Re: [Samba] Strange behaviour of winbind on solaris 8



Old 04-29-2008
Oliver Weinmann
 

It's the latest stable.

# smbd -V
Version 3.0.28a

[global]
netbios name = rose8
realm = VEGAGROUP.NET
workgroup = VEGA
security = ADS
encrypt passwords = yes
password server = *
os level = 20
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 1100-200000
idmap gid = 1100-200000
idmap backend = rid:VEGA=1100-200000
allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/sh
preferred master = no
winbind nested groups = Yes
winbind use default domain = Yes
#winbind separator = +
#winbind normalize names = yes
log level = 10
max log size = 50
log file = /var/log/samba/log.%m
dns proxy = no
wins server = 172.20.205.1
allow trusted domains = No
client use spnego = Yes
use kerberos keytab = true
winbind offline logon = yes

I really appreciate your big effort. Thanks!

On 4/29/08, Dietrich Streifert <dietrich.streifert@visionet.de> wrote:
>
> Which samba version do you use?
>
> Please post the global configuration section of smb.conf.
>
>
> Oliver Weinmann wrote:
>
> Here could be a problem. I could not change our win 2k3 schema. They were
> afraid it could break something... tsss. So I had to use the idmap_rid
> module. Which does a good job actually. It uses the last portion of the AD
> users SID and adds it to a base set in smb.conf. I issued your commands:
>
> bash-2.03# getent passwd | grep oweinmann
> oweinmann2:*:15042:1613:Oliver Weinmann2:/home/oweinmann2:/bin/sh
> oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh
> oweinmann1:*:15041:1613:Oliver Weinmann1:/home/oweinmann1:/bin/sh
> bash-2.03# id -a oweinmann
> uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
> bash-2.03# su oweinmann
> $ id
> uid=11611(oweinmann) gid=1613(domain users)
> $ id -a
>
> the "id -a" as user "oweinmann" seems to get stuck. It just sits there. I
> noticed when issuing "groups oweinmann" as root it also gets stuck. On some
> users the "groups" command seems to be working, on some others it doesn't.
>
>
> On 4/29/08, Dietrich Streifert <dietrich.streifert@visionet.de> wrote:
> >
> > We have several installations where we use the two different AD schema
> > extensions (SFU from Windows Services for Unix and rfc2307bis from Windows
> > Server 2003R2) to put the needed information in.
> >
> > We are using the idmap_ad module to map the uid, gid, home etc.
> > information from the AD.
> >
> > The local users and the AD users are completely separated. We do not mix
> > up local users and AD users.
> >
> > The first basic test if the AD user information retrieval is working is
> > to use the getent command:
> >
> > getent passwd <someADUser>
> >
> > So for a test user account I get:
> >
> > korund{root}[/]: getent passwd testuser
> > testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh
> >
> > If this works the first step is done.
> >
> > The second test is to get all related Information for one user:
> >
> > korund{root}[/]: id -a testuser
> > uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib)
> >
> > The third test is to su - testuser and again try to issue both commands
> > above. If the retrieved information is the same you should all be done
> > (except for pam.conf which is another story).
> >
> >
> >
> >
> >
> >
> > Oliver Weinmann wrote:
> >
> > Could the problem be that the AD users are not in any of the local
> > groups on the machine? How do you manage your AD users to be members of
> > local groups e.g. staff, sys etc.? pam_groups?
> >
> > On 4/29/08, Oliver Weinmann <oliver.weinmann@googlemail.com> wrote:
> > >
> > > there is nothing in /etc/profile and the user oweinmann has no
> > > .bashrc. The problem seems to be related to nscd. When nscd is turned on I
> > > can login and issue commands and I don't get kicked out of the ssh login.
> > > There is no idle session timeout set. If there was I would get kicked out
> > > when nscd is turned on as well. Only when logged in as an AD user I get
> > > kicked out...
> > >
> > > On 4/29/08, Dietrich Streifert <dietrich.streifert@visionet.de> wrote:
> > > >
> > > > So there must be something in your bash init files, /etc/profile or
> > > > ~/.bashrc (sorry I'm not a bash user) which causes the problem.
> > > >
> > > > Maybe something which forms the shell prompt like whoami etc.
> > > >
> > > > Maybe there is something like an autologout set for the csh or in
> > > > sshd with idle session timeout.
> > > >
> > > >
> > > > Oliver Weinmann wrote:
> > > >
> > > > Hi,
> > > >
> > > > no, there was nothing in /var/adm/messages, but guess what with the
> > > > csh ls -alrt and such commands work fine... But I get kicked out of the ssh
> > > > session after 2 minutes... :(
> > > >
> > > >
> > > > On 4/29/08, Dietrich Streifert <dietrich.streifert@visionet.de>
> > > > wrote:
> > > > >
> > > > > Are there any messages in /var/adm/messages which are related to
> > > > > nss ?
> > > > >
> > > > > As I can see you are using bash as your shell.
> > > > >
> > > > > Try using csh. Does something change?
> > > > >
> > > > > Oliver Weinmann wrote:
> > > > >
> > > > > su to user oweinmann works but when I issue the ldd -r
> > > > > /usr/lib/nss_winbind.so command it gets put in the background.. :( I then do
> > > > > fg 2 and this is the output:
> > > > >
> > > > > bash-2.03$ ldd -r /usr/lib/nss_winbind.so
> > > > >
> > > > > [2]+ Stopped ldd -r /usr/lib/nss_winbind.so
> > > > > bash-2.03$ fg 2
> > > > > ldd -r /usr/lib/nss_winbind.so
> > > > > libthread.so.1 => /usr/lib/libthread.so.1
> > > > > libsocket.so.1 => /usr/lib/libsocket.so.1
> > > > > libdl.so.1 => /usr/lib/libdl.so.1
> > > > > libc.so.1 => /usr/lib/libc.so.1
> > > > > libnsl.so.1 => /usr/lib/libnsl.so.1
> > > > > libmp.so.2 => /usr/lib/libmp.so.2
> > > > > /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
> > > > >
> > > > > bash-2.03$ ls -alrt /etc/nsswitch.conf
> > > > >
> > > > > [2]+ Stopped ls -alrt /etc/nsswitch.conf
> > > > > bash-2.03$ fg 2
> > > > > ls -alrt /etc/nsswitch.conf
> > > > > -rw-r--r-- 1 root sys 1320 Apr 28 13:19
> > > > > /etc/nsswitch.conf
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On 4/29/08, Dietrich Streifert <dietrich.streifert@visionet.de>
> > > > > wrote:
> > > > > >
> > > > > > Please try to login (or su) to the user oweinmann and issue then
> > > > > > ldd -r /usr/lib/nss_winbind.so
> > > > > >
> > > > > > For some reason I think that non root users are not able to read
> > > > > > one of the involved files.
> > > > > >
> > > > > > This could be
> > > > > >
> > > > > > /etc/nsswitch.conf
> > > > > > /usr/lib/nss_winbind.so
> > > > > >
> > > > > > or some of the files found by the ldd -r command. The fact that
> > > > > > you can issue commands while nscd is running points to this fact because nscd
> > > > > > is running as root and has permissions to read all of those files.
> > > > > >
> > > > > > /etc/nsswitch.conf should be readable by everyone.
> > > > > >
> > > > > > I compiled samba myself with a full stack of openssl, iconv,
> > > > > > heimdal kerberos, cyrus-sasl, openldap and samba. While people often speak
> > > > > > of the Windows DLL hell this is the Solaris shared library hell :-( But it
> > > > > > works.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Oliver Weinmann wrote:
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > bash-2.03# ldd -r /usr/lib/nss_winbind.so
> > > > > > libthread.so.1 => /usr/lib/libthread.so.1
> > > > > > libsocket.so.1 => /usr/lib/libsocket.so.1
> > > > > > libdl.so.1 => /usr/lib/libdl.so.1
> > > > > > libc.so.1 => /usr/lib/libc.so.1
> > > > > > libnsl.so.1 => /usr/lib/libnsl.so.1
> > > > > > libmp.so.2 => /usr/lib/libmp.so.2
> > > > > > /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
> > > > > >
> > > > > > I changed the permissions and files exactly to be the same but I
> > > > > > still can't issue commands... :(
> > > > > >
> > > > > > bash-2.03# ls -alrt /usr/lib/nss_winbind.so*
> > > > > > -rwxr-xr-x 1 root other 74744 Apr 29 09:03
> > > > > > /usr/lib/nss_winbind.so.1
> > > > > > lrwxrwxrwx 1 root other 25 Apr 29 09:04
> > > > > > /usr/lib/nss_winbind.so -> /usr/lib/nss_winbind.so.1
> > > > > >
> > > > > > Could this also be a problem of a compiling? Have you compiled
> > > > > > the samba yourself or are you using prebuilt packages?
> > > > > >
> > > > > > On 4/29/08, Dietrich Streifert <dietrich.streifert@visionet.de>
> > > > > > wrote:
> > > > > > >
> > > > > > > which output gives ldd -r /usr/lib/nss_winbind.so ?
> > > > > > >
> > > > > > > I have the following naming and permission for nss_winbind:
> > > > > > >
> > > > > > > lrwxrwxrwx 1 root other 16 Jan 15 2004
> > > > > > > nss_winbind.so -> nss_winbind.so.1
> > > > > > > -rwxr-xr-x 1 root other 44540 Apr 28 17:35
> > > > > > > nss_winbind.so.1
> > > > > > >
> > > > > > > Please try with the exactly same naming and permissions of
> > > > > > > your files.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Oliver Weinmann wrote:
> > > > > > >
> > > > > > > > I will try to get hands on the latest patches for solaris 8
> > > > > > > > and see if that
> > > > > > > > fixes the nscd problems. I can't believe that samba-winbind
> > > > > > > > is not running
> > > > > > > > 100% well on a Solaris 8 machine.
> > > > > > > >
> > > > > > > >
> > > > > > > > On 4/28/08, Oliver Weinmann <oliver.weinmann@googlemail.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > >
> > > > > > > > > Just for fun i changed the perms of
> > > > > > > > > /usr/lib/libnss_winbind.so to 777
> > > > > > > > >
> > > > > > > > > bash-2.03# chmod 777 /usr/lib/libnss_winbind.so
> > > > > > > > > bash-2.03# ls -alrt /usr/lib/libnss_winbind.so
> > > > > > > > > -rwxrwxrwx 1 root other 74744 Apr 28 13:32
> > > > > > > > > /usr/lib/libnss_winbind.so
> > > > > > > > >
> > > > > > > > > nscd is turned off. I can login as an AD user but I can't
> > > > > > > > > start any
> > > > > > > > > command. :(
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > login as: oweinmann
> > > > > > > > > Using keyboard-interactive authentication.
> > > > > > > > > Password:
> > > > > > > > > Last login: Mon Apr 28 15:17:11 2008 from vb8860.vegagrou
> > > > > > > > > bash-2.03$ ls -alrt
> > > > > > > > >
> > > > > > > > > [1]+ Stopped ls -alrt
> > > > > > > > > bash-2.03$ id
> > > > > > > > >
> > > > > > > > > [2]+ Stopped id
> > > > > > > > > bash-2.03$ group
> > > > > > > > >
> > > > > > > > > [3]+ Stopped group
> > > > > > > > > bash-2.03$ echo "TEST"
> > > > > > > > > TEST
> > > > > > > > > bash-2.03$
> > > > > > > > > Some commands are working and some others are put in
> > > > > > > > > background and the
> > > > > > > > > session closes after one or two minutes?
> > > > > > > > >
> > > > > > > > > When I turn on nscd everything is fine, except ls -alrt
> > > > > > > > > not working.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On 4/28/08, Gerald (Jerry) Carter <jerry@samba.org> wrote:
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Oliver Weinmann wrote:
> > > > > > > > > > | forgot to mention that the nss_winbind links are
> > > > > > > > > > there:
> > > > > > > > > > |
> > > > > > > > > > | bash-2.03# ls -alrt /usr/lib/nss_w*
> > > > > > > > > > | lrwxrwxrwx 1 root other 28 Apr 23 14:30
> > > > > > > > > > | /usr/lib/nss_winbind.so.2 ->
> > > > > > > > > > /usr/lib/libnss_winbind.so.1
> > > > > > > > > > | lrwxrwxrwx 1 root other 28 Apr 23 14:30
> > > > > > > > > > | /usr/lib/nss_winbind.so.1 ->
> > > > > > > > > > /usr/lib/libnss_winbind.so.1
> > > > > > > > > > | lrwxrwxrwx 1 root other 28 Apr 23 14:30
> > > > > > > > > > | /usr/lib/nss_winbind.so ->
> > > > > > > > > > /usr/lib/libnss_winbind.so.1
> > > > > > > > > >
> > > > > > > > > > Check the perms on /usr/lib/libnss_winbind.so.1. Sounds
> > > > > > > > > > like it might be rwx for root only.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > cheers, jerry
> > > > > > > > > > - --
> > > > > > > > > >
> > > > > > > > > > Samba -------
> > > > > > > > > > http://www.samba.org
> > > > > > > > > > Likewise Software ---------
> > > > > > > > > > http://www.likewisesoftware.com
> > > > > > > > > > "What man is a man who does not make the world better?"
> > > > > > > > > > --Balian
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > --
> > > > > > > Kind regards
> > > > > > > Dietrich Streifert
> > > > > > > --
> > > > > > > Visionet GmbH
> > > > > > > Registered office: Am Weichselgarten 7, 91058 Erlangen
> > > > > > > Court of registration: Commercial Register Fürth, HRB 6573
> > > > > > > Managing director: Stefan Lindner
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >

> >

>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
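
The permission checks discussed in this thread (whether non-root users can read /etc/nsswitch.conf, the nss_winbind module behind its symlinks, and the libraries that ldd lists for it), collected into one script as an added example that is not part of the original posts. It also reports files left group- or world-writable, as the chmod 777 test would; the helper names nss_perm_status, ldd_paths and nss_audit are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. nss_perm_status, ldd_paths and
# nss_audit are hypothetical helper names.

# Classify one path by the permissions of its symlink target:
#   missing    - path (or link target) does not exist
#   writable   - group or others may write (what chmod 777 leaves behind)
#   unreadable - others may not read, so non-root lookups cannot load it
#   ok         - readable by everyone, not writable by group or others
nss_perm_status() {
    [ -e "$1" ] || { echo missing; return 0; }
    # -L reports the target; a symlink itself always shows lrwxrwxrwx
    mode=$(ls -ldL "$1" | awk '{print $1}')
    case "$mode" in
        ?????w*|????????w*) echo writable ;;
        ???????r*)          echo ok ;;
        *)                  echo unreadable ;;
    esac
}

# Read ldd output on stdin and print only the resolved absolute paths.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//                { print $1 }'
}

# Audit nsswitch.conf, the NSS module and every library ldd resolves for it.
# Returns non-zero if any file is not "ok".
nss_audit() {
    rc=0
    for f in /etc/nsswitch.conf "$1" $(ldd "$1" 2>/dev/null | ldd_paths); do
        st=$(nss_perm_status "$f")
        [ "$st" = ok ] || rc=1
        printf '%-10s %s\n' "$st" "$f"
    done
    return $rc
}

# Usage: sh nss_audit.sh /usr/lib/nss_winbind.so
if [ $# -gt 0 ]; then nss_audit "$1"; fi
```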