[Samba] solaris 10 winbind authentication with ADS
CJ Keist
cj.keist at colostate.edu
Tue Dec 21 14:50:11 MST 2010
I want to authenticate for ssh logins. I will not be running the smbd or
nmbd daemons. Just winbind.
Running your commands, I got:
# ./wbinfo --allocate-uid
Could not allocate a uid
As for the second, there is no --set-uid-mapping option.
On 12/21/10 1:43 PM, Gaiseric Vandal wrote:
> Is this to support authentication for unix users (e.g. via ssh) or
> windows users (via samba?)
>
>
> I found that after upgrading from samba 3.0.x to 3.4.x that the idmap
> allocation stopped working. In my case I already had the idmap
> entries populated into ldap. Can you use "wbinfo --allocate-uid"
> or "wbinfo --set-uid-mapping " to manually create a UID-to-SID
> mapping?
>
>
>
> On 12/21/2010 01:44 PM, CJ Keist wrote:
>> Forgot to add, my nsswitch.conf file has the winbind option added to
>> the end of the passwd and group lines:
>>
>> passwd: files winbind
>> group: files winbind
>>
>> ------------------------------------
>>
>> I'm trying to set up a Solaris 10 Sparc station to authenticate users
>> on login with Windows ADS. I have found the documentation for this
>> but am having no luck in getting the pam modules to work. Here is what
>> I have done so far:
>>
>> Compiling Kerberos MIT5-1.8.3:
>> cd into the src directory
>> ./configure --prefix=/opt/local
>> gmake
>> gmake install
>>
>> Compiling Samba 3.5.6:
>> setenv CFLAGS "-O2"
>> setenv LDFLAGS "-L/opt/local/lib -Wl,-R/opt/local/lib"
>> setenv CPPFLAGS "-I/opt/local/include"
>>
>> ./configure --prefix=/opt/local --with-pam --with-ads --with-winbind --with-krb5=/opt/local
>> gmake
>> gmake install
>>
>> Compiles and installs with no errors. Here is my samba conf. file:
>>
>> [global]
>> workgroup = DOMAINNAME
>> realm = DOMINNAME.EDU
>> security = ADS
>> password server = domainname.edu
>> log file = /var/samba/log/log.%m
>> max log size = 50
>> load printers = No
>> utmp = Yes
>> idmap backend = idmap_rid:DOMAINNAME=100000-500000
>> idmap uid = 100000-500000
>> idmap gid = 100000-500000
>> template homedir = /home/%U
>> template shell = /bin/tcsh
>> winbind cache time = 1800
>> winbind enum users = No
>> winbind enum groups = No
>> winbind use default domain = Yes
>> winbind separator = /
>> create krb5 conf = No
>>
>> Krb5.conf:
>> [libdefaults]
>> default_realm = DOMAINNAME.EDU
>>
>> [realms]
>> DOMAINNAME.EDU = {
>> kdc = server.domainname.edu
>> }
>>
>> [domain_realm]
>> .server.domainname.edu = DOMAINNAME.EDU
>> server.domainname.edu = DOMAINNAME.EDU
>>
>> Then I was able to join okay:
>>
>> # ./net ads join -U user
>> Enter user's password:
>> Using short domain name -- DOMAINNAME
>> Joined 'SUNTEST1' to realm 'DomainName.EDU'
>> # ./net ads testjoin
>> Join is OK
>>
>> I can get info from the ADS from wbinfo command just fine. But I
>> cannot get anything via
>>
>> getent passwd user_name or getent group group_name
>>
>> I did copy the libnss_winbind.so from the samba build and have the
>> pam_winbind.so linked in as well:
>>
>> # cd /usr/lib
>> # ls -l *winbind*
>> -r-xr-xr-x 1 root root 50880 Dec 20 13:07 libnss_winbind.so
>> lrwxrwxrwx 1 root root 17 Dec 17 15:29 libnss_winbind.so.1 -> libnss_winbind.so
>> lrwxrwxrwx 1 root root 17 Dec 17 15:30 libnss_winbind.so.2 -> libnss_winbind.so
>> lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.1 -> libnss_winbind.so
>> lrwxrwxrwx 1 root root 17 Dec 20 13:41 nss_winbind.so.2 -> libnss_winbind.so
>>
>> # cd /usr/lib/security/
>> # ls -l *winbind*
>> lrwxrwxrwx 1 root root 38 Dec 20 13:04 pam_winbind.so -> /opt/local/lib/security/pam_winbind.so
>> lrwxrwxrwx 1 root root 38 Dec 20 13:05 pam_winbind.so.1 -> /opt/local/lib/security/pam_winbind.so
>>
>>
>> My pam.conf:
>>
>> login auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
>> login auth requisite pam_authtok_get.so.1
>> login auth required pam_dhkeys.so.1
>> login auth required pam_unix_cred.so.1
>> login auth required pam_unix_auth.so.1
>> login auth required pam_dial_auth.so.1
>>
>> other auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
>> other auth requisite pam_authtok_get.so.1
>> other auth required pam_dhkeys.so.1
>> other auth required pam_unix_cred.so.1
>> other auth required pam_unix_auth.so.1
>>
>> other session sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
>> other session required pam_unix_session.so.1
>>
>> What am I missing????
>>
>
--
C. J. Keist Email: cj.keist at colostate.edu
Systems Group Manager Phone: 970-491-0630
Engineering Network Services Fax: 970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301
All I want is a chance to prove 'Money can't buy happiness'
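
How the quoted pam.conf stacks are evaluated, as an added example that is not part of the original thread: a `sufficient` module that succeeds ends its stack, so the entries listed after pam_winbind.so do not run for a user winbind accepts. The sample text is constructed from the quoted entries with wrapped lines rejoined; `parse` and `evaluate` are hypothetical helper names, and only the required, requisite, sufficient and optional flags are modelled.

```python
# Added example: simulate how a pam.conf stack is walked (simplified model).
# PAM_CONF is constructed from the entries quoted in the message above.
PAM_CONF = """\
login auth sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
other session sufficient /opt/local/lib/security/pam_winbind.so try_first_pass
other session required pam_unix_session.so.1
"""

def parse(text):
    """Return {(service, type): [(control, module, options), ...]} in file order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf entry: {raw!r}")
        service, mtype, control, path, *opts = fields
        module = path.rsplit("/", 1)[-1]          # compare by file name
        stacks.setdefault((service, mtype), []).append((control, module, opts))
    return stacks

def evaluate(stack, results):
    """Walk one stack; results maps module -> False for a simulated failure.
    Returns (modules_run, modules_skipped, stack_succeeded)."""
    ran, required_failed, any_ok = [], False, False
    for i, (control, module, _opts) in enumerate(stack):
        ran.append(module)
        ok = results.get(module, True)
        any_ok = any_ok or ok
        rest = [m for _c, m, _o in stack[i + 1:]]
        if control == "sufficient" and ok and not required_failed:
            return ran, rest, True                # success ends the stack here
        if control == "requisite" and not ok:
            return ran, rest, False               # failure ends the stack here
        if control == "required" and not ok:
            required_failed = True                # keep going, fail at the end
    return ran, [], any_ok and not required_failed

if __name__ == "__main__":
    for key, stack in parse(PAM_CONF).items():
        for winbind_ok in (True, False):
            ran, skipped, ok = evaluate(stack, {"pam_winbind.so": winbind_ok})
            print(key, "winbind ok" if winbind_ok else "winbind fails",
                  "-> ran", ran, "skipped", skipped, "result", ok)
```

In this model, a login that winbind accepts never reaches pam_unix_cred.so.1 or pam_unix_session.so.1 under the quoted ordering.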