[Samba] Login to AD Member Fail
basti
mailinglist at unix-solution.de
Wed Jun 27 12:02:30 UTC 2018
On 27.06.2018 13:43, Rowland Penny via samba wrote:
> On Wed, 27 Jun 2018 13:04:12 +0200
> basti via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>> When I try to log in to the AD member from a Windows client via IP address, it
>> works.
>>
>> Logging in to the AD member from a Windows client via DNS name fails.
>> Windows Errorcode: 0x80070035
>>
>> Dc1: Samba 4.5.12+dfsg-2+deb9u2
>> AD Member: Samba 4.5.12+dfsg-2+deb9u2
>>
>> winbindd.log (AD Member)
>>
>> [2018/06/27 12:49:58.787087, 1]
>> ../source3/winbindd/winbindd_pam.c:2567(winbindd_pam_auth_pac_send)
>> Error during PAC signature verification: NT_STATUS_UNSUCCESSFUL
>> [2018/06/27 12:50:17.766117, 1]
>> ../source3/winbindd/winbindd_pam.c:2502(extract_pac_vrfy_sigs)
>> Failed to initialize kerberos context: Invalid argument
>>
>>
>> win-client.log (AD Member)
>>
>> [2018/06/27 12:49:13.354207, 1]
>> ../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
>> Failed to fetch record!
>> [2018/06/27 12:49:13.354282, 1]
>> ../source3/smbd/server_reload.c:69(delete_and_reload_printers)
>> pcap cache not loaded
>>
>>
>> smb.conf (AD Member)
>>
>> security = ADS
>> workgroup = DOM
>> realm = DOM.EXAMPLE.COM
>>
>> bind interfaces only = yes
>> interfaces = lo eth0
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 1000-1005
>
> The above range is much too small; there are more than 6 'Well known
> SIDs'.
>
>>
>> # idmap config for the DOM domain
>> idmap config KES:backend = ad
>> idmap config KES:schema_mode = rfc2307
>> idmap config KES:range = 1006-999999
>
> I hope this is just a typo, but just in case it isn't, 'KES' != 'DOM'
>
> I also hope you don't use sudo on this machine, mainly because you
> cannot have any local Unix users with the set ranges.
>
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> template homedir = /home/users/%U
>> template shell = /bin/bash
>>
>> winbind use default domain = yes
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>>
>
> Rowland
>
That is just a typo, and yes, there is only one local user with id 1000.
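As an added illustration of the two configuration problems Rowland points out (a '*' idmap range with no room for the well-known and BUILTIN SIDs, and an idmap domain label that does not match 'workgroup'), plus the third one he warns about (a local Unix account whose UID sits inside a winbind range), here is a small check written for this reply. It is not code from the thread's author or from the Samba project. The smb.conf and /etc/passwd lines are constructed from what the post describes, the 500-ID minimum for the '*' range is an arbitrary illustrative threshold (the Samba wiki examples use ranges such as 3000-7999), the check assumes the only named idmap domain is the member's own domain (trusts would need their own labels), and the "fixed" ranges in FIXED_SMB_CONF are example values, not a recommendation for a particular site.

```python
"""Check the winbind idmap settings of an smb.conf on a Samba AD member.

Added example, not code from the Samba project or the thread's author.
Flags: a '*' range too small for the well-known/BUILTIN SIDs, an idmap
domain label that differs from 'workgroup', overlapping ranges, and local
Unix accounts whose UID falls inside a winbind range.
"""
import re

# Constructed sample: the idmap-relevant lines of the smb.conf in the thread.
SAMPLE_SMB_CONF = """\
[global]
security = ADS
workgroup = DOM
realm = DOM.EXAMPLE.COM
idmap config * : backend = tdb
idmap config * : range = 1000-1005
idmap config KES:backend = ad
idmap config KES:schema_mode = rfc2307
idmap config KES:range = 1006-999999
winbind use default domain = yes
"""

# Constructed sample: the same file with the label and ranges corrected
# (example values, not a site-specific recommendation).
FIXED_SMB_CONF = """\
[global]
security = ADS
workgroup = DOM
realm = DOM.EXAMPLE.COM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOM:backend = ad
idmap config DOM:schema_mode = rfc2307
idmap config DOM:range = 10000-999999
"""

# Constructed sample: /etc/passwd with the one local user the poster mentions.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
basti:x:1000:1000:basti:/home/basti:/bin/bash
"""

MIN_DEFAULT_RANGE = 500  # assumption: illustrative minimum size for the '*' range

IDMAP_RE = re.compile(r"^idmap config\s*(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_smb_conf(text):
    """Return (workgroup, {DOMAIN: {option: value}}) for the idmap lines."""
    workgroup, idmap = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            idmap.setdefault(domain.upper(), {})[option.lower()] = value
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "workgroup":
            workgroup = value.strip().upper()
    return workgroup, idmap


def local_uids(passwd_text):
    """Map local account name -> UID from passwd-format lines."""
    return {f[0]: int(f[2]) for f in (l.split(":") for l in passwd_text.splitlines()) if len(f) >= 3}


def check_idmap(smb_conf_text, passwd_text):
    """Return a list of (code, message) findings; an empty list means no issue found."""
    findings = []
    workgroup, idmap = parse_smb_conf(smb_conf_text)
    ranges = {}
    for domain, opts in idmap.items():
        if "range" not in opts:
            findings.append(("missing-range", f"idmap config {domain} has no range"))
            continue
        lo, hi = (int(x) for x in opts["range"].split("-"))
        ranges[domain] = (lo, hi)
        if domain == "*" and hi - lo + 1 < MIN_DEFAULT_RANGE:
            findings.append(("default-range-too-small",
                             f"'*' range {lo}-{hi} holds only {hi - lo + 1} IDs"))
        elif domain != "*" and workgroup and domain != workgroup:
            findings.append(("domain-mismatch",
                             f"idmap config {domain} does not match workgroup {workgroup}"))
    # Adjacent ranges must not overlap, or winbind cannot allocate safely.
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, (lo1, hi1)), (d2, (lo2, _)) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:
            findings.append(("range-overlap", f"{d1} ({lo1}-{hi1}) overlaps {d2} (from {lo2})"))
    # A local UID inside a winbind range collides with mapped domain accounts.
    for user, uid in local_uids(passwd_text).items():
        for domain, (lo, hi) in ranges.items():
            if lo <= uid <= hi:
                findings.append(("local-uid-in-range",
                                 f"local user {user} (uid {uid}) is inside range of {domain} ({lo}-{hi})"))
    return findings


if __name__ == "__main__":
    for code, msg in check_idmap(SAMPLE_SMB_CONF, SAMPLE_PASSWD):
        print(f"{code}: {msg}")
    print("fixed config findings:", check_idmap(FIXED_SMB_CONF, SAMPLE_PASSWD))
```

Run against the posted configuration it reports the too-small '*' range, the KES/DOM mismatch and the local uid 1000 sitting inside the '*' range; against the corrected fragment it reports nothing. It only reads the file, so it can be run on a copy of smb.conf and /etc/passwd before restarting winbind.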