[Samba] Windows pre-requisites for login with winbind?
A. James Lewis
james at fsck.co.uk
Tue Aug 22 14:59:20 UTC 2017
August 22, 2017 2:32 PM, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> You did not look right; it should be there.
>
# aptitude search libpam-krb5
p libpam-krb5 - PAM module for MIT Kerberos
p libpam-krb5:i386 - PAM module for MIT Kerberos
Not installed.
> https://packages.ubuntu.com/zesty/libpam-krb5
> https://packages.ubuntu.com/artful/libpam-krb5
>
> Check this folder to see if "winbind unix krb5" is there.
> ls /usr/share/pam-configs
>
# ls /usr/share/pam-configs
capability gnome-keyring mkhomedir systemd unix winbind
> And run pam-auth-update --force to update the files.
> ! Note, krb5 has by default set: minimum_uid=1000
>
I have tried installing libpam-krb5, and it adds the following line to common-auth, passwd, account and session:
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
However, with that configuration, no users can log in (could this be because the AD server had no RFC2307 unix extensions?)... so I have removed the package, and now I'm back to the situation where only the 3 most recent users cannot log in.
Note that the users who can't log in can authenticate with kinit!
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of A.
>> James Lewis via samba
>> Sent: Tuesday 22 August 2017 15:02
>> To: Rowland Penny; samba at lists.samba.org
>> Subject: Re: [Samba] Windows pre-requisites for login with winbind?
>>
>> I have krb5-config krb5-user, but not libpam-krb5... I'm
>> slightly fuzzy about how this works, but I thought the
>> interaction with kerberos was implemented via winbind, so I
>> wasn't expecting this package to be installed... certainly
>> there is no dependency that has pulled it in.
>>
>> James
>>
>> August 22, 2017 1:15 PM, "Rowland Penny via samba"
>> <samba at lists.samba.org> wrote:
>>
>> On Tue, 22 Aug 2017 12:01:20 +0000
>> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>>
>> Indeed!... you are correct... this does appear to be the kerberos
>> issue uncovered by Rowland's pointing out that I should not need to be
>> manually defining "kdc =", in my krb5.conf.... so with that resolved,
>> I'm hoping we can also find the cause of my original problem.
>>
>> Incidentally, this was my solution to upgrading Samba on my 17.04
>> test server, I think moving to 17.10 will ultimately have to be the
>> solution, but this let me carry on debugging this problem quickly.
>>
>> apt-get remove libnss-winbind libpam-winbind samba winbind
>> apt-get autoremove
>> cd /etc/apt/
>> sed -i "s,zesty,artful,g" sources.list
>> apt-get install samba libnss-winbind libpam-winbind winbind
>> sed -i "s,artful,zesty,g" sources.list
>> apt-get update
>> apt-get dist-upgrade
>>
>> James
>>
>> Do you also have the following packages installed:
>>
>> libpam-krb5 krb5-config krb5-user
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>> --
>> A. James Lewis (james at fsck.co.uk)
>> "Engineering does not require science. Science helps a lot but people
>> built perfectly good brick walls long before they knew why
>> cement works."
--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
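
Added example, not part of the original message or of Samba: a simplified Python model of how PAM walks a common-auth stack containing the pam_krb5 line quoted above, showing what `success=3`, `default=ignore` and `minimum_uid=1000` do. Only the first rule line comes from the post; the other four rule lines, the function names and the rule that a module steps aside below its minimum_uid are assumptions made for the illustration.

```python
import re

# Constructed sample in the layout pam-auth-update writes. Only the first
# line comes from the post; the other four lines are assumptions.
SAMPLE_COMMON_AUTH = """\
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return [(control, module, args), ...] for every rule line."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            stack.append((m.group(2), m.group(3), m.group(4).split()))
    return stack

def option(args, name, default=0):
    """Integer value of a name=value module argument, or the default."""
    for arg in args:
        if arg.startswith(name + "="):
            return int(arg.split("=", 1)[1])
    return default

def evaluate(stack, accepts, uid):
    """Simplified walk of the stack. `accepts` is the set of modules whose
    backend would accept the password. Returns (allowed, modules consulted)."""
    i, trace, result = 0, [], None
    while i < len(stack):
        control, module, args = stack[i]
        trace.append(module)
        ok = module == "pam_permit.so" or (
            module in accepts and module != "pam_deny.so"
            and uid >= option(args, "minimum_uid"))  # assumed: below it, the module steps aside
        i += 1
        jump = re.search(r"success=(\d+)", control)
        if control.startswith("["):
            if ok and jump:
                i += int(jump.group(1))   # success=N: skip the next N rules
            # default=ignore: any other result is dropped, fall through
        elif not ok:
            if control == "requisite":
                return False, trace       # pam_deny.so ends the stack here
            result = False
        elif result is None:
            result = True
    return bool(result), trace
```

The returned list of modules shows how far a login attempt travelled: a run that ends at pam_deny.so means no module in the stack accepted the user.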