[Samba] Centos 7 member server login fails
Paul R. Ganci
ganci at nurdog.com
Thu Dec 28 02:00:27 UTC 2017
On 12/27/2017 02:39 AM, Rowland Penny via samba wrote:
>
> Have you actually given your users & groups a uidNumber or gidNumber
> attribute, or are you using the 'rid' backend
Yes I am using the AD backend and they have these uidNumber & gidNumbers.
They come from when I was originally using rid (back in the 4.0 days)
and switched to the AD backend. I just happened to make the
uidNumber/gidNumber the number one would get if using rid. I never
changed them to anything more reasonable since I didn't want to deal
with the issues that creates. So yes it seems strange but everything is
correct.
There is actually another list message in the archives where the use of
these uidNumber/gidNumber caused confusion. Maybe one of these days I
will change over to something more reasonable if just to avoid that
confusion.
> This gets stranger and stranger, if you are using the 'rid' backend,
> why does 'Administrator' have the 'RID' 1107 ? and if you aren't, why
> isn't it '0:0' ?
The kinit command was issued from the testuser1 account. I will go out
on a limb and suggest that 3001107 is correct since that is the keyring
owner. If it makes you feel better here is the same getent passwd on the
DC (note the "0" in the administrator user):
> getent passwd
MYDC\administrator:*:0:3000513::/home/administrator:/bin/bash
MYDC\testuser2:*:3001108:3000513::/home/testuser2:/bin/bash
MYDC\testuser1:*:3001107:3000513::/home/testuser1:/bin/bash
I did give domain users and domain admin groups gidNumbers so that is
what you see. That is why it is not 0:0. My understanding is that is
okay. You just cannot give administrator a uidNumber if I recall other
list messages correctly.
Also if I do the kinit/klist commands on the member server as root I get
this:
> kinit administrator
Password for administrator at MYDC.TEST.COM:
> klist
Ticket cache: KEYRING:persistent:0:krb_ccache_kgkyAS7
Default principal: administrator at MYDC.TEST.COM
Valid starting Expires Service principal
12/27/2017 18:24:49 12/28/2017 04:24:49 krbtgt/MYDC.TEST.COM at MYDC.TEST.COM
renew until 01/03/2018 18:24:46
> Winbind cannot find your user
Yes sssd was completely removed. The SERNET samba distribution will not
install if sssd is installed. Yum errors will occur. And as I said in my
other message the problem disappears once I re-ran authconfig-tui.
Authconfig-tui changes /etc/nsswitch.conf file per your suggestion, and
it recreates /etc/pam.d/passwd-auth-ac file and
/etc/pam.d/system-auth-ac for use with winbind. I had been using
/etc/pam.d/ files created from those used by sssd and hand edited with
vi to change over to winbind. While that worked at one time it failed
this time with my upgrade from samba 4.6 to 4.7. They were admittedly
pretty old versions of the PAM files so I guess I should have expected
this day to come.
In any event, I will reiterate that everything is working like it is
supposed to now. Thank you for your help.
--
Paul (ganci at nurdog.com)
Cell: (303)257-5208
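
Added example, not part of the original message: a small audit of the two things the message says authconfig-tui rewrote, the NSS sources and the PAM stack, flagging leftover sssd entries and missing winbind ones. The sample file contents are constructed, and the expectation that pam_winbind.so appears in the auth, account and password stacks is an assumption about a winbind-configured member server.

```python
import re
# Constructed sample inputs for illustration; not taken from the original message.
SAMPLE_NSSWITCH = """\
passwd:     files sss
group:      files winbind
"""
SAMPLE_PAM = """\
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
password    sufficient    pam_unix.so sha512 shadow
password    sufficient    pam_winbind.so use_authtok
"""
# A PAM control field is either one word or a bracketed list that contains spaces.
PAM_LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def nss_sources(text):
    """Map each nsswitch database to its sources, ignoring [STATUS=action] items."""
    out = {}
    for line in text.splitlines():
        db, sep, rest = line.split("#", 1)[0].partition(":")
        if sep:
            out[db.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return out

def pam_modules(text):
    """Map each PAM management group to the module file names in its stack."""
    mods = {}
    for line in text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0].strip())
        if m:
            mods.setdefault(m.group(1), []).append(m.group(3).rsplit("/", 1)[-1])
    return mods

def audit(nsswitch_text, pam_text):
    """Return findings for a host that should resolve and authenticate via winbind."""
    findings, nss, pam = [], nss_sources(nsswitch_text), pam_modules(pam_text)
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(f"nsswitch {db}: winbind missing")
        if "sss" in nss.get(db, []):
            findings.append(f"nsswitch {db}: leftover sss")
    for kind in ("auth", "account", "password", "session"):
        if kind != "session" and "pam_winbind.so" not in pam.get(kind, []):
            findings.append(f"pam {kind}: pam_winbind.so missing")
        if "pam_sss.so" in pam.get(kind, []):
            findings.append(f"pam {kind}: leftover pam_sss.so")
    return findings
```

Pass the contents of /etc/nsswitch.conf and of one PAM stack file to `audit()`; an empty list means neither check fired.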