Yes, I added him to that group to see if that makes any difference. Thanks
for all your help. And I will let you know when I find out what the
problem is.

Best Regards,
Oliver


On 4/29/08, Dietrich Streifert wrote:
>
> I wonder why oweinmann is a member of the group staff. Maybe there is an
> entry for oweinmann in /etc/passwd?
>
> So I'm running out of ideas :-( Maybe someone out there can take over.
>
> Good luck and report back what you have found.
>
>
> Oliver Weinmann wrote:
>
> I changed both groups and users to "no". Still no difference. Another
> strange thing I came across.
>
> as user "oweinmann"
>
> $ id
> uid=11611(oweinmann) gid=1613(domain users)
> $ id -a oweinmann
> uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
> $ id -a
>
> why is the id -a oweinmann working as user "oweinmann" but not id -a????
>
>
> On 4/29/08, Dietrich Streifert wrote:
> >
> > Please try to set combinations of
> >
> > winbind enum groups = No
> >
> > and test again.
> >
> > This could be the reason why getent groups never ends. This is known to
> > be a problem with big AD user/groups databases.
> >
> > Have a look at this and related parameters in
> > path>/swat/help/manpages/smb.conf.5.html
> >
> >
> >
> > Oliver Weinmann wrote:
> >
> > It's the latest stable.
> >
> > # smbd -V
> > Version 3.0.28a
> >
> > [global]
> > netbios name = rose8
> > realm = VEGAGROUP.NET
> > workgroup = VEGA
> > security = ADS
> > encrypt passwords = yes
> > password server = *
> > os level = 20
> > socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> > idmap uid = 1100-200000
> > idmap gid = 1100-200000
> > idmap backend = rid:VEGA=1100-200000
> > allow trusted domains = no
> > winbind enum users = yes
> > winbind enum groups = yes
> > template homedir = /home/%U
> > template shell = /bin/sh
> > preferred master = no
> > winbind nested groups = Yes
> > winbind use default domain = Yes
> > #winbind separator = +
> > #winbind normalize names = yes
> > log level = 10
> > max log size = 50
> > log file = /var/log/samba/log.%m
> > dns proxy = no
> > wins server = 172.20.205.1
> > allow trusted domains = No
> > client use spnego = Yes
> > use kerberos keytab = true
> > winbind offline logon = yes
> >
> > I really appreciate your big effort. Thanks!
> >
> > On 4/29/08, Dietrich Streifert wrote:
> > >
> > > Which samba version do you use?
> > >
> > > Please post the global configuration section of smb.conf.
> > >
> > >
> > > Oliver Weinmann wrote:
> > >
> > > Here could be a problem. I could not change our win 2k3 schema. They
> > > were afraid it could break something... tsss. So I had to use the
> > > idmap_rid module. Which does a good job actually. It uses the last
> > > portion of the AD user's SID and adds it to a base set in smb.conf. I
> > > issued your commands:
> > >
> > > bash-2.03# getent passwd | grep oweinmann
> > > oweinmann2:*:15042:1613:Oliver Weinmann2:/home/oweinmann2:/bin/sh
> > > oweinmann:*:11611:1613:Oliver Weinmann:/home/oweinmann:/bin/sh
> > > oweinmann1:*:15041:1613:Oliver Weinmann1:/home/oweinmann1:/bin/sh
> > > bash-2.03# id -a oweinmann
> > > uid=11611(oweinmann) gid=1613(domain users) groups=10(staff)
> > > bash-2.03# su oweinmann
> > > $ id
> > > uid=11611(oweinmann) gid=1613(domain users)
> > > $ id -a
> > >
> > > the "id -a" as user "oweinmann" seems to get stuck. It just sits
> > > there. I noticed when issuing "groups oweinmann" as root it also gets
> > > stuck. On some users the "groups" command seems to be working, on some
> > > others it doesn't.
> > >
> > >
> > > > On 4/29/08, Dietrich Streifert wrote:
> > > > >
> > > > > We have several installations where we use the two different AD
> > > > > schema extensions (SFU from Windows Services for Unix and
> > > > > rfc2307bis from Windows Server 2003R2) to put the needed
> > > > > information in.
> > > > >
> > > > > We are using the idmap_ad module to map the uid, gid, home etc.
> > > > > information from the AD.
> > > > >
> > > > > The local users and the AD users are completely separated. We do
> > > > > not mix up local users and AD users.
> > > > >
> > > > > The first basic test if the AD user information retrieval is
> > > > > working is to use the getent command:
> > > > >
> > > > > getent
> > > > >
> > > > > So for a test user account I get:
> > > > >
> > > > > korund{root}[/]: getent passwd testuser
> > > > > testuser:*:1004:1000:Lastname, Firstname:/home/testuser:/bin/tcsh
> > > > >
> > > > > If this works the first step is done.
> > > > >
> > > > > The second test is to get all related information for one user:
> > > > >
> > > > > korund{root}[/]: id -a testuser
> > > > > uid=1004(testuser) gid=1000(visionet) groups=1033(devjavalib)
> > > > >
> > > > > The third test is to su - testuser and again try to issue both
> > > > > commands above. If the retrieved information is the same you
> > > > > should all be done (except from pam.conf which is another story).
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > > Oliver Weinmann wrote:
> > > > >
> > > > > Could the problem be that the AD users are not in any of the local
> > > > > groups on the machine? How do you manage your AD users to be
> > > > > members of local groups e.g. staff, sys etc.? pam_groups?
> > > >
> > > > On 4/29/08, Oliver Weinmann wrote:
> > > > >
> > > > > > there is nothing in /etc/profile and the user oweinmann has no
> > > > > > .bashrc. The problem seems to be related to nscd. When nscd is
> > > > > > turned on I can log in and issue commands and I don't get kicked
> > > > > > out of the ssh login. There is no idle session timeout set. If
> > > > > > there was I would get kicked out when nscd is turned on as well.
> > > > > > Only when logged in as an AD user I get kicked out...
> > > > >
> > > > > On 4/29/08, Dietrich Streifert
> > > > > wrote:
> > > > > >
> > > > > > > So there must be something in your bash init files,
> > > > > > > /etc/profile or ~/.bashrc (sorry I'm not a bash user) which
> > > > > > > causes the problem.
> > > > > > >
> > > > > > > Maybe something which forms the shell prompt like whoami etc.
> > > > > > >
> > > > > > > Maybe there is something like an autologout set for the csh or
> > > > > > > in sshd with idle session timeout.
> > > > > >
> > > > > >
> > > > > > > Oliver Weinmann wrote:
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > no, there was nothing in /var/adm/messages, but guess what,
> > > > > > > with the csh ls -alrt and such commands work fine... But I get
> > > > > > > kicked out of the ssh session after 2 minutes...
> > > > > >
> > > > > >
> > > > > > On 4/29/08, Dietrich Streifert
> > > > > > wrote:
> > > > > > >
> > > > > > > Are there any messages in /var/adm/messages which are related
> > > > > > > to nss ?
> > > > > > >
> > > > > > > As I can see you are using bash as your shell.
> > > > > > >
> > > > > > > Try using csh. Does something change?
> > > > > > >
> > > > > > > > Oliver Weinmann wrote:
> > > > > > > >
> > > > > > > > su to user oweinmann works but when I issue the ldd -r
> > > > > > > > /usr/lib/nss_winbind.so command it gets put in the
> > > > > > > > background... I then do fg 2 and this is the output:
> > > > > > > >
> > > > > > > > bash-2.03$ ldd -r /usr/lib/nss_winbind.so
> > > > > > > >
> > > > > > > > [2]+ Stopped ldd -r /usr/lib/nss_winbind.so
> > > > > > > > bash-2.03$ fg 2
> > > > > > > > ldd -r /usr/lib/nss_winbind.so
> > > > > > > > libthread.so.1 => /usr/lib/libthread.so.1
> > > > > > > > libsocket.so.1 => /usr/lib/libsocket.so.1
> > > > > > > > libdl.so.1 => /usr/lib/libdl.so.1
> > > > > > > > libc.so.1 => /usr/lib/libc.so.1
> > > > > > > > libnsl.so.1 => /usr/lib/libnsl.so.1
> > > > > > > > libmp.so.2 => /usr/lib/libmp.so.2
> > > > > > > > /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
> > > > > > > >
> > > > > > > > bash-2.03$ ls -alrt /etc/nsswitch.conf
> > > > > > > >
> > > > > > > > [2]+ Stopped ls -alrt /etc/nsswitch.conf
> > > > > > > > bash-2.03$ fg 2
> > > > > > > > ls -alrt /etc/nsswitch.conf
> > > > > > > > -rw-r--r-- 1 root sys 1320 Apr 28 13:19 /etc/nsswitch.conf
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > On 4/29/08, Dietrich Streifert wrote:
> > > > > > > >
> > > > > > > > > Please try to log in (or su) to the user oweinmann and
> > > > > > > > > then issue ldd -r /usr/lib/nss_winbind.so
> > > > > > > > >
> > > > > > > > > For some reason I think that non root users are not able to
> > > > > > > > > read one of the involved files.
> > > > > > > > >
> > > > > > > > > This could be
> > > > > > > > >
> > > > > > > > > /etc/nsswitch.conf
> > > > > > > > > /usr/lib/nss_winbind.so
> > > > > > > > >
> > > > > > > > > or some of the files found by the ldd -r command. The fact
> > > > > > > > > that you can issue commands while nscd is running points to
> > > > > > > > > this fact because nscd is running as root and has
> > > > > > > > > permissions to read all of those files.
> > > > > > > > >
> > > > > > > > > /etc/nsswitch.conf should be readable by everyone.
> > > > > > > > >
> > > > > > > > > I compiled samba myself with a full stack of openssl,
> > > > > > > > > iconv, heimdal kerberos, cyrus-sasl, openldap and samba.
> > > > > > > > > While people often speak of the Windows DLL hell this is
> > > > > > > > > the Solaris shared library hell :-( But it works.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > > Oliver Weinmann wrote:
> > > > > > > > >
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > bash-2.03# ldd -r /usr/lib/nss_winbind.so
> > > > > > > > > libthread.so.1 => /usr/lib/libthread.so.1
> > > > > > > > > libsocket.so.1 => /usr/lib/libsocket.so.1
> > > > > > > > > libdl.so.1 => /usr/lib/libdl.so.1
> > > > > > > > > libc.so.1 => /usr/lib/libc.so.1
> > > > > > > > > libnsl.so.1 => /usr/lib/libnsl.so.1
> > > > > > > > > libmp.so.2 => /usr/lib/libmp.so.2
> > > > > > > > > /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
> > > > > > > > >
> > > > > > > > > I changed the permissions and files exactly to be the same
> > > > > > > > > but I still can't issue commands...
> > > > > > > > >
> > > > > > > > > bash-2.03# ls -alrt /usr/lib/nss_winbind.so*
> > > > > > > > > -rwxr-xr-x 1 root other 74744 Apr 29 09:03 /usr/lib/nss_winbind.so.1
> > > > > > > > > lrwxrwxrwx 1 root other 25 Apr 29 09:04 /usr/lib/nss_winbind.so -> /usr/lib/nss_winbind.so.1
> > > > > > > > >
> > > > > > > > > Could this also be a problem of compiling? Have you
> > > > > > > > > compiled the samba yourself or are you using prebuilt
> > > > > > > > > packages?
> > > > > > > >
> > > > > > > > On 4/29/08, Dietrich Streifert <
> > > > > > > > dietrich.streifert@visionet.de> wrote:
> > > > > > > > >
> > > > > > > > > > What output does ldd -r /usr/lib/nss_winbind.so give?
> > > > > > > > > >
> > > > > > > > > > I have the following naming and permission for
> > > > > > > > > > nss_winbind:
> > > > > > > > > >
> > > > > > > > > > lrwxrwxrwx 1 root other 16 Jan 15 2004 nss_winbind.so -> nss_winbind.so.1
> > > > > > > > > > -rwxr-xr-x 1 root other 44540 Apr 28 17:35 nss_winbind.so.1
> > > > > > > > > >
> > > > > > > > > > Please try with exactly the same naming and permissions
> > > > > > > > > > of your files.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > Oliver Weinmann wrote:
> > > > > > > > >
> > > > > > > > > > I will try to get hands on the latest patches for
> > > > > > > > > > solaris 8 and see if that
> > > > > > > > > > fixes the nscd problems. I can't believe that
> > > > > > > > > > samba-winbind is not running
> > > > > > > > > > 100% well on a Solaris 8 machine.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On 4/28/08, Oliver Weinmann <
> > > > > > > > > > oliver.weinmann@googlemail.com> wrote:
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > > Just for fun I changed the perms of
> > > > > > > > > > > > /usr/lib/libnss_winbind.so to 777
> > > > > > > > > > > >
> > > > > > > > > > > > bash-2.03# chmod 777 /usr/lib/libnss_winbind.so
> > > > > > > > > > > > bash-2.03# ls -alrt /usr/lib/libnss_winbind.so
> > > > > > > > > > > > -rwxrwxrwx 1 root other 74744 Apr 28 13:32 /usr/lib/libnss_winbind.so
> > > > > > > > > > > >
> > > > > > > > > > > > nscd is turned off. I can log in as an AD user but I
> > > > > > > > > > > > can't start any
> > > > > > > > > > > > command.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > login as: oweinmann
> > > > > > > > > > > Using keyboard-interactive authentication.
> > > > > > > > > > > Password:
> > > > > > > > > > > Last login: Mon Apr 28 15:17:11 2008 from
> > > > > > > > > > > vb8860.vegagrou
> > > > > > > > > > > bash-2.03$ ls -alrt
> > > > > > > > > > >
> > > > > > > > > > > [1]+ Stopped ls -alrt
> > > > > > > > > > > bash-2.03$ id
> > > > > > > > > > >
> > > > > > > > > > > [2]+ Stopped id
> > > > > > > > > > > bash-2.03$ group
> > > > > > > > > > >
> > > > > > > > > > > [3]+ Stopped group
> > > > > > > > > > > bash-2.03$ echo "TEST"
> > > > > > > > > > > TEST
> > > > > > > > > > > bash-2.03$
> > > > > > > > > > > Some commands are working and some others are put in
> > > > > > > > > > > background and the
> > > > > > > > > > > session closes after one or two minutes?
> > > > > > > > > > >
> > > > > > > > > > > When I turn on nscd everything is fine, except ls
> > > > > > > > > > > -alrt not working.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On 4/28/08, Gerald (Jerry) Carter
> > > > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > > Oliver Weinmann wrote:
> > > > > > > > > > > > > | forgot to mention that the nss_winbind links are there:
> > > > > > > > > > > > > |
> > > > > > > > > > > > > | bash-2.03# ls -alrt /usr/lib/nss_w*
> > > > > > > > > > > > > | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.2 -> /usr/lib/libnss_winbind.so.1
> > > > > > > > > > > > > | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so.1 -> /usr/lib/libnss_winbind.so.1
> > > > > > > > > > > > > | lrwxrwxrwx 1 root other 28 Apr 23 14:30 /usr/lib/nss_winbind.so -> /usr/lib/libnss_winbind.so.1
> > > > > > > > > > > > >
> > > > > > > > > > > > > Check the perms on /usr/lib/libnss_winbind.so.1.
> > > > > > > > > > > > > Sounds like it might be rwx for root only.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > cheers, jerry
> > > > > > > > > > > > - --
> > > > > > > > > > > >
> > > > > > > > > > > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D
> > > > > > > > > > > > Samba -------
> > > > > > > > > > > > http://www.samba.org
> > > > > > > > > > > > Likewise Software ---------
> > > > > > > > > > > > http://www.likewisesoftware.com
> > > > > > > > > > > > "What man is a man who does not make the world
> > > > > > > > > > > > better?" --Balian
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Mit freundlichen Gr=FC=DFen
> > > > > > > > > Dietrich Streifert
> > > > > > > > > --
> > > > > > > > > Visionet GmbH
> > > > > > > > > Firmensitz: Am Weichselgarten 7, 91058 Erlangen
> > > > > > > > > Registergericht: Handelsregister F=FCrth, HRB 6573
> > > > > > > > > Gesch=E4ftsf=FChrer: Stefan Lindner
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Mit freundlichen Gr=FC=DFen
> > > > > > > > Dietrich Streifert
> > > > > > > > --
> > > > > > > > Visionet GmbH
> > > > > > > > Firmensitz: Am Weichselgarten 7, 91058 Erlangen
> > > > > > > > Registergericht: Handelsregister F=FCrth, HRB 6573
> > > > > > > > Gesch=E4ftsf=FChrer: Stefan Lindner
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Mit freundlichen Gr=FC=DFen
> > > > > > > Dietrich Streifert
> > > > > > > --
> > > > > > > Visionet GmbH
> > > > > > > Firmensitz: Am Weichselgarten 7, 91058 Erlangen
> > > > > > > Registergericht: Handelsregister F=FCrth, HRB 6573
> > > > > > > Gesch=E4ftsf=FChrer: Stefan Lindner
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > --
> > > > > > Mit freundlichen Gr=FC=DFen
> > > > > > Dietrich Streifert
> > > > > > --
> > > > > > Visionet GmbH
> > > > > > Firmensitz: Am Weichselgarten 7, 91058 Erlangen
> > > > > > Registergericht: Handelsregister F=FCrth, HRB 6573
> > > > > > Gesch=E4ftsf=FChrer: Stefan Lindner
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > > > --
> > > > Mit freundlichen Gr=FC=DFen
> > > > Dietrich Streifert
> > > > --
> > > > Visionet GmbH
> > > > Firmensitz: Am Weichselgarten 7, 91058 Erlangen
> > > > Registergericht: Handelsregister F=FCrth, HRB 6573
> > > > Gesch=E4ftsf=FChrer: Stefan Lindner
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > > --
> > > Mit freundlichen Gr=FC=DFen
> > > Dietrich Streifert
> > > --
> > > Visionet GmbH
> > > Firmensitz: Am Weichselgarten 7, 91058 Erlangen
> > > Registergericht: Handelsregister F=FCrth, HRB 6573
> > > Gesch=E4ftsf=FChrer: Stefan Lindner
> > >
> > >
> > >
> > >
> > >

> >
> > --
> > Mit freundlichen Gr=FC=DFen
> > Dietrich Streifert
> > --
> > Visionet GmbH
> > Firmensitz: Am Weichselgarten 7, 91058 Erlangen
> > Registergericht: Handelsregister F=FCrth, HRB 6573
> > Gesch=E4ftsf=FChrer: Stefan Lindner
> >
> >
> >
> >
> >

>
> --
> Mit freundlichen Gr=FC=DFen
> Dietrich Streifert
> --
> Visionet GmbH
> Firmensitz: Am Weichselgarten 7, 91058 Erlangen
> Registergericht: Handelsregister F=FCrth, HRB 6573
> Gesch=E4ftsf=FChrer: Stefan Lindner
>
>
>
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
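
Added example, not part of the original thread: the quoted messages suspect that non-root users cannot read /etc/nsswitch.conf or the nss_winbind module, and one test sets the module to mode 777. The sketch below audits the "other" permission bits on such a file and its parent directories; the function names mode_of and audit_nss_file are hypothetical, and nothing on disk is changed.

```sh
#!/bin/sh
# Added example: audit the permission bits on files that every process
# loads for NSS lookups. Read-only; function names are hypothetical.

# mode_of PATH -> 10-character mode string of PATH, following symlinks
mode_of() {
    ls -ldL -- "$1" 2>/dev/null | awk '{ print substr($1, 1, 10); exit }'
}

# audit_nss_file PATH -> prints one verdict and returns non-zero on a finding:
#   missing           target does not exist (or symlink is dangling)
#   dir-blocked       a parent directory lacks search (x) for "other"
#   other-unreadable  "other" lacks read on the file
#   world-writable    "other" may write the file (any user could replace
#                     code that privileged processes load)
#   ok
audit_nss_file() {
    path=$1
    mode=$(mode_of "$path")
    [ -n "$mode" ] || { echo missing; return 1; }

    # Walk every parent directory up to / (or . for relative paths).
    dir=$(dirname -- "$path")
    while :; do
        case $(mode_of "$dir") in
            d????????[xt]) ;;                      # other has x
            *) echo dir-blocked; return 1 ;;
        esac
        case $dir in /|.) break ;; esac
        dir=$(dirname -- "$dir")
    done

    case $mode in
        ???????-??) echo other-unreadable; return 1 ;;
        ????????w?) echo world-writable; return 1 ;;
    esac
    echo ok
}

# Usage: sh audit.sh /etc/nsswitch.conf /usr/lib/nss_winbind.so
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(audit_nss_file "$f")"
done
```

Running it against each library listed by ldd -r covers the remaining files named in the thread.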