[Samba] Strange behaviour of winbind on solaris 8
Dietrich Streifert
dietrich.streifert at visionet.de
Tue Apr 29 11:51:02 GMT 2008
Please try to set combinations of
winbind enum groups = No
and test again.
This could be the reason why getent groups never ends. This is known to
be a problem with big AD user/groups databases.
Have a look at this and related parameters in
<samba installation path>/swat/help/manpages/smb.conf.5.html
Oliver Weinmann wrote:
> It's the latest stable.
>
> # smbd -V
> Version 3.0.28a
>
> [global]
> netbios name = rose8
> realm = VEGAGROUP.NET
> workgroup = VEGA
> security = ADS
> encrypt passwords = yes
> password server = *
> os level = 20
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> idmap uid = 1100-200000
> idmap gid = 1100-200000
> idmap backend = rid:VEGA=1100-200000
> allow trusted domains = no
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%U
> template shell = /bin/sh
> preferred master = no
> winbind nested groups = Yes
> winbind use default domain = Yes
> #winbind separator = +
> #winbind normalize names = yes
> log level = 10
> max log size = 50
> log file = /var/log/samba/log.%m
> dns proxy = no
> wins server = 172.20.205.1
> allow trusted domains = No
> client use spnego = Yes
> use kerberos keytab = true
> winbind offline logon = yes
>
> I really appreciate your big effort. Thanks!
>
> On 4/29/08, *Dietrich Streifert* <dietrich.streifert at visionet.de> wrote:
>
> Which samba version do you use?
>
> Please post the global configuration section of smb.conf.
>
>
> Oliver Weinmann wrote:
>> Here could be a problem. I could not change our win 2k3 schema.
>> They were afraid it could break something... tsss. So I had to
>> use the idmap_rid module, which does a good job actually. It uses
>> the last portion of the AD user's SID and adds it to a base set in
>> smb.conf. I issued your commands:
>>
>> bash-2.03# getent passwd | grep oweinmann
>> oweinmann2:*:15042:1613:Oliver Weinmann2:/home/oweinmann2:/bin/sh
>> oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh
>> oweinmann1:*:15041:1613:Oliver Weinmann1:/home/oweinmann1:/bin/sh
>> bash-2.03# id -a oweinmann
>> uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
>> bash-2.03# su oweinmann
>> $ id
>> uid=11611(oweinmann) gid=1613(domain users)
>> $ id -a
>>
>> The "id -a" as user "oweinmann" seems to get stuck. It just sits
>> there. I noticed when issuing "groups oweinmann" as root it also
>> gets stuck. For some users the "groups" command seems to be
>> working, for some others it doesn't.
>>
>>
>> On 4/29/08, *Dietrich Streifert* <dietrich.streifert at visionet.de> wrote:
>>
>> We have several installations where we use the two different
>> AD schema extensions (SFU from Windows Services for Unix and
>> rfc2307bis from Windows Server 2003R2) to put the needed
>> information in.
>>
>> We are using the idmap_ad module to map the uid, gid, home
>> etc. information from the AD.
>>
>> The local users and the AD users are completely separated. We
>> do not mix up local users and AD users.
>>
>> The first basic test if the AD user information retrieval is
>> working is to use the getent command:
>>
>> getent passwd <someADUser>
>>
>> So for a test user account I get:
>>
>> korund{root}[/]: getent passwd testuser
>> testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh
>>
>> If this works the first step is done.
>>
>> The second test is to get all related Information for one user:
>>
>> korund{root}[/]: id -a testuser
>> uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib)
>>
>> The third test is to su - testuser and again try to issue
>> both commands above. If the retrieved information is the same
>> you should all be done (except for pam.conf which is another
>> story).
>>
>> Oliver Weinmann wrote:
>>> Could the problem be that the AD users are not in any of the
>>> local groups on the machine? How do you manage your AD users
>>> to be members of local groups e.g. staff, sys etc.? pam_groups?
>>>
>>> On 4/29/08, *Oliver Weinmann* <oliver.weinmann at googlemail.com> wrote:
>>>
>>> There is nothing in /etc/profile and the user oweinmann
>>> has no .bashrc. The problem seems to be related to nscd.
>>> When nscd is turned on I can login and issue commands
>>> and I don't get kicked out of the ssh login. There is no
>>> idle session timeout set. If there was I would get
>>> kicked out when nscd is turned on as well. Only when
>>> logged in as an AD user I get kicked out...
>>>
>>>
>>> On 4/29/08, *Dietrich Streifert* <dietrich.streifert at visionet.de> wrote:
>>>
>>> So there must be something in your bash init files,
>>> /etc/profile or ~/.bashrc (sorry I'm not a bash
>>> user) which causes the problem.
>>>
>>> Maybe something which forms the shell prompt like
>>> whoami etc.
>>>
>>> Maybe there is something like an autologout set for
>>> the csh or in sshd with idle session timeout.
>>>
>>>
>>> Oliver Weinmann wrote:
>>>> Hi,
>>>>
>>>> no, there was nothing in /var/adm/messages, but
>>>> guess what: with the csh, ls -alrt and such
>>>> commands work fine... But I get kicked out of the
>>>> ssh session after 2 minutes... :(
>>>>
>>>>
>>>> On 4/29/08, *Dietrich Streifert* <dietrich.streifert at visionet.de> wrote:
>>>>
>>>> Are there any messages in /var/adm/messages
>>>> which are related to nss ?
>>>>
>>>> As I can see you are using bash as your shell.
>>>>
>>>> Try using csh. Does something change?
>>>>
>>>> Oliver Weinmann wrote:
>>>>> su to user oweinmann works but when I issue
>>>>> the ldd -r /usr/lib/nss_winbind.so command it
>>>>> gets put in the background.. :( I then do fg 2
>>>>> and this is the output:
>>>>>
>>>>> bash-2.03$ ldd -r /usr/lib/nss_winbind.so
>>>>>
>>>>> [2]+ Stopped ldd -r /usr/lib/nss_winbind.so
>>>>> bash-2.03$ fg 2
>>>>> ldd -r /usr/lib/nss_winbind.so
>>>>> libthread.so.1 => /usr/lib/libthread.so.1
>>>>> libsocket.so.1 => /usr/lib/libsocket.so.1
>>>>> libdl.so.1 => /usr/lib/libdl.so.1
>>>>> libc.so.1 => /usr/lib/libc.so.1
>>>>> libnsl.so.1 => /usr/lib/libnsl.so.1
>>>>> libmp.so.2 => /usr/lib/libmp.so.2
>>>>> /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
>>>>>
>>>>> bash-2.03$ ls -alrt /etc/nsswitch.conf
>>>>>
>>>>> [2]+ Stopped ls -alrt /etc/nsswitch.conf
>>>>> bash-2.03$ fg 2
>>>>> ls -alrt /etc/nsswitch.conf
>>>>> -rw-r--r-- 1 root sys 1320 Apr 28 13:19 /etc/nsswitch.conf
>>>>>
>>>>> On 4/29/08, *Dietrich Streifert* <dietrich.streifert at visionet.de> wrote:
>>>>>
>>>>> Please try to login (or su) to the user
>>>>> oweinmann and issue then ldd -r
>>>>> /usr/lib/nss_winbind.so
>>>>>
>>>>> For some reason I think that non root
>>>>> users are not able to read one of the
>>>>> involved files.
>>>>>
>>>>> This could be
>>>>>
>>>>> /etc/nsswitch.conf
>>>>> /usr/lib/nss_winbind.so
>>>>>
>>>>> or some of the files found by the ldd -r
>>>>> command. The fact that you can issue
>>>>> commands while nscd is running points to
>>>>> this fact because nscd is running as root
>>>>> and has permissions to read all of those
>>>>> files.
>>>>>
>>>>> /etc/nsswitch.conf should be readable by
>>>>> everyone.
>>>>>
>>>>> I compiled samba myself with a full stack
>>>>> of openssl, iconv, heimdal kerberos,
>>>>> cyrus-sasl, openldap and samba. While
>>>>> people often speak of the Windows DLL hell
>>>>> this is the Solaris shared library hell
>>>>> :-( But it works.
>>>>>
>>>>>
>>>>>
>>>>> Oliver Weinmann wrote:
>>>>>> Hi,
>>>>>>
>>>>>> bash-2.03# ldd -r /usr/lib/nss_winbind.so
>>>>>> libthread.so.1 => /usr/lib/libthread.so.1
>>>>>> libsocket.so.1 => /usr/lib/libsocket.so.1
>>>>>> libdl.so.1 => /usr/lib/libdl.so.1
>>>>>> libc.so.1 => /usr/lib/libc.so.1
>>>>>> libnsl.so.1 => /usr/lib/libnsl.so.1
>>>>>> libmp.so.2 => /usr/lib/libmp.so.2
>>>>>> /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
>>>>>>
>>>>>> I changed the permissions and files to be exactly
>>>>>> the same but I still can't issue commands... :(
>>>>>>
>>>>>> bash-2.03# ls -alrt /usr/lib/nss_winbind.so*
>>>>>> -rwxr-xr-x 1 root other 74744 Apr 29 09:03 /usr/lib/nss_winbind.so.1
>>>>>> lrwxrwxrwx 1 root other 25 Apr 29 09:04 /usr/lib/nss_winbind.so -> /usr/lib/nss_winbind.so.1
>>>>>>
>>>>>> Could this also be a problem of compiling?
>>>>>> Have you compiled samba yourself or are you
>>>>>> using prebuilt packages?
>>>>>>
>>>>>> On 4/29/08, *Dietrich Streifert* <dietrich.streifert at visionet.de> wrote:
>>>>>>
>>>>>> Which output does ldd -r /usr/lib/nss_winbind.so give?
>>>>>>
>>>>>> I have the following naming and permission for nss_winbind:
>>>>>>
>>>>>> lrwxrwxrwx 1 root other 16 Jan 15 2004 nss_winbind.so -> nss_winbind.so.1
>>>>>> -rwxr-xr-x 1 root other 44540 Apr 28 17:35 nss_winbind.so.1
>>>>>>
>>>>>> Please try with exactly the same naming and permissions of your files.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Oliver Weinmann wrote:
>>>>>>
>>>>>> I will try to get hands on the latest patches for solaris 8 and
>>>>>> see if that fixes the nscd problems. I can't believe that
>>>>>> samba-winbind is not running 100% well on a Solaris 8 machine.
>>>>>>
>>>>>>
>>>>>> On 4/28/08, Oliver Weinmann <oliver.weinmann at googlemail.com> wrote:
>>>>>>
>>>>>> Just for fun I changed the perms of /usr/lib/libnss_winbind.so to 777
>>>>>>
>>>>>> bash-2.03# chmod 777 /usr/lib/libnss_winbind.so
>>>>>> bash-2.03# ls -alrt /usr/lib/libnss_winbind.so
>>>>>> -rwxrwxrwx 1 root other 74744 Apr 28 13:32 /usr/lib/libnss_winbind.so
>>>>>>
>>>>>> nscd is turned off. I can login as an AD user but I can't start any
>>>>>> command. :(
>>>>>>
>>>>>> login as: oweinmann
>>>>>> Using keyboard-interactive authentication.
>>>>>> Password:
>>>>>> Last login: Mon Apr 28 15:17:11 2008 from vb8860.vegagrou
>>>>>> bash-2.03$ ls -alrt
>>>>>>
>>>>>> [1]+ Stopped ls -alrt
>>>>>> bash-2.03$ id
>>>>>>
>>>>>> [2]+ Stopped id
>>>>>> bash-2.03$ group
>>>>>>
>>>>>> [3]+ Stopped group
>>>>>> bash-2.03$ echo "TEST"
>>>>>> TEST
>>>>>> bash-2.03$
>>>>>> Some commands are working and some others are put in background and
>>>>>> the session closes after one or two minutes?
>>>>>>
>>>>>> When I turn on nscd everything is fine, except ls -alrt not working.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 4/28/08, Gerald (Jerry) Carter <jerry at samba.org> wrote:
>>>>>>
>>>>>> Oliver Weinmann wrote:
>>>>>> | forgot to mention that the nss_winbind links are there:
>>>>>> |
>>>>>> | bash-2.03# ls -alrt /usr/lib/nss_w*
>>>>>> | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
>>>>>> | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so.1
>>>>>> | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so -> /usr/lib/libnss_winbind.so.1
>>>>>>
>>>>>> Check the perms on /usr/lib/libnss_winbind.so.1. Sounds
>>>>>> like it might be rwx for root only.
>>>>>>
>>>>>> cheers, jerry
>>>>>> --
>>>>>> =====================================================================
>>>>>> Samba ------- http://www.samba.org
>>>>>> Likewise Software --------- http://www.likewisesoftware.com
>>>>>> "What man is a man who does not make the world better?" --Balian
>>>>>>
>>>>>> --
>>>>>> Kind regards
>>>>>> Dietrich Streifert
>>>>>> --
>>>>>> Visionet GmbH
>>>>>> Registered office: Am Weichselgarten 7, 91058 Erlangen
>>>>>> Court of registration: Commercial Register Fürth, HRB 6573
>>>>>> Managing director: Stefan Lindner
>
--
Kind regards
Dietrich Streifert
--
Visionet GmbH
Registered office: Am Weichselgarten 7, 91058 Erlangen
Court of registration: Commercial Register Fürth, HRB 6573
Managing director: Stefan Lindner
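
Added example, not part of the original thread: a POSIX shell check for the file-permission hypothesis raised in the quoted messages (are /etc/nsswitch.conf and the nss_winbind library readable by non-root users?). It also flags a group- or world-writable module, as left behind by the chmod 777 test, because every process that does name lookups loads that file. The function names check_nss_file and check_nss_files are hypothetical.

```shell
#!/bin/sh
# Usage: sh check_nss_perms.sh /etc/nsswitch.conf /usr/lib/nss_winbind.so.1
# check_nss_file and check_nss_files are hypothetical helper names.

# check_nss_file PATH -> prints one verdict line and returns
#   0  readable by everyone, writable by the owner only
#   1  missing, or not readable by "other" (non-root lookups cannot load it)
#   2  group- or world-writable (e.g. after chmod 777)
check_nss_file() {
    path=$1
    # -e follows symlinks, so a dangling nss_winbind.so link counts as missing
    if [ ! -e "$path" ]; then
        echo "MISSING    $path"
        return 1
    fi
    # -L reports the link target's mode, not the symlink's own lrwxrwxrwx
    mode=$(ls -ldL "$path" | awk '{print $1}')
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_r=$(printf '%s' "$mode" | cut -c8)
    other_w=$(printf '%s' "$mode" | cut -c9)
    if [ "$group_w" = w ] || [ "$other_w" = w ]; then
        echo "WRITABLE   $mode $path"
        return 2
    fi
    if [ "$other_r" != r ]; then
        echo "UNREADABLE $mode $path"
        return 1
    fi
    echo "OK         $mode $path"
}

# check_nss_files PATH... -> runs every check, returns the worst status seen
check_nss_files() {
    _worst=0
    for _f in "$@"; do
        _rc=0
        check_nss_file "$_f" || _rc=$?
        if [ "$_rc" -gt "$_worst" ]; then _worst=$_rc; fi
    done
    return "$_worst"
}

# Run only when paths are given on the command line
if [ "$#" -gt 0 ]; then
    check_nss_files "$@"
fi
```

Running it as root and again as an AD user gives the same verdicts, since it reads the mode bits and does not depend on the caller's own access.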