[Samba] Winbind with krb5auth for trust users

Andreas Hauffe andreas.hauffe at tu-dresden.de
Tue Aug 22 11:51:24 UTC 2017


Hi,

sorry for not reading the comment above idmap config. I uninstalled and 
reinstalled samba and configs to remove all old id mappings and so on. 
Then changed all configs as advised. The id mapping is working correctly 
(wbinfo -i) for local and trusted domain. But I still cannot log on with 
wbinfo -K with a trusted domain account.

Andreas


On 22.08.2017 at 12:59, Rowland Penny via samba wrote:
> See inline comments:
>
> On Tue, 22 Aug 2017 12:20:04 +0200
> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> here are the files. I replaced the real domain/realm name by
>> "search&replace", so there should not be a typing error in my file
>> concerning the realm or domain names.
>>
>> Regards,
>> Andreas
>>
>> client:~ # more /etc/hostname
>> client.loc.example.de
> This should just be 'client'
>
>> client:~ # more /etc/hosts
>>
>> 127.0.0.1       localhost
>>
>> # special IPv6 addresses
>> ::1             localhost ipv6-localhost ipv6-loopback
>>
>> fe00::0         ipv6-localnet
>>
>> ff00::0         ipv6-mcastprefix
>> ff02::1         ipv6-allnodes
>> ff02::2         ipv6-allrouters
>> ff02::3         ipv6-allhosts
>> 192.168.1.4     client.loc.example.de client.loc.example.de
> The line above should be:
>
> 192.168.1.4     client.loc.example.de client
>
>> client:~ # more /etc/resolv.conf
>> search loc.example.de
>> nameserver 192.168.1.2
>> nameserver 192.168.1.3
> I take it that the two IP addresses are your DCs
>
>> client:~ # more /etc/nsswitch.conf
>>
>> passwd: compat winbind
>> group:  compat winbind
>>
>> hosts:          files mdns_minimal [NOTFOUND=return] dns
> I would change the line above to:
>
> hosts:          files dns
>
>> client:~ # more /etc/samba/smb.conf
>> [global]
>>          security = ADS
>>          workgroup = LOC
>>          realm = LOC.EXAMPLE.COM
>>
>>          log file = /var/log/samba/%m.log
>>          log level = 1
>>
>>          template homedir = /home/%D/%U
>>          template shell = /bin/bash
>>
>>          # Default ID mapping configuration for local BUILTIN accounts
>>          # and groups on a domain member. The default (*) domain:
>>          # - must not overlap with any domain ID mapping configuration!
>>          # - must use a read-write-enabled back end, such as tdb.
>>          # - Adding just this is not enough
>>          # - You must set a DOMAIN backend configuration, see below
>>          idmap config * : backend = tdb
>>          idmap config * : range = 1000000-2000000
> Hmm, do you not understand 'Adding just this is not enough' and 'You
> must set a DOMAIN backend configuration, see below' ?
>
> I would expect something like this:
>
>          idmap config * : backend = tdb
>          idmap config * : range = 3000-9999
>          idmap config LOC : backend = rid
>          idmap config LOC : range = 1000000-2000000
>
> Rowland
>

-- 
Best regards
Andreas Hauffe
Head of the research field "Design Methods for Aircraft"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de
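
The smb.conf comments quoted in this thread set rules for ID mapping: the default (*) domain needs a read-write backend, a DOMAIN backend must also be configured, and the ranges must not overlap. The following check is an added example, not part of the original messages and not Samba code; the function names, the WRITABLE set and the two sample strings are assumptions constructed from the settings shown above, and it goes slightly beyond the quoted comments by comparing every pair of configured ranges.

```python
import re
from itertools import combinations

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)
WRITABLE = {"tdb", "autorid"}  # assumption: backends accepted as read-write for "*"

# Constructed samples: the settings as posted in the thread, then as suggested in the reply.
POSTED = """[global]
workgroup = LOC
idmap config * : backend = tdb
idmap config * : range = 1000000-2000000
"""
SUGGESTED = """[global]
workgroup = LOC
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config LOC : backend = rid
idmap config LOC : range = 1000000-2000000
"""

def parse_idmap(conf_text):
    """Return (workgroup, {domain: {option: value}}) from smb.conf text."""
    workgroup, domains = None, {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # skip comment lines
        if (m := WORKGROUP_RE.match(line)):
            workgroup = m.group(1).upper()
        elif (m := IDMAP_RE.match(line)):
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return workgroup, domains

def check_idmap(conf_text):
    """Return a list of findings; an empty list means the quoted rules hold."""
    workgroup, domains = parse_idmap(conf_text)
    findings = []
    if domains.get("*", {}).get("backend", "").lower() not in WRITABLE:
        findings.append("default (*) backend missing or not read-write")
    if workgroup and workgroup not in domains:
        findings.append(f"no idmap config for domain {workgroup}")
    ranges = {d: tuple(int(x) for x in o["range"].split("-"))
              for d, o in domains.items() if "range" in o}
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        if alo <= bhi and blo <= ahi:
            findings.append(f"ranges of {a} and {b} overlap")
    return findings
```

Running `check_idmap` on the text of a member's smb.conf before joining or after editing ranges flags overlapping ranges, which would otherwise let two different accounts resolve to the same Unix ID.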


