[Samba] Login to AD Member Fail
Rowland Penny
rpenny at samba.org
Wed Jun 27 12:12:02 UTC 2018
On Wed, 27 Jun 2018 14:02:30 +0200
basti via samba <samba at lists.samba.org> wrote:
>
>
> On 27.06.2018 13:43, Rowland Penny via samba wrote:
> > On Wed, 27 Jun 2018 13:04:12 +0200
> > basti via samba <samba at lists.samba.org> wrote:
> >
> >> Hello,
> >> when I try to login to AD member via IP-Address from Windows
> >> Client it works.
> >>
> >> Login to AD Member from Windows Client via DNS Name fail.
> >> Windows Errorcode: 0x80070035
> >>
> >> Dc1: Samba 4.5.12+dfsg-2+deb9u2
> >> AD Member: Samba 4.5.12+dfsg-2+deb9u2
> >>
> >> winbindd.log (AD Member)
> >>
> >> [2018/06/27 12:49:58.787087, 1]
> >> ../source3/winbindd/winbindd_pam.c:2567(winbindd_pam_auth_pac_send)
> >> Error during PAC signature verification: NT_STATUS_UNSUCCESSFUL
> >> [2018/06/27 12:50:17.766117, 1]
> >> ../source3/winbindd/winbindd_pam.c:2502(extract_pac_vrfy_sigs)
> >> Failed to initialize kerberos context: Invalid argument
> >>
> >>
> >> win-client.log (AD Member)
> >>
> >> [2018/06/27 12:49:13.354207, 1]
> >> ../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
> >> Failed to fetch record!
> >> [2018/06/27 12:49:13.354282, 1]
> >> ../source3/smbd/server_reload.c:69(delete_and_reload_printers)
> >> pcap cache not loaded
> >>
> >>
> >> smb.conf (AD Member)
> >>
> >> security = ADS
> >> workgroup = DOM
> >> realm = DOM.EXAMPLE.COM
> >>
> >> bind interfaces only = yes
> >> interfaces = lo eth0
> >>
> >> log file = /var/log/samba/%m.log
> >> log level = 1
> >>
> >> idmap config * : backend = tdb
> >> idmap config * : range = 1000-1005
> >
> > The above range is much too small; there are more than 6 'Well known
> > SIDs'.
> >
> >>
> >> # idmap config for the DOM domain
> >> idmap config KES:backend = ad
> >> idmap config KES:schema_mode = rfc2307
> >> idmap config KES:range = 1006-999999
> >
> > I hope this is just a typo, but just in case it isn't, 'KES' !=
> > 'DOM'
> >
> > I also hope you don't use sudo on this machine, mainly because you
> > cannot have any local Unix users with the set ranges.
> >
> >>
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >> template homedir = /home/users/%U
> >> template shell = /bin/bash
> >>
> >> winbind use default domain = yes
> >>
> >> vfs objects = acl_xattr
> >> map acl inherit = yes
> >> store dos attributes = yes
> >>
> >> dedicated keytab file = /etc/krb5.keytab
> >> kerberos method = secrets and keytab
> >>
> >>
> >
> > Rowland
> >
> That is just a typo, and yes, there is only one local user with id
> 1000.
>
Sorry, but no, there isn't: 'idmap config * : range = 1000-1005' has
seen to that; you cannot have two users with the ID '1000'.
Can I also point out that if you can only connect by IP, then you probably
have a DNS issue.
Rowland
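The three configuration problems raised in this thread (a default '*' idmap range too small for the well-known SIDs, a per-domain idmap block whose name does not match the workgroup, and an idmap range that swallows a local Unix UID) can all be caught before a domain join by linting smb.conf. The script below is an added example, not Samba's own code and not posted by anyone in the thread. It embeds the smb.conf fragment from the original mail, a constructed /etc/passwd with one local account at UID 1000, and a constructed corrected configuration; the minimum size for the '*' range, the "regular account" UID window (taken as Debian's 1000-60000) and the corrected range values are assumptions chosen for the example, not requirements stated in the thread.

```python
"""Lint the idmap settings of an smb.conf on a Samba AD member.

Added example, not Samba code. Thresholds, the corrected values and the
sample /etc/passwd lines are constructed for illustration.
"""
import re

# 'idmap config DOM : option = value' in either spacing style used in smb.conf
IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)$", re.I)

# Assumed: Debian's login.defs window for regular (non-system) local accounts.
UID_MIN, UID_MAX = 1000, 60000
# Assumed floor for the '*' range; the Samba wiki's example uses 3000-7999.
MIN_DEFAULT_RANGE = 1000

# Constructed: the AD member's smb.conf as posted, unrelated options dropped.
SMB_CONF_POSTED = """
security = ADS
workgroup = DOM
realm = DOM.EXAMPLE.COM
idmap config * : backend = tdb
idmap config * : range = 1000-1005
idmap config KES:backend = ad
idmap config KES:schema_mode = rfc2307
idmap config KES:range = 1006-999999
"""

# Constructed: a corrected version (assumed values, domain name consistent).
SMB_CONF_FIXED = """
security = ADS
workgroup = DOM
realm = DOM.EXAMPLE.COM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOM : backend = ad
idmap config DOM : schema_mode = rfc2307
idmap config DOM : range = 10000-999999
"""

# Constructed /etc/passwd: one regular local account with UID 1000.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
basti:x:1000:1000::/home/basti:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""


def parse_smb_conf(text):
    """Return (opts, idmap): opts is option->value, idmap is
    domain->{option: value} with domain names upper-cased ('*' stays '*')."""
    opts, idmap = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3).strip()
            idmap.setdefault(dom, {})[opt] = val
        elif "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip().lower()] = val.strip()
    return opts, idmap


def parse_range(val):
    """'1000-1005' -> (1000, 1005)."""
    low, high = (int(x) for x in val.split("-", 1))
    return low, high


def local_uids(passwd_text):
    """UIDs of regular local accounts from /etc/passwd-style lines."""
    uids = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uid = int(fields[2])
            if UID_MIN <= uid <= UID_MAX:
                uids.append(uid)
    return uids


def check_idmap(conf_text, passwd_text):
    """Return a list of (code, detail) findings; an empty list means all checks pass."""
    opts, idmap = parse_smb_conf(conf_text)
    findings = []
    workgroup = opts.get("workgroup", "").upper()
    ranges = {}
    for dom, settings in idmap.items():
        if "range" not in settings:
            findings.append(("missing-range", f"no range for idmap domain {dom}"))
            continue
        ranges[dom] = parse_range(settings["range"])

    # 1. the '*' range must have room for the well-known SIDs and BUILTIN groups
    if "*" in ranges:
        low, high = ranges["*"]
        size = high - low + 1
        if size < MIN_DEFAULT_RANGE:
            findings.append(("default-range-small", f"'*' range {low}-{high} holds only {size} IDs"))
    elif "*" not in idmap:
        findings.append(("missing-range", "no 'idmap config * : range'"))

    # 2. a per-domain block should name the workgroup (trusted domains aside)
    for dom in idmap:
        if dom != "*" and dom != workgroup:
            findings.append(("domain-mismatch", f"idmap block {dom!r} does not match workgroup {workgroup!r}"))

    # 3. no idmap range may contain a local Unix UID
    for uid in local_uids(passwd_text):
        for dom, (low, high) in ranges.items():
            if low <= uid <= high:
                findings.append(("local-uid-overlap", f"local UID {uid} falls inside {dom} range {low}-{high}"))

    # 4. idmap ranges must not overlap each other
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                findings.append(("range-overlap", f"{a} and {b} ranges overlap"))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", SMB_CONF_POSTED), ("fixed", SMB_CONF_FIXED)):
        print(f"== {label} ==")
        for code, detail in check_idmap(conf, PASSWD_SAMPLE) or [("ok", "no findings")]:
            print(f"{code}: {detail}")
```

Run against the posted fragment it reports the small '*' range, the 'KES' versus 'DOM' mismatch and the local UID 1000 sitting inside the '*' range; against the corrected fragment it reports nothing. On a real member server replace the embedded strings with the contents of /etc/samba/smb.conf and /etc/passwd.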