[Samba] Winbind with krb5auth for trust users
L.P.H. van Belle
belle at bazuin.nl
Tue Aug 22 08:04:04 UTC 2017
Hai,
What's the OS used?
The first things I would check:
Did you give both servers the nfs/ SPN?
The current search order for keytabs to be used for "machine credentials":
<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>
So make sure one of these is known in the system keytab file.
The trusted domain, same REALM or other REALM, and if needed defined in krb5.conf?
And both servers have A and PTR records and are correctly resolved?
If all of the above does not work or is checked already,
you could configure idmapd.conf like this (there might be things to improve below).
(From my Debian Jessie servers; the Stretch servers don't have the idmap changes anymore.)
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain
Domain = internal.domain.tld
Local-Realm = MY_REALM
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
# consult the [Static] table first, then fall back to nsswitch
Method = static,nsswitch
GSS-Methods = static,nsswitch
[Static]
# explicit principal-to-local-user mappings for this host's machine credentials
RTD-WEB1$@MY_REALM = root
host/rtd-web1.internal.domain.tld@MY_REALM = root
nfs/rtd-web1.internal.domain.tld@MY_REALM = root
nfs/rtd-web1.internal.domain.tld@ = root
Greetz,
Louis
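An added example (not from Louis's reply or the Samba project): it walks a constructed `klist -k` listing in the machine-credential search order quoted above and reports which principal would be picked, so you can see whether your keytab actually contains a usable entry for the realm. Hostname, realm and keytab contents are assumed sample values.

```shell
#!/bin/sh
# Added example, not part of the thread: check a keytab listing against the
# rpc.gssd machine-credential search order quoted in the reply above.

# Constructed sample of `klist -k /etc/krb5.keytab` output (hypothetical host).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rtd-web1.internal.domain.tld@MY_REALM
   2 nfs/rtd-web1.internal.domain.tld@MY_REALM
   2 cifs/rtd-web1.internal.domain.tld@MY_REALM'

# Print only the principal column, skipping the three klist header lines.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 2 { print $2 }'
}

# Usage: pick_gssd_principal FQDN REALM "<klist -k output>"
# Prints the first principal matching the documented order; returns 1 if none.
pick_gssd_principal() {
    host=$1; realm=$2
    upper=$(printf '%s' "$host" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    realm_re=$(printf '%s' "$realm" | sed 's/\./\\./g')   # escape dots for grep
    principals=$(keytab_principals "$3")
    # Exact host-specific candidates first, in the documented order.
    for cand in "${upper}\$@${realm}" "root/${host}@${realm}" \
                "nfs/${host}@${realm}" "host/${host}@${realm}"; do
        printf '%s\n' "$principals" | grep -qxF "$cand" && { echo "$cand"; return 0; }
    done
    # Then the <anyname> wildcards: any root/, nfs/ or host/ principal in the realm.
    for svc in root nfs host; do
        match=$(printf '%s\n' "$principals" | grep "^${svc}/[^@]*@${realm_re}\$" | head -n 1)
        [ -n "$match" ] && { echo "$match"; return 0; }
    done
    return 1
}

# Stand-alone run against the constructed sample (expected: the nfs/ entry,
# because nfs/<hostname> precedes host/<hostname> in the search order).
pick_gssd_principal rtd-web1.internal.domain.tld MY_REALM "$SAMPLE_KEYTAB" \
    || echo "no machine-credential principal for MY_REALM in keytab" >&2
```

On a real host, replace the sample with `klist -k` output and check it for each realm the client must reach, since a trusted realm needs its own matching entry.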
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Andreas Hauffe via samba
> Sent: Tuesday 22 August 2017 9:36
> To: Andreas Hauffe via samba
> Subject: [Samba] Winbind with krb5auth for trust users
>
> Hi,
>
> I'm having trouble realizing a krb5auth with pam_winbind with
> trusted domain users (external trust) on our clients. The
> client is joined to a local domain, which has an "external
> trust" to a global domain.
>
> The following things are working for all users (local and
> trusted domain):
>
> "wbinfo -i"
> "wbinfo --pam-logon"
> "wbinfo -a"
> "kinit"
>
>
> Just "wbinfo -K" works only for local domain users. And that
> is the problem. I need the Kerberos ticket for NFS.
>
> smb.conf, krb5.conf and the other configs are taken from
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
> Just changed the domain/realm name to the local domain name.
>
> Regards
> Andreas
>