[Samba] Windows pre-requisites for login with winbind?

A. James Lewis james at fsck.co.uk
Tue Aug 22 14:59:20 UTC 2017


August 22, 2017 2:32 PM, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> You did not look right it should be there. 
> 
# aptitude search libpam-krb5
p   libpam-krb5                                                                               - PAM module for MIT Kerberos                                                                        
p   libpam-krb5:i386                                                                          - PAM module for MIT Kerberos                          

Not installed.


> https://packages.ubuntu.com/zesty/libpam-krb5 
> https://packages.ubuntu.com/artful/libpam-krb5
> 
> Check this folder to see if "winbind unix krb5" is there. 
> ls /usr/share/pam-configs
> 
# ls /usr/share/pam-configs
capability  gnome-keyring  mkhomedir  systemd  unix  winbind


> And run pam-auth-update --force to update the files.
> ! Note, krb5 has by default set : minium_uid=1000 
> 

I have tried installing libpam-krb5, and it adds the following line to common-,auth,passwd,account and session:-

auth	[success=3 default=ignore]	pam_krb5.so minimum_uid=1000

However, with that configuration, no users can log in (could this be because the AD server had no RFC2307 unix extensions)... so I have removed the package, and now I'm back to the situation where only the 3 most recent users cannot log in.

Note that the users who can't log in, can authenticate with kinit!

> Greetz, 
> 

> Louis
> 
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens A.
>> James Lewis via samba
>> Verzonden: dinsdag 22 augustus 2017 15:02
>> Aan: Rowland Penny; samba at lists.samba.org
>> Onderwerp: Re: [Samba] Windows pre-requisites for login with winbind?
>> 
>> I have krb5-config krb5-user, but not libpam-krb5... I'm
>> slightly fuzzy about how this works, but I thought the
>> interaction with kerberos was implemented via winbind, so I
>> wasn't expecting this package to be installed... certainly
>> there is no dependency that has pulled it in.
>> 
>> James
>> 
>> August 22, 2017 1:15 PM, "Rowland Penny via samba"
>> <samba at lists.samba.org> wrote:
>> 
>> On Tue, 22 Aug 2017 12:01:20 +0000
>> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>> 
>> Indeed!... you are correct... this does appear to be the kerberos
>> issue uncovered by Rowlands pointing out that I should not
>> need to be
>> manually defining "kdc =", in my krb5.conf.... so with
>> that resolved,
>> I'm hoping we can also find the cause of my original problem.
>> 
>> Incidentally, this was my solution to upgrading Samba on my 17.04
>> test server, I think moving to 17.10 will ultimately have
>> to be the
>> solution, but this let me carry on debugging this problem quickly.
>> 
>> apt-get remove libnss-winbind libpam-winbind samba winbind apt-get
>> autoremove cd /etc/apt/ sed -i "s,zesty,artful,g" sources.list
>> apt-get install samba libnss-winbind libpam-winbind winbind sed -i
>> "s,artful,zesty,g" sources.list apt-get update apt-get dist-upgrade
>> 
>> James
>> 
>> Do you also have the following packages installed:
>> 
>> libpam-krb5 krb5-config krb5-user
>> 
>> Rowland
>> 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>> 
>> --
>> A. James Lewis (james at fsck.co.uk)
>> "Engineering does not require science. Science helps a lot but people
>> built perfectly good brick walls long before they knew why
>> cement works."
>> 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."



More information about the samba mailing list