[Samba] Windows pre-requisites for login with winbind?

L.P.H. van Belle belle at bazuin.nl
Wed Aug 23 06:25:57 UTC 2017


Hai, 

Well, at least you did find something.
This gets my attention.

> I have tried installing libpam-krb5, and it adds the 
> following line to common-,auth,passwd,account and session:-
> 
> auth	[success=3 default=ignore]	pam_krb5.so minimum_uid=1000
> 
> However, with that configuration, no users can log in (could 
> this be because the AD server had no RFC2307 unix 
> extensions)... so I have removed the package, and now I'm 
> back to the situation where only the 3 most recent users 
> cannot log in.
> 
> Note that the users who can't log in, can authenticate with kinit!
This is strange; if you install libpam-krb5, you should still be able to log in.
What you can try here is to run pam-auth-update.
Only enable unix, winbind (and, if installed, kerberos) and, if really needed, mkhomedir.

Now add Rowland's comment:
> Well, yes you probably have, that comes from the libpam-winbind package, 
> you just need the 'glue' that comes from the libpam-krb5 package.

pam-auth-update does this.


And what kind of messages were you seeing in auth.log when you tried the krb5 option and users were not able to log in?
Any messages there?
And Windows event IDs?


Greetz, 

Louis
 

> -----Original message-----
> From: A. James Lewis [mailto:james at fsck.co.uk] 
> Sent: Tuesday 22 August 2017 16:59
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Windows pre-requisites for login with winbind?
> 
> August 22, 2017 2:32 PM, "L.P.H. van Belle via samba" 
> <samba at lists.samba.org> wrote:
> 
> > You did not look right; it should be there.
> > 
> # aptitude search libpam-krb5
> p   libpam-krb5                     - PAM module for MIT Kerberos
> p   libpam-krb5:i386                - PAM module for MIT Kerberos
> 
> Not installed.
> 
> 
> > https://packages.ubuntu.com/zesty/libpam-krb5
> > https://packages.ubuntu.com/artful/libpam-krb5
> > 
> > Check this folder to see if "winbind unix krb5" is there. 
> > ls /usr/share/pam-configs
> > 
> # ls /usr/share/pam-configs
> capability  gnome-keyring  mkhomedir  systemd  unix  winbind
> 
> 
> > And run pam-auth-update --force to update the files.
> > ! Note, krb5 has by default set: minimum_uid=1000
> > 
> 
> I have tried installing libpam-krb5, and it adds the 
> following line to common-,auth,passwd,account and session:-
> 
> auth	[success=3 default=ignore]	pam_krb5.so minimum_uid=1000
> 
> However, with that configuration, no users can log in (could 
> this be because the AD server had no RFC2307 unix 
> extensions)... so I have removed the package, and now I'm 
> back to the situation where only the 3 most recent users 
> cannot log in.
> 
> Note that the users who can't log in, can authenticate with kinit!
> 
> > Greetz, 
> > 
> 
> > Louis
> > 
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of A. James Lewis via samba
> >> Sent: Tuesday 22 August 2017 15:02
> >> To: Rowland Penny; samba at lists.samba.org
> >> Subject: Re: [Samba] Windows pre-requisites for login with winbind?
> >> 
> >> I have krb5-config krb5-user, but not libpam-krb5... I'm
> >> slightly fuzzy about how this works, but I thought the
> >> interaction with kerberos was implemented via winbind, so I
> >> wasn't expecting this package to be installed... certainly
> >> there is no dependency that has pulled it in.
> >> 
> >> James
> >> 
> >> August 22, 2017 1:15 PM, "Rowland Penny via samba"
> >> <samba at lists.samba.org> wrote:
> >> 
> >> On Tue, 22 Aug 2017 12:01:20 +0000
> >> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
> >> 
> >> Indeed!... you are correct... this does appear to be the kerberos
> >> issue uncovered by Rowland's pointing out that I should not need to be
> >> manually defining "kdc =", in my krb5.conf.... so with that resolved,
> >> I'm hoping we can also find the cause of my original problem.
> >> 
> >> Incidentally, this was my solution to upgrading Samba on my 17.04
> >> test server, I think moving to 17.10 will ultimately have to be the
> >> solution, but this let me carry on debugging this problem quickly.
> >> 
> >> apt-get remove libnss-winbind libpam-winbind samba winbind
> >> apt-get autoremove
> >> cd /etc/apt/
> >> sed -i "s,zesty,artful,g" sources.list
> >> apt-get install samba libnss-winbind libpam-winbind winbind
> >> sed -i "s,artful,zesty,g" sources.list
> >> apt-get update
> >> apt-get dist-upgrade
> >> 
> >> James
> >> 
> >> Do you also have the following packages installed:
> >> 
> >> libpam-krb5 krb5-config krb5-user
> >> 
> >> Rowland
> >> 
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >> 
> >> --
> >> A. James Lewis (james at fsck.co.uk)
> >> "Engineering does not require science. Science helps a lot but people
> >> built perfectly good brick walls long before they knew why cement works."
> >> 
> 
> --
> A. James Lewis (james at fsck.co.uk)
> "Engineering does not require science. Science helps a lot but people
> built perfectly good brick walls long before they knew why cement works."
> 
> 
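
The `[success=3 default=ignore]` control quoted in this thread tells PAM to skip the next three modules when pam_krb5 succeeds, so the count is only right while the generated stack keeps its shape. The following Python check is an added example, not from the thread or from Samba: it resolves each `success=N` jump in an auth stack and reports where it lands, assuming the usual pam-auth-update layout in which the primary block ends with pam_deny.so followed by pam_permit.so. Both sample stacks are constructed.

```python
import re

# Constructed sample: the shape pam-auth-update writes for krb5 + unix + winbind.
GOOD = """\
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
# Constructed sample: same stack with a stale skip count on the pam_krb5 line.
STALE = GOOD.replace("success=3", "success=2")

def parse_stack(text):
    """Return [(control, module)] for each module line of a PAM file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"-?\w+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:  # @include lines and empty lines do not match
            stack.append((m.group(1), m.group(2)))
    return stack

def check_jumps(text):
    """List (module, module reached on success, ok) for every success=N."""
    stack = parse_stack(text)
    findings = []
    for i, (control, module) in enumerate(stack):
        m = re.search(r"\bsuccess=(\d+)\b", control)
        if not m:
            continue
        target = i + 1 + int(m.group(1))  # success=N skips the next N modules
        landed = stack[target][1] if target < len(stack) else None
        # Assumption: a correct jump lands on pam_permit.so, never pam_deny.so
        findings.append((module, landed, landed == "pam_permit.so"))
    return findings

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("stale", STALE)):
        for module, landed, ok in check_jumps(text):
            print(name, module, "->", landed, "OK" if ok else "CHECK")
```

To check a live system, pass the contents of /etc/pam.d/common-auth to `check_jumps` instead of the constructed samples.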



