I posted this to the Samba list yesterday and since this is related to
FreeBSD I thought I'd post to this list. Can anyone shed some light on the
'getent' command in FreeBSD 5.4? It isn't working and I'd like to know if
it's because it's based on Linux instead of FreeBSD, thus rendering its
usefulness to nil.

~Doug

-----Original Message-----
Sent: Thursday, September 15, 2005 04:44 PM
To: samba@lists.samba.org
Subject: [Samba] getent & winbindd on FreeBSD 5.4

I'm trying to get a FreeBSD 5.4 server to join an NT4 domain as a member
domain server using winbindd. I've compiled Samba with WinBIND support, ACL
Support, Syslog support, UTMP support, SMB PAM module, and with installed
POPT library.

I've reviewed Chapter 20 of TOSHARG and implemented a good portion of it
into our smb.conf file but am having trouble making the 'getent' command
work. Running Samba 3.0.20.1. The 'getent' command is found in
/usr/compat/linux/usr/bin/.

I can join the domain fine and execute 'wbinfo -u' with the expected domain
user listing as well as with the 'wbinfo -g' command. However when I attempt
to execute 'getent passwd' it shows only the local user accounts. Executing
'getent group' also produces only the local groups.

It seems the getent command that comes with the linux_base port on FreeBSD
5.4 may or may not be working. I am unable to verify it though. Doing a
'tdbdump winbind_cache.tdb' reveals that the users are being enumerated but
without a corresponding *nix user id. I don't know if the tdbsam is supposed
to reveal such information. TOSHARG states that for getent to work, the
nsswitch.conf must be properly configured. Mine is as follows:

# /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
hosts: files winbind wins dns
networks: files
shells: files


NSSwitch depends on PAM modules for authentication so here's my login file:

#
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
#
# PAM configuration for the "login" service
#

# auth
auth            sufficient      pam_winbind.so
auth            sufficient      pam_unix.so             use_first_pass
auth            required        pam_stack.so    service=system-auth
auth            required        pam_nologin.so  no_warn
auth            sufficient      pam_self.so             no_warn
auth            include system

# account
account sufficient      pam_winbind.so
account required        pam_stack.so    service=system-auth
account include system

# session
session required        pam_stack.so    service=system-auth     
session include system

# password
password        required        pam_stack.so    service=system-auth     
password        include system


# smb.conf
[global]
        workgroup = DSP
        server string = Samba Server
        security = DOMAIN
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        os level = 33
        local master = No
        dns proxy = No
        wins server = 192.168.1.1
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        template homedir = /usr/home/%D/%U
        template shell = /bin/bash
        winbind separator = +
        hosts allow = 192.168.1., 192.168.2., 127.

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[MacData]
        comment = Production Data
        path = /data
        valid users = @DSP+PRODUCTION
        read only = No
        create mask = 0765


The odd thing is, there's no /etc/pam.d/samba file even though I specified
that the PAM samba module be installed. Is my PAM whacked?

Also, I am unsure if I need to map users to NT accounts using a text file
similar to /etc/smb/smbusers or some file similar to that? When I execute
'pw groupshow DSP+PRODUCTION', the log.smbd shows this:
[2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_tdbopen(195)
  Unable to open/create TDB passwd
[2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(488)
  pdb_getsampwrid: Unable to open TDB rid database!

log.wb-DSP shows this:
[2005/09/15 16:17:24, 0] rpc_client/cli_pipe.c:cli_rpc_open_noauth(1700)
  rpc_pipe_bind failed

I'm a newb so would appreciate any advice!

~Doug
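
One way to check whether passwd output contains any winbind-provided accounts, using the separator and idmap uid range from the smb.conf in the post. This is an added example, not part of the original message; the function names and the sample accounts are constructed.

```shell
#!/bin/sh
# Added example. Values taken from the smb.conf in the post:
#   winbind separator = +    idmap uid = 15000-20000
# Function names and sample accounts are constructed for illustration.

# winbind_entries SEP LOW HIGH
# Reads passwd(5)-format lines on stdin; prints logins that contain SEP and
# whose UID lies in LOW..HIGH, i.e. entries shaped like winbind-mapped users.
winbind_entries() {
    awk -F: -v sep="$1" -v lo="$2" -v hi="$3" '
        /^#/ || NF < 7 { next }   # skip comments and malformed lines
        index($1, sep) > 0 && $3 + 0 >= lo && $3 + 0 <= hi { print $1 }'
}

# nss_sources DB
# Reads an nsswitch.conf on stdin; prints the source list configured for DB.
nss_sources() {
    awk -v db="$1:" '$1 == db {
        sub(/^[^:]*:[ \t]*/, "")   # drop the "passwd:" key
        sub(/[ \t]*#.*$/, "")      # drop a trailing comment
        sub(/[ \t]+$/, "")         # drop trailing whitespace
        print }'
}

# Constructed sample: what "getent passwd" shows when only local users resolve.
SAMPLE_LOCAL_ONLY='root:*:0:0:Charlie &:/root:/bin/csh
doug:*:1001:1001:Doug:/home/doug:/bin/sh'

# Constructed sample: the same with domain users resolved through winbind,
# plus one entry whose UID falls outside the configured idmap range.
SAMPLE_WITH_DOMAIN="$SAMPLE_LOCAL_ONLY
DSP+alice:*:15000:15000:Alice:/usr/home/DSP/alice:/bin/bash
DSP+bob:*:15001:15000:Bob:/usr/home/DSP/bob:/bin/bash
DSP+stale:*:25000:15000:Out of range:/usr/home/DSP/stale:/bin/bash"

# The passwd/group/hosts lines from the nsswitch.conf in the post.
SAMPLE_NSS='# /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
hosts: files winbind wins dns'

printf 'passwd sources: %s\n' "$(printf '%s\n' "$SAMPLE_NSS" | nss_sources passwd)"
printf 'domain entries:\n'
printf '%s\n' "$SAMPLE_WITH_DOMAIN" | winbind_entries + 15000 20000
```

On a live host the real output can be piped in with `getent passwd | winbind_entries + 15000 20000`; an empty result while 'wbinfo -u' lists users matches the symptom described in the post.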
