Re: [Samba] Samba 4.3.13 logon oddity on Solaris 10




On Wed, 2018-06-20 at 14:20 +0100, Rowland Penny via samba wrote:
> On Wed, 20 Jun 2018 15:01:12 +0200
> Bernd Markgraf <bernd.markgraf@xxxxxxxxxxx> wrote:
> > I would like to see that behaviour on my machine too ;-)
> 
> Then just do what I do, use only winbind.
That's what I have now.
pre-winbind (ldap in nsswitch.conf)

root.niihau ~ # wbinfo --uid-info=10058
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 10058
root.niihau ~ # wbinfo -i markgrafb
markgrafb:*:4294967295:4294967295::/home/markgrafb:/usr/bin/tcsh
root.niihau ~ # getent passwd markgrafb
markgrafb:x:10058:10001:Bernd Markgraf:/home/markgrafb:/usr/bin/tcsh
root.niihau ~ # getent group pakan
pakan::10066:

I copied nss_winbind.so.1 and the pam module into the appropriate
places and set nsswitch.conf to

passwd:     files winbind
group:      files winbind

Now I get:
root.niihau ~ # getent group pakan
pakan:x:-1:
root.niihau ~ # getent passwd markgrafb
markgrafb:*:-1:-1::/home/markgrafb:/usr/bin/tcsh
root.niihau ~ # wbinfo -i markgrafb
markgrafb:*:4294967295:4294967295::/home/markgrafb:/usr/bin/tcsh
root.niihau ~ # wbinfo --uid-info 10058
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 10058

So for now back to using LDAP so at least OS logins work and Samba
shares can be used at the second connection attempt.

> > How would you retrieve any random attribute from the user object
> > using Samba cli tools?
> 
> What 'random' attribute are we talking about here ? If you use
> winbind, it will obtain the username, home directory, shell etc.
That's more an academic question. The schema has enough room to store
information and if that's not enough one can easily extend it and
retrieve that information using ldapsearch or ldaplist...

> If you are talking about something like an email server, for
> instance, these usually can be set to use kerberos instead.
There are various places where we used LDAP attributes in scripts to run
jobs, though not needed on this box at the moment, the need may arise.


> > I don't. But how you go about when you would have the need to use
> > different name services on the same machine?
> 
> Do you store your users & groups in several places ? if not, why
> would you need to use different name services ?
Again more of the theoretical/academic question. But I already had the
need to use different services at once in the past. Mostly in the
transition times NIS->NIS+->LDAP. Again I wouldn't say it never happens
and rule out the possibility to do so one day.

> > I should have a correctly setup smb.conf now too. I just don't use
> > winbindd to provide users on the OS level... 
> 
> Why not ? using it means you have only one place to set up and maintain.
LDAP+Kerberos on the OS level is a lot easier to maintain. Regular OS
patches and things are sorted. Updating Samba to anything halfway
recent involves building things from source unfortunately.

> > Where do I dig next?
> You could try reading this:
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
Apart from skipping the * lines in smb.conf that's what I used. 

  Bernd
