From owner-freebsd-current@FreeBSD.ORG Sun May 11 17:50:40 2003
From: "PHELPS, SCOTT" <SPHELPS@ridgways.com>
To: freebsd-current@freebsd.org
Date: Sun, 11 May 2003 19:48:22 -0500
Subject: FreeBSD & Winbind | New NSS???
Message-ID: <1052700502.4364.622.camel@home.virginiabeach.va>
List-Id: Discussions about the use of FreeBSD-current

Hi folks,

I appreciate you taking the time to read this. I have less than 1 yr of experience with FreeBSD, so please bear with me. I hope somebody can give me some tender guidance here.

I have been spending a couple of days trying to get winbind to work on my FreeBSD 5.0-RELEASE box, and I stumbled upon this reply from last year:

> From: rwatson@FreeBSD.ORG (rwatson@FreeBSD.ORG)
> Subject: Re: nsswitch functionality
> Newsgroups: sol.lists.freebsd.hackers
> Date: 2002-12-06 10:58:54 PST
>
> Right now there is no active work (that I know of) to complete nsswitch.
> It's something I've wanted to see in place for a long time, but I've had
> some trouble finding funding to make this happen. Having funding would
> provide access to a broader array of hands, and always has a good effect
> on motivation. I can find you a contractor if you can find the money --
> otherwise my guess is that the support will gradually trickle in, but that
> it's something that will take a lot longer than either you or I would
> like. Having nsswitch in place is very important for precisely the reason
> you identify: it's required to properly integrate with a variety of
> directory services in use in the enterprise. FWIW, there's no way it will
> happen for 5.0, because we're already in the release candidate series.
> However, it could be made to happen within a quarter or two. If anyone is
> interested in picking up this task unfunded, we can certainly provide the
> technical information and work with them to make it happen, but it's a
> non-trivial task. There are some work-arounds, but none of them nearly as
> pretty as just having nsswitch support :-). One I know of involves
> redistributing directory service data via NIS.
>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
> robert@fledge.watson.org      Network Associates Laboratories

My question is, will it work now? The release notes for 5.0 say that nss works:

  "nsswitch support has been merged from NetBSD. By creating an
  nsswitch.conf(5) file, FreeBSD can be configured so that various
  databases such as passwd(5) and group(5) can be looked up using flat
  files, NIS, or Hesiod. If /etc/nsswitch.conf does not exist, it will be
  automatically generated from an existing /etc/host.conf at system
  startup time. The /etc/host.conf file may be used by old executables;
  it will be automatically generated from an existing /etc/nsswitch.conf
  during system startup if it exists."

However, nsswitch.conf did not get created. I had to make it myself.
Furthermore, desperate for answers, and unwilling to go back to Linux :), I stumbled upon and read this entire thread from last month:

  http://lists.freebsd.org/mailman/htdig/freebsd-current/2003-April/001040.html

Here's everything I have done:

Configured Samba 2.2.8a
  - without cups
  - with winbind
  - with winbind-auth
  - with audit

Then I copied the libnss_winbind.so to /usr/lib and softlinked it to /usr/local/lib as well as to the other files mentioned in the howto (with the .so.1 and .so.2 endings). FreeBSD has no /lib directory, so I used the ones below /usr and /usr/local.

I left out the pam step because I just want to provide the file-serving capabilities of samba to the clients (hope this is correct - this is my first time playing around with winbind because I'm bored with synchronizing NT & Unix accounts).

Also, I didn't see a nsswitch.conf so I created one that says:

  # lookup order: local files first, then winbind
  passwd: files winbind
  group:  files winbind

Then, I joined the domain with

  smbpasswd -j MYDOM -r NT4PDC -U Administrator

(supplied the correct password) and got the success message. The wbinfo options -u, -g, -t, -a (challenge/response & plaintext) do all work fine.

But when I want to connect from a w2ksp2 machine to Samba, it doesn't seem to hand over the provided user credentials to winbindd (same with smbclient on localhost).

So here are some more questions:

- I don't need the pam configuration if I don't want other services to be authenticated with winbind, do I?
- I don't need more winbind uid's and gid's than Users and Groups on the PDC?
- If I enable the "winbind use default domain" option, I don't need to add the NT domain name to the usernames in valid/admin users, do I?
- Is there anything I need to do in the kernel for nsswitch to work?
- Do I need to update my sources to CURRENT and build world?
- Any other hints from more experienced samba/winbind/freebsd (non-linux) users (maybe you have a look at my smb.conf below)?
btw here's my smb.conf:

  [global]
     workgroup = MYDOM
     netbios name = FOO
     interfaces = xl0
     bind interfaces only = Yes
     security = DOMAIN
     encrypt passwords = Yes
     update encrypted = Yes
     password server = NT4PDC, NT4BDC
     wins server = NT4PDC
     winbind uid = 15000-15050
     winbind gid = 15000-15050
     template shell = /sbin/nologin
     winbind separator = +
     winbind cache time = 5
     winbind use default domain = Yes

  [sysroot$]
     path = /
     valid users = Admin1, Admin2
     admin users = Admin1, Admin2
     read only = No

  [raid$]
     path = /raid
     valid users = Admin1, Admin2
     admin users = Admin1, Admin2
     read only = No

Any help would be greatly appreciated ;-)

Scott
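The script below is an added example, not code from the original post, from Samba or from FreeBSD. It lints the two configuration fragments the post shows: it checks that each nsswitch.conf database actually lists "files" followed by "winbind" (comment lines ignored, keyword case ignored), and it flags any smb.conf share that exports "/" while also setting "admin users", since Samba performs every file operation for those users as root. The sample files are constructed inline to mirror the post's configuration, the temporary directory is an assumption, and only POSIX sh and awk are used; nothing here talks to winbindd or the PDC.

```shell
#!/bin/sh
# Added example, not code from the original post, Samba or FreeBSD: two lint
# checks for the winbind/nsswitch setup described above. Only POSIX sh and
# awk are used; nothing here contacts winbindd or the PDC.

# nss_check FILE DB
# Returns 0 if the DB line in FILE (e.g. passwd, group) lists "files" and
# then "winbind", in that order; 1 if the line is missing or the order is
# wrong. Keywords are compared case-insensitively, so "Passwd:" still
# matches; comment lines are ignored.
nss_check() {
    awk -v db="$2" '
        BEGIN { rc = 1 }
        /^[ \t]*#/ { next }
        tolower($1) == (db ":") {
            f = 0; w = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files"   && !f) f = i
                if ($i == "winbind" && !w) w = i
            }
            if (f && w && f < w) rc = 0
            exit
        }
        END { exit rc }
    ' "$1"
}

# smb_risky_shares FILE
# Prints the name of every non-global share whose "path" is "/" and which
# also sets "admin users": Samba performs all file operations for those
# users as root, so such a share hands out root-equivalent write access to
# the whole filesystem over SMB.
smb_risky_shares() {
    awk '
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
        sec == "" || tolower(sec) == "global" { next }
        {
            key = $0; sub(/[ \t]*=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/[ \t]+$/, "", val)
            if (tolower(key) == "path" && val == "/")        root[sec] = 1
            if (tolower(key) == "admin users" && val != "")  adm[sec]  = 1
        }
        END { for (s in root) if (s in adm) print s }
    ' "$1"
}

# ---- constructed sample input mirroring the configuration in the post ----
# (temporary directory is an assumption of this example)
tmpdir=$(mktemp -d)
cat > "$tmpdir/nsswitch.conf" <<'EOF'
passwd: files winbind
group: files winbind
EOF
cat > "$tmpdir/smb.conf" <<'EOF'
[global]
   workgroup = MYDOM
   security = DOMAIN
[sysroot$]
   path = /
   valid users = Admin1, Admin2
   admin users = Admin1, Admin2
   read only = No
[raid$]
   path = /raid
   valid users = Admin1, Admin2
   admin users = Admin1, Admin2
EOF

for db in passwd group; do
    if nss_check "$tmpdir/nsswitch.conf" "$db"; then
        echo "$db: files, then winbind - ok"
    else
        echo "$db: winbind is not consulted after files" >&2
    fi
done
smb_risky_shares "$tmpdir/smb.conf" | while read -r share; do
    echo "share [$share] exports / with admin users (root-equivalent writes over SMB)" >&2
done
rm -rf "$tmpdir"
```

Run it against the real /etc/nsswitch.conf and smb.conf instead of the constructed samples to check a live box. Note that wbinfo talks to winbindd directly, so wbinfo -u succeeding proves only that winbindd can reach the PDC; it says nothing about whether libc's getpwnam() goes through nsswitch to libnss_winbind. The nsswitch path is exercised by an ordinary lookup of a domain account, for example id on a domain user (with "winbind use default domain = Yes" that is the bare username, otherwise MYDOM+user given the "+" separator).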