[Samba] Winbind with krb5auth for trust users

Rowland Penny rpenny at samba.org
Tue Aug 22 10:59:59 UTC 2017


See inline comments:

On Tue, 22 Aug 2017 12:20:04 +0200
Andreas Hauffe via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> here are the files. I replaced the real domain/realm name by 
> "search&replace", so there should not be a typing error in my file 
> concerning the realm or domain names.
> 
> Regards,
> Andreas
> 
> client:~ # more /etc/hostname
> client.loc.example.de

This should just be 'client'

> client:~ # more /etc/hosts
> 
> 127.0.0.1       localhost
> 
> # special IPv6 addresses
> ::1             localhost ipv6-localhost ipv6-loopback
> 
> fe00::0         ipv6-localnet
> 
> ff00::0         ipv6-mcastprefix
> ff02::1         ipv6-allnodes
> ff02::2         ipv6-allrouters
> ff02::3         ipv6-allhosts
> 192.168.1.4     client.loc.example.de client.loc.example.de

The line above should be:

192.168.1.4     client.loc.example.de client

> 
> client:~ # more /etc/resolv.conf

> search loc.example.de
> nameserver 192.168.1.2
> nameserver 192.168.1.3

I take it that the two IP addresses are your DCs

> client:~ # more /etc/nsswitch.conf
> 
> passwd: compat winbind
> group:  compat winbind
> 
> hosts:          files mdns_minimal [NOTFOUND=return] dns

I would change the line above to:

hosts:          files dns

> client:~ # more /etc/samba/smb.conf
> [global]
>         security = ADS
>         workgroup = LOC
>         realm = LOC.EXAMPLE.COM
> 
>         log file = /var/log/samba/%m.log
>         log level = 1
> 
>         template homedir = /home/%D/%U
>         template shell = /bin/bash
> 
>         # Default ID mapping configuration for local BUILTIN accounts
>         # and groups on a domain member. The default (*) domain:
>         # - must not overlap with any domain ID mapping configuration!
>         # - must use a read-write-enabled back end, such as tdb.
>         # - Adding just this is not enough
>         # - You must set a DOMAIN backend configuration, see below
>         idmap config * : backend = tdb
>         idmap config * : range = 1000000-2000000

Hmm, do you not understand 'Adding just this is not enough' and 'You
must set a DOMAIN backend configuration, see below' ?

I would expect something like this:

        idmap config * : backend = tdb
        idmap config * : range = 3000-9999
        idmap config LOC : backend = rid
        idmap config LOC : range = 1000000-2000000

Rowland
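The idmap point made in the reply above (a '*' block alone is not a working domain-member configuration, and the per-domain range must not collide with the '*' range) can be checked mechanically. The script below is an added example written for this thread; it is not code from the thread or from the Samba project. It is a deliberately simple line-based parser for the `idmap config <DOMAIN> : <key> = <value>` settings (assumption: one setting per line, no `include =` handling) and runs three constructed smb.conf fragments through it: the '*'-only config from the original post, the corrected shape suggested in the reply, and a variant whose domain range overlaps the '*' range. On a real host, `testparm` remains the authoritative syntax check; this only flags the two logic problems the thread is about.

```python
"""Sanity-check the idmap configuration of a Samba domain member's smb.conf.

Added example (not from the mailing-list thread or the Samba project): a small
line-based parser for 'idmap config <DOMAIN> : <key> = <value>' settings, plus
checks for a missing per-domain backend and for ranges that overlap.
"""
import re

# Matches lines such as 'idmap config LOC : backend = rid' (case-insensitive).
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)$", re.IGNORECASE
)


def parse_idmap(smb_conf: str) -> dict:
    """Return {domain: {'backend': str, 'range': (lo, hi)}} from smb.conf text.

    Simplification (assumption): one setting per line, no 'include =' handling.
    """
    cfg = {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3).strip()
        entry = cfg.setdefault(domain if domain == "*" else domain.upper(), {})
        if key == "range":
            lo, hi = (int(x.strip()) for x in value.split("-", 1))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = value.lower()
    return cfg


def check_idmap(smb_conf: str, workgroup: str) -> list:
    """Return human-readable problems; an empty list means the config looks sane."""
    cfg = parse_idmap(smb_conf)
    problems = []

    if "*" not in cfg:
        problems.append("missing 'idmap config * : backend/range' for BUILTIN and unknown domains")
    if workgroup.upper() not in cfg:
        problems.append(
            f"missing 'idmap config {workgroup.upper()} : backend' (the '*' block alone is not enough)"
        )

    for domain, entry in cfg.items():
        if "backend" not in entry:
            problems.append(f"domain {domain}: no backend set")
        if "range" not in entry:
            problems.append(f"domain {domain}: no range set")
        elif entry["range"][0] >= entry["range"][1]:
            problems.append(f"domain {domain}: range low >= high")

    # Pairwise overlap check: every domain's range must be disjoint from every other.
    ranged = [(d, e["range"]) for d, e in cfg.items() if "range" in e]
    for i, (d1, (lo1, hi1)) in enumerate(ranged):
        for d2, (lo2, hi2) in ranged[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges of {d1} and {d2} overlap")
    return problems


# Constructed sample: the '*'-only config from the original post.
POSTED_CONF = """\
[global]
        security = ADS
        workgroup = LOC
        realm = LOC.EXAMPLE.COM
        idmap config * : backend = tdb
        idmap config * : range = 1000000-2000000
"""

# Constructed sample: the shape of config suggested in the reply.
FIXED_CONF = """\
[global]
        security = ADS
        workgroup = LOC
        realm = LOC.EXAMPLE.COM
        idmap config * : backend = tdb
        idmap config * : range = 3000-9999
        idmap config LOC : backend = rid
        idmap config LOC : range = 1000000-2000000
"""

# Constructed sample: a domain block is present but collides with the '*' range.
OVERLAP_CONF = """\
        idmap config * : backend = tdb
        idmap config * : range = 1000000-2000000
        idmap config LOC : backend = rid
        idmap config LOC : range = 1500000-2500000
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF), ("overlap", OVERLAP_CONF)):
        print(name, check_idmap(conf, "LOC") or "OK")
```

The overlap check matters because winbind allocates IDs from the '*' range for BUILTIN and unknown domains while the rid backend computes IDs arithmetically inside the domain range; if the two ranges intersect, the same Unix UID can be handed to two different SIDs.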


