[Samba] kerberos + winbind + AD authentication for samba 4 domain member

Kacper Wirski kacper.wirski at gmail.com
Wed Nov 1 19:28:05 UTC 2017


I'm going to start with clean centos install, so I might as well use some
additional guidelines, thank You.

When You run kinit, does Your user have a ticket already? What I noticed is
that when the user already has a ticket, kinit works fine and uses the
principal from that ticket as the default.
Can you do kdestroy - then kinit?

Also, on Fedora, did You install samba from source or from the repo's RPM?

And last question - for PAM did You manually edit system-auth, or with
authconfig?
After I do some tests later on, I will update with whatever I manage to
find/debug.

On 1 Nov 2017 18:51, "Rowland Penny via samba" <samba at lists.samba.org>
wrote:

> On Wed, 1 Nov 2017 17:41:14 +0100 (CET)
> "k.wirski babkamedica.pl" <k.wirski at babkamedica.pl> wrote:
>
> > Thank You,
> >
> > /etc/hostname I set it myself, never seen an issue with FQDN, I'll
> > change it
> >
> > localdomain in /etc/hosts is from the default config
> >
> > this auto krb5.conf.DOMAIN - could it be, that by default samba
> > builds with Heimdal, and centos (as RHEL) uses MIT krb, and
> > something in /etc/krb5.conf was not ok during join, for whatever
> > reason? The "auth_to_local" is MIT kerberos specific.
> >
> > Also auth_to_local is used when logging to machine, and my issue with
> > kinit is when mapping is done from local to UPN.
> >
> >
> > I removed whole /usr/local/samba dir, installed from scratch,
> > re-added to domain, recreated krb5.keytab, and issue is 100% the same.
> >
> >
> > I tried changing winbind separator from default to + and changed
> > krb5.conf rule accordingly, it changed nothing. Issue is not with
> > kerberos for login, it works a-ok. The issue is that for whatever
> > reason POSIX user is used with full name as principal.
> >
> > When I changed winbind separator, my posix user was
> > "DOMAIN+kacper_wirski", and "kinit" used
> >
> > DOMAIN+kacper_wirski at BMAD.BABKAMEDICA.PL as principal.
> >
> >
> > I am considering setting up a new machine from scratch from centos
> > minimal and going from there, or I'll take my risks and set "use default
> > domain = yes", then everything works perfectly.
> >
> >
> > Can this issue be caused by something outside this machine, and
> > something wrong with the domain overall? I don't believe it, since it
> > seems very local OS specific, but maybe it is?
> >
>
> All I can say is that when I set up Fedora 26 yesterday in the way I
> would set up a Devuan computer, 'kinit' works in the way you want.
>
> You are correct in that Samba uses Heimdal rather than MIT, but this is
> supplied with Samba and is only used if you compile for a DC, you
> haven't.
>
> Whilst it isn't recommended to use 'use default domain = yes', it is
> used rather a lot. The only time it definitely shouldn't be used is if
> you have more than one DOMAIN set in smb.conf.
>
> If it helps, I can send you the notes I made whilst setting up Fedora 26
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
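Added example (not from this thread or from Samba): the quoted messages talk about an MIT krb5 "auth_to_local" rule that was changed to match the winbind separator, and about "use default domain = yes", which makes winbind return bare user names that the DEFAULT rule then maps. The script below implements, in Python, the subset of MIT krb5's auth_to_local semantics needed to see that mapping happen (RULE with [n:string] selection, a selector regex and chained sed-style s/// substitutions, plus DEFAULT). The realm BMAD.BABKAMEDICA.PL is taken from the thread; the workgroup name "BMAD", the rule text itself and the sample principals are constructed assumptions, since the thread never shows the actual krb5.conf rule. Note this is the Kerberos-to-POSIX direction (what happens at login), which is the opposite of the kinit principal-selection problem the original poster describes.

```python
import re

# Constructed values for the example; the thread names the realm, but the
# workgroup, the rule text and the sample principals are assumptions.
REALM = "BMAD.BABKAMEDICA.PL"
WORKGROUP = "BMAD"


def rule_for_separator(separator):
    """Build an auth_to_local RULE mapping user@REALM to WORKGROUP<sep>user.

    Two chained substitutions: the first strips the realm, the second prefixes
    the workgroup and the winbind separator. A literal backslash separator has
    to be escaped inside the s/// replacement, exactly as in krb5.conf.
    """
    realm_re = re.escape(REALM)
    sep = separator.replace("\\", "\\\\")
    return f"RULE:[1:$1@$0](^.*@{realm_re}$)s/@{realm_re}$//s/^/{WORKGROUP}{sep}/"


_RULE_HEAD = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)(s/.*)?$")


def _parse_substitutions(text):
    """Split 's/a/b/s/c/d/g' into (pattern, replacement, is_global) triples.

    A backslash escapes the next character, so '/' may appear inside a part;
    escapes are kept verbatim here and interpreted later by _expand().
    """
    subs, i = [], 0
    while text[i:i + 2] == "s/":
        parts, cur, j = [], [], i + 2
        while j < len(text) and len(parts) < 2:
            if text[j] == "\\" and j + 1 < len(text):
                cur.extend(text[j:j + 2])
                j += 2
            elif text[j] == "/":
                parts.append("".join(cur))
                cur, j = [], j + 1
            else:
                cur.append(text[j])
                j += 1
        if len(parts) < 2:
            raise ValueError("malformed substitution: %r" % text[i:])
        is_global = text[j:j + 1] == "g"
        subs.append((parts[0], parts[1], is_global))
        i = j + (1 if is_global else 0)
    if i != len(text):
        raise ValueError("trailing text after substitutions: %r" % text[i:])
    return subs


def _expand(replacement, match):
    """Expand a replacement: \\N is a backreference, any other \\x is a literal x."""
    out, i = [], 0
    while i < len(replacement):
        c = replacement[i]
        if c == "\\" and i + 1 < len(replacement):
            nxt = replacement[i + 1]
            out.append((match.group(int(nxt)) or "") if nxt.isdigit() else nxt)
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def apply_rule(rule, principal):
    """Return the local name produced by one RULE, or None if it does not apply."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    head = _RULE_HEAD.match(rule)
    if head is None:
        raise ValueError("unsupported rule: %r" % rule)
    n, fmt, selector, subs_text = head.groups()
    if int(n) != len(components):          # [n:...] selects by component count
        return None
    # $0 is the realm, $1..$n are the principal components
    selected = re.sub(r"\$(\d+)",
                      lambda m: realm if m.group(1) == "0"
                      else components[int(m.group(1)) - 1], fmt)
    if re.search(selector, selected) is None:
        return None
    for pattern, replacement, is_global in _parse_substitutions(subs_text or ""):
        selected = re.sub(pattern, lambda m: _expand(replacement, m),
                          selected, count=0 if is_global else 1)
    return selected


def auth_to_local(principal, rules, default_realm=REALM):
    """First applicable rule wins. DEFAULT maps only single-component
    principals of the default realm; anything else yields None (no local user)."""
    for rule in rules:
        if rule == "DEFAULT":
            name, realm = principal.rsplit("@", 1)
            if realm == default_realm and "/" not in name:
                return name
            continue
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    user = "kacper_wirski@" + REALM            # constructed sample principal
    for sep in ("\\", "+"):
        print(repr(sep), "->", auth_to_local(user, [rule_for_separator(sep)]))
    print("DEFAULT ->", auth_to_local(user, ["DEFAULT"]))
    print("foreign realm ->", auth_to_local("alice@OTHER.EXAMPLE",
                                            [rule_for_separator("+"), "DEFAULT"]))
```

The point to check on a real member server is that the local name the rule produces is byte-for-byte what `getent passwd` returns for the winbind user: change the separator in smb.conf without changing the rule and the two stop agreeing, which is why the quoted messages changed both together. Principals from another realm, or multi-component service principals, come out as None from both RULE and DEFAULT, so they cannot be mapped to a local account by accident.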

