[Samba] Strange behaviour of winbind on solaris 8
Dietrich Streifert
dietrich.streifert at visionet.de
Tue Apr 29 12:03:02 GMT 2008
I wonder why oweinmann is member of the group staff. Maybe there is an
entry for oweinmann in /etc/passwd?
So I'm running out of ideas :-( Maybe someone out there can take over.
Good luck and report back what you have found.
Oliver Weinmann wrote:
> I changed both groups and users to "no". Still no difference. Another
> strange thing I came across.
>
> as user "oweinmann"
>
> $ id
> uid=11611(oweinmann) gid=1613(domain users)
> $ id -a oweinmann
> uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
> $ id -a
>
> Why is the id -a oweinmann working as user "oweinmann" but not id -a????
>
> On 4/29/08, Dietrich Streifert <dietrich.streifert at visionet.de> wrote:
>
> Please try to set combinations of
>
> winbind enum groups = No
>
> and test again.
>
> This could be the reason why getent groups never ends. This is
> known to be a problem with big AD user/groups databases.
>
> Have a look at this and related parameters in <samba installation
> path>/swat/help/manpages/smb.conf.5.html
>
> Oliver Weinmann wrote:
>> It's the latest stable.
>>
>> # smbd -V
>> Version 3.0.28a
>>
>> [global]
>> netbios name = rose8
>> realm = VEGAGROUP.NET
>> workgroup = VEGA
>> security = ADS
>> encrypt passwords = yes
>> password server = *
>> os level = 20
>> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>> idmap uid = 1100-200000
>> idmap gid = 1100-200000
>> idmap backend = rid:VEGA=1100-200000
>> allow trusted domains = no
>> winbind enum users = yes
>> winbind enum groups = yes
>> template homedir = /home/%U
>> template shell = /bin/sh
>> preferred master = no
>> winbind nested groups = Yes
>> winbind use default domain = Yes
>> #winbind separator = +
>> #winbind normalize names = yes
>> log level = 10
>> max log size = 50
>> log file = /var/log/samba/log.%m
>> dns proxy = no
>> wins server = 172.20.205.1
>> allow trusted domains = No
>> client use spnego = Yes
>> use kerberos keytab = true
>> winbind offline logon = yes
>>
>> I really appreciate your big effort. Thanks!
>>
>> On 4/29/08, Dietrich Streifert <dietrich.streifert at visionet.de> wrote:
>>
>> Which samba version do you use?
>>
>> Please post the global configuration section of smb.conf.
>>
>> Oliver Weinmann wrote:
>>> Here could be a problem. I could not change our win 2k3
>>> schema. They were afraid it could break something... tsss.
>>> So I had to use the idmap_rid module. Which does a good job
>>> actually. It uses the last portion of the AD user's SID and
>>> adds it to a base set in smb.conf. I issued your commands:
>>>
>>> bash-2.03# getent passwd | grep oweinmann
>>> oweinmann2:*:15042:1613:Oliver Weinmann2:/home/oweinmann2:/bin/sh
>>> oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh
>>> oweinmann1:*:15041:1613:Oliver Weinmann1:/home/oweinmann1:/bin/sh
>>> bash-2.03# id -a oweinmann
>>> uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
>>> bash-2.03# su oweinmann
>>> $ id
>>> uid=11611(oweinmann) gid=1613(domain users)
>>> $ id -a
>>>
>>> The "id -a" as user "oweinmann" seems to get stuck. It just
>>> sits there. I noticed when issuing "groups oweinmann" as
>>> root it also gets stuck. For some users the "groups" command
>>> seems to be working, for some others it doesn't.
>>>
>>> On 4/29/08, Dietrich Streifert <dietrich.streifert at visionet.de> wrote:
>>>
>>> We have several installations where we use the two
>>> different AD schema extensions (SFU from Windows
>>> Services for Unix and rfc2307bis from Windows Server
>>> 2003R2) to put the needed information in.
>>>
>>> We are using the idmap_ad module to map the uid, gid,
>>> home etc. information from the AD.
>>>
>>> The local users and the AD users are completely
>>> separated. We do not mix up local users and AD users.
>>>
>>> The first basic test if the AD user information
>>> retrieval is working is to use the getent command:
>>>
>>> getent passwd <someADUser>
>>>
>>> So for a test user account I get:
>>>
>>> korund{root}[/]: getent passwd testuser
>>> testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh
>>>
>>> If this works the first step is done.
>>>
>>> The second test is to get all related information for
>>> one user:
>>>
>>> korund{root}[/]: id -a testuser
>>> uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib)
>>>
>>> The third test is to su - testuser and again try to
>>> issue both commands above. If the retrieved information
>>> is the same you should all be done (except for pam.conf
>>> which is another story).
>>>
>>> Oliver Weinmann wrote:
>>>> Could the problem be that the AD users are not in any
>>>> of the local groups on the machine? How do you manage
>>>> your AD users to be members of local groups e.g. staff,
>>>> sys etc.? pam_groups?
>>>>
>>>> On 4/29/08, Oliver Weinmann <oliver.weinmann at googlemail.com> wrote:
>>>>
>>>> There is nothing in /etc/profile and the user
>>>> oweinmann has no .bashrc. The problem seems to be
>>>> related to nscd. When nscd is turned on I can log in
>>>> and issue commands and I don't get kicked out of
>>>> the ssh login. There is no idle session timeout
>>>> set. If there was I would get kicked out when nscd
>>>> is turned on as well. Only when logged in as an AD
>>>> user I get kicked out...
>>>>
>>>> On 4/29/08, Dietrich Streifert <dietrich.streifert at visionet.de> wrote:
>>>>
>>>> So there must be something in your bash init
>>>> files, /etc/profile or ~/.bashrc (sorry I'm not
>>>> a bash user) which causes the problem.
>>>>
>>>> Maybe something which forms the shell prompt
>>>> like whoami etc.
>>>>
>>>> Maybe there is something like an autologout set
>>>> for the csh or in sshd with idle session timeout.
>>>>
>>>> Oliver Weinmann wrote:
>>>>> Hi,
>>>>>
>>>>> no, there was nothing in /var/adm/messages,
>>>>> but guess what, with the csh ls -alrt and such
>>>>> commands work fine... But I get kicked out of
>>>>> the ssh session after 2 minutes... :(
>>>>>
>>>>> On 4/29/08, Dietrich Streifert <dietrich.streifert at visionet.de> wrote:
>>>>>
>>>>> Are there any messages in
>>>>> /var/adm/messages which are related to nss ?
>>>>>
>>>>> As I can see you are using bash as your shell.
>>>>>
>>>>> Try using csh. Does something change?
>>>>>
>>>>> Oliver Weinmann wrote:
>>>>>> su to user oweinmann works but when I
>>>>>> issue the ldd -r /usr/lib/nss_winbind.so
>>>>>> command it gets put in the background..
>>>>>> :( I then do fg 2 and this is the output:
>>>>>>
>>>>>> bash-2.03$ ldd -r /usr/lib/nss_winbind.so
>>>>>>
>>>>>> [2]+ Stopped ldd -r /usr/lib/nss_winbind.so
>>>>>> bash-2.03$ fg 2
>>>>>> ldd -r /usr/lib/nss_winbind.so
>>>>>> libthread.so.1 => /usr/lib/libthread.so.1
>>>>>> libsocket.so.1 => /usr/lib/libsocket.so.1
>>>>>> libdl.so.1 => /usr/lib/libdl.so.1
>>>>>> libc.so.1 => /usr/lib/libc.so.1
>>>>>> libnsl.so.1 => /usr/lib/libnsl.so.1
>>>>>> libmp.so.2 => /usr/lib/libmp.so.2
>>>>>> /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
>>>>>>
>>>>>> bash-2.03$ ls -alrt /etc/nsswitch.conf
>>>>>>
>>>>>> [2]+ Stopped ls -alrt /etc/nsswitch.conf
>>>>>> bash-2.03$ fg 2
>>>>>> ls -alrt /etc/nsswitch.conf
>>>>>> -rw-r--r-- 1 root sys 1320 Apr 28 13:19 /etc/nsswitch.conf
>>>>>>
>>>>>> On 4/29/08, Dietrich Streifert <dietrich.streifert at visionet.de> wrote:
>>>>>>
>>>>>> Please try to login (or su) to the
>>>>>> user oweinmann and issue then ldd -r
>>>>>> /usr/lib/nss_winbind.so
>>>>>>
>>>>>> For some reason I think that non root
>>>>>> users are not able to read one of the
>>>>>> involved files.
>>>>>>
>>>>>> This could be
>>>>>>
>>>>>> /etc/nsswitch.conf
>>>>>> /usr/lib/nss_winbind.so
>>>>>>
>>>>>> or some of the files found by the ldd
>>>>>> -r command. The fact that you can
>>>>>> issue commands while nscd is running
>>>>>> points to this fact because nscd is
>>>>>> running as root and has permissions
>>>>>> to read all of those files.
>>>>>>
>>>>>> /etc/nsswitch.conf should be readable
>>>>>> by everyone.
>>>>>>
>>>>>> I compiled samba myself with a full
>>>>>> stack of openssl, iconv, heimdal
>>>>>> kerberos, cyrus-sasl, openldap and
>>>>>> samba. While people often speak of
>>>>>> the Windows DLL hell this is the
>>>>>> Solaris shared library hell :-( But
>>>>>> it works.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Oliver Weinmann wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> bash-2.03# ldd -r /usr/lib/nss_winbind.so
>>>>>>> libthread.so.1 => /usr/lib/libthread.so.1
>>>>>>> libsocket.so.1 => /usr/lib/libsocket.so.1
>>>>>>> libdl.so.1 => /usr/lib/libdl.so.1
>>>>>>> libc.so.1 => /usr/lib/libc.so.1
>>>>>>> libnsl.so.1 => /usr/lib/libnsl.so.1
>>>>>>> libmp.so.2 => /usr/lib/libmp.so.2
>>>>>>> /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
>>>>>>>
>>>>>>> I changed the permissions and files
>>>>>>> exactly to be the same but I still
>>>>>>> can't issue commands... :(
>>>>>>>
>>>>>>> bash-2.03# ls -alrt /usr/lib/nss_winbind.so*
>>>>>>> -rwxr-xr-x 1 root other 74744 Apr 29 09:03 /usr/lib/nss_winbind.so.1
>>>>>>> lrwxrwxrwx 1 root other 25 Apr 29 09:04 /usr/lib/nss_winbind.so -> /usr/lib/nss_winbind.so.1
>>>>>>>
>>>>>>> Could this also be a problem with
>>>>>>> compiling? Have you compiled the
>>>>>>> samba yourself or are you using
>>>>>>> prebuilt packages?
>>>>>>>
>>>>>>> On 4/29/08, Dietrich Streifert <dietrich.streifert at visionet.de> wrote:
>>>>>>>
>>>>>>> What output does ldd -r
>>>>>>> /usr/lib/nss_winbind.so give?
>>>>>>>
>>>>>>> I have the following naming and
>>>>>>> permission for nss_winbind:
>>>>>>>
>>>>>>> lrwxrwxrwx 1 root other 16 Jan 15 2004 nss_winbind.so -> nss_winbind.so.1
>>>>>>> -rwxr-xr-x 1 root other 44540 Apr 28 17:35 nss_winbind.so.1
>>>>>>>
>>>>>>> Please try with exactly the same
>>>>>>> naming and permissions of your
>>>>>>> files.
>>>>>>>
>>>>>>> Oliver Weinmann wrote:
>>>>>>>
>>>>>>> I will try to get hands on the latest patches for
>>>>>>> solaris 8 and see if that fixes the nscd problems. I
>>>>>>> can't believe that samba-winbind is not running
>>>>>>> 100% well on a Solaris 8 machine.
>>>>>>>
>>>>>>> On 4/28/08, Oliver Weinmann <oliver.weinmann at googlemail.com> wrote:
>>>>>>>
>>>>>>> Just for fun I changed the perms of
>>>>>>> /usr/lib/libnss_winbind.so to 777
>>>>>>>
>>>>>>> bash-2.03# chmod 777 /usr/lib/libnss_winbind.so
>>>>>>> bash-2.03# ls -alrt /usr/lib/libnss_winbind.so
>>>>>>> -rwxrwxrwx 1 root other 74744 Apr 28 13:32 /usr/lib/libnss_winbind.so
>>>>>>>
>>>>>>> nscd is turned off. I can log in as an AD user
>>>>>>> but I can't start any command. :(
>>>>>>>
>>>>>>> login as: oweinmann
>>>>>>> Using keyboard-interactive authentication.
>>>>>>> Password:
>>>>>>> Last login: Mon Apr 28 15:17:11 2008 from vb8860.vegagrou
>>>>>>> bash-2.03$ ls -alrt
>>>>>>>
>>>>>>> [1]+ Stopped ls -alrt
>>>>>>> bash-2.03$ id
>>>>>>>
>>>>>>> [2]+ Stopped id
>>>>>>> bash-2.03$ group
>>>>>>>
>>>>>>> [3]+ Stopped group
>>>>>>> bash-2.03$ echo "TEST"
>>>>>>> TEST
>>>>>>> bash-2.03$
>>>>>>> Some commands are working and some others are put in background
>>>>>>> and the session closes after one or two minutes?
>>>>>>>
>>>>>>> When I turn on nscd everything is fine,
>>>>>>> except ls -alrt not working.
>>>>>>>
>>>>>>> On 4/28/08, Gerald (Jerry) Carter <jerry at samba.org> wrote:
>>>>>>>
>>>>>>>
>>>>>>> Oliver Weinmann wrote:
>>>>>>> | forgot to mention that the nss_winbind links are there:
>>>>>>> |
>>>>>>> | bash-2.03# ls -alrt /usr/lib/nss_w*
>>>>>>> | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
>>>>>>> | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so.1
>>>>>>> | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so -> /usr/lib/libnss_winbind.so.1
>>>>>>>
>>>>>>> Check the perms on /usr/lib/libnss_winbind.so.1. Sounds
>>>>>>> like it might be rwx for root only.
>>>>>>>
>>>>>>> cheers, jerry
>>>>>>> --
>>>>>>> =====================================================================
>>>>>>> Samba ------- http://www.samba.org
>>>>>>> Likewise Software --------- http://www.likewisesoftware.com
>>>>>>> "What man is a man who does not make the world better?" --Balian
--
Kind regards
Dietrich Streifert
--
Visionet GmbH
Registered office: Am Weichselgarten 7, 91058 Erlangen
Court of registration: Commercial Register Fürth, HRB 6573
Managing director: Stefan Lindner
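
The permission checks done by hand in this thread (is /etc/nsswitch.conf or nss_winbind.so unreadable for non-root users, and what mode did the chmod 777 experiment leave behind) can be scripted. The following is an added example, not part of the original messages: the function names are hypothetical, and it assumes a POSIX shell such as bash, `ls -n`, and that these files should be owned by root (uid 0). It also flags group- or world-writable modes, because the NSS module is loaded into every process that performs a name lookup.

```shell
#!/bin/sh
# Added example (not from the thread): audit files that NSS lookups load.
# check_nss_file PATH [OWNER_UID]
#   returns 0 ok, 2 missing, 3 wrong owner, 4 group/world-writable,
#   5 not world-readable
check_nss_file() {
    path=$1
    want_uid=${2:-0}   # assumption: the files should belong to root (uid 0)
    # -L follows the symlink chain (nss_winbind.so -> nss_winbind.so.1);
    # -n prints the numeric owner, so no name service lookup is needed.
    info=$(ls -ldLn "$path" 2>/dev/null | awk '{print $1, $3}')
    if [ -z "$info" ]; then
        echo "MISSING    $path"; return 2
    fi
    mode=${info% *}
    uid=${info#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER      $path: uid $uid, expected $want_uid"; return 3
    fi
    case $mode in
        ?????w*|????????w*)   # 6th char = group write, 9th = other write
            echo "WRITABLE   $path ($mode)"; return 4 ;;
    esac
    case $mode in
        ???????r*) ;;         # 8th char = other read
        *) echo "UNREADABLE $path ($mode)"; return 5 ;;
    esac
    echo "OK         $path ($mode)"
}

# audit_nss_files OWNER_UID PATH...  returns the number of failing files
audit_nss_files() {
    want=$1; shift
    failed=0
    for f in "$@"; do
        check_nss_file "$f" "$want" || failed=$((failed + 1))
    done
    return "$failed"
}

# The files named in the thread; missing ones are reported, not fatal.
audit_nss_files 0 /etc/nsswitch.conf /usr/lib/nss_winbind.so \
    /usr/lib/nss_winbind.so.1 || true
```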