[Samba] Windows pre-requisites for login with winbind?

Rowland Penny rpenny at samba.org
Mon Aug 21 12:42:31 UTC 2017


On Mon, 21 Aug 2017 11:51:18 +0000
"A. James Lewis via samba" <samba at lists.samba.org> wrote:

> Hi all,
> 
> I've just been following a series of guides to set up "winbind"
> authentication on a container build I'm working on, but I'm seeing
> some strange behaviour....
> 
> After the "net ads join -k", some users can log in, but others cannot
> (pam says their account does not exist)... although they can all
> authenticate with kinit!
> 
> If someone has an idea why this might be, what I should change, or if
> users need to be in particular groups on the Windows side, that would
> be really useful. The users that don't work are the most recent
> ones.... which leads me to believe that there is probably some group
> they have not been added to, but I don't have much access to the AD
> to look.
> 
> My configs look like this:-

See my modifications:

KRB5.CONF
[libdefaults]
  default_realm = DOMAIN.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = true

That is all you need in krb5.conf

> SMB.CONF
[global]
  workgroup = DOMAIN
  security = ADS
  realm = DOMAIN.LOCAL

  idmap config *:backend = tdb
  idmap config *:range = 5000-9999
  idmap config DOMAIN:backend = rid
  idmap config DOMAIN:range = 10000-999999

  winbind trusted domains only = no
  winbind use default domain = yes
  winbind refresh tickets = yes
 
  template shell = /bin/bash
  template homedir = /home/%D/%U

Rowland



More information about the samba mailing list