Hello,
I'm having some problems using winbind on Samba 3.0.1 with /etc/nsswitch.conf on a Solaris 8 server. The Solaris 8 release is 10/00.
The basic problem that I have is that there are restrictions on what nsswitch.conf can contain if password ageing is used.
My setup is that users connecting to shares on the Solaris samba server are authenticated against a accounts on a Windows Active Directory Domain. (That is, smb.conf is configured to use "security = ADS"). I am using winbind on the Solaris samba server to enumerate Active Directory Domain users and groups as standard unix groups and users.
I have installed the winbind libraries thus:
cp libnss_winbind.so /lib
ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1
ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1
ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2
I have also edited /etc/nsswitch.conf from using
passwd: files
group: files
to
passwd: files winbind
group: files winbind
The problem that I have is that there are restrictions on what nsswitch.conf can contain if password ageing is used.
This is indicated in the Solaris 8 man page for nsswitch.conf(4), which says:
Interaction with Password Aging
When password aging is turned on, only a limited set of pos-
sible name services are permitted for the passwd: database
in the /etc/nsswitch.conf file:
passwd:
files
passwd:
files nis
passwd:
files nisplus
passwd:
files ldap
passwd:
compat
passwd_compat:
nisplus
passwd_compat:
ldap
Any other settings will cause the passwd(1) command to fail
when it attempts to change the password after expiration and
will prevent the user from logging in. These are the only
permitted settings when password aging has been turned on.
Otherwise, you can work around incorrect passwd: lines by
using the -r repository argument to the passwd(1) command
and using passwd -r repository to override the nsswitch.conf
settings and specify in which name service you want to
modify your password.
So, using winbind like this forces me to use `passwd -r files` to do operations using the passwd command.
If I don't use the "-r" switch on the password command, an error is produced due to the presense of winbind in the nsswitch.conf file. The error is
passwd: Unsupported nsswitch entry for "passwd:". Use "-r repository ".
We have some applications that will break because of this and we have to use password ageing because of our security policy.
Is there any way of overcoming this limitation with nsswitch.conf and winbind on Solaris 8?
Thanks,
David Legge
David Legge Ph.D.
Corporate Applications Server Support Officer
Information Management Branch
Department of Infrastructure, Energy and Resources
10 Murray Street, Hobart
GPO Box 936, Hobart, 7001
Tasmania, Australia
Telephone: (03) 62337148
Facsimile: (03) 62332573
--
To unsubscribe from this list go to the following URL and read the
instructions:
http://lists.samba.org/mailman/listinfo/samba
FAQ
Search
Profile
Private Messages
Log in
Linux