[Samba] Winbind with krb5auth for trust users

Andreas Hauffe andreas.hauffe at tu-dresden.de
Tue Aug 22 09:25:58 UTC 2017


Hi,

thanks for the fast answer.

All DCs (local and trusted domain) are running on Windows Server 2012. The 
client is running on openSUSE Leap 42.3. The Samba version is 4.6.5.

Right now I'm a step before NFS. At first I just want to authorize users 
with krb5auth.

The error is:

mlrlinux:~ # wbinfo -K GLOBALDOM\\globdomuser
Enter GLOBALDOM\globdomuser's password:
plaintext kerberos password authentication for [GLOBALDOM\globdomuser] failed (requesting cctype: FILE)
wbcLogonUser(GLOBALDOM\globdomuser): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user [GLOBALDOM\globdomuser] with Kerberos (ccache: FILE)

DNS resolution is working. I'm able to get the credentials for a 
GLOBDOM user with kinit, which should not work if DNS resolution has 
errors, right?

Andreas


On 22.08.2017 at 10:04, L.P.H. van Belle via samba wrote:
> Hai,
>
> What's the OS used?
>
> The first things I would check:
>
> Did you give both servers the nfs/ SPN?
> The current search order for keytabs to be used for "machine credentials":
> <HOSTNAME>$@<REALM>
> root/<hostname>@<REALM>
> nfs/<hostname>@<REALM>
> host/<hostname>@<REALM>
> root/<anyname>@<REALM>
> nfs/<anyname>@<REALM>
> host/<anyname>@<REALM>
>
> So make sure one of these is known in the system keytab file.
> The trusted domain: same REALM or another REALM, and if needed, is it defined in krb5.conf?
>
> And do both servers have A and PTR records, and are they correctly resolved?
>
> If all of the above does not work or is checked already,
> you could configure idmap.conf like this (there might be things to improve below).
> (From my Debian jessie servers; the stretch servers don't have the idmap changes anymore.)
>
> [General]
>
> Verbosity = 0
> Pipefs-Directory = /run/rpc_pipefs
>
> # set your own domain here, if it differs from FQDN minus hostname
> # Domain = localdomain
> Domain = internal.domain.tld
> Local-Realm = MY_REALM
>
> [Mapping]
>
> Nobody-User = nobody
> Nobody-Group = nogroup
>
> [Translation]
> Method = static,nsswitch
> GSS-Methods = static,nsswitch
>
> [Static]
> RTD-WEB1$@MY_REALM = root
> host/rtd-web1.internal.domain.tld@MY_REALM = root
> nfs/rtd-web1.internal.domain.tld@MY_REALM = root
> nfs/rtd-web1.internal.domain.tld@ = root
>
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Andreas Hauffe via samba
>> Sent: Tuesday, 22 August 2017 9:36
>> To: Andreas Hauffe via samba
>> Subject: [Samba] Winbind with krb5auth for trust users
>>
>> Hi,
>>
>> I'm having trouble realizing a krb5auth with pam_winbind with
>> trusted domain users (external trust) on our clients. The
>> client is joined to a local domain, which has an "external
>> trust" to a global domain.
>>
>> The following things are working for all users (local and
>> trusted domain):
>>
>> "wbinfo -i"
>> "wbinfo --pam-logon"
>> "wbinfo -a"
>> "kinit"
>>
>>
>> Just "wbinfo -K" works only for local domain users. And that
>> is the problem. I need the Kerberos ticket for NFS.
>>
>> smb.conf, krb5.conf and the other configs are taken from
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
>> I just changed the domain/realm name to the local domain name.
>>
>> Regards
>> Andreas
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>

-- 
Kind regards
Andreas Hauffe
Head of the research field "Auslegungsmethoden für Luftfahrzeuge"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de
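Not part of the thread: an added shell example that applies the rpc.gssd "machine credentials" search order quoted by Louis above to a `klist -k` listing, so a client can be checked for a usable keytab entry before trying `wbinfo -K` or an NFS mount. Hostname, FQDN, realm and the two keytab listings are constructed placeholders; `check_keytab_file` is a hypothetical wrapper that runs the real `klist -k` on a live system.

```sh
#!/bin/sh
# Added example, not code from the thread. Checks a `klist -k` listing for a
# principal that rpc.gssd accepts as "machine credentials", in the search
# order quoted in the thread:
#   <HOSTNAME>$@<REALM>, root/<hostname>@<REALM>, nfs/<hostname>@<REALM>,
#   host/<hostname>@<REALM>, root/<anyname>@<REALM>, nfs/<anyname>@<REALM>,
#   host/<anyname>@<REALM>
# Hostname, FQDN, realm and the sample listings below are constructed.

# Print the principals (second column) of a `klist -k` listing, skipping the
# "Keytab name:" and "KVNO Principal" header lines: data rows start with a
# numeric KVNO.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# find_machine_principal HOST FQDN REALM LISTING
# Prints the first principal matching the search order and returns 0;
# prints nothing and returns 1 when the keytab holds none of them.
find_machine_principal() {
    host=$1; fqdn=$2; realm=$3; listing=$4
    upper_host=$(printf '%s' "$host" | tr '[:lower:]' '[:upper:]')
    principals=$(keytab_principals "$listing")
    # Most specific first; the <anyname> forms are shell globs.
    for pattern in \
        "${upper_host}\$@${realm}" \
        "root/${fqdn}@${realm}" \
        "nfs/${fqdn}@${realm}" \
        "host/${fqdn}@${realm}" \
        "root/*@${realm}" \
        "nfs/*@${realm}" \
        "host/*@${realm}"
    do
        for princ in $principals; do
            # $pattern is deliberately unquoted so the glob forms match.
            case $princ in
                $pattern) printf '%s\n' "$princ"; return 0 ;;
            esac
        done
    done
    return 1
}

# Hypothetical wrapper for a live system (needs krb5 client tools):
#   check_keytab_file /etc/krb5.keytab mlrlinux mlrlinux.local.example LOCAL.EXAMPLE
check_keytab_file() {
    listing=$(klist -k "$1") || return 2
    find_machine_principal "$2" "$3" "$4" "$listing"
}

# Constructed sample listings for a stand-alone run.
SAMPLE_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mlrlinux.local.example@LOCAL.EXAMPLE
   2 MLRLINUX$@LOCAL.EXAMPLE
   2 nfs/mlrlinux.local.example@LOCAL.EXAMPLE'

# Only a cifs/ SPN: Samba file sharing works, rpc.gssd finds no credential.
SAMPLE_BAD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 cifs/mlrlinux.local.example@LOCAL.EXAMPLE'

if found=$(find_machine_principal mlrlinux mlrlinux.local.example LOCAL.EXAMPLE "$SAMPLE_OK"); then
    echo "sample keytab OK: rpc.gssd would use $found"
fi
if ! find_machine_principal mlrlinux mlrlinux.local.example LOCAL.EXAMPLE "$SAMPLE_BAD"; then
    echo "sample keytab with only cifs/: no machine credential in search order"
fi
```

The check only covers the local realm, which matches Louis's point: the keytab gives rpc.gssd the client's own machine credential, while a trusted-realm user still needs that realm resolvable in krb5.conf and DNS.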



