[Samba] Windows pre-requisites for login with winbind?
A. James Lewis
james at fsck.co.uk
Mon Aug 21 14:18:00 UTC 2017
OK, I've made those changes, and now I cannot use kinit to verify authentication, eg:-
$ kinit user@DOMAIN.LOCAL
kinit: Cannot find KDC for realm "DOMAIN.LOCAL" while getting initial credentials
$
However, the winbind users that could log in before are still able to log in, while the ones who were not able to log in still cannot log in!...
Just to make sure I've made the changes correctly, my config is now:-
# cat krb5.conf
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
# cat smb.conf
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL
idmap config *:backend = tdb
idmap config *:range = 4000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-100000
winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%D/%U
#
August 21, 2017 2:56 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:
> On Mon, 21 Aug 2017 13:14:16 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> I'm slightly confused, you appear to have trimmed down the config,
>> but not changed anything.... would you think this would affect the
>> issue where long standing users are able to log in, but new users are
>> not... even after a couple of weeks they are not able to log in via
>> "winbind", although they can authenticate via Kerberos, and obviously
>> log in to Windows desktops.
>>
>> James
>
> Yes I trimmed your /etc/krb5.conf down to all that is required, I also
> removed all the unnecessary lines from your smb.conf, but I also
> altered two lines and added two others.
>
> Your set up was putting everything into the '*' domain and nothing into
> the 'DOMAIN' domain. You were also using the 'rid' backend for the '*'
> domain and you MUST use 'tdb' for this.
>
> Rowland
--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
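
An added example (not part of the original thread, and not Samba's own code): a small Python check for the two idmap rules stated in the quoted reply, namely that the '*' domain uses the 'tdb' backend and that the AD domain has its own idmap section, plus the smb.conf requirement that idmap ranges do not overlap. The function names and the DESCRIBED sample are assumptions made for illustration; the poster's earlier config is not shown in the thread.

```python
import re

# Constructed sample: the idmap lines from the smb.conf posted above.
POSTED = """\
[global]
workgroup = DOMAIN
idmap config *:backend = tdb
idmap config *:range = 4000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-100000
"""
# Constructed sample of the layout the reply describes (everything in '*',
# rid backend on '*'); not the poster's real earlier file, values assumed.
DESCRIBED = """\
[global]
workgroup = DOMAIN
idmap config *:backend = rid
idmap config *:range = 5000-100000
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {'backend': str, 'range': (low, high)}}."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            if key == "range":
                val = tuple(int(x) for x in val.split("-"))
            domains.setdefault(dom, {})[key] = val
    return domains

def check_idmap(text, workgroup):
    """List violations of the rules stated in the reply, plus range overlap."""
    domains, problems = parse_idmap(text), []
    if domains.get("*", {}).get("backend", "").lower() != "tdb":
        problems.append("'*' domain must use the tdb backend")
    if workgroup not in domains:
        problems.append(f"no idmap config for domain {workgroup}")
    ranged = sorted((d["range"], n) for n, d in domains.items() if "range" in d)
    for (r1, n1), (r2, n2) in zip(ranged, ranged[1:]):
        if r2[0] <= r1[1]:  # next range starts inside the previous one
            problems.append(f"ranges of {n1} and {n2} overlap")
    return problems
```

check_idmap(POSTED, "DOMAIN") returns an empty list, while the DESCRIBED sample is flagged on both points raised in the reply.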