[Samba] Windows pre-requisites for login with winbind?

A. James Lewis james at fsck.co.uk
Mon Aug 21 13:14:16 UTC 2017


I'm slightly confused, you appear to have trimmed down the config, but not changed anything.... would you think this would affect the issue where long standing users are able to log in, but new users are not... even after a couple of weeks they are not able to log in via "winbind", although they can authenticate via Kerberos, and obviously log in to Windows desktops.

James


August 21, 2017 1:45 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Mon, 21 Aug 2017 11:51:18 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
> 
>> Hi all,
>> 
>> I've just been following a series of guides to set up "winbind"
>> authentication on a container build I'm working on, but I'm seeing
>> some strange behaviour....
>> 
>> After the "net ads join -k", some users can log in, but others cannot
>> (pam says their account does not exist)... although they can all
>> authenticate with kinit!
>> 
>> If someone has an idea why this might be, what I should change, or if
>> users need to be in particular groups on the Windows side, that would
>> be really useful. The users that don't work are the most recent
>> ones.... which leads me to believe that there is probably some group
>> they have not been added to, but I don't have much access to the AD
>> to look.
>> 
>> My configs look like this:-
> 
> See my modifications:
> 
> KRB5.CONF
> [libdefaults]
> default_realm = DOMAIN.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
> 
> That is all you need in krb5.conf
> 
>> SMB.CONF
> 
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.LOCAL
> 
> idmap config *:backend = tdb
> idmap config *:range = 5000-9999
> idmap config DOMAIN:backend = rid
> idmap config DOMAIN:range = 10000-999999
> 
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind refresh tickets = yes
> 
> template shell = /bin/bash
> template homedir = /home/%D/%U
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
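
Added example (not part of the thread and not Samba code): a small check of how the `rid` backend in the smb.conf quoted above turns a user's RID into a Unix ID, using the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, and which RIDs fall outside the configured range. The `base_rid` default of 0 is taken from that man page; the SIDs are constructed sample values, and the helper names are hypothetical.

```python
import re

# idmap lines of the smb.conf fragment quoted in the thread above.
SMB_CONF = """
[global]
idmap config *:backend = tdb
idmap config *:range = 5000-9999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 10000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Collect 'idmap config <domain>:<option> = <value>' lines per domain."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def _range(cfg):
    low, high = (int(x) for x in cfg["range"].split("-"))
    return low, high, int(cfg.get("base_rid", 0))  # base_rid defaults to 0

def rid_to_unix_id(cfg, rid):
    """Apply ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    if cfg.get("backend") != "rid":
        raise ValueError("domain does not use the rid backend")
    low, high, base_rid = _range(cfg)
    unix_id = rid - base_rid + low
    return unix_id if rid >= base_rid and unix_id <= high else None

def max_mappable_rid(cfg):
    """Highest RID that still lands inside the configured range."""
    low, high, base_rid = _range(cfg)
    return high - low + base_rid

def check_sids(conf_text, domain, sids):
    """Map each SID's final component (the RID) to a Unix ID or None."""
    cfg = parse_idmap(conf_text)[domain.upper()]
    return {sid: rid_to_unix_id(cfg, int(sid.rsplit("-", 1)[1])) for sid in sids}

# Constructed SIDs (not from the thread): a low RID and a very high one.
SAMPLE_SIDS = ["S-1-5-21-1111111111-2222222222-3333333333-1104",
               "S-1-5-21-1111111111-2222222222-3333333333-1250000"]

if __name__ == "__main__":
    for sid, uid in check_sids(SMB_CONF, "DOMAIN", SAMPLE_SIDS).items():
        print(sid, "->", uid if uid is not None else "outside idmap range")
```

On a joined host, `wbinfo -n <user>` shows the real SID to feed into this check.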


