[Samba] SSH SSO without keytab file
Rowland Penny
rpenny at samba.org
Fri Jan 18 08:33:53 UTC 2019
On Fri, 18 Jan 2019 08:24:03 +0000
Harpoon via samba <samba at lists.samba.org> wrote:
> Thanks for the prompt reply!
>
> > I did see that you are using Administrator, and thats the problem.
>
> > Administrator is mapped to root ( most of the time ),
> > if you assigned Administrator UID = 0 then you have a problem,
> > because only root = uid 0.
> >
> > Never ever give Administrator a UID/GID
> I am using tdb backend. It mapped administrator account to
> 12000:10000.
>
> > So try again with a normal user, that does have a UID/GID.
>
> I tried testing with normal users too whose UID/GID was mapped by tdb
> in ~10000 range. It produced the same problem.
>
> > If that does not work, please share these, because this should work
> > fine. /etc/samba/smb.conf
> > /etc/krb5.conf
> > /etc/ssh/sshd_config
>
> Please find these conf files here:
>
> -----------------------------
> DC's /etc/samba/smb.conf
> -----------------------------
> [global]
> netbios name = DC1
> realm = SAMDOM.EXAMPLE.COM
> workgroup = SAMDOM
> dns forwarder = 10.0.5.200
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> winbind enum users = yes
> winbind enum groups = yes
> template shell = /bin/bash
>
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> --------------------------------
> Client's /etc/samba/smb.conf
> --------------------------------
> [global]
> netbios name = client1
> realm = SAMDOM.EXAMPLE.COM
> workgroup = SAMDOM
> security = ADS
> kerberos method = secrets and keytab
> winbind trusted domains only = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind nss info = rfc2307
>
> idmap config * : backend = tdb
> idmap config * : range = 10000-200000
>
There is your probable problem, you haven't set up 'idmap config'
correctly, see here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
You will probably want to use the winbind 'rid' backend
Rowland
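As an added example that is not part of the thread above, this is a domain-member smb.conf that replaces the quoted client's tdb-only idmap block with the 'rid' backend Rowland points to. The netbios name, realm, workgroup and the 3000-7999 / 10000-999999 ranges are assumptions, the latter taken from the Samba wiki page linked above; the quoted 'winbind nss info = rfc2307' line is dropped because that setting only takes effect with the 'ad' backend, which reads uidNumber/gidNumber from AD, not with 'rid'.

```ini
# Added example, not the original poster's file: domain-member smb.conf with
# the rid backend instead of a single tdb backend covering every domain.
# Names and ranges are assumptions; the two ranges must not overlap.
[global]
        netbios name = client1
        realm = SAMDOM.EXAMPLE.COM
        workgroup = SAMDOM
        security = ADS
        kerberos method = secrets and keytab
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes

        # rid has no per-user shell/home attributes, so the templates apply
        template shell = /bin/bash
        template homedir = /home/%U

        # Default ('*') domain: tdb is only for BUILTIN and other well-known
        # SIDs. Keep it small and outside the range of the real domain.
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        # Our own domain: UID/GID = range base + RID, computed deterministically,
        # so every member using the same base maps a given account to the same
        # ID and there is no per-host tdb allocation table to drift.
        idmap config SAMDOM : backend = rid
        idmap config SAMDOM : range = 10000-999999
```

After editing, check the file with `testparm`, restart winbind, and confirm that `getent passwd someuser` and `id someuser` (with 'winbind use default domain = yes' the SAMDOM\ prefix is not needed) return the same UID on every member. The tdb backend in the quoted config hands out IDs in order of first sight on each host, so the same account can get a different UID on each machine; rid removes that variable before you go on to debug the SSH side.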