[Samba] Login to AD Member Fail
Rowland Penny
rpenny at samba.org
Wed Jun 27 11:43:43 UTC 2018
On Wed, 27 Jun 2018 13:04:12 +0200
basti via samba <samba at lists.samba.org> wrote:
> Hello,
> when I try to log in to the AD member via IP address from a Windows
> client, it works.
>
> Login to the AD member from the Windows client via DNS name fails.
> Windows Errorcode: 0x80070035
>
> Dc1: Samba 4.5.12+dfsg-2+deb9u2
> AD Member: Samba 4.5.12+dfsg-2+deb9u2
>
> winbindd.log (AD Member)
>
> [2018/06/27 12:49:58.787087, 1]
> ../source3/winbindd/winbindd_pam.c:2567(winbindd_pam_auth_pac_send)
> Error during PAC signature verification: NT_STATUS_UNSUCCESSFUL
> [2018/06/27 12:50:17.766117, 1]
> ../source3/winbindd/winbindd_pam.c:2502(extract_pac_vrfy_sigs)
> Failed to initialize kerberos context: Invalid argument
>
>
> win-client.log (AD Member)
>
> [2018/06/27 12:49:13.354207, 1]
> ../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
> Failed to fetch record!
> [2018/06/27 12:49:13.354282, 1]
> ../source3/smbd/server_reload.c:69(delete_and_reload_printers)
> pcap cache not loaded
>
>
> smb.conf (AD Member)
>
> security = ADS
> workgroup = DOM
> realm = DOM.EXAMPLE.COM
>
> bind interfaces only = yes
> interfaces = lo eth0
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = tdb
> idmap config * : range = 1000-1005
The above range is much too small; there are more than 6 'Well known
SIDs'.
>
> # idmap config for the DOM domain
> idmap config KES:backend = ad
> idmap config KES:schema_mode = rfc2307
> idmap config KES:range = 1006-999999
I hope this is just a typo, but just in case it isn't, 'KES' != 'DOM'.
I also hope you don't use sudo on this machine, mainly because you
cannot have any local Unix users with the set ranges.
>
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/users/%U
> template shell = /bin/bash
>
> winbind use default domain = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
>
Rowland
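
The three points raised in the reply above can be checked mechanically. The following is an added example, not part of the original message and not Samba's own code; the function names, the floor of 7 IDs (taken from "more than 6") and the first local UID of 1000 are assumptions.

```python
import re

# Constructed sample: the idmap-related lines of the smb.conf quoted above.
SAMPLE = """\
[global]
workgroup = DOM
idmap config * : backend = tdb
idmap config * : range = 1000-1005
idmap config KES:backend = ad
idmap config KES:schema_mode = rfc2307
idmap config KES:range = 1006-999999
"""

IDMAP_KEY = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\S+)$", re.I)

def parse(text):
    """Return (workgroup, {domain: {option: value}}) from smb.conf text."""
    workgroup, idmap = None, {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # skip blanks, comments, section headers
        key, value = (p.strip() for p in line.split("=", 1))
        m = IDMAP_KEY.match(key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        elif key.lower() == "workgroup":
            workgroup = value.upper()
    return workgroup, idmap

def check_idmap(text, min_default_ids=7, first_local_uid=1000):
    """Both thresholds are assumptions: 7 from the reply's "more than 6",
    1000 as the ID at which local Unix accounts are assumed to start."""
    workgroup, idmap = parse(text)
    findings = []
    for domain, opts in idmap.items():
        if domain != "*" and domain != workgroup:
            findings.append(f"domain-mismatch: '{domain}' != workgroup '{workgroup}'")
        if "range" not in opts:
            continue
        low, high = (int(n) for n in opts["range"].split("-"))
        if domain == "*" and high - low + 1 < min_default_ids:
            findings.append(f"default-range-too-small: {low}-{high}")
        if low <= first_local_uid <= high:
            findings.append(f"local-uid-overlap: '{domain}' range {low}-{high}")
    return findings

if __name__ == "__main__":
    for finding in check_idmap(SAMPLE):
        print(finding)
```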