[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Tue Jul 29 09:17:38 MDT 2014


I just checked and I only have */etc/krb5.conf* in */etc*. No keytab. I 
am pasting the provision information from my history as root on the DC.

samba-tool domain provision --use-rfc2307 --interactive

I gave the domain the name "truevine.lan". I also noted that there is no 
Kerberos keytab on the DC. I followed the guides to the letter in both 
cases, and neither mentions what you are telling me. I am not disputing 
you, but if this stuff is required, it needs to be in the guide/wiki. 
That is why I started asking questions. I understand the guides and have 
been a Windows admin for years, but doing it with Samba is still new, 
and I love it, though I must learn a standard way to do this so it will 
always work.

On 07/29/2014 10:51 AM, Rowland Penny wrote:
> On 29/07/14 15:33, Ryan Ashley wrote:
>> I will checkout the module later. Working is my top priority as you 
>> stated. However, you have me curious now. If this keytab is created, 
>> where the heck is it created? I am looking for it in /var/lib/samba, 
>> /etc, and other places. None of my member servers have it and they 
>> all seem to work, minus this stubborn one of course.
>
> If you set smb.conf up correctly and then run 'net ads join -U 
> Administrator@EXAMPLE.COM', you should find that /etc/krb5.keytab is 
> created.
>
>>
>> Also, I did a test earlier and wanted to share the results. This 
>> thing keeps complaining about an idmap ad backend not being found, 
>> and I honestly believe that is the issue, not Kerberos. I am trying 
>> your suggestion because maybe this backend is stored in Kerberos, who 
>> knows. Either way, I am being flooded with errors about this "idmap 
>> backend ad" not being found.
>
> The 'idmap backend ad' is part of winbind, and as such, should be 
> available. If I remember correctly you are using a S4 AD DC, can you 
> remember how you provisioned it ?
>
>>
>>
>> Anyway, I had already added winbind to nsswitch.conf for users and 
>> groups, so I wanted to verify the same UID/GID was being pulled. I 
>> wiped the winbind idmap tdb files and rebooted. Got the same IDs 
>> after it rebooted and created the files again, so no issue there. For 
>> example, the "Domain Users" group always has an ID of 70001. That 
>> much is working. So what in the heck does the missing backend do? 
>> Something is already mapping domain users and groups to IDs, so I am 
>> scratching my head on this one.
>
> The 'idmap backend ad' is one that pulls all the user and group info 
> from RFC2307 attributes on the AD server.
>
> Rowland
>
>>
>> On 07/29/2014 10:22 AM, Rowland Penny wrote:
>>> On 29/07/14 15:00, Ryan Ashley wrote:
>>>> I understand the basics of Kerberos, but the reason that I am 
>>>> asking is because I have dozens of S4 servers in production 
>>>> environments and have never had to create the keytab you mentioned. 
>>>> They all just worked.
>>>
>>> If, when you talk about S4 servers, you mean as an AD DC, then yes 
>>> you do not require the keytab, but on a member server (or client) 
>>> when you join the domain with the net command, the keytab is 
>>> created.
>>>>
>>>> Now, I do not mind modifying my pam settings as I have done on 
>>>> loads of Linux workstations which are joined to an AD domain, but 
>>>> how would I prevent the login of users? I have a home directory and 
>>>> cannot remove it, so there is technically a place for their home 
>>>> directories. In Windows I would simply modify group policy to deny 
>>>> logon, but we both know Linux knows nothing of a GPO. So without 
>>>> removing "/home", how would I prevent login?
>>>>
>>>> My plan now is to modify pam first, then if needed, do the keytab.
>>>
>>> I would do it the other way, get everything to work and then if need 
>>> be, stop user login with PAM. If you install
>>> the packages I suggested, PAM will do all the work for you 
>>> initially. You could also investigate a PAM module called 
>>> 'pam_nologin' , you should be able to guess what this does ;-)
>>>
>>> Rowland
>>>
>>
>
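The replies above turn on two things a member server needs and a DC does not: the smb.conf parameters behind 'idmap config DOMAIN : backend = ad' (which reads RFC2307 uidNumber/gidNumber attributes from AD) and the /etc/krb5.keytab that 'net ads join' writes. The script below is an added example, not code from this thread or from the Samba project: it audits a member server's smb.conf for those parameters and checks that the keytab exists and is not world-readable. It assumes the workgroup TRUEVINE and realm TRUEVINE.LAN named in the thread, and the sample smb.conf inside demo() is constructed for the example.

```shell
#!/bin/sh
# Added example (not from this thread or the Samba project): audit a Samba
# member server for the 'idmap config <DOMAIN> : backend = ad' settings the
# ad backend needs, and for the /etc/krb5.keytab that 'net ads join' creates.
# Assumptions: workgroup TRUEVINE / realm TRUEVINE.LAN (the domain named in
# the thread); the smb.conf written by demo() is a constructed sample.

# has_setting TEXT PREFIX: succeed if some line of TEXT starts with PREFIX
# (literal comparison, no regex).
has_setting() {
    printf '%s\n' "$1" | awk -v p="$2" 'index($0, p) == 1 { found = 1 } END { exit !found }'
}

# check_idmap_ad CONF WORKGROUP: print one line per parameter the ad backend
# needs; return 0 only when all of them are present.
check_idmap_ad() {
    conf=$1; wg=$2; rc=0
    # smb.conf parameter names are case-insensitive and tolerate any spacing
    # around ':' and '=', so compare with all whitespace stripped and the text
    # lower-cased; comment lines (# or ;) are dropped first.
    norm=$(sed -e '/^[[:space:]]*[#;]/d' -e 's/[[:space:]]//g' "$conf" | tr '[:upper:]' '[:lower:]')
    # 'kerberos method' must name a keytab (secrets and keytab, system keytab or
    # dedicated keytab) for the join to write /etc/krb5.keytab; the common
    # recommendation is checked here.
    for want in \
        "security = ads" \
        "kerberos method = secrets and keytab" \
        "idmap config * : backend = tdb" \
        "idmap config * : range =" \
        "idmap config $wg : backend = ad" \
        "idmap config $wg : schema_mode = rfc2307" \
        "idmap config $wg : range =" \
        "winbind nss info = rfc2307"
    do
        key=$(printf '%s' "$want" | sed 's/[[:space:]]//g' | tr '[:upper:]' '[:lower:]')
        if has_setting "$norm" "$key"; then
            echo "ok       $want"
        else
            echo "MISSING  $want"; rc=1
        fi
    done
    return $rc
}

# check_keytab PATH: the keytab holds the host's long-term Kerberos keys, so it
# must exist and must not be readable by anyone but root.
check_keytab() {
    kt=$1
    if [ ! -f "$kt" ]; then
        echo "MISSING  $kt (a member server gets it from 'net ads join')"
        return 1
    fi
    # The 8th character of 'ls -l' output is the world-readable bit.
    case "$(ls -ld "$kt")" in
        ???????r*) echo "WARN     $kt is world-readable; expected mode 0600"; return 1 ;;
    esac
    echo "ok       $kt present and not world-readable"
    return 0
}

# demo: run both checks against a constructed member-server smb.conf and the
# real keytab path.
demo() {
    dir=$(mktemp -d)
    # constructed sample: a member server config for the thread's domain
    cat > "$dir/smb.conf" <<'EOF'
[global]
   workgroup = TRUEVINE
   realm = TRUEVINE.LAN
   security = ads
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config TRUEVINE : backend = ad
   idmap config TRUEVINE : schema_mode = rfc2307
   idmap config TRUEVINE : range = 10000-999999
   winbind nss info = rfc2307
EOF
    echo "== $dir/smb.conf"
    check_idmap_ad "$dir/smb.conf" TRUEVINE
    echo "== keytab"
    check_keytab /etc/krb5.keytab
    rm -rf "$dir"
}

demo
```

Point check_idmap_ad at the real /etc/samba/smb.conf on the stubborn member server; a MISSING line for schema_mode or the domain range is the usual reason winbind reports that the ad backend is unavailable even though the '*' tdb range is silently handing out IDs (which is also why "Domain Users" keeps getting the same allocated ID from the tdb rather than its gidNumber from AD).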
