nss_winbind support

Will Saxon WillS at housing.ufl.edu
Mon Jan 26 16:31:22 PST 2004 

Note: long. 

> -----Original Message-----
> From: Tim Aslat [mailto:tim at spyderweb.com.au]
> Sent: Monday, January 26, 2004 4:38 PM
> To: Will Saxon
> Cc: current at freebsd.org
> Subject: Re: nss_winbind support
> 
> I'm glad someone has.  Did you use the ports or install from source?

I used the port, although it does not install the PAM or 
nss_winbind modules at all, I did that by hand.

> 
> I've spent several weeks (on and off) trying to get ADS 
> support in samba
> 3 and it's driving me up the wall.

Well I have been fighting with this for about the same amount of time. My main 
resource is a paper copy of the Official Samba-2 HOWTO and Reference Guide, but 
it does not seem to consider FreeBSD 5.x at all. The only FreeBSD information I 
saw was lumped in with Linux and was not applicable to 5.x (pam stuff).

> 
> have installed heimdal from ports, and build samba with
> KRB5_HOME=/usr/local but any reference to net ads gives me 
> "ADS support
> not compiled in"
> 

Do you have an LDAP library installed? You must have LDAP for ADS support to be 
compiled in. I chose the openldap21-server port and compiled it with -DWITH_SASL
for kicks. I don't think the -DWITH_SASL ends up making any difference.

I have tried the base distro of Heimdal as well as the Heimdal from ports. I am
currently using the Heimdal from ports because I wanted to try compiling in LDAP 
support. Samba compiled against the included Heimdal vs. the ports Heimdal with 
LDAP support seems to operate the same.

Despite what the HOWTO indicates, I am not able to join the domain without an
/etc/krb.conf. It looks like the ldap server is detected right and it tries to
authenticate, but I get errors like this when I turn debug mode on:

[2004/01/26 18:52:36, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No such file or directory)
[2004/01/26 18:52:36, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276)
  krb5_get_credentials failed for machine_account$@REALM_NAME (Unknown error -1765328343)
[2004/01/26 18:52:36, 1] utils/net_ads.c:ads_startup(181)
  ads_connect: Operations error
[2004/01/26 18:52:36, 2] utils/net.c:main(758)
  return code = -1

The 'use if you have a pre-0.6 Heimdal' skeleton krb5.conf settings they put
in the book work for me. They list it in section 6.4.2 of the HOWTO, which is
also available online I think.

I also had to use the 'password server = <ip>' entry in my smb.conf file since 
it was resolving a non-GC domain controller first and seemed to not work when
not using a GC Domain Controller.

At this point, with OpenLDAP, Heimdal and Samba installed I am able to:

	net ads join -U <username>

and I can then join the domain.

After starting nmd, smbd and winbindd I am then able to do the wbinfo stuff as
suggested by the docs. 

> > I may have just missed it but there doesn't seem to be a lot of
> > information available on how to set Samba 3 up under FreeBSD 5.x to
> > use nss_winbind and pam_winbind. What information I have 
> found doesn't
> > seem to work, maybe because it focuses on joining the domain as an
> > NT-style domain member vs. Active Directory-style membership.
> 
> Sorry I can't help with this one, still working it out myself. 

Well so far I have copied the libnss_winbind.so and libnss_wins.so files from
the samba-3.0.0/source/nsswitch dir to /usr/local/lib and updated the library 
cache. It finds the libraries. I have edited /etc/nsswitch.conf to include
winbind as a source but it doesn't seem to work. The utility the HOWTO suggests,
getent, is not available. I tried 'pw <user/group> show <username/groupname>' 
instead without success. 

When I initially started working on this, my user account name on the samba server
was the same as my account name on the domain. This was causing me to not be able
to enumerate users/groups with wbinfo no matter what I tried. However, I WAS able
to at least access the shares I had set up on the server. I changed my user name
and was then able to use wbinfo, but now I am no longer able to access any shares.
I am presented with a 'please enter username and password' dialog and nothing I enter
seems to work. I tried adding a password via smbpasswd but that did not work either.

So this is where I am: stumped.

-Will

More information about the freebsd-current mailing list