[Samba] self compiled samba domain member, jessie, pam config

Rowland Penny rowlandpenny241155 at gmail.com
Mon Oct 26 20:46:03 UTC 2015


On 26/10/15 20:22, mourik jan c heupink wrote:
> Hi,
>
> On 26-10-2015 21:03, Rowland Penny wrote:
>> How are you trying to log in with ssh ? I use it with plain passwords to
>> the DC all the time and don't have any problems.
> It seems that smb.conf cannot have
> > kerberos method = secrets and keytab
>
> If that line is in place, I cannot logon. If I take it out, I can logon.
>
> Is this normal..? (or..are you also seeing that?)

No and never seen it.

>
> Read about it here:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784656
>

Do you have /etc/krb5.keytab?

This is my smb.conf from a domain member:

[global]
     workgroup = SAMDOM
     realm = SAMDOM.EXAMPLE.COM
     security = ADS
     username map = /etc/samba/samba_usermapping
     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab
     reset on zero vc = Yes
     unix extensions = No
     client signing = if_required
     domain master = No
     host msdfs = No
     winbind enum users = Yes
     winbind enum groups = Yes
     winbind use default domain = Yes
     winbind nss info = rfc2307
     winbind refresh tickets = Yes # <-- do you have this line
     winbind offline logon = Yes
     idmap config SAMDOM:range = 10000-99999
     idmap config SAMDOM:schema_mode = rfc2307
     idmap config SAMDOM:backend = ad
     idmap config *:range = 2000-9999
     idmap config * : backend = tdb
     map acl inherit = Yes
     hide unreadable = Yes
     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
     store dos attributes = Yes
     vfs objects = acl_xattr

This is on Debian Wheezy using Version 4.2.4-SerNet-Debian-7.wheezy

If you don't have the keytab, try leaving the domain and re-joining;
this should create the keytab. If you do have the keytab, remove it,
then leave and re-join.

Rowland
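
Added example, not part of Rowland's message or of Samba itself: a shell check that the keytab implied by the "kerberos method" setting in smb.conf is present, looks like a keytab, and is not readable by group or other. The function names are hypothetical, and the default system keytab path /etc/krb5.keytab is an assumption (pass a second argument if your krb5 setup overrides it).

```shell
#!/bin/sh
# Usage: check_keytab_config /etc/samba/smb.conf [system-keytab-path]

# Print the value of a [global] parameter. smb.conf parameter names are
# case-insensitive and ignore embedded whitespace.
smb_global_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/^[ \t]*\[|\].*$/, "", s); sect = norm(s); next }
        sect == "global" && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
            if (norm(k) == norm(want)) val = v
        }
        END { print val }
    ' "$1"
}

# Return 0 if the keytab Samba will use is sane, 1 otherwise.
check_keytab_config() {
    conf=$1
    method=$(smb_global_param "$conf" "kerberos method" | tr 'A-Z' 'a-z')
    case $method in
        ""|default|"secrets only") echo "OK: no keytab in use"; return 0 ;;
        "dedicated keytab") kt=$(smb_global_param "$conf" "dedicated keytab file") ;;
        # Assumption: the system keytab lives at /etc/krb5.keytab unless overridden
        "system keytab"|"secrets and keytab") kt=${2:-/etc/krb5.keytab} ;;
        *) echo "FAIL: unknown kerberos method '$method'"; return 1 ;;
    esac
    [ -n "$kt" ] || { echo "FAIL: dedicated keytab file not set"; return 1; }
    [ -s "$kt" ] || { echo "FAIL: $kt missing or empty; leave and re-join the domain"; return 1; }
    # Keytab files start with 0x05 followed by the format version (0x01 or 0x02)
    magic=$(od -An -tx1 -N2 "$kt" | tr -d ' \n')
    case $magic in
        0501|0502) ;;
        *) echo "FAIL: $kt is not a keytab (magic $magic)"; return 1 ;;
    esac
    # The keytab holds the machine account keys: group/other bits must all be '-'
    perms=$(ls -ld "$kt" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "FAIL: $kt accessible to group/other ($perms)"; return 1; }
    echo "OK: $kt"
}
```

Source the file and run check_keytab_config against the member's smb.conf as root; a non-zero return on a missing or empty keytab is the case where leaving and re-joining the domain, as described above, applies.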




