[Samba] SSH SSO without keytab file

Rowland Penny rpenny at samba.org
Fri Jan 18 08:33:53 UTC 2019


On Fri, 18 Jan 2019 08:24:03 +0000
Harpoon via samba <samba at lists.samba.org> wrote:

> Thanks for the prompt reply!
> 
> > I did see that you are using Administrator, and thats the problem.
> 
> > Administrator is mapped to root ( most of the time ),
> > if you assigned Administrator UID = 0 then you have a problem,
> > because only root = uid 0.
> >
> > Never ever give Administrator a UID/GID
> I am using tdb backend. It mapped administrator account to
> 12000:10000.
> 
> > So try again with a normal user, that does have a UID/GID.
> 
> I tried testing with normal users too whose UID/GID was mapped by tdb
> in ~10000 range. It produced the same problem.
> 
> > If that does not work, please share these, because this should work
> > fine. /etc/samba/smb.conf
> > /etc/krb5.conf
> > /etc/ssh/sshd_config
> 
> Please find these conf files here:
> 
> -----------------------------
> DC's /etc/samba/smb.conf
> -----------------------------
> [global]
>         netbios name = DC1
>         realm = SAMDOM.EXAMPLE.COM
>         workgroup = SAMDOM
>         dns forwarder = 10.0.5.200
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         template shell = /bin/bash
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/samdom.example.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> --------------------------------
> Client's /etc/samba/smb.conf
> --------------------------------
> [global]
>         netbios name = client1
>         realm = SAMDOM.EXAMPLE.COM
>         workgroup = SAMDOM
>         security = ADS
>         kerberos method = secrets and keytab
>         winbind trusted domains only = no
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind use default domain = yes
>         winbind nss info = rfc2307
> 
>         idmap config * : backend = tdb
>         idmap config * : range = 10000-200000
> 

There is your probable problem, you haven't set up 'idmap config'
correctly, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

You will probably want to use the winbind 'rid' backend.

Rowland
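For readers following the thread, here is what the quoted client `[global]` section looks like when the idmap settings are split the way the linked wiki page describes. This is an added illustration, not part of Rowland's reply or the original poster's files: the domain name SAMDOM is taken from the quoted config, while the ID ranges shown are illustrative values (any non-overlapping ranges that fit your environment will do). The first block reproduces the quoted setting that Rowland points at; the second is the corrected form.

```ini
; --- as posted: one tdb backend for everything ---
; tdb hands out the next free ID to whichever SID it sees first,
; so the same domain user can get a different UID on every member,
; and there is no separate range for the built-in/default ("*") domain.
[global]
        idmap config * : backend = tdb
        idmap config * : range = 10000-200000

; --- corrected: default domain and SAMDOM get separate backends/ranges ---
; The "*" domain (BUILTIN and anything not otherwise configured) keeps
; tdb with its own small range; the AD domain uses rid, which computes
; UID/GID = range_low + RID deterministically from the SID, so every
; domain member derives the same IDs without sharing a database.
; Ranges are illustrative (assumption); they must not overlap.
[global]
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config SAMDOM : backend = rid
        idmap config SAMDOM : range = 10000-999999
```

After changing the backend, existing tdb allocations no longer apply, so re-check the resulting IDs on the member with `wbinfo -i <user>` and `getent passwd <user>` before relying on them for SSH logins; Administrator (RID 500) will map to `10000 + 500` under the illustrative range above rather than to whatever tdb had handed out.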


