FreeBSD & Winbind | New NSS???

From: PHELPS, SCOTT <SPHELPS_at_ridgways.com>
Date: Sun, 11 May 2003 19:48:22 -0500
Hi folks,

I appreciate you taking the time to read this.  I have less than 1yr
experience with FreeBSD, so please bear with me.  I hope somebody can
give me some tender guidance here.

I have been spending a couple of days trying to get winbind to work on
my FreeBSD 5.0 RELEASE box, and I stumbled upon this reply from last
year:

> From: rwatson_at_FreeBSD.ORG (rwatson_at_FreeBSD.ORG)
> Subject: Re: nsswitch functionality
> Newsgroups: sol.lists.freebsd.hackers
> Date: 2002-12-06 10:58:54 PST
> Right now there is no active work (that I know of) to complete nsswitch.
> It's something I've wanted to see in place for a long time, but I've had
> some trouble finding funding to make this happen.  Having funding would
> provide access to a broader array of hands, and always has a good effect
> on motivation.  I can find you a contractor if you can find the money --
> otherwise my guess is that the support will gradually trickle in, but that
> it's something that will take a lot longer than either you or I would
> like.  Having nsswitch in place is very important for precisely the reason
> you identify: it's required to properly integrate with a variety of
> directory services in use in the enterprise.  FWIW, there's no way it will
> happen for 5.0, because we're already in the release candidate series.
> However, it could be made to happen within a quarter or two.  If anyone is
> interested in picking up this task unfunded, we can certainly provide the
> technical information and work with them to make it happen, but it's a
> non-trivial task.  There are some work-arounds, but none of them nearly as
> pretty as just having nsswitch support :-).  One I know of involves
> redistributing directory service data via NIS.
>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
> robert_at_fledge.watson.org      Network Associates Laboratories


My question is, will it work now?  The release notes for 5.0 say that
nss works:

"nsswitch support has been merged from NetBSD. By creating an
nsswitch.conf(5) file, FreeBSD can be configured so that various
databases such as passwd(5) and group(5) can be looked up using flat
files, NIS, or Hesiod. If /etc/nsswitch.conf does not exist, it will
be automatically generated from an existing /etc/hosts.conf at system
startup time. The /etc/hosts.conf file may be used by old executables;
it will be automatically generated from an existing /etc/nsswitch.conf
during system startup if it exists."

However, nsswitch.conf did not get created.  I had to make it myself.

Furthermore, desperate for answers, and unwilling to go back to
Linux :), I stumbled upon and read this entire thread from last month:
http://lists.freebsd.org/mailman/htdig/freebsd-current/2003-April/001040.html

Here's everything I have done:

Configured Samba 2.2.8a
- without cups
- with winbind
- with winbind-auth
- with audit

Then I copied the libnss_winbind.so to /usr/lib
and softlinked it to /usr/local/lib as well as
to the other files mentioned in the howto (with 
the .so.1 and .so.2 endings). FreeBSD has no /lib 
directory, so I used the ones below /usr and /usr/local.

I left out the pam step because I just want to provide
the file-serving capabilities of samba to the clients
(hope this is correct - this is my first time playing around 
with winbind because I'm bored with synchronizing NT&Unix
Accounts).

Also, I didn't see a nsswitch.conf so I created one that says:

Passwd: files winbind
Group:  files winbind

Then, I joined the domain with
smbpasswd -j MYDOM -r NT4PDC -U Administrator (supplied the 
correct password) and got the success message.

The wbinfo options -u, -g, -t, -a (challenge/response & plaintext) do
all work fine. But when I want to connect from a w2ksp2-machine to
Samba, it doesn't seem to hand over the provided user credentials to
winbindd (same with smbclient on localhost).

So here are some more questions:
- I don't need the pam configuration if I don't want other services to
  be authenticated with winbind, do I?
- I don't need more winbind uid's and gid's than Users and Groups on 
  the PDC?
- If I enable the "winbind use default domain" option, I don't need to
  add the NT-Domainname to the Usernames in valid/admin users, do I?
- Is there anything I need to do in the Kernel for nsswitch to work?
    - Do I need to update my sources to CURRENT and build world?
- Any other hints from more experienced
samba/winbind/freebsd(non-linux) users (maybe you have a look at my
smb.conf below)?


btw here's my smb.conf:

[global]
	workgroup = MYDOM
	netbios name = FOO
	interfaces = xl0
	bind interfaces only = Yes
	security = DOMAIN
	encrypt passwords = Yes
	update encrypted = Yes
	password server = NT4PDC, NT4BDC
	wins server = NT4PDC
	winbind uid = 15000-15050
	winbind gid = 15000-15050
	template shell = /sbin/nologin
	winbind separator = +
	winbind cache time = 5
	winbind use default domain = Yes

[sysroot$]
	path = /
	valid users = Admin1, Admin2
	admin users = Admin1, Admin2
	read only = No

[raid$]
	path = /raid
	valid users = Admin1, Admin2
	admin users = Admin1, Admin2
	read only = No


Any help would be greatly appreciated ;-)


Scott
Received on Sun May 11 2003 - 15:50:40 UTC
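
Added example (not part of the original message): a POSIX sh check of the "winbind uid" / "winbind gid" ranges from the smb.conf above. winbindd hands out one id from the range per domain user or group it maps, and a local account whose id sits inside the range would share file ownership with a domain identity, so the script reports both the number of available ids and any local names already inside the range. The function names and the sample passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.

# range_of FILE KEY: print "LOW HIGH" for a line such as "winbind uid = 15000-15050".
range_of() {
    awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        tolower(k) == key {
            v = $2; gsub(/[ \t]/, "", v)
            if (split(v, r, "-") == 2) print r[1], r[2]
            exit
        }' "$1"
}

# capacity FILE KEY: how many ids winbindd can allocate from that range.
capacity() {
    set -- $(range_of "$1" "$2")
    [ $# -eq 2 ] || return 1
    echo $(( $2 - $1 + 1 ))
}

# collisions FILE KEY DB: names in a passwd(5)/group(5)-format file DB whose
# numeric id already lies inside the range (field 3 in both formats).
collisions() {
    set -- "$3" $(range_of "$1" "$2")
    [ $# -eq 3 ] || return 1
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 }' "$1"
}

# Constructed sample input: the two range lines from the smb.conf above and
# three made-up passwd entries, one of which falls inside the range.
SAMPLE=$(mktemp -d)
printf '[global]\n\twinbind uid = 15000-15050\n\twinbind gid = 15000-15050\n' > "$SAMPLE/smb.conf"
printf 'root:*:0:0::/root:/bin/sh\nbackup:*:15010:15010::/nonexistent:/sbin/nologin\nscott:*:1001:1001::/home/scott:/bin/sh\n' > "$SAMPLE/passwd"

echo "uid slots: $(capacity "$SAMPLE/smb.conf" "winbind uid")"
echo "gid slots: $(capacity "$SAMPLE/smb.conf" "winbind gid")"
echo "local accounts inside uid range: $(collisions "$SAMPLE/smb.conf" "winbind uid" "$SAMPLE/passwd")"
```

On a real host, point the functions at the live smb.conf and at /etc/passwd or /etc/group instead of the sample files.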
