[Samba] Login to AD Member Fail

basti mailinglist at unix-solution.de
Wed Jun 27 12:02:30 UTC 2018



On 27.06.2018 13:43, Rowland Penny via samba wrote:
> On Wed, 27 Jun 2018 13:04:12 +0200
> basti via samba <samba at lists.samba.org> wrote:
> 
>> Hello,
>> when I try to log in to the AD member via IP address from a Windows client, it
>> works.
>>
>> Logging in to the AD member from a Windows client via DNS name fails.
>> Windows error code: 0x80070035
>>
>> Dc1: Samba 4.5.12+dfsg-2+deb9u2
>> AD Member: Samba 4.5.12+dfsg-2+deb9u2
>>
>> winbindd.log (AD Member)
>>
>> [2018/06/27 12:49:58.787087,  1]
>> ../source3/winbindd/winbindd_pam.c:2567(winbindd_pam_auth_pac_send)
>>   Error during PAC signature verification: NT_STATUS_UNSUCCESSFUL
>> [2018/06/27 12:50:17.766117,  1]
>> ../source3/winbindd/winbindd_pam.c:2502(extract_pac_vrfy_sigs)
>>   Failed to initialize kerberos context: Invalid argument
>>
>>
>> win-client.log (AD Member)
>>
>> [2018/06/27 12:49:13.354207,  1]
>> ../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
>>   Failed to fetch record!
>> [2018/06/27 12:49:13.354282,  1]
>> ../source3/smbd/server_reload.c:69(delete_and_reload_printers)
>>   pcap cache not loaded
>>
>>
>> smb.conf (AD Member)
>>
>>   security = ADS
>>    workgroup = DOM
>>    realm = DOM.EXAMPLE.COM
>>
>>    bind interfaces only = yes
>>    interfaces = lo eth0
>>
>>    log file = /var/log/samba/%m.log
>>    log level = 1
>>
>>    idmap config * : backend = tdb
>>    idmap config * : range = 1000-1005
> 
> The above range is much too small, there are more than 6 'Well known
> SIDs'
> 
>>
>>    # idmap config for the DOM domain
>>    idmap config KES:backend = ad
>>    idmap config KES:schema_mode = rfc2307
>>    idmap config KES:range = 1006-999999
> 
> I hope this is just a typo, but just in case it isn't, 'KES' != 'DOM'
> 
> I also hope you don't use sudo on this machine, mainly because you
> cannot have any local Unix users with the set ranges.
> 
>>
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>     template homedir = /home/users/%U
>>     template shell = /bin/bash
>>
>>     winbind use default domain = yes
>>
>>     vfs objects = acl_xattr
>>     map acl inherit = yes
>>     store dos attributes = yes
>>
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>
>>
> 
> Rowland
> 
That is just a typo, and yes, there is only one local user with ID 1000.
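As an added example (not code from the thread or from Samba), here is a small Python lint for the idmap settings Rowland comments on: it parses the member's smb.conf, flags a `*` range too small for the well-known SIDs, a domain label that does not match `workgroup`, local UIDs that fall inside a winbind range, and overlapping ranges. The sample config and local user table are constructed from the thread, and `min_default_size` is an assumed policy value.

```python
import re

# Constructed sample (not from a real host): the member's smb.conf from the thread.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = DOM
   idmap config * : backend = tdb
   idmap config * : range = 1000-1005
   idmap config KES:backend = ad
   idmap config KES:range = 1006-999999
"""
# Constructed: local Unix accounts on the member (name -> uid) as in /etc/passwd.
SAMPLE_LOCAL_USERS = {"basti": 1000}

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse_smb_conf(text):
    """Return (workgroup, {idmap_domain: {option: value}}) from smb.conf text."""
    workgroup, idmap = None, {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
        elif WORKGROUP_RE.match(line):
            workgroup = WORKGROUP_RE.match(line).group(1).upper()
    return workgroup, idmap

def lint_idmap(text, local_users, min_default_size=1000):
    """List idmap problems of the kind raised in the thread. min_default_size is an
    assumed policy value: '*' must hold the well-known SIDs and BUILTIN groups."""
    workgroup, idmap = parse_smb_conf(text)
    findings, ranges = [], {}
    for dom, opts in idmap.items():
        lo, hi = ranges[dom] = tuple(int(x) for x in opts["range"].split("-"))
        if dom == "*" and hi - lo + 1 < min_default_size:
            findings.append(f"default range {lo}-{hi} holds only {hi - lo + 1} IDs")
        elif dom != "*" and dom != workgroup:
            findings.append(f"idmap domain {dom!r} does not match workgroup {workgroup!r}")
        # A local account whose UID sits inside a winbind range collides with a mapped
        # AD identity; this is why sudo and local logins break on such a member.
        for name, uid in local_users.items():
            if lo <= uid <= hi:
                findings.append(f"local user {name} (uid {uid}) inside range {lo}-{hi} of {dom!r}")
    doms = sorted(ranges)  # ranges must not overlap each other or the '*' range
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges of {a!r} and {b!r} overlap")
    return findings
```

Running `lint_idmap(SAMPLE_SMB_CONF, SAMPLE_LOCAL_USERS)` reports the tiny default range, the UID 1000 collision and the `KES`/`DOM` mismatch; with the label corrected and non-overlapping, larger ranges it returns an empty list.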