[Samba] Windows pre-requisites for login with winbind?
Rowland Penny
rpenny at samba.org
Mon Aug 21 12:42:31 UTC 2017
On Mon, 21 Aug 2017 11:51:18 +0000
"A. James Lewis via samba" <samba at lists.samba.org> wrote:
> Hi all,
>
> I've just been following a series of guides to set up "winbind"
> authentication on a container build I'm working on, but I'm seeing
> some strange behaviour....
>
> After the "net ads join -k", some users can log in, but others cannot
> (pam says their account does not exist)... although they can all
> authenticate with kinit!
>
> If someone has an idea why this might be, what I should change, or if
> users need to be in particular groups on the Windows side, that would
> be really useful. The users that don't work are the most recent
> ones.... which leads me to believe that there is probably some group
> they have not been added to, but I don't have much access to the AD
> to look.
>
> My configs look like this:-

See my modifications:

KRB5.CONF

[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

That is all you need in krb5.conf

> SMB.CONF

[global]
    workgroup = DOMAIN
    security = ADS
    realm = DOMAIN.LOCAL

    idmap config *:backend = tdb
    idmap config *:range = 5000-9999
    idmap config DOMAIN:backend = rid
    idmap config DOMAIN:range = 10000-999999

    winbind trusted domains only = no
    winbind use default domain = yes
    winbind refresh tickets = yes

    template shell = /bin/bash
    template homedir = /home/%D/%U

Rowland