[Samba] Windows pre-requisites for login with winbind?

A. James Lewis james at fsck.co.uk
Mon Aug 21 16:15:33 UTC 2017


Rowland,

I guess you have probably uncovered an issue in the environment which is resulting in the Kerberos issues, probably that there is nothing in "broadcast" range of the host which may be why I ended up having to explicitly state the password server etc...

That said, the error says "cifs/LOCAL_AD02.domain.local at DOMAIN.LOCAL", and the host "LOCAL_AD02" is nowhere in the configuration and I can resolve the name "LOCAL_AD02.domain.local" and connect to it on port 88, so I don't see why it has an issue.

This said, I still think there is also an issue in AD, such that the more recently created users are missing a group or some parameter that allows them to work in "winbind", since many users do work... Independently of the issue with finding a KDC, is there any property in AD that is required to log in with winbind that a user might be missing?

James


August 21, 2017 4:40 PM, "A. James Lewis via samba" <samba at lists.samba.org> wrote:

> OK, obviously I am slightly sanitising the output here, but I'm preserving the case, and just
> replacing local names with generic ones as I did for the config.
> 
> # more /etc/hostname
> hostname01
> 
> # more /etc/hosts
> 127.0.0.1 localhost
> 127.0.1.1 hostname01
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> # more /etc/resolv.conf
> search domain.local
> nameserver 10.0.3.1
> 
> # more /etc/nsswitch.conf 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
> 
> hosts: files dns
> networks: files
> 
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> 
> netgroup: nis
> # 
> 
> James
> 
> August 21, 2017 3:54 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:
> 
>> On Mon, 21 Aug 2017 14:32:16 +0000
>> "A. James Lewis" <james at fsck.co.uk> wrote:
>> 
>>> Also, I see the following repeated in syslog:-
>>> 
>>> ==> syslog <==
>>> Aug 21 15:25:41 hostname01 winbindd[691]: [2017/08/21 15:25:41.438959, 0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
>>> Aug 21 15:25:41 hostname01 winbindd[691]: Kinit for HOSTNAME01$@DOMAIN.LOCAL to access cifs/LOCAL_AD02.domain.local at DOMAIN.LOCAL failed: Cannot contact any KDC for requested realm
>>> 
>>> When one of the suspect users tries to log in I get:-
>>> 
>>> ==> auth.log <==
>>> Aug 21 15:25:14 op-sdes-dsk01 su[690]: No passwd entry for user 'username'
>>> Aug 21 15:25:14 op-sdes-dsk01 su[690]: FAILED su for username by root
>>> Aug 21 15:25:14 op-sdes-dsk01 su[690]: - ??? root:username
>>> 
>>> However, other AD users do work correctly.
>>> 
>>> This is Samba 4.5.8 BTW...
>> 
>> OK, can you post the following files:
>> 
>> /etc/hostname
>> /etc/hosts
>> /etc/resolv.conf
>> /etc/nsswitch.conf
>> 
>> Rowland
>> 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
> 
> --
> A. James Lewis (james at fsck.co.uk)
> "Engineering does not require science. Science helps a lot but people
> built perfectly good brick walls long before they knew why cement works."

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."


