Re: [Samba] Samba 4.3.13 logon oddity on Solaris 10

> > On the OS level everything works flawlessly (without using
> > winbind).
> > Login upon first try, kerberos ticket properly issued, uid/gid set
> > to the numbers provided from the LDAP (Samba DC) backend. 
> Well, yes it would work to allow login to the computer, it is
> bypassing Samba and going direct to the info stored in AD.
That part works just as intended.

> > I would simply expect smbd to use the uid/gid provided by whatever
> > backend if present in the user's data.
> Er no, smbd asks winbind for the info and if this doesn't know who
> the user is it fails, but after the user logs in, then it does.
In general I wouldn't care what mechanism is used to identify the
user... But as I see in the logfile that the user is
identified/authenticated via winbind:
[2018/06/20 14:28:15.299349,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [markgrafb]!
[2018/06/20 14:28:15.299447,  3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [markgrafb] succeeded

I don't quite understand why it fails to find the user a few step

> > The only thing not working as expected is when I try to connect to
> > a share provided by smbd running on that machine. That takes two
> > login attempts.
> yes one fail and then success, I use winbind and just the success, no
> fails.
I would like to see that behaviour on my machine too ;-)

> > > What LDAP record ? You said the DC was a Samba AD DC, so I take
> > > it you are referring to the users AD object. 
> > Well, yes - assuming AD is just a fancy way to bundle
> > LDAP+Kerberos ;-) You can just use about any LDAP tools to retrieve
> > information from a Samba AD DC and see all attributes set. 
> Yes and any Unix domain client running winbind can do the same. the
> only place it doesn't fully work is on a Samba AD DC.
How would you retrieve any random attribute from the user object using
Samba cli tools?

> > > The only place I would use something like nslcd (I take it this
> > > is what you are using) is on a DC and only then to obtain the
> > > users homedir and shell from AD.
> > No, I'm not using nslcd. Solaris provides its own set of tools and
> > clients for various name service backends. Usually the different
> > backends are accessed through nscd which deals with the clients for
> > the different types of name services.
> You cannot use nscd with winbind, their caches clash.
I don't. But how do you go about it when you would have the need to use
different name services on the same machine?

> > > You have to run winbind, so why not use it fully ?
> > I already have 
> >        idmap config MD-DZNE:backend = ad
> >        idmap config MD-DZNE:schema_mode = rfc2307
> >        idmap config MD-DZNE:range = 10000-999999
> > 
> >        winbind nss info = rfc2307
> >        winbind use default domain = yes
> >        winbind enum users = Yes
> >        winbind enum groups = Yes
> No you haven't, there are no lines for the '*' domain.
As suggested I added
       idmap config *:backend = tdb
       idmap config *:range = 3000-7999

> > in my smb.conf and winbindd is running. 
> > I just don't see why I should use third party stuff to do user
> > authentication on the OS side when the system's own mechanisms work
> > just fine. And as long as I haven't figured out, why wbinfo doesn't
> > return the ids I assigned to the users I'd rather not try to use
> > winbind for unix logins on that machine.
> > 
> > markgrafb.niihau ~ > wbinfo -i markgrafb
> > markgrafb:*:4294967295:4294967295::/home/markgrafb:/usr/bin/tcsh
> > markgrafb.niihau ~ > getent passwd markgrafb
> > markgrafb:x:10058:10001:Bernd Markgraf:/home/markgrafb:/usr/bin/tcsh
> > 
> > I would expect to see the same output from both commands.
> You should:
> rowland@devstation:~$ wbinfo -i rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> rowland@devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
That's what I would expect to see. But even after adding the lines for
the * domain and reloading the config I still see no difference.
Still the same output as before...

> The only difference between your set up (apart for the OS) and mine,
> I use winbind and have a correctly set up smb.conf.
I should have a correctly setup smb.conf now too. I just don't use
winbindd to provide users on the OS level... 
Where do I dig next?
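The two symptoms discussed in this thread (no `idmap config *` block, and `wbinfo -i` returning ids of 4294967295 while `getent passwd` returns the rfc2307 ids) can both be checked mechanically. The script below is an added example and not part of the thread or of Samba itself: it parses the idmap lines from an smb.conf fragment, checks that a `*` domain with a backend and range exists and that no two ranges overlap, and then compares a `wbinfo -i` line with a `getent passwd` line for the same user. The smb.conf fragment and the sample output lines are constructed from the lines quoted above; the only assumption beyond the thread is that 4294967295 (0xFFFFFFFF, i.e. `(uid_t)-1`) is the value winbind reports for an id it could not map.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment mirroring the idmap lines quoted in the thread.
SMB_CONF = """
[global]
   workgroup = MD-DZNE
   idmap config MD-DZNE:backend = ad
   idmap config MD-DZNE:schema_mode = rfc2307
   idmap config MD-DZNE:range = 10000-999999

   idmap config *:backend = tdb
   idmap config *:range = 3000-7999

   winbind nss info = rfc2307
   winbind use default domain = yes
"""

# Constructed from the wbinfo/getent output quoted in the thread (getent line re-joined).
WBINFO_LINE = "markgrafb:*:4294967295:4294967295::/home/markgrafb:/usr/bin/tcsh"
GETENT_LINE = "markgrafb:x:10058:10001:Bernd Markgraf:/home/markgrafb:/usr/bin/tcsh"

# Assumption: winbind reports an id it failed to map as (uid_t)-1 == 0xFFFFFFFF.
UNMAPPED_ID = 0xFFFFFFFF

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+):(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config <domain>:<key> = <value>' lines, grouped per domain."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).strip(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """Parse 'low-high' into integers, rejecting inverted ranges."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"inverted idmap range: {text}")
    return lo, hi


def check_idmap(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of configuration problems (empty list means the idmap block looks sane)."""
    problems: List[str] = []
    if "*" not in domains:
        problems.append("no 'idmap config *' block: winbind has no default backend for BUILTIN/unknown SIDs")
    ranges: List[Tuple[str, int, int]] = []
    for dom, cfg in domains.items():
        if "backend" not in cfg:
            problems.append(f"{dom}: no backend configured")
        if "range" not in cfg:
            problems.append(f"{dom}: no range configured")
            continue
        lo, hi = parse_range(cfg["range"])
        ranges.append((dom, lo, hi))
    # Every idmap range must be disjoint from every other one.
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges of {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap")
    return problems


def parse_passwd_line(line: str) -> Dict[str, object]:
    """Split a 7-field passwd(5) line as printed by wbinfo -i or getent passwd."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}: {line!r}")
    return {"name": fields[0], "uid": int(fields[2]), "gid": int(fields[3]),
            "gecos": fields[4], "home": fields[5], "shell": fields[6]}


def compare_ids(wbinfo_line: str, getent_line: str) -> List[str]:
    """Explain why winbind's view of a user differs from the NSS view, if it does."""
    w, g = parse_passwd_line(wbinfo_line), parse_passwd_line(getent_line)
    problems: List[str] = []
    if w["name"] != g["name"]:
        problems.append(f"user name mismatch: winbind {w['name']} vs nss {g['name']}")
    for fld in ("uid", "gid"):
        if w[fld] == UNMAPPED_ID:
            problems.append(f"winbind returned unmapped {fld} ({UNMAPPED_ID}) for {w['name']}: idmap lookup failed")
        elif w[fld] != g[fld]:
            problems.append(f"{fld} mismatch for {w['name']}: winbind {w[fld]} vs nss {g[fld]}")
    return problems


if __name__ == "__main__":
    for p in check_idmap(parse_idmap(SMB_CONF)) or ["idmap config: no problems found"]:
        print(p)
    for p in compare_ids(WBINFO_LINE, GETENT_LINE) or ["wbinfo and getent agree"]:
        print(p)
```

Run against the quoted configuration the idmap check comes back clean (the `*` block is present and 3000-7999 does not overlap 10000-999999), while the id comparison reports both uid and gid as unmapped, which points at winbind's AD idmap lookup rather than at the smb.conf ranges.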
