sysvol replication between samba4 DCs

Daniele Dario d.dario76 at gmail.com
Fri Oct 5 07:57:26 MDT 2012


Hi list,
I'm back again to try to get ssh working with kerberos.

I've updated both DCs to RC1 and reprovisioned the domain to start from
scratch so the secondary DC has been joined and all worked fine.

Now I started following what is pointed out in the Samba4/Winbind howto at
http://wiki.samba.org/index.php/Samba4/Winbind to get pam_winbind
working (in order to allow UsePAM = yes in sshd_config) but even after
adding symlinks of libnss_winbind.so and others to /lib
and /lib/security I can't get ldconfig -v to show libnss_winbind.

Both DCs are running on Ubuntu 11.04 x86.

After adding the symlinks, wbinfo -p, wbinfo -u, getent passwd work as
pointed out in the howto but libnss_winbind.so.2 will not be shown.

Can someone please tell me if this is correct?

Thanks,
Daniele.

On Fri, 2012-09-21 at 15:16 +0200, Michael Wood wrote:
> Hi Daniele
> 
> On 21 September 2012 14:41, Daniele Dario <d.dario76 at gmail.com> wrote:
> > Hi Michael,
> >
> > On Fri, 2012-09-21 at 11:54 +0200, Michael Wood wrote:
> >> Hi
> >>
> >> On 21 September 2012 11:27, Daniele Dario <d.dario76 at gmail.com> wrote:
> >> [...]
> >> > I'm trying to use the sync_dc script but I'm stuck at the rsync point:
> >> > from man rsync I see that the line
> >> >
> >> > rsync -X -A -u -a $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING
> >> >
> >> >       * will access via remote shell (don't need rsyncd on the other
> >> >         side)
> >>
> >> Yes, it will use ssh.
> >>
> >> >       * will use $dc_account_name\$ as the user which has to
> >> >         authenticate on the ${dc}.${domain} host
> >> >
> >> > How does rsync authenticate the given account (eg. KDC01$) on the other
> >>
> >> rsync does not do the authentication.  ssh does.  So I suspect you
> >> will need to get Kerberos working with ssh for the above to work.
> >>
> > [...]
> >
> > ok thanks.
> >
> > I'm trying to follow some topic on the internet which tells to:
> >
> > assert in ssh_config (for the client)
> > GSSAPIAuthentication yes
> > GSSAPIDelegateCredentials yes
> > GSSAPITrustDns yes
> >
> > on sshd_config enable
> > KerberosAuthentication yes
> > KerberosOrLocalPasswd yes
> > GSSAPIAuthentication yes
> > GSSAPICleanupCredentials yes
> >
> > and don't use PAM.
> >
> > With this config I can't get it working so please can you point me in the right direction?
> 
> I've never tried to get ssh working with Kerberos.
> 
> You could try doing this on the server:
> 
> # /usr/sbin/sshd -p 222 -ddd
> 
> That will run another copy of sshd on port 222 in debugging mode.
> 
> Then on the client:
> 
> # ssh -vvv -p 222 server
> 
> And see if you can figure out from the debug messages what is going wrong.
> 
> Otherwise you could use SSH with a passwordless key, but that's
> obviously less secure.
> 
> > Both DCs are working on Ubuntu 11.04 x86 server.
> >
> > Thanks in advance,
> > Daniele.
> 
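
Added example, not part of the messages above: a small check of which values sshd would actually take for the sshd_config directives quoted in the thread, plus UsePAM. The function names and the sample file are constructed for illustration. The parsing rules it relies on (case-insensitive keywords, first occurrence wins, Match blocks are conditional) are those of sshd_config.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Print the value sshd would take from the global section of a config file:
# keywords are case-insensitive, the first occurrence wins, and everything
# after a "Match" line is conditional, so scanning stops there.
effective_value() {  # usage: effective_value FILE KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            key = line; sub(/[ \t=].*$/, "", key)
            val = line; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (tolower(key) == "match") exit    # end of global section
            if (tolower(key) == want) { print val; exit }
        }
    ' "$1"
}

# Report the sshd_config directives quoted in the thread, plus UsePAM.
report_sshd() {  # usage: report_sshd FILE
    for k in KerberosAuthentication KerberosOrLocalPasswd \
             GSSAPIAuthentication GSSAPICleanupCredentials UsePAM; do
        v=$(effective_value "$1" "$k")
        printf '%-26s %s\n' "$k" "${v:-not set in global section}"
    done
}

# Constructed sample input, not a file from the thread.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# duplicate keyword in different case: the first line is the one that counts
UsePAM yes
gssapiauthentication no
GSSAPIAuthentication yes
KerberosAuthentication yes
Match User backup
    GSSAPICleanupCredentials no
EOF

report_sshd "$sample"
```

On a live server, sshd -T prints the effective configuration as sshd itself parsed it.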