
The Oracle-packaged version of samba gave me some problems (an error with krb5, and no join with the AD samba4 server). So I recompiled it myself using IPS, with the latest version of samba (4.3.13). After 30 minutes of compilation, my samba4 is installed. All works fine: net ads join OK, wbinfo OK, wbinfo -i user OK, all except two things: id winbinduser and finger winbinduser. I have resolved id with this dirty but working solution (it would be better to put those files in the manifest and in the standard location, but I want to avoid conflicts with the Oracle standard samba package).

ln -sf /opt/gm/lib/nss_winbind.so.1 /usr/lib/amd64/nss_winbind.so.1
ln -sf /opt/gm/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.1
ln -sf /opt/gm/lib/security/pam_winbind.so /usr/lib/security/amd64/pam_winbind.so
ln -sf /opt/gm/lib/security/pam_winbind.so /usr/lib/security/amd64/pam_winbind.so.1
ln -sf /opt/gm/lib/security/pam_winbind.so /usr/lib/security/pam_winbind.so
ln -sf /opt/gm/lib/security/pam_winbind.so /usr/lib/security/pam_winbind.so.1

id is working, but finger remains mute. What am I missing?

id pino
uid=10005(pino) gid=10016(domain users)
root@solaris11:~# finger !$
finger pino
Login name: pino                        In real life: ???

This is the nsswitch.conf

passwd: files winbind
group:  files winbind
hosts:  files dns wins
ipnodes:        files dns wins
networks:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
bootparams:     files
publickey:      files 
netgroup:       ldap
automount:      files 
aliases:        files 
services:       files
project:        files 
auth_attr:      files 
prof_attr:      files
tnrhtp: files 
tnrhdb: files 
sudoers:        files

This is the output of truss.

  • *would be better to put those files in manifest and standard location* In no universe that I'm aware of is it ever better to overwrite OS-supplied components with custom-compiled ones. You just break your OS and its packaging/update system and make future maintainability impossible. – Andrew Henle Jan 28 '21 at 12:38
  • I know, but they cause a conflict with Oracle's official samba package – elbarna Jan 29 '21 at 03:44
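The question's workaround relies on the NSS modules named in nsswitch.conf actually being resolvable from the system library directories. The script below is an added example (not code from the asker or from Samba): for every non-builtin source in a given nsswitch.conf it checks whether a matching nss_<source>.so.1 exists in the library directories passed on the command line, and the demonstration at the bottom reproduces the question's situation in a constructed temporary tree (the /opt/gm and /usr/lib paths are recreated under mktemp, so nothing on the host is touched). The function name check_nss_modules and the one-module-per-source naming rule are assumptions made here; Solaris also keeps the switch in SMF, but the file format is what the question shows.

```shell
#!/bin/sh
# check_nss_modules NSSWITCH_FILE LIBDIR...
# For every non-builtin source named in nsswitch.conf (winbind, ldap, ...),
# report whether a matching nss_<source>.so.1 exists in at least one of the
# given library directories. Prints one line per missing module and returns
# the number of missing modules (0 means every configured source is backed).
check_nss_modules() {
    nss_file=$1
    shift
    missing=0
    # Strip comments, the "database:" key and [STATUS=action] clauses, then
    # split into one source per line and drop the built-in sources that need
    # no separate nss_*.so (files, dns, compat, user).
    sources=$(sed -e 's/#.*//' -e 's/^[^:]*://' -e 's/\[[^]]*\]//g' "$nss_file" |
        tr ' \t' '\n\n' |
        grep -v -e '^$' -e '^files$' -e '^dns$' -e '^compat$' -e '^user$' |
        sort -u)
    for src in $sources; do
        found=0
        for dir in "$@"; do
            if [ -e "$dir/nss_$src.so.1" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "nss_$src.so.1: not found in: $*"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Demonstration on a constructed directory layout that mirrors the question
# (a hypothetical temporary tree, not the real /usr/lib; the host is untouched).
demo=$(mktemp -d)
mkdir -p "$demo/opt/gm/lib" "$demo/usr/lib/amd64"
: > "$demo/opt/gm/lib/nss_winbind.so.1"      # the self-compiled module
printf 'passwd: files winbind\ngroup:  files winbind\nhosts:  files dns wins\n' \
    > "$demo/nsswitch.conf"

echo "before symlinking:"
check_nss_modules "$demo/nsswitch.conf" "$demo/usr/lib" "$demo/usr/lib/amd64" || :
# The question's workaround: make the module visible in the system lib dirs.
ln -sf "$demo/opt/gm/lib/nss_winbind.so.1" "$demo/usr/lib/amd64/nss_winbind.so.1"
ln -sf "$demo/opt/gm/lib/nss_winbind.so.1" "$demo/usr/lib/nss_winbind.so.1"
echo "after symlinking:"
check_nss_modules "$demo/nsswitch.conf" "$demo/usr/lib" "$demo/usr/lib/amd64" || :
rm -rf "$demo"
```

In the demonstration the first run reports both nss_winbind.so.1 and nss_wins.so.1 missing; after the symlinks only nss_wins.so.1 remains, which is the module the `wins` entry in the question's hosts line would need.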

2 Answers


It might have helped if you had set up smb.conf correctly: you do not use the winbind ldap backend with Samba AD, and you should only use the 'winbind enum' lines for testing. Try this smb.conf:

[global]
workgroup = MYDOM
server string = solaris11
realm = MYDOM.PRIV
security = ads
hosts allow = 10.3.0.
log file = /var/opt/gm/log/samba/samba.%m
max log size = 50
dns proxy = no 
kerberos method = secrets and keytab
server signing = mandatory
client signing = mandatory
smb encrypt = mandatory
restrict anonymous = 2
log level = 1
server min protocol = SMB3
client max protocol = SMB3
local master = No
preferred master = No
bind interfaces only = Yes
winbind use default domain = Yes
template homedir = /export/home/%U
template shell = /usr/bin/bash

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000-20000

Finally, remove 'wins' from /etc/nsswitch.conf

  • I prefer the ldap idmap because for every server i have the same uid per user, this is essential when I use nfs(different uid can cause a lot of troubles). – elbarna Jan 24 '21 at 21:46
  • No, you misunderstood me, when I said 'you do not use the ldap idmap' I really meant 'YOU DO NOT USE THE LDAP IDMAP'. If you want to ensure the same ids on all Unix domain members, then either add uidNumber & gidNumber attributes to AD and use the winbind ad backend, or use the winbind rid backend with exactly the same smb.conf on all Samba machines. – Rowland Penny Jan 25 '21 at 08:36
  • I never tried winbind rid; I will try it, thanks, but atm the ldap idmap never gives me problems, so atm I use this rid. – elbarna Jan 26 '21 at 03:34

Solution found. It was a problem with the winbind cache files, not the libraries. After adding these lines to smb.conf

# Winbind
winbind enum groups = yes
winbind enum users = yes

and restarting winbind, finger works fine, and so do getent passwd and getent group.

finger pino
Login name: pino                        
Directory: /export/home/pino            Shell: /usr/bin/bash
Never logged in.
No unread mail
No Plan.

If you are interested, this is my smb.conf for the Solaris 11 client

[global]
workgroup = MYDOM
server string = solaris11
netbios name = SOLARIS11
server role = standalone server
hosts allow = 10.3.0.
log file = /var/opt/gm/log/samba/samba.%m
max log size = 50
realm = mydom.priv
dns proxy = no 
kerberos method = secrets and keytab
server signing = mandatory
client signing = mandatory
smb encrypt = mandatory
restrict anonymous = 2
log level = 1
server min protocol = SMB3
client max protocol = SMB3
name resolve order = bcast lmhosts host wins
local master = No
preferred master = No
bind interfaces only = Yes
winbind use default domain = Yes
ldap admin dn = cn=ldapadm,dc=ldap2,dc=mydom,dc=priv
security = ads
ldap ssl = start tls
tls verify peer = no_check
template homedir = /export/home/%U
template shell = /usr/bin/bash
password hash userPassword schemes = CryptSHA512:rounds=7000

# Winbind
winbind enum groups = yes
winbind enum users = yes

idmap config * : backend      = ldap
idmap config * : range        = 10000-20000
idmap config * : ldap_url     = ldap://ldap2.mydom.priv
idmap config * : ldap_base_dn = ou=idmap,dc=ldap2,dc=mydom,dc=priv
idmap config * : ldap_user_dn = cn=ldapadm,dc=ldap2,dc=mydom,dc=priv
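The two answers disagree on how a Samba AD member should map SIDs to Unix ids, and the accepted configuration also carries settings a practitioner would want flagged before it reaches more than one host: `tls verify peer = no_check` turns off validation of the LDAP server's certificate on the StartTLS connection, `winbind enum users/groups = yes` is what Rowland Penny calls a testing-only setting, and `server role = standalone server` sits next to `security = ads`. The linter below is an added example, not Samba's own tooling or either answerer's code: it parses an smb.conf the way Samba reads parameter names (case- and whitespace-insensitive, last occurrence wins) and reports the idmap pitfalls from the first answer (ldap backend on an AD member, missing per-domain mapping, overlapping ranges) alongside the weak settings from the second. The two embedded configs are constructed from the essentials of each posted smb.conf; the finding codes and the function names parse_smb_conf and lint_smb_conf are made up here.

```python
"""Lint a Samba domain-member smb.conf for the idmap/winbind pitfalls raised
in the two answers above. Added example, not Samba's own tooling; the
parameter semantics are Samba's, the finding codes are invented here."""
import re

_PARAM_RE = re.compile(r"^([^=#;]+?)\s*=\s*(.*?)\s*$")


def parse_smb_conf(text):
    """Return {section: {normalised_name: value}}.

    smb.conf is INI-like, but parameter names ignore case and embedded
    whitespace ('idmap config * : backend' == 'idmapconfig*:backend'), and a
    repeated parameter is overridden by its last occurrence, as in Samba.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        m = _PARAM_RE.match(line)
        if m and current is not None:
            name = re.sub(r"\s+", "", m.group(1)).lower()
            sections[current][name] = m.group(2)
    return sections


def _parse_range(value):
    lo, hi = (int(part.strip()) for part in value.split("-"))
    return lo, hi


def lint_smb_conf(text):
    """Return [(code, message)] findings for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    security = g.get("security", "").lower()
    role = g.get("serverrole", "").lower()
    if security == "ads" and role and role != "member server":
        findings.append(("ROLE_CONFLICT", "security = ads makes this a domain member, "
                         f"but server role = {role!r} is also set; keep one of them"))
    # Collect 'idmap config DOMAIN : backend|range' into {domain: {...}}.
    idmap = {}
    for name, value in g.items():
        m = re.match(r"^idmapconfig(.+):(backend|range)$", name)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2)] = value
    if security == "ads":
        if "*" not in idmap:
            findings.append(("NO_DEFAULT_IDMAP", "no 'idmap config * : backend'; "
                             "BUILTIN and unknown SIDs need the default allocator"))
        if not any(dom != "*" for dom in idmap):
            findings.append(("NO_DOMAIN_IDMAP", "no per-domain 'idmap config DOMAIN : ...'; "
                             "all domain SIDs fall into the '*' allocator"))
        for dom, cfg in idmap.items():
            if cfg.get("backend", "").lower() == "ldap":
                findings.append(("LDAP_IDMAP", f"idmap backend 'ldap' for {dom!r}; on an AD "
                                 "member use 'rid' (same ids from the same smb.conf everywhere) "
                                 "or 'ad' (uidNumber/gidNumber kept in AD)"))
    # The ranges of '*' and of each domain must be disjoint, or ids collide.
    ranges = {}
    for dom, cfg in idmap.items():
        try:
            ranges[dom] = _parse_range(cfg["range"])
        except (KeyError, ValueError):
            findings.append(("BAD_RANGE", f"idmap config {dom} : range is missing or malformed"))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(("RANGE_OVERLAP", f"idmap ranges of {a!r} and {b!r} overlap"))
    if g.get("tlsverifypeer", "").lower() == "no_check":
        findings.append(("TLS_NO_VERIFY", "tls verify peer = no_check skips LDAP server "
                         "certificate validation; use ca_and_name with a trusted CA"))
    for name in ("winbindenumusers", "winbindenumgroups"):
        if g.get(name, "").lower() in ("yes", "true", "1"):
            findings.append(("ENUM_ON", f"{name} = yes walks the whole domain on every "
                             "getent/finger; fine for testing, expensive in production"))
    return findings


# Constructed sample: the essentials of the asker's posted smb.conf.
ASKER_CONF = """\
[global]
workgroup = MYDOM
realm = mydom.priv
server role = standalone server
security = ads
ldap ssl = start tls
tls verify peer = no_check
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend      = ldap
idmap config * : range        = 10000-20000
idmap config * : ldap_url     = ldap://ldap2.mydom.priv
"""

# Constructed sample: the essentials of the recommended smb.conf.
ADVISED_CONF = """\
[global]
workgroup = MYDOM
realm = MYDOM.PRIV
security = ads
winbind use default domain = Yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000-20000
"""

if __name__ == "__main__":
    for label, conf in (("asker", ASKER_CONF), ("advised", ADVISED_CONF)):
        print(f"{label}: {len(lint_smb_conf(conf))} finding(s)")
        for code, msg in lint_smb_conf(conf):
            print(f"  {code}: {msg}")
```

Run against the asker-style config it reports the role conflict, the ldap backend with no per-domain mapping, the disabled TLS peer check and both enum settings; the recommended config produces no findings. Because the rid backend derives each Unix id from the SID and the configured range, copying the same idmap block to every member server gives consistent ids for NFS without a shared LDAP idmap store, which is the point the first answer's comment makes.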