[Samba] Windows pre-requisites for login with winbind?

A. James Lewis james at fsck.co.uk
Tue Aug 22 11:09:50 UTC 2017 

Ahh, upgrading to 4.6.5 did not change my problem significantly, but it DID change the error message significantly... this might give some much better information to someone who knows how the code works!

Aug 22 11:59:01 hostname01 winbindd[451]: [2017/08/22 11:59:01.055174,  0] ../source3/libads/sasl.c:786(ads_sasl_spnego_bind)
Aug 22 11:59:01 hostname01 winbindd[451]:   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/local_ad01.domain.local with user[HOSTNAME01$] realm[DOMAIN.LOCAL]: No logon servers

I am still able to log in and list groups for long standing users, and not log in for more recently created users... but I am no-longer able to list groups for the users I can't log in with!

James


August 22, 2017 11:31 AM, "A. James Lewis via samba" <samba at lists.samba.org> wrote:

> Hi!
> 
> Indeed!, this sounds like good advice... there are certainly bugs, I had to get the 7.04.5 package
> from "proposed" to get resolve a PAM library issue!... although I suppose that's a packaging
> problem.
> 
> What is the best way to get an updated Samba package here, I'm trying to make this system
> reproduceable, I have a single script that builds the entire container, and sets up an Xrdp
> terminal server with everything configured... Ideally I'd like to do it in a sustainable way!... 
> 
> Perhaps migrating to 17.10 would be a good move at this point since 4.6.5 is available there, and
> ultimately my goal would be to have this built on 18.04 for some level of stability.... I'm sitting
> on 17.04 right now since the move to Gnome is not popular around here.... 
> 
> I guess I could install the 17.10 package on 17.04 for testing, watch this space... feedback to
> follow.
> 
> James
> 
> August 22, 2017 8:13 AM, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
>> Hai
>> 
>> Since your on ubuntu 17.04 (zesty) and samba 2:4.5.8+dfsg-0ubuntu0.17.04.5.
>> Now i dont know if your able to upgrade you samba to 4.5.12 or at least 4.6.5.
>> 
>> But I would really recommend trying to upgrade to a higher version.
>> I suggest go through the changelogs, and see the winbind and kerberos related fixes so you
>> understand why i say upgrade.
>> I suspect you have hit one or more of these bugs.
>> 
>> Greetz,
>> 
>> Louis
>> 
>>> -----Oorspronkelijk bericht-----
>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>>> Rowland Penny via samba
>>> Verzonden: maandag 21 augustus 2017 19:28
>>> Aan: samba at lists.samba.org
>>> Onderwerp: Re: [Samba] Windows pre-requisites for login with winbind?
>>> 
>>> On Mon, 21 Aug 2017 17:13:12 +0000
>>> "A. James Lewis" <james at fsck.co.uk> wrote:
>>> 
>>> I'm inclined to agree with you regarding resolveconf, but I don't
>>> think that's the issue here, clearly it was able to get the
>>> name and
>>> IP of the AD server.... and connect to it.
>>> 
>>> The error from kinit had the hostname of one of the AD
>>> servers in it,
>>> that name is not in the config, and that address was
>>> reachable... so I
>>> can't think that it's DNS.
>>> 
>>> What is worrying me is if this is valid, to have the domain in
>>> twice:- cifs/LOCAL_AD02.domain.local at DOMAIN.LOCAL in the
>>> kinit error
>>> from auth.log
>>> 
>>> I'd love to solve this issue too... but I started with one
>>> issue, and
>>> now I have 2... LOL!
>>> 
>>> That is perfectly normal, so stop worrying
>>> 
>>> There is an easy way to try and prove if it is a dns problem
>>> (which i am sure it is)
>>> 
>>> ADD
>>> 
>>> <the DCs ipaddress> <the DCs hostname>.domain.local <the DCs hostname>
>>> 
>>> to /etc/hosts
>>> 
>>> Rowland
>>> 
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>> 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
> 
> --
> A. James Lewis (james at fsck.co.uk)
> "Engineering does not require science. Science helps a lot but people
> built perfectly good brick walls long before they knew why cement works."
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."

More information about the samba mailing list