[Samba] Winbind with krb5auth for trust users

Andreas Hauffe andreas.hauffe at tu-dresden.de
Tue Aug 22 10:20:04 UTC 2017


Hi,

here are the files. I replaced the real domain/realm name by 
"search&replace", so there should not be a typing error in my file 
concerning the realm or domain names.

Regards,
Andreas

client:~ # more /etc/hostname
client.loc.example.de
client:~ # more /etc/hosts
#
# hosts         This file describes a number of hostname-to-address
#               mappings for the TCP/IP subsystem.  It is mostly
#               used at boot time, when no name servers are running.
#               On small systems, this file can be used instead of a
#               "named" name server.
# Syntax:
#
# IP-Address  Full-Qualified-Hostname  Short-Hostname
#

127.0.0.1       localhost

# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback

fe00::0         ipv6-localnet

ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts
192.168.1.4     client.loc.example.de client.loc.example.de

client:~ # more /etc/resolv.conf
### /etc/resolv.conf file autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
#     NETCONFIG_DNS_STATIC_SEARCHLIST
#     NETCONFIG_DNS_STATIC_SERVERS
#     NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
#     NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
# Note: Manual change of this file disables netconfig too, but
# may get lost when this file contains comments or empty lines
# only, the netconfig settings are same with settings in this
# file and in case of a "netconfig update -f" call.
#
### Please remove (at least) this line when you modify the file!
search loc.example.de
nameserver 192.168.1.2
nameserver 192.168.1.3
client:~ # more /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

passwd: compat winbind
group:  compat winbind

hosts:          files mdns_minimal [NOTFOUND=return] dns
networks:       files dns

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files nis
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files

client:~ # more /etc/krb5.conf
[libdefaults]
         default_realm = LOC.EXAMPLE.COM
         dns_lookup_realm = false
         dns_lookup_kdc = true
client:~ # more /etc/samba/smb.conf
[global]
        security = ADS
        workgroup = LOC
        realm = LOC.EXAMPLE.COM

        log file = /var/log/samba/%m.log
        log level = 1

        template homedir = /home/%D/%U
        template shell = /bin/bash

        # Default ID mapping configuration for local BUILTIN accounts
        # and groups on a domain member. The default (*) domain:
        # - must not overlap with any domain ID mapping configuration!
        # - must use a read-write-enabled back end, such as tdb.
        # - Adding just this is not enough
        # - You must set a DOMAIN backend configuration, see below
        idmap config * : backend = tdb
        idmap config * : range = 1000000-2000000


On 22.08.2017 at 11:34, L.P.H. van Belle via samba wrote:
> Hi,
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Andreas Hauffe via samba
>> Sent: Tuesday, 22 August 2017 11:26
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Winbind with krb5auth for trust users
>>
>> Hi,
>>
>> thanks for the fast answer.
>>
>> All DCs (local and trusted domain) running on Windows Server
>> 2012. The client is running on OpenSUSE Leap 42.3. The samba
>> version is 4.6.5.
>>
>> Right now I'm a step before nfs. At first I just want to
>> authorize users with krb5auth.
>>
>> The error is:
>>
>> mlrlinux:~ # wbinfo -K GLOBALDOM\\globdomuser
>> Enter GLOBALDOM\globdomuser's password:
>> plaintext kerberos password authentication for [GLOBALDOM\globdomuser] failed (requesting cctype: FILE)
>> wbcLogonUser(GLOBALDOM\globdomuser): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
>> error message was: No logon servers
>> Could not authenticate user [GLOBALDOM\globdomuser] with Kerberos (ccache: FILE)
>>
>> DNS resolution is working. I'm able to get the credentials
>> for a GLOBDOM-User with kinit, which should not work if DNS
>> resolution has errors, right?
> Depends on the member server setting.
> For example, do you have : kerberos method = secrets and keytab in smb.conf?
>
> Can you post the following files, sorry, we need to verify files. (anonymize where needed)
>
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/nsswitch.conf
> Your krb5.conf
>
> And smb.conf
>   
> Greetz,
>
> Louis
>
>> Andreas
>>
>>
>> On 22.08.2017 at 10:04, L.P.H. van Belle via samba wrote:
>

-- 
Kind regards
Andreas Hauffe
Head of the research field "Design Methods for Aircraft"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de
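A consistency check over the files Louis asked for, added here as an example and not taken from the thread or from Samba: it compares the host's DNS domain with the resolv.conf search domain, the krb5.conf default_realm and the smb.conf realm, and reports whether "kerberos method" is set at all. The file contents are constructed from the values in the post; all function names are my own.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): a realm/domain mismatch between
# hostname, resolv.conf, krb5.conf and smb.conf is one of the usual reasons a
# domain member cannot find a KDC or logon server.

# Print the value of "key = value" from a Samba/krb5 style file, lower-cased.
conf_value() {   # $1 = file, $2 = key (may contain a space, e.g. "kerberos method")
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n1 | tr 'A-Z' 'a-z' | tr -d '[:space:]'
}

# Returns 0 when the host's DNS domain, the resolv.conf search domain, the
# krb5 default_realm and the smb.conf realm all agree; 1 otherwise.
check_realm_consistency() {  # $1 hostname file, $2 resolv.conf, $3 krb5.conf, $4 smb.conf
    host_domain=$(tr 'A-Z' 'a-z' < "$1" | cut -d. -f2-)
    search=$(sed -n 's/^search[[:space:]]*//p' "$2" | head -n1 | awk '{print tolower($1)}')
    krb_realm=$(conf_value "$3" default_realm)
    smb_realm=$(conf_value "$4" realm)
    rc=0
    for v in "search=$search" "default_realm=$krb_realm" "realm=$smb_realm"; do
        if [ "${v#*=}" != "$host_domain" ]; then
            echo "MISMATCH: $v does not match host DNS domain $host_domain"
            rc=1
        fi
    done
    # The posted smb.conf has no "kerberos method"; flag that so the reader knows the default applies.
    if [ -z "$(conf_value "$4" 'kerberos method')" ]; then
        echo "NOTE: 'kerberos method' is not set in $4 (Samba default: secrets only)"
    fi
    return $rc
}

# Constructed sample input reproducing the values from the posted files.
demo_from_page() {
    d=$(mktemp -d)
    echo "client.loc.example.de" > "$d/hostname"
    printf 'search loc.example.de\nnameserver 192.168.1.2\n' > "$d/resolv.conf"
    printf '[libdefaults]\n\tdefault_realm = LOC.EXAMPLE.COM\n\tdns_lookup_kdc = true\n' > "$d/krb5.conf"
    printf '[global]\n\tsecurity = ADS\n\tworkgroup = LOC\n\trealm = LOC.EXAMPLE.COM\n' > "$d/smb.conf"
    rc=0
    check_realm_consistency "$d/hostname" "$d/resolv.conf" "$d/krb5.conf" "$d/smb.conf" || rc=$?
    rm -rf "$d"
    return $rc
}

demo_from_page || echo "-> inconsistencies found in the posted configuration"
```

Run against the values exactly as posted it flags the .de/.com difference between the host's DNS domain and the realm; whether that is real or only an artefact of the search-and-replace anonymisation is something the poster can confirm from the original files.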
