[Samba] Winbind with krb5auth for trust users
Andreas Hauffe
andreas.hauffe at tu-dresden.de
Tue Aug 22 10:20:04 UTC 2017
Hi,

here are the files. I replaced the real domain/realm name by
"search&replace", so there should not be a typing error in my file
concerning the realm or domain names.

Regards,
Andreas

client:~ # more /etc/hostname
client.loc.example.de

client:~ # more /etc/hosts
#
# hosts This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server.
# Syntax:
#
# IP-Address Full-Qualified-Hostname Short-Hostname
#
127.0.0.1 localhost
# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback
fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
192.168.1.4 client.loc.example.de client.loc.example.de

client:~ # more /etc/resolv.conf
### /etc/resolv.conf file autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
# NETCONFIG_DNS_STATIC_SEARCHLIST
# NETCONFIG_DNS_STATIC_SERVERS
# NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
# NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
# Note: Manual change of this file disables netconfig too, but
# may get lost when this file contains comments or empty lines
# only, the netconfig settings are same with settings in this
# file and in case of a "netconfig update -f" call.
#
### Please remove (at least) this line when you modify the file!
search loc.example.de
nameserver 192.168.1.2
nameserver 192.168.1.3

client:~ # more /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# compat Use compatibility setup
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#
passwd: compat winbind
group: compat winbind
hosts: files mdns_minimal [NOTFOUND=return] dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files

client:~ # more /etc/krb5.conf
[libdefaults]
default_realm = LOC.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

client:~ # more /etc/samba/smb.conf
[global]
security = ADS
workgroup = LOC
realm = LOC.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 1
template homedir = /home/%D/%U
template shell = /bin/bash
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
# - Adding just this is not enough
# - You must set a DOMAIN backend configuration, see below
idmap config * : backend = tdb
idmap config * : range = 1000000-2000000

On 22.08.2017 at 11:34, L.P.H. van Belle via samba wrote:
> Hai,
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Andreas Hauffe via samba
>> Sent: Tuesday 22 August 2017 11:26
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Winbind with krb5auth for trust users
>>
>> Hi,
>>
>> thanks for the fast answer.
>>
>> All DCs (local and trusted domain) running on Windows Server
>> 2012. The client is running on OpenSUSE Leap 42.3. The samba
>> version is 4.6.5.
>>
>> Right now I'm a step before nfs. At first I just want to
>> authorize users with krb5auth.
>>
>> The error is:
>>
>> mlrlinux:~ # wbinfo -K GLOBALDOM\\globdomuser
>> Enter GLOBALDOM\globdomuser's password:
>> plaintext kerberos password authentication for [GLOBALDOM\globdomuser] failed (requesting cctype: FILE)
>> wbcLogonUser(GLOBALDOM\globdomuser): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
>> error message was: No logon servers
>> Could not authenticate user [GLOBALDOM\globdomuser] with Kerberos (ccache: FILE)
>>
>> DNS resolution is working. I'm able to get the credentials
>> for a GLOBDOM-User with kinit, which should not work if DNS
>> resolution has errors, right?
> Depends on the member server setting.
> For example, do you have : kerberos method = secrets and keytab in smb.conf?
>
> Can you post the following files, sorry, we need to verify files. ( anonymize here needed )
>
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/nsswitch.conf
> Your krb5.conf
>
> And smb.conf
>
> Greetz,
>
> Louis
>
>> Andreas
>>
>>
>> On 22.08.2017 at 10:04, L.P.H. van Belle via samba wrote:
>
--
Best regards
Andreas Hauffe
Head of the research field "Design Methods for Aircraft"
----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering
D-01062 Dresden
Germany
phone : +49 (351) 463 38496
fax : +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de