Web lists-archives.com

Re: [Samba] Samba 4.3.13 logon oddity on Solaris 10




On Tue, 2018-06-19 at 12:44 +0100, Rowland Penny via samba wrote:
> > > Why are you using LDAP for authentication on a Unix domain member
> > > ?
> > 
> > Because it just works and is straightforward to set up and things
> > like ldaplist&co work. Until I resolved the open issue I'll just
> > leave things as they are.
> Yes, but its not working, is it, not at first anyway. Samba expects
> to use winbind and it is only half set up.
On the OS level everything works flawlessly (without using winbind).
Login upon first try, kerberos ticket properly issued, uid/gid set to
the numbers provided from the LDAP (Samba DC) backend. 
I would simply expect smbd to use the uid/gid provided by whatever
backend if present in the user's data.
The only thing not working as expected is when I try to connect to a
share provided by smbd running on that machine. That takes two login
attempts.

> > One thing I forgot to mention in the previous mail - once logged
> > into
> > a share files are indeed created with the correct owner/uidnumber
> > as
> > stored in the user's LDAP record.
> 
> What LDAP record ? You said the DC was a Samba AD DC, so I take it
> you are referring to the users AD object. 
Well, yes - assuming AD is just a fancy way to bundle LDAP+Kerberos ;-) 
You can just use about any LDAP tools to retrieve information from a
Samba AD DC and see all attributes set. 

> The only place I would use something like nslcd (I take it this is
> what you are using) is on a DC and only then to obtain the users
> homedir and shell from AD.
No, I'm not using nslcd. Solaris provides it's own set of tools and
clients for various name service backends. Usually the different
backends are accessed through nscd which deals with the clients for the
 different types of name services. 

> You have to run winbind, so why not use it fully ?
I already have 

       idmap config MD-DZNE:backend = ad
       idmap config MD-DZNE:schema_mode = rfc2307
       idmap config MD-DZNE:range = 10000-999999

       winbind nss info = rfc2307
       winbind use default domain = yes
       winbind enum users = Yes
       winbind enum groups = Yes

in my smb.conf and winbindd is running. 
I just don't see why I should third party stuff to do user
authentication on the OS side when the system's own mechanisms work
just fine. And as long as I haven't figured out, why wbinfo doesn't
return the id's I assigned to the users I'd rather not try to use
winbind for unix logins on that machine.

markgrafb.niihau ~ > wbinfo -i markgrafb
markgrafb:*:4294967295:4294967295::/home/markgrafb:/usr/bin/tcsh
markgrafb.niihau ~ > getent passwd markgrafb
markgrafb:x:10058:10001:Bernd Markgraf:/home/markgrafb:/usr/bin/tcsh

I would expect to see the same output from both commands.

  Bernd



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba