[Samba] Winbind with krb5auth for trust users
Andreas Hauffe
andreas.hauffe at tu-dresden.de
Tue Aug 22 11:51:24 UTC 2017
Hi,
sorry for not reading the comment above idmap config. I uninstalled and
reinstalled samba and configs to remove all old id mappings and so on.
Then changed all configs as advised. The id mapping is working correctly
(wbinfo -i) for local and trusted domain. But I still cannot log on with
wbinfo -K with a trusted domain account.
Andreas
On 22.08.2017 at 12:59, Rowland Penny via samba wrote:
> See inline comments:
>
> On Tue, 22 Aug 2017 12:20:04 +0200
> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> here are the files. I replaced the real domain/realm name by
>> "search&replace", so there should not be a typing error in my file
>> concerning the realm or domain names.
>>
>> Regards,
>> Andreas
>>
>> client:~ # more /etc/hostname
>> client.loc.example.de
> This should just be 'client'
>
>> client:~ # more /etc/hosts
>>
>> 127.0.0.1 localhost
>>
>> # special IPv6 addresses
>> ::1 localhost ipv6-localhost ipv6-loopback
>>
>> fe00::0 ipv6-localnet
>>
>> ff00::0 ipv6-mcastprefix
>> ff02::1 ipv6-allnodes
>> ff02::2 ipv6-allrouters
>> ff02::3 ipv6-allhosts
>> 192.168.1.4 client.loc.example.de client.loc.example.de
> The line above should be:
>
> 192.168.1.4 client.loc.example.de client
>
>> client:~ # more /etc/resolv.conf
>> search loc.example.de
>> nameserver 192.168.1.2
>> nameserver 192.168.1.3
> I take it that the two IP addresses are your DCs
>
>> client:~ # more /etc/nsswitch.conf
>>
>> passwd: compat winbind
>> group: compat winbind
>>
>> hosts: files mdns_minimal [NOTFOUND=return] dns
> I would change the line above to:
>
> hosts: files dns
>
>> client:~ # more /etc/samba/smb.conf
>> [global]
>> security = ADS
>> workgroup = LOC
>> realm = LOC.EXAMPLE.COM
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> template homedir = /home/%D/%U
>> template shell = /bin/bash
>>
>> # Default ID mapping configuration for local BUILTIN accounts
>> # and groups on a domain member. The default (*) domain:
>> # - must not overlap with any domain ID mapping configuration!
>> # - must use a read-write-enabled back end, such as tdb.
>> # - Adding just this is not enough
>> # - You must set a DOMAIN backend configuration, see below
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000-2000000
> Hmm, do you not understand 'Adding just this is not enough' and 'You
> must set a DOMAIN backend configuration, see below' ?
>
> I would expect something like this:
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-9999
> idmap config LOC : backend = rid
> idmap config LOC : range = 1000000-2000000
>
> Rowland
>
--
Best regards
Andreas Hauffe
Head of the research field "Design Methods for Aircraft"
----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering
D-01062 Dresden
Germany
phone : +49 (351) 463 38496
fax : +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de
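
A check for the two idmap conditions raised in the quoted reply (a backend configured for the workgroup domain, and ranges that do not overlap), as an added example that is not part of the original thread or of Samba. The function names are hypothetical and the sample inputs are constructed from the idmap lines quoted above.

```python
import re
from itertools import combinations

# Matches lines such as "idmap config LOC : range = 1000000-2000000"
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse_idmap(conf_text):
    """Return (workgroup, {domain: {option: value}}) with ranges as (low, high)."""
    workgroup, domains = None, {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment line
        wg = WORKGROUP_RE.match(line)
        if wg:
            workgroup = wg.group(1).upper()
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            if option == "range":
                value = tuple(int(x) for x in value.split("-"))
            domains.setdefault(domain, {})[option] = value
    return workgroup, domains

def check_idmap(conf_text):
    """Return a list of findings; an empty list means both checks passed."""
    workgroup, domains = parse_idmap(conf_text)
    findings = []
    if workgroup and "backend" not in domains.get(workgroup, {}):
        findings.append(f"no idmap backend configured for domain {workgroup}")
    ranged = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append(f"ranges of {d1} and {d2} overlap")
    return findings

# Constructed samples: the idmap lines of the two configurations quoted above
POSTED = """[global]
workgroup = LOC
idmap config * : backend = tdb
idmap config * : range = 1000000-2000000
"""
SUGGESTED = POSTED.replace("1000000-2000000", "3000-9999") + (
    "idmap config LOC : backend = rid\n"
    "idmap config LOC : range = 1000000-2000000\n")

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, check_idmap(text) or "ok")
```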