[Samba] Winbind with krb5auth for trust users

L.P.H. van Belle belle at bazuin.nl
Tue Aug 22 08:04:04 UTC 2017


What's the OS used?

The first things I would check.

Did you give both servers the nfs/ SPN?
The current search order for keytabs to be used for "machine credentials":

So make sure one of these is known in the system keytab file.
The trusted domain, same REALM or other REALM, and if needed defined in krb5.conf?

And both servers have A and PTR records and are correctly resolved?

If all of the above does not work or is checked already,
you could configure idmapd.conf like this. (There might be things to improve below.)
(From my Debian jessie servers; the stretch servers don't have the idmap changes anymore.)


[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs

# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = internal.domain.tld
# idmapd.conf(5) spells this key Local-Realms (comma-separated list)
Local-Realms = MY_REALM

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
host/rtd-web1.internal.domain.tld@MY_REALM = root
nfs/rtd-web1.internal.domain.tld@MY_REALM = root
nfs/rtd-web1.internal.domain.tld@ = root



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Andreas Hauffe via samba
> Sent: Tuesday 22 August 2017 9:36
> To: Andreas Hauffe via samba
> Subject: [Samba] Winbind with krb5auth for trust users
> Hi,
> I'm having trouble realizing a krb5auth with pam_winbind with 
> trusted domain users (external trust) on our clients. The 
> client is joined to a local domain, which has an "external 
> trust" to a global domain.
> The following things are working for all users (local and 
> trusted domain):
> "wbinfo -i"
> "wbinfo --pam-logon"
> "wbinfo -a"
> "kinit"
> Just "wbinfo -K" works only for local domain users. And that 
> is the problem. I need the Kerberos ticket for NFS.
> smb.conf, krb5.conf and the other configs are taken from 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member. 
> Just changed the domain/realm name to the local domain name.
> Regards
> Andreas

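The two checks the reply asks for first (is the nfs/ principal actually in the system keytab, and do the A and PTR records of both servers agree?) can be scripted so they are run the same way on every member server. The script below is an added example, not part of either mail and not Samba or nfs-utils code. The hostname, realm, addresses, the `klist -k` listing and the DNS records are constructed sample data; on a real server you would feed it `klist -k /etc/krb5.keytab` and replace the two fake resolver functions with `dig +short A` and `dig +short -x`.

```shell
#!/bin/sh
# Added example: keytab and A/PTR sanity checks for an NFS-over-Kerberos member server.
# All hostnames, addresses, the keytab listing and the DNS records below are constructed.

HOST="rtd-web1.internal.domain.tld"   # hypothetical member server
REALM="MY_REALM"                       # hypothetical realm

# Constructed stand-in for the output of `klist -k /etc/krb5.keytab`.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rtd-web1.internal.domain.tld@MY_REALM
   2 nfs/rtd-web1.internal.domain.tld@MY_REALM
   2 RTD-WEB1$@MY_REALM'

# Constructed forward (A) and reverse (PTR) records. The second host has a stale
# PTR that points at an old name, the failure the reply tells you to look for.
FAKE_ZONE='A rtd-web1.internal.domain.tld 10.0.0.11
A rtd-nfs1.internal.domain.tld 10.0.0.12
PTR 10.0.0.11 rtd-web1.internal.domain.tld.
PTR 10.0.0.12 old-name.internal.domain.tld.'

# Return 0 if the keytab listing contains the principal exactly (case-sensitive,
# realm included). Argument 1: listing text, argument 2: principal.
keytab_has_principal() {
    listing="$1"; principal="$2"
    printf '%s\n' "$listing" | awk -v p="$principal" '$2 == p { found = 1 } END { exit !found }'
}

# Fake resolvers over FAKE_ZONE. On a real host replace the bodies with
# `dig +short A "$1"` and `dig +short -x "$1"` respectively.
resolve_a()   { printf '%s\n' "$FAKE_ZONE" | awk -v h="$1" '$1 == "A"   && $2 == h { print $3 }'; }
resolve_ptr() { printf '%s\n' "$FAKE_ZONE" | awk -v a="$1" '$1 == "PTR" && $2 == a { print $3 }'; }

# Return 0 only when the host has an A record and the PTR for that address
# maps back to the same name (trailing dot on the PTR target is tolerated).
forward_reverse_consistent() {
    host="$1"
    addr=$(resolve_a "$host")
    [ -n "$addr" ] || return 1
    ptr=$(resolve_ptr "$addr")
    ptr="${ptr%.}"
    [ "$ptr" = "$host" ]
}

# Stand-alone run: report both checks for the example host.
if keytab_has_principal "$SAMPLE_KEYTAB_LISTING" "nfs/$HOST@$REALM"; then
    echo "OK: nfs/$HOST@$REALM is in the keytab"
else
    echo "MISSING: nfs/$HOST@$REALM is not in the keytab"
fi
if forward_reverse_consistent "$HOST"; then
    echo "OK: A and PTR records agree for $HOST"
else
    echo "MISMATCH: A/PTR records for $HOST do not agree"
fi
```

Run it against every server involved in the mount (client and NFS server), not just the one that fails, since both need a usable nfs/ principal and consistent reverse DNS before Kerberos NFS will work.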