[Samba] Windows pre-requisites for login with winbind?

A. James Lewis james at fsck.co.uk
Mon Aug 21 14:18:00 UTC 2017


OK, I've made those changes, and now I cannot use kinit to verify authentication, eg:-

$ kinit user@DOMAIN.LOCAL
kinit: Cannot find KDC for realm "DOMAIN.LOCAL" while getting initial credentials
$

However, the winbind users that could log in before are still able to log in, while the ones who were not able to log in still cannot log in!... 

Just to make sure I've made the changes correctly, my config is now:-

# cat krb5.conf
[libdefaults]
	default_realm = DOMAIN.LOCAL
	dns_lookup_realm = false
	dns_lookup_kdc = true

# cat smb.conf
[global]
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.LOCAL

   idmap config *:backend = tdb
   idmap config *:range = 4000-4999
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range = 5000-100000

   winbind trusted domains only = no
   winbind use default domain = yes
   winbind refresh tickets = yes

   template shell = /bin/bash
   template homedir = /home/%D/%U
# 



August 21, 2017 2:56 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Mon, 21 Aug 2017 13:14:16 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
> 
>> I'm slightly confused, you appear to have trimmed down the config,
>> but not changed anything.... would you think this would affect the
>> issue where long standing users are able to log in, but new users are
>> not... even after a couple of weeks they are not able to log in via
>> "winbind", although they can authenticate via Kerberos, and obviously
>> log in to Windows desktops.
>> 
>> James
> 
> Yes I trimmed your /etc/krb5.conf down to all that is required, I also
> removed all the unnecessary lines from your smb.conf, but I also
> altered two lines and added two others.
> 
> Your set up was putting everything into the '*' domain and nothing into
> the 'DOMAIN' domain. You were also using the 'rid' backend for the '*'
> domain and you MUST use 'tdb' for this.
> 
> Rowland
> 

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
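
Added example, not part of the original thread and not Samba project code: a small checker for the idmap lines in the smb.conf shown above. It applies the rule from the quoted reply ('*' must use tdb), flags overlapping ID ranges, and computes the rid backend mapping ID = RID - BASE_RID + LOW_RANGE_ID as documented in idmap_rid(8). The sample RID in the usage line and the helper names are constructed for illustration.

```python
import re

# Constructed sample: the idmap lines of the smb.conf quoted in the message above.
SAMPLE = """\
   workgroup = DOMAIN
   idmap config *:backend = tdb
   idmap config *:range = 4000-4999
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range = 5000-100000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(\S+)", re.I)

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue  # not an idmap line
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry[key] = val.lower()
    return domains

def check_idmap(domains):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if domains.get("*", {}).get("backend") != "tdb":
        findings.append("'*' domain backend is not tdb")
    for name, d in domains.items():
        if "range" not in d:
            findings.append(f"{name} has no ID range")
    # Sorted by low bound, any overlap shows up between neighbours.
    ranged = sorted((d["range"], n) for n, d in domains.items() if "range" in d)
    for (r1, n1), (r2, n2) in zip(ranged, ranged[1:]):
        if r2[0] <= r1[1]:
            findings.append(f"ID ranges of {n1} and {n2} overlap")
    return findings

def rid_to_id(rid, id_range, base_rid=0):
    """idmap_rid mapping; None when the result falls outside the range."""
    unix_id = rid - base_rid + id_range[0]
    return unix_id if id_range[0] <= unix_id <= id_range[1] else None
```

For the DOMAIN range above, rid_to_id(1105, (5000, 100000)) gives 6105, and any RID above 95000 returns None because the resulting ID would exceed the top of the range.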


