91058 Erlangen
>>>>> Court of registration: Commercial Register Fürth, HRB 6573
>>>>> Managing director: Stefan Lindner
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
--
Kind regards
Dietrich Streifert
--
Visionet GmbH
Registered office: Am Weichselgarten 7, 91058 Erlangen
Court of registration: Commercial Register Fürth, HRB 6573
Managing director: Stefan Lindner
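
The thread tests two permission states on the NSS module: "rwx for root only" and the `chmod 777` experiment. The following is an added example, not part of the original messages: a POSIX shell check that a file such as /etc/nsswitch.conf or /usr/lib/nss_winbind.so.1 is readable by non-root users while staying writable only by its owner. The function names and verdict words are this example's own, and root as the expected owner is an assumption.

```shell
#!/bin/sh
# Added example: permission audit for the files named in the thread.
# Verdict words (OK, MISSING, UNREADABLE, WRITABLE, OWNER) are this example's own.

# check_nss_file PATH [OWNER]   (OWNER defaults to root, an assumption)
# Returns 0 only if PATH, with symlinks followed, is readable by "other",
# not writable by group or other, and owned by OWNER.
check_nss_file() {
    path=$1
    want_owner=${2:-root}
    # -L judges nss_winbind.so by the file it links to; -d keeps a directory to one line
    line=$(ls -ldL "$path" 2>/dev/null) || { echo "MISSING $path"; return 2; }
    read -r mode _links file_owner _rest <<EOF
$line
EOF
    case $mode in
        ???????r*) ;;                  # position 8: read bit for "other"
        *) echo "UNREADABLE $path ($mode): non-root lookups cannot load it"
           return 1 ;;
    esac
    case $mode in
        ?????w*|????????w*)            # position 6 or 9: group or other write bit
            echo "WRITABLE $path ($mode): writable by more than its owner"
            return 1 ;;
    esac
    if [ "$file_owner" != "$want_owner" ]; then
        echo "OWNER $path: owned by $file_owner, expected $want_owner"
        return 1
    fi
    echo "OK $path ($mode $file_owner)"
}

# audit_nss_files OWNER PATH...   returns 0 only if every path passes
audit_nss_files() {
    audit_owner=$1; shift
    audit_status=0
    for f in "$@"; do
        check_nss_file "$f" "$audit_owner" || audit_status=1
    done
    return $audit_status
}

# Usage: sh nss_perms.sh /etc/nsswitch.conf /usr/lib/nss_winbind.so.1 ...
if [ $# -gt 0 ]; then
    audit_nss_files root "$@"
fi
```

The libraries listed by `ldd -r /usr/lib/nss_winbind.so` can be passed as further arguments, so the whole chain a non-root lookup has to read is checked in one run.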