From: "Will Saxon" <WillS@housing.ufl.edu>
To: "Tim Aslat" <tim@spyderweb.com.au>
Cc: current@freebsd.org
Date: Mon, 26 Jan 2004 19:29:07 -0500
Subject: RE: nss_winbind support
Message-ID: <0E972CEE334BFE4291CD07E056C76ED8CBBE22@bragi.housing.ufl.edu>
List-Id: Discussions about the use of FreeBSD-current <freebsd-current@freebsd.org>

Note: long.

> -----Original Message-----
> From: Tim Aslat [mailto:tim@spyderweb.com.au]
> Sent: Monday, January 26, 2004 4:38 PM
> To: Will Saxon
> Cc: current@freebsd.org
> Subject: Re: nss_winbind support
>
> I'm glad someone has. Did you use the ports or install from source?

I used the port, although it does not install the PAM or nss_winbind
modules at all; I did that by hand.

> I've spent several weeks (on and off) trying to get ADS support in
> samba 3 and it's driving me up the wall.

Well, I have been fighting with this for about the same amount of time.
My main resource is a paper copy of the Official Samba-2 HOWTO and
Reference Guide, but it does not seem to consider FreeBSD 5.x at all.
The only FreeBSD information I saw was lumped in with Linux and was not
applicable to 5.x (pam stuff).

> have installed heimdal from ports, and build samba with
> KRB5_HOME=/usr/local but any reference to net ads gives me
> "ADS support not compiled in"

Do you have an LDAP library installed? You must have LDAP for ADS
support to be compiled in. I chose the openldap21-server port and
compiled it with -DWITH_SASL for kicks. I don't think the -DWITH_SASL
ends up making any difference.

I have tried the base distro of Heimdal as well as the Heimdal from
ports. I am currently using the Heimdal from ports because I wanted to
try compiling in LDAP support. Samba compiled against the included
Heimdal vs. the ports Heimdal with LDAP support seems to operate the
same.

Despite what the HOWTO indicates, I am not able to join the domain
without an /etc/krb.conf. It looks like the ldap server is detected
right and it tries to authenticate, but I get errors like this when I
turn debug mode on:

[2004/01/26 18:52:36, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No such file or directory)
[2004/01/26 18:52:36, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276)
  krb5_get_credentials failed for machine_account$@REALM_NAME (Unknown error -1765328343)
[2004/01/26 18:52:36, 1] utils/net_ads.c:ads_startup(181)
  ads_connect: Operations error
[2004/01/26 18:52:36, 2] utils/net.c:main(758)
  return code = -1

The 'use if you have a pre-0.6 Heimdal' skeleton krb5.conf settings they
put in the book work for me. They list it in section 6.4.2 of the HOWTO,
which is also available online I think.

I also had to use the 'password server = ' entry in my smb.conf file
since it was resolving a non-GC domain controller first and seemed to
not work when not using a GC Domain Controller.

At this point, with OpenLDAP, Heimdal and Samba installed I am able to:

net ads join -U

and I can then join the domain. After starting nmbd, smbd and winbindd I
am then able to do the wbinfo stuff as suggested by the docs.

> > I may have just missed it but there doesn't seem to be a lot of
> > information available on how to set Samba 3 up under FreeBSD 5.x to
> > use nss_winbind and pam_winbind. What information I have found doesn't
> > seem to work, maybe because it focuses on joining the domain as an
> > NT-style domain member vs. Active Directory-style membership.
>
> Sorry I can't help with this one, still working it out myself.

Well, so far I have copied the libnss_winbind.so and libnss_wins.so
files from the samba-3.0.0/source/nsswitch dir to /usr/local/lib and
updated the library cache. It finds the libraries. I have edited
/etc/nsswitch.conf to include winbind as a source but it doesn't seem
to work. The utility the HOWTO suggests, getent, is not available. I
tried 'pw show ' instead without success.

When I initially started working on this, my user account name on the
samba server was the same as my account name on the domain. This was
causing me to not be able to enumerate users/groups with wbinfo no
matter what I tried. However, I WAS able to at least access the shares
I had set up on the server. I changed my user name and was then able to
use wbinfo, but now I am no longer able to access any shares. I am
presented with a 'please enter username and password' dialog and
nothing I enter seems to work. I tried adding a password via smbpasswd
but that did not work either.

So this is where I am: stumped.

-Will
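The message above works through four pieces of configuration before the ADS join and winbind lookups can succeed: the krb5.conf skeleton, the "password server" entry in smb.conf, winbind as a source in /etc/nsswitch.conf, and the NSS module copied out of the Samba tree. The script below is an added example, not code from this thread, from Samba or from the FreeBSD port: it runs those checks against a directory of config files before "net ads join" is attempted, so a missing realm or an nsswitch.conf without winbind is caught up front rather than as a "krb5_cc_get_principal failed" line in the debug log. The realm EXAMPLE.ORG, the host gc.example.org and the sample file contents are constructed; the smb.conf keys it looks for (security = ads, realm, password server) are the standard Samba settings for Active Directory membership.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's own tooling): pre-flight
# checks for the files the message configures before running "net ads join".
# Realm, host names and the sample contents below are constructed.

# smb.conf: ADS membership needs security = ads and a realm; the message also
# found it necessary to pin "password server" to a Global Catalog DC.
check_smbconf() {
    [ -r "$1" ] || return 1
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$1" || return 1
    grep -Eiq '^[[:space:]]*realm[[:space:]]*=[[:space:]]*[^[:space:]]' "$1" || return 1
    grep -Eiq '^[[:space:]]*password server[[:space:]]*=[[:space:]]*[^[:space:]]' "$1" || return 1
}

# krb5.conf: the skeleton needs a default_realm in [libdefaults] and a
# [realms] section; the message reports the join fails without this file.
check_krb5conf() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*\[libdefaults\]' "$1" || return 1
    grep -Eq '^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*[^[:space:]]' "$1" || return 1
    grep -Eq '^[[:space:]]*\[realms\]' "$1" || return 1
}

# nsswitch.conf: passwd and group must both list winbind as a source.
check_nsswitch() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" || return 1
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1" || return 1
}

# FreeBSD's nsswitch loader dlopens nss_<source>.so.1, so the module copied
# from the Samba tree must exist under that name in a library directory.
check_nssmodule() {
    [ -f "$1/nss_winbind.so.1" ]
}

# Run every check against one directory; returns the number of failures.
preflight() {
    failed=0
    for pair in "smb.conf:check_smbconf" "krb5.conf:check_krb5conf" \
                "nsswitch.conf:check_nsswitch" "lib:check_nssmodule"; do
        file="${pair%%:*}"; fn="${pair#*:}"
        if "$fn" "$1/$file"; then echo "ok   $file"; else echo "FAIL $file"; failed=$((failed + 1)); fi
    done
    return "$failed"
}

# Constructed sample trees: "good" passes every check, "bad" fails every one.
write_samples() {
    mkdir -p "$1/good/lib" "$1/bad/lib"
    : > "$1/good/lib/nss_winbind.so.1"          # stand-in for the real module
    cat > "$1/good/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.ORG
   security = ads
   password server = gc.example.org
EOF
    cat > "$1/good/krb5.conf" <<'EOF'
[libdefaults]
   default_realm = EXAMPLE.ORG
[realms]
   EXAMPLE.ORG = {
      kdc = gc.example.org
   }
EOF
    printf 'passwd: files winbind\ngroup: files winbind\n' > "$1/good/nsswitch.conf"
    cat > "$1/bad/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = domain
EOF
    printf 'passwd: files\ngroup: files\n' > "$1/bad/nsswitch.conf"
    # bad/krb5.conf is deliberately absent, like the failing join in the message
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    preflight "$d/good"
    preflight "$d/bad" || echo "bad tree: $? check(s) failed"
    rm -rf "$d"
}

demo
```

Point preflight at a directory holding the real smb.conf, krb5.conf and nsswitch.conf (and a lib directory such as /usr/local/lib) to run it against a live host. The last check is the one worth noting against the message: FreeBSD's nsswitch implementation loads a source named "winbind" from a file called nss_winbind.so.1, so a file installed as libnss_winbind.so is found by the dynamic linker cache but never consulted by getpwnam(3), which matches the "it finds the libraries but nsswitch.conf doesn't seem to work" symptom.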