[Samba] solaris 10 winbind authentication with ADS
Gaiseric Vandal
gaiseric.vandal at gmail.com
Tue Dec 21 13:43:25 MST 2010
Is this to support authentication for Unix users (e.g. via ssh) or
Windows users (via Samba)?
I found that after upgrading from samba 3.0.x to 3.4.x that the idmap
allocation stopped working. In my case I already had the idmap entries
populated into ldap. Can you use "wbinfo --allocate-uid" or
"wbinfo --set-uid-mapping" to manually create a UID-to-SID mapping?
On 12/21/2010 01:44 PM, CJ Keist wrote:
> Forgot to add, my nsswitch.conf file has the winbind option added to
> the end of the passwd and group lines:
>
> passwd: files winbind
> group: files winbind
>
> ------------------------------------
>
> I'm trying to set up a Solaris 10 Sparc station to authenticate users
> on login with Windows ADS. I have found the documentation for this
> but am having no luck in getting the pam modules to work. Here is what I
> have done so far:
>
> Compiling Kerberos MIT5-1.8.3:
> cd into the src directory
> ./configure --prefix=/opt/local
> gmake
> gmake install
>
> Compiling Samba 3.5.6:
> setenv CFLAGS "-O2"
> setenv LDFLAGS "-L/opt/local/lib -Wl,-R/opt/local/lib"
> setenv CPPFLAGS "-I/opt/local/include"
>
> ./configure --prefix=/opt/local --with-pam --with-ads --with-winbind
> --with-krb5=/opt/local
> gmake
> gmake install
>
> Compiles and installs with no errors. Here is my samba conf. file:
>
> [global]
> workgroup = DOMAINNAME
> realm = DOMINNAME.EDU
> security = ADS
> password server = domainname.edu
> log file = /var/samba/log/log.%m
> max log size = 50
> load printers = No
> utmp = Yes
> idmap backend = idmap_rid:DOMAINNAME=100000-500000
> idmap uid = 100000-500000
> idmap gid = 100000-500000
> template homedir = /home/%U
> template shell = /bin/tcsh
> winbind cache time = 1800
> winbind enum users = No
> winbind enum groups = No
> winbind use default domain = Yes
> winbind separator = /
> create krb5 conf = No
>
> Krb5.conf:
> [libdefaults]
> default_realm = DOMAINNAME.EDU
>
> [realms]
> DOMAINNAME.EDU = {
> kdc = server.domainname.edu
> }
>
> [domain_realm]
> .server.domainname.edu = DOMAINNAME.EDU
> server.domainname.edu = DOMAINNAME.EDU
>
> Then I was able to join okay:
>
> # ./net ads join -U user
> Enter user's password:
> Using short domain name -- DOMAINNAME
> Joined 'SUNTEST1' to realm 'DomainName.EDU'
> # ./net ads testjoin
> Join is OK
>
> I can get info from the ADS from wbinfo command just fine. But I
> cannot get anything via
>
> getent passwd user_name or getent group group_name
>
> I did copy the libnss_winbind.so from the samba build and have the
> pam_winbind.so linked in as well:
>
> # cd /usr/lib
> # ls -l *winbind*
> -r-xr-xr-x 1 root root 50880 Dec 20 13:07 libnss_winbind.so
> lrwxrwxrwx 1 root root 17 Dec 17 15:29 libnss_winbind.so.1 -> libnss_winbind.so
> lrwxrwxrwx 1 root root 17 Dec 17 15:30 libnss_winbind.so.2 -> libnss_winbind.so
> lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.1 -> libnss_winbind.so
> lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.2 -> libnss_winbind.so
>
> # cd /usr/lib/security/
> # ls -l *winbind*
> lrwxrwxrwx 1 root root 38 Dec 20 13:04 pam_winbind.so -> /opt/local/lib/security/pam_winbind.so
> lrwxrwxrwx 1 root root 38 Dec 20 13:05 pam_winbind.so.1 -> /opt/local/lib/security/pam_winbind.so
>
>
> My pam.conf:
>
> login auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
>
> other auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth required pam_unix_auth.so.1
>
> other session sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
> other session required pam_unix_session.so.1
>
> What am I missing????
>
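An added example, not part of either message above: the reply points at idmap as the thing that broke between 3.0.x and 3.4.x, and the quoted smb.conf still uses the 3.0-style `idmap backend = idmap_rid:DOMAIN=range` string. This small checker parses a [global] section the way Samba normalises parameter names (case and internal whitespace ignored), flags that legacy form, and emits the per-domain `idmap config DOMAIN : backend/range` lines that smb.conf(5) documents for 3.4 and later. The sample config is constructed from the post; the finding strings are my own.

```python
import re

# Constructed sample: the idmap-related lines from the [global] section in the post.
SAMPLE_SMB_CONF = """
[global]
    workgroup = DOMAINNAME
    realm = DOMINNAME.EDU
    security = ADS
    idmap backend = idmap_rid:DOMAINNAME=100000-500000
    idmap uid = 100000-500000
    idmap gid = 100000-500000
    winbind use default domain = Yes
"""

# Samba 3.0.x per-domain idmap_rid form: idmap_rid:DOMAIN=low-high
LEGACY_RID = re.compile(r"^idmap_rid:(?P<dom>[^=\s]+)=(?P<low>\d+)-(?P<high>\d+)$")

def parse_global(text):
    """Return the [global] section as a dict. Samba ignores case and internal
    whitespace in parameter names, so keys are normalised the same way."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params

def check_idmap(params):
    """Return (findings, suggested_lines). A legacy idmap_rid string is
    rewritten into the 3.4+ 'idmap config' pair with the same domain and range."""
    findings, fixes = [], []
    m = LEGACY_RID.match(params.get("idmap backend", ""))
    if m:
        dom, low, high = m.group("dom"), m.group("low"), m.group("high")
        findings.append("legacy idmap_rid syntax in 'idmap backend' (Samba 3.0.x form)")
        fixes += [f"idmap config {dom} : backend = rid",
                  f"idmap config {dom} : range = {low}-{high}"]
        if int(low) >= int(high):
            findings.append("idmap range low bound is not below high bound")
    if "idmap uid" not in params or "idmap gid" not in params:
        findings.append("no default idmap uid/gid range for SIDs outside the domain")
    return findings, fixes
```

Run against the sample it reports the legacy line and prints the two replacement lines; a config that already uses `idmap config` produces no idmap_rid finding.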