From: Christian PERRIER on
Quoting Mike Leone (turgon(a)mike-leone.com):

> directories. Even tho Ubuntu 10.04 seems to have the /etc/pam.d files
> already configured for samba, I copied over the common-account,
> common-auth, common-password, common-session files from the 9.10 server
> to the 10.04 server. Did the same with the nsswitch.conf file.

This is very very probably the source of all your problems.

Even though I don't know the details of changes introduced in Ubuntu
itself (not using Ubuntu myself), the 2:3.4.0-4 version of samba
packages has seen changes in the way PAM modules, and particularly
pam_winbind, are handled in samba packages postinst.

If the version in Ubuntu 9.10 is lower than this, the chances that
your manual changes broke the planned upgrade path are high.

All this is meant to cope with the pam-auth-update utility introduced in
pam 1.0.1-6.

So, these 3 files have the explicit mention:
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.



> If I use sudo, then wbinfo -a DOMAIN+user works. (I used "+" as a delimiter)
>
> Getent passwd fails.
> Getent group fails.
>
> I am seeing this, in log.winbind on the 10.04 server:
>
> [2010/05/07 23:16:59, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
> error getting user id for sid S-1-5-21-2780757143-49591276-3462498634-500
> [2010/05/07 23:16:59, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
> could not lookup domain user Administrator
> [2010/05/07 23:16:59, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
> Could not get unix ID
>
> and repeating, for all domain users.
>
> I'm pretty much ready to just give up, and use the Windows installed on
> this laptop. That one has no problem accessing shares from the Samba
> server, or the Windows stations on the LAN.


Messing with files owned by packages without letting the package
maintainer scripts handle this properly for you is quite probably
one of the reasons for your problems.

I suggest putting the common-* files you had after upgrading and
before replacing them with those of 9.10 (you kept them somewhere,
right?) in place and reconfiguring packages with "dpkg-reconfigure
winbind".

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Mike Leone on
On 05/08/2010 04:00 AM, Christian PERRIER wrote:


> Quoting Mike Leone (turgon(a)mike-leone.com):
>
>
>> directories. Even tho Ubuntu 10.04 seems to have the /etc/pam.d files
>> already configured for samba, I copied over the common-account,
>> common-auth, common-password, common-session files from the 9.10 server
>> to the 10.04 server. Did the same with the nsswitch.conf file.
>>
> This is very very probably the source of all your problems.
>

No, I get the exact same results, using the original files as provided
by Ubuntu. I thought *they* were the cause of the problem, so that's why
I changed them to match the working ones on the other server.


> the chances that
> your manual changes broke the planned upgrade path are high.
>
I kept copies of the original files, and replaced my changes with those.
Exact same errors - getent passwd fails.

>
> I suggest putting the common-* files you had after upgrading and
>

There was no upgrade. This was a clean install of 10.04.

> before replacing them with those of 9.10 (you kept them somewhere,
> right?) in place and reconfigure packages with "dpkg-reconfigure
> winbind".
>
>
Did that. Exact same error - getent passwd fails.


From: Michael Leone on
On Sat, May 8, 2010 at 4:00 AM, Christian PERRIER <bubulle(a)debian.org> wrote:
> Quoting Mike Leone (turgon(a)mike-leone.com):
>
>> directories. Even tho Ubuntu 10.04 seems to have the /etc/pam.d files
>> already configured for samba, I copied over the common-account,
>> common-auth, common-password, common-session files from the 9.10 server
>> to the 10.04 server. Did the same with the nsswitch.conf file.
>
> This is very very probably the source of all your problems.

To test that, I completely re-formatted my laptop once again, and
re-installed 10.04. This time, I did *not* touch any file under
/etc/pam.d. I then installed winbind and samba; configured
nsswitch.conf; cleaned out /var/log/samba and /var/cache/samba and
/var/lib/samba.

Got a ticket; joined the domain.

Exact same error. "getent passwd" returns no domain users. wbinfo
-u/-g/-t/-a ... all work.

So the problem must not have been my editing the pam files, since I've
never touched them.

log.winbind shows:

[2010/05/08 11:44:18, 3] libads/ldap_schema.c:324(ads_check_posix_schema_mapping)
ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
[2010/05/08 11:44:18, 2] winbindd/idmap_ad.c:185(ad_idmap_cached_connection)
ad_idmap_cached_connection: Failed to obtain schema details!
[2010/05/08 11:44:18, 1] winbindd/idmap_ad.c:543(idmap_ad_sids_to_unixids)
ADS uninitialized: STATUS_SOME_UNMAPPED
[2010/05/08 11:44:18, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
error getting user id for sid S-1-5-21-2780757143-49591276-3462498634-500
[2010/05/08 11:44:18, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
could not lookup domain user Administrator

smb.conf:

[global]
workgroup = DACRIB
realm = DACRIB.LOCAL
server string = %h server (Samba %v, Domain: %D, Server: %L - %R)
security = ADS
map to guest = Bad User

client use spnego = true
client ntlmv2 auth = yes
auth methods = winbind
restrict anonymous = 0
server signing = auto

eventlog list = Application System Security SyslogLinux

# PAM AUTH
encrypt passwords = Yes
obey pam restrictions = Yes
pam password change = true
password server = dim-win2300.DaCrib.local
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes

log level = 3
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000

preferred master = No
domain master = No
local master = No
os level = 2

dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
hide dot files = No

# WINBIND

idmap config DACRIB:backend = ad
idmap config DACRIB:range=100000 - 200000
idmap config DACRIB:schema_mode = rfc2307

idmap uid = 100000-200000
idmap gid = 100000-200000

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
winbind nested groups = Yes
winbind refresh tickets = true
winbind separator = +
winbind nss info = rfc2307
allow trusted domains = No

template homedir = /home/%D/%u
template shell = /bin/bash

enable privileges = Yes
wide links = No

Anyone see anything wrong here?
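A parser for the log.winbind layout quoted in this thread, added here as an example and not part of any poster's message; the names parse and triage and the failure keyword list are assumptions. It rejoins a header that was wrapped onto two lines, then reports the first failing record of the burst and the SIDs left without a Unix ID.

```python
import re
from collections import Counter

# log.winbind excerpt copied from the thread; the first header is wrapped
# onto two lines, as it appeared in the mail.
SAMPLE = """\
[2010/05/08 11:44:18, 3]
libads/ldap_schema.c:324(ads_check_posix_schema_mapping)
ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
[2010/05/08 11:44:18, 2] winbindd/idmap_ad.c:185(ad_idmap_cached_connection)
ad_idmap_cached_connection: Failed to obtain schema details!
[2010/05/08 11:44:18, 1] winbindd/idmap_ad.c:543(idmap_ad_sids_to_unixids)
ADS uninitialized: STATUS_SOME_UNMAPPED
[2010/05/08 11:44:18, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
error getting user id for sid S-1-5-21-2780757143-49591276-3462498634-500
[2010/05/08 11:44:18, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
could not lookup domain user Administrator
"""

STAMP = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\]\s*(.*)$")
ORIGIN = re.compile(r"^(\S+?):(\d+)\((\w+)\)$")        # file.c:line(function)
SID = re.compile(r"S-1(?:-\d+)+")
FAILURE = re.compile(r"fail|error|could not|uninitialized", re.I)  # assumed keywords

def parse(text):
    """Split the log into records: time, level, file, line, func, msg."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = STAMP.match(line)
        if m:                                  # a timestamp starts a new record
            cur = {"time": m.group(1), "level": int(m.group(2)), "msg": ""}
            records.append(cur)
            line = m.group(3)                  # origin may sit on the same line
        if cur is None or not line:
            continue
        o = ORIGIN.match(line)
        if o and "func" not in cur:            # origin wrapped onto its own line
            cur.update(file=o.group(1), line=int(o.group(2)), func=o.group(3))
        else:
            cur["msg"] = (cur["msg"] + " " + line).strip()
    return records

def triage(records):
    """Return the first failing record, the unmapped SIDs and a per-function count."""
    failing = [r for r in records if FAILURE.search(r["msg"])]
    sids = sorted({s for r in failing for s in SID.findall(r["msg"])})
    return {"first_failure": failing[0] if failing else None, "unmapped_sids": sids,
            "by_func": Counter(r.get("func", "?") for r in failing)}
```

On the excerpt above, the first failing record comes from ads_check_posix_schema_mapping, ahead of the per-user "could not lookup domain user" lines that follow it.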