[Samba] solaris 10 winbind authentication with ADS
CJ Keist
cj.keist at colostate.edu
Tue Dec 21 10:35:58 MST 2010
I'm trying to set up a Solaris 10 Sparc station to authenticate users on
login with Windows ADS. I have found the documentation for this but am
having no luck in getting the pam modules to work. Here is what I have
done so far:
Compiling Kerberos MIT5-1.8.3:
cd into the src directory
./configure --prefix=/opt/local
gmake
gmake install
Compiling Samba 3.5.6:
setenv CFLAGS "-O2"
setenv LDFLAGS "-L/opt/local/lib -Wl,-R/opt/local/lib"
setenv CPPFLAGS "-I/opt/local/include"
./configure --prefix=/opt/local --with-pam --with-ads --with-winbind --with-krb5=/opt/local
gmake
gmake install
Compiles and installs with no errors. Here is my samba conf. file:
[global]
workgroup = DOMAINNAME
realm = DOMINNAME.EDU
security = ADS
password server = domainname.edu
log file = /var/samba/log/log.%m
max log size = 50
load printers = No
utmp = Yes
idmap backend = idmap_rid:DOMAINNAME=100000-500000
idmap uid = 100000-500000
idmap gid = 100000-500000
template homedir = /home/%U
template shell = /bin/tcsh
winbind cache time = 1800
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
winbind separator = /
create krb5 conf = No
Krb5.conf:
[libdefaults]
default_realm = DOMAINNAME.EDU
[realms]
DOMAINNAME.EDU = {
kdc = server.domainname.edu
}
[domain_realm]
.server.domainname.edu = DOMAINNAME.EDU
server.domainname.edu = DOMAINNAME.EDU
Then I was able to join okay:
# ./net ads join -U user
Enter user's password:
Using short domain name -- DOMAINNAME
Joined 'SUNTEST1' to realm 'DomainName.EDU'
# ./net ads testjoin
Join is OK
I can get info from the ADS with the wbinfo command just fine, but I cannot get anything via
getent passwd user_name or getent group group_name.
I did copy the libnss_winbind.so from the samba build and have the
pam_winbind.so linked in as well:
# cd /usr/lib
# ls -l *winbind*
-r-xr-xr-x 1 root root 50880 Dec 20 13:07 libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 17 15:29 libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 17 15:30 libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.2 -> libnss_winbind.so
# cd /usr/lib/security/
# ls -l *winbind*
lrwxrwxrwx 1 root root 38 Dec 20 13:04 pam_winbind.so -> /opt/local/lib/security/pam_winbind.so
lrwxrwxrwx 1 root root 38 Dec 20 13:05 pam_winbind.so.1 -> /opt/local/lib/security/pam_winbind.so
My pam.conf:
login auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
other auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
other session sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
other session required pam_unix_session.so.1
What am I missing????
--
C. J. Keist Email: cj.keist at colostate.edu
Systems Group Manager Phone: 970-491-0630
Engineering Network Services Fax: 970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301
All I want is a chance to prove 'Money can't buy happiness'
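
An added example, not part of the original post: a simplified simulation of how the posted "login auth" stack is walked, showing which modules run and which are skipped depending on whether pam_winbind succeeds. The parse_pam_conf() and simulate() helpers are hypothetical, and the control-flag semantics are reduced to required, requisite and sufficient as an assumption for illustration.

```python
# Constructed sample: the "login auth" stack from the post, wrapped lines rejoined.
PAM_CONF = """\
login auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
"""

def parse_pam_conf(text):
    """Parse pam.conf text into (service, type, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            # A wrapped option such as a lone "try_first_pass" ends up here.
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return entries

def simulate(entries, service, mtype, results):
    """Walk one stack; results maps module file name -> bool (default True).

    Returns (success, modules_run, modules_skipped). Simplified model
    (assumption): only required, requisite and sufficient are interpreted.
    """
    stack = [e for e in entries if e[:2] == (service, mtype)]
    names = [e[3].rsplit("/", 1)[-1] for e in stack]
    ran, required_failed = [], False
    for i, (entry, name) in enumerate(zip(stack, names)):
        control, ok = entry[2], results.get(name, True)
        ran.append(name)
        if not ok and control == "requisite":
            return False, ran, names[i + 1:]   # fail immediately
        if not ok and control == "required":
            required_failed = True             # fail, but keep walking
        if ok and control == "sufficient" and not required_failed:
            return True, ran, names[i + 1:]    # success, the rest never runs
    return not required_failed, ran, []

if __name__ == "__main__":
    entries = parse_pam_conf(PAM_CONF)
    for winbind_ok in (True, False):
        outcome = simulate(entries, "login", "auth", {"pam_winbind.so": winbind_ok})
        print("pam_winbind ok =", winbind_ok, "->", outcome)
```

With pam_winbind marked sufficient at the top of the stack, a successful winbind authentication returns before pam_unix_cred.so.1 and the other required modules are reached.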