[Samba] Windows pre-requisites for login with winbind?

A. James Lewis james at fsck.co.uk
Mon Aug 21 11:51:18 UTC 2017 

Hi all,

I've just been following a series of guides to set up "winbind" authentication on a container build I'm working on, but I'm seeing some strange behaviour....

After the "net ads join -k", some users can log in, but others cannot (pam says their account does not exist)... although they can all authenticate with kinit!

If someone has an idea why this might be, what I should change, or if users need to be in particular groups on the Windows side, that would be really useful. The users that don't work are the most recent ones.... which leads me to believe that there is probably some group they have not been added to, but I don't have much access to the AD to look.

My configs look like this:-
KRB5.CONF
[libdefaults]
 ticket_lifetime = 24000
 default_realm = DOMAIN.LOCAL
 default_tgs_entypes = rc4-hmac des-cbc-md5
 default_tkt__enctypes = rc4-hmac des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-md5
 dns_lookup_realm = true
 dns_lookup_kdc = true
 dns_fallback = yes
[realms]
 DOMAIN.LOCAL = {
 kdc = local_dc01.domain.local
 kdc = local_dc02.domain.local
 kdc = local_dc03.domain.local
 kdc = remote_dc01.domain.local
 kdc = remote_dc02.domain.local
 kdc = remote_dc03.domain.local
 kdc = local_dc10.domain.local
 kdc = local_dc11.domain.local
 admin_server = local_dc01.domain.local
 default_domain = domain.local
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL

[appdefaults]
 pam = {
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
 }

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

SMB.CONF
[global]

# netbios name = %NETBIOS_NAME%
 workgroup = DOMAIN
 security = ADS
 password server = local_dc01.domain.local, local_dc02.domain.local, local_dc03.domain.local, local_dc10.domain.local, local_dc11.domain.local, remote_dc01.domain.local, remote_dc02.domain.local, remote_dc03.domain.local
 realm = DOMAIN.LOCAL
 encrypt passwords = yes

 idmap config *:backend = rid
 idmap config *:range = 5000-100000

# winbind allow trusted domains = no
 winbind trusted domains only = no
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes
 winbind refresh tickets = yes

 template shell = /bin/bash
 template homedir = /home/%D/%U
 winbind use default domain = yes
--
A. James Lewis (james at fsck.co.uk (mailto:james at fsck.co.uk))
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."

More information about the samba mailing list