[Samba] Windows pre-requisites for login with winbind?

A. James Lewis james at fsck.co.uk
Tue Aug 22 12:01:20 UTC 2017


Indeed!... you are correct... this does appear to be the kerberos issue uncovered by Rowlands pointing out that I should not need to be manually defining "kdc =", in my krb5.conf.... so with that resolved, I'm hoping we can also find the cause of my original problem.

Incidentally, this was my solution to upgrading Samba on my 17.04 test server, I think moving to 17.10 will ultimately have to be the solution, but this let me carry on debugging this problem quickly.

apt-get remove libnss-winbind libpam-winbind samba winbind
apt-get autoremove
cd /etc/apt/
sed -i "s,zesty,artful,g" sources.list
apt-get install samba libnss-winbind libpam-winbind winbind
sed -i "s,artful,zesty,g" sources.list
apt-get update
apt-get dist-upgrade

James

August 22, 2017 12:51 PM, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai, 
> 
> Few extra checks/questions. 
> 
> Have you checked if the server time is in sync with the AD DC server? 
> 
> Check if : /etc/ldap/ldap.conf , Contains : TLS_REQCERT allow
> Are you using own certificates or samba generated (selfsigned) certs? 
> 
> If you use bind_dlz as dns, take note that you need to set in the global options: 
> check-names ignore; 
> Although underscores in hostnames are "illegal", according to RFC 952, and RFC 1123,
> also RFC about SRV records should be taken into account) they are complying to name restrictions
> for windows hostname.
> 
> Can you get this script. 
> https://github.com/thctlo/samba4/blob/master/samba-check-db-repl.sh 
> 
> Set : SAMBA_LDAPCMD_FILTER="whenChanged,dc,cn" 
> And run it on the dc with FSMO roles. 
> ( ! Note, only works if you have only samba DC's. ) 
> 
> What is does. 
> It checks which DC has the FSMO roles. 
> Then it checks your database replication with all other DC's. 
> It runs 2 check. 
> Samba-tool dbcheck and samba-tool ldapcmd ... 
> Let see if you have any errors there. 
> 
> Greetz, 
> 
> Louis
> 
>> -----Oorspronkelijk bericht-----
>> Van: A. James Lewis [mailto:james at fsck.co.uk]
>> Verzonden: dinsdag 22 augustus 2017 13:10
>> Aan: A. James Lewis via samba; L.P.H. van Belle
>> Onderwerp: Re: [Samba] Windows pre-requisites for login with winbind?
>> 
>> Ahh, upgrading to 4.6.5 did not change my problem
>> significantly, but it DID change the error message
>> significantly... this might give some much better information
>> to someone who knows how the code works!
>> 
>> Aug 22 11:59:01 hostname01 winbindd[451]: [2017/08/22
>> 11:59:01.055174, 0]
>> ../source3/libads/sasl.c:786(ads_sasl_spnego_bind)
>> Aug 22 11:59:01 hostname01 winbindd[451]: kinit succeeded
>> but ads_sasl_spnego_gensec_bind(KRB5) failed for
>> ldap/local_ad01.domain.local with user[HOSTNAME01$]
>> realm[DOMAIN.LOCAL]: No logon servers
>> 
>> I am still able to log in and list groups for long standing
>> users, and not log in for more recently created users... but
>> I am no-longer able to list groups for the users I can't log in with!
>> 
>> James
>> 
>> August 22, 2017 11:31 AM, "A. James Lewis via samba"
>> <samba at lists.samba.org> wrote:
>> 
>> Hi!
>> 
>> Indeed!, this sounds like good advice... there are
>> certainly bugs, I
>> had to get the 7.04.5 package from "proposed" to get resolve a PAM
>> library issue!... although I suppose that's a packaging problem.
>> 
>> What is the best way to get an updated Samba package here,
>> I'm trying
>> to make this system reproduceable, I have a single script
>> that builds
>> the entire container, and sets up an Xrdp terminal server
>> with everything configured... Ideally I'd like to do it in a
>> sustainable way!...
>> 
>> Perhaps migrating to 17.10 would be a good move at this point since
>> 4.6.5 is available there, and ultimately my goal would be
>> to have this
>> built on 18.04 for some level of stability.... I'm sitting
>> on 17.04 right now since the move to Gnome is not popular
>> around here....
>> 
>> I guess I could install the 17.10 package on 17.04 for
>> testing, watch
>> this space... feedback to follow.
>> 
>> James
>> 
>> August 22, 2017 8:13 AM, "L.P.H. van Belle via samba"
>> <samba at lists.samba.org> wrote:
>> 
>> Hai
>> 
>> Since your on ubuntu 17.04 (zesty) and samba
>> 2:4.5.8+dfsg-0ubuntu0.17.04.5.
>> Now i dont know if your able to upgrade you samba to
>> 4.5.12 or at least 4.6.5.
>> 
>> But I would really recommend trying to upgrade to a higher version.
>> I suggest go through the changelogs, and see the winbind
>> and kerberos
>> related fixes so you understand why i say upgrade.
>> I suspect you have hit one or more of these bugs.
>> 
>> Greetz,
>> 
>> Louis
>> 
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland
>> Penny via samba
>> Verzonden: maandag 21 augustus 2017 19:28
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Windows pre-requisites for login
>> with winbind?
>> 
>> On Mon, 21 Aug 2017 17:13:12 +0000
>> "A. James Lewis" <james at fsck.co.uk> wrote:
>> 
>> I'm inclined to agree with you regarding resolveconf, but I don't
>> think that's the issue here, clearly it was able to get
>> the name and
>> IP of the AD server.... and connect to it.
>> 
>> The error from kinit had the hostname of one of the AD servers in
>> it, that name is not in the config, and that address was
>> reachable... so I can't think that it's DNS.
>> 
>> What is worrying me is if this is valid, to have the domain in
>> twice:- cifs/LOCAL_AD02.domain.local at DOMAIN.LOCAL in the
>> kinit error
>> from auth.log
>> 
>> I'd love to solve this issue too... but I started with one issue,
>> and now I have 2... LOL!
>> 
>> That is perfectly normal, so stop worrying
>> 
>> There is an easy way to try and prove if it is a dns
>> problem (which
>> i am sure it is)
>> 
>> ADD
>> 
>> <the DCs ipaddress> <the DCs hostname>.domain.local <the DCs
>> hostname>
>> 
>> to /etc/hosts
>> 
>> Rowland
>> 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>> 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>> 
>> --
>> A. James Lewis (james at fsck.co.uk)
>> "Engineering does not require science. Science helps a lot
>> but people
>> built perfectly good brick walls long before they knew why
>> cement works."
>> 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>> 
>> --
>> A. James Lewis (james at fsck.co.uk)
>> "Engineering does not require science. Science helps a lot
>> but people built perfectly good brick walls long before they
>> knew why cement works."
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."



More information about the samba mailing list