[Samba] Windows pre-requisites for login with winbind?
A. James Lewis
james at fsck.co.uk
Tue Aug 22 15:03:39 UTC 2017
The team that run the AD say that there are no replication issues, and certainly those users can log on to every other system, including some very old Samba 3.x based systems... how would I go about determining if this is the case?
BTW, those users have been created around a month ago, I would imagine that replication would have happened in that time.
James
August 22, 2017 3:53 PM, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Did you already check the database replication Of the DC's.
> If one is out of sync, and the pc is connecting to that one, you have errors.
> And what does the windows event id tell you.
>
> Greetz,
>
> Louis
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens A.
>> James Lewis via samba
>> Verzonden: dinsdag 22 augustus 2017 16:36
>> Aan: Rowland Penny; samba at lists.samba.org
>> Onderwerp: Re: [Samba] Windows pre-requisites for login with winbind?
>>
>> I think we're getting confused with the kerberos issue
>> created by my errant DNS server... with the original problem,
>> all the commands I have sent showing an issue with kerberos
>> were working originally, with the config which explicitly
>> defined "kdc =", and are now working again, with your new
>> config, now that I have fixed the DNS... but the original
>> problem is that I have a very small number of users which
>> don't work.... winbind says that they don't exist, while
>> every other user works just fine...
>>
>> Those 3 users that don't work are the most recent 3 to be
>> added, and since I don't have control over the AD, I can't
>> say if there's some parameter or group they don't have which
>> stops them from working, but I don't think it's a
>> co-incidence that they are not "random" users, but only "new" users.
>>
>> Obviously since they can log in to windows desktops, winbind
>> behaviour must be different to Windows... but surely there
>> has to be an AD component to this too.
>>
>> The common-auth line you have below is precisely what I have.
>>
>> James
>>
>> August 22, 2017 2:20 PM, "Rowland Penny via samba"
>> <samba at lists.samba.org> wrote:
>>
>> On Tue, 22 Aug 2017 13:02:03 +0000
>> "A. James Lewis" <james at fsck.co.uk> wrote:
>>
>> I have krb5-config krb5-user, but not libpam-krb5... I'm slightly
>> fuzzy about how this works, but I thought the interaction with
>> kerberos was implemented via winbind, so I wasn't expecting this
>> package to be installed... certainly there is no
>> dependency that has
>> pulled it in.
>>
>> James
>>
>> Well, it is what makes PAM use kerberos with winbind, this is the
>> winbind line from /etc/pam.d/common-auth with it installed:
>>
>> auth [success=1 default=ignore] pam_winbind.so krb5_auth
>> krb5_ccache_type=FILE cached_login try_first_pass
>>
>> And all the commands you have posted work for me.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>> --
>> A. James Lewis (james at fsck.co.uk)
>> "Engineering does not require science. Science helps a lot
>> but people built perfectly good brick walls long before they
>> knew why cement works."
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
More information about the samba
mailing list