[Samba] Winbind with krb5auth for trust users

L.P.H. van Belle belle@bazuin.nl
Tue Aug 22 08:04:04 UTC 2017


Hai, 

What's the OS used?

The first things I would check:

Did you give both servers the nfs/ SPN?
The current search order for keytabs to be used for "machine credentials":
<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>

So make sure one of these is known in the system keytab file.
The trusted domain: same REALM or other REALM, and if needed, defined in krb5.conf?

And do both servers have A and PTR records, and are they correctly resolved?

If all of the above does not work or is checked already, you could configure idmap.conf like this (there might be things to improve below; this is from my Debian Jessie servers, the Stretch servers don't have the idmap changes anymore).

[General]

Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs

# set your own domain here, if it differs from the FQDN minus the hostname
# Domain = localdomain
Domain = internal.domain.tld
Local-Realm = MY_REALM

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
RTD-WEB1$@MY_REALM = root
host/rtd-web1.internal.domain.tld@MY_REALM = root
nfs/rtd-web1.internal.domain.tld@MY_REALM = root
nfs/rtd-web1.internal.domain.tld@ = root



Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of 
> Andreas Hauffe via samba
> Sent: Tuesday 22 August 2017 9:36
> To: Andreas Hauffe via samba
> Subject: [Samba] Winbind with krb5auth for trust users
> 
> Hi,
> 
> I'm having trouble realizing krb5auth with pam_winbind with 
> trusted domain users (external trust) on our clients. The 
> client is joined to a local domain, which has an "external 
> trust" to a global domain.
> 
> The following things are working for all users (local and 
> trusted domain):
> 
> "wbinfo -i"
> "wbinfo --pam-logon"
> "wbinfo -a"
> "kinit"
> 
> 
> Just "wbinfo -K" works only for local domain users. And that 
> is the problem. I need the Kerberos ticket for NFS.
> 
> smb.conf, krb5.conf and the other configs are taken from 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member. 
> Just changed the domain/realm name to the local domain name.
> 
> Regards
> Andreas
> 
> 
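An added check, not part of either mail in this thread: it reads the output of `klist -k /etc/krb5.keytab` and reports the first principal that fits the search order Louis lists above, so you can see which entry rpc.gssd would pick for machine credentials. The hostname, realm and the sample keytab listing are constructed for the example; the listing mimics the header and column layout `klist -k` prints.

```shell
#!/bin/sh
# Added example (not from the thread): find the first keytab principal that
# matches the machine-credential search order quoted in the mail above.
# first_machine_principal HOSTNAME REALM < klist-output
# Prints the matching principal and returns 0; returns 1 if none is present.
first_machine_principal() {
    host="$1"; realm="$2"
    # <HOSTNAME>$ is the short hostname, upper-cased, with a trailing '$'
    upper=$(printf '%s' "$host" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    # klist -k prints "KVNO Principal" rows; keep rows whose first column is the KVNO
    princs=$(awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u)
    # Exact <hostname> entries first, in the documented order
    for cand in "${upper}\$@$realm" "root/$host@$realm" "nfs/$host@$realm" \
                "host/$host@$realm"; do
        if printf '%s\n' "$princs" | grep -qxF "$cand"; then
            printf '%s\n' "$cand"; return 0
        fi
    done
    # Then the <anyname> fallbacks, per service, in the same order
    for svc in root nfs host; do
        m=$(printf '%s\n' "$princs" | grep "^$svc/[^@]*@$realm\$" | head -n 1)
        if [ -n "$m" ]; then
            printf '%s\n' "$m"; return 0
        fi
    done
    return 1
}

# Constructed sample of what `klist -k /etc/krb5.keytab` prints (hypothetical host/realm)
SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rtd-web1.internal.domain.tld@MY_REALM
   2 RTD-WEB1$@MY_REALM
   2 nfs/rtd-web1.internal.domain.tld@MY_REALM'

# Run directly as: ./check-keytab.sh rtd-web1.internal.domain.tld MY_REALM
if [ "$#" -eq 2 ]; then
    if p=$(klist -k /etc/krb5.keytab | first_machine_principal "$1" "$2"); then
        echo "machine credential principal: $p"
    else
        echo "no usable principal in /etc/krb5.keytab; add a host/ or nfs/ SPN" >&2
        exit 1
    fi
fi
```

Run it on both NFS server and client; if it reports nothing, the keytab is missing every principal the search order accepts, which matches the "only local domain users get a ticket for NFS" symptom when the trusted-domain side never even reaches the keytab.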
