[Samba] Windows pre-requisites for login with winbind?
A. James Lewis
james at fsck.co.uk
Mon Aug 21 11:51:18 UTC 2017
Hi all,
I've just been following a series of guides to set up "winbind" authentication on a container build I'm working on, but I'm seeing some strange behaviour....
After the "net ads join -k", some users can log in, but others cannot (pam says their account does not exist)... although they can all authenticate with kinit!
If someone has an idea why this might be, what I should change, or if users need to be in particular groups on the Windows side, that would be really useful. The users that don't work are the most recent ones.... which leads me to believe that there is probably some group they have not been added to, but I don't have much access to the AD to look.
My configs look like this:-
KRB5.CONF
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.LOCAL
default_tgs_entypes = rc4-hmac des-cbc-md5
default_tkt__enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes
[realms]
DOMAIN.LOCAL = {
kdc = local_dc01.domain.local
kdc = local_dc02.domain.local
kdc = local_dc03.domain.local
kdc = remote_dc01.domain.local
kdc = remote_dc02.domain.local
kdc = remote_dc03.domain.local
kdc = local_dc10.domain.local
kdc = local_dc11.domain.local
admin_server = local_dc01.domain.local
default_domain = domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
SMB.CONF
[global]
# netbios name = %NETBIOS_NAME%
workgroup = DOMAIN
security = ADS
password server = local_dc01.domain.local, local_dc02.domain.local, local_dc03.domain.local, local_dc10.domain.local, local_dc11.domain.local, remote_dc01.domain.local, remote_dc02.domain.local, remote_dc03.domain.local
realm = DOMAIN.LOCAL
encrypt passwords = yes
idmap config *:backend = rid
idmap config *:range = 5000-100000
# winbind allow trusted domains = no
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = yes
--
A. James Lewis (james at fsck.co.uk (mailto:james at fsck.co.uk))
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
More information about the samba
mailing list