[Samba] (no subject)
L.P.H. van Belle
belle at bazuin.nl
Fri Mar 1 14:03:37 UTC 2019
Hi Jonathon,
In addition to Rowland's comment...
He is always quicker with the response when I'm typing mine...
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Jonathon Reinhart via samba
> Sent: Friday 1 March 2019 14:22
> To: samba at lists.samba.org
> Subject: [Samba] (no subject)
>
> Hello,
>
> I'm running a Samba DC on Debian 9 (version 4.5.12-Debian) in a lab
> environment, set up like this:
> https://jonathonreinhart.com/posts/blog/2019/02/11/setting-up-
> a-samba-4-domain-controller-on-debian-9/
A few minor points.
REALM="ad.onthefive.com"
Realm always in CAPS; this prevents problems with other programs. Most programs expect the REALM in CAPS.
For example, postfix expects the REALM in CAPS.
I suggest you add a note here that the DNS domain and the REALM are two different things.
And the other side note on this is: often the DNS domain == REALM (but in caps).
The krb5.conf: mv /etc/krb5.conf /etc/krb5.conf.old
The default from Debian, if you enter the REALM in CAPS at install, is sufficient.
Not really needed, but not wrong.
I also suggest adding a check whether the reverse zone exists.
>
> I would now like to configure this server to enable login via domain
> credentials. I'm aware that the Samba wiki recommends the following:
apt install ssh-krb5 libpam-krb5 libnss-winbind libpam-winbind
That configures 1-2 parameters in sshd_config and directly gives you the ability to log in with Kerberos.
Note: this does not account for the missing "template" parameters.
Default: template homedir = /home/%D/%U
Default: template shell = /bin/false
(man smb.conf)
And how are the homedirs created, through ADUC or mk_homedir?
Needed on the DCs with logins, and on members that use the RID setup, is also setting this in /etc/nsswitch.conf:
passwd: compat winbind
group: compat winbind
>
> -
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> -
> https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM
>
> However, I'm familiar with using Realmd (using its default SSSD) to
> join Linux servers to a MS AD domain, to enable SSH and sudo using
> domain credentials. So I'm trying to use Realmd on my Samba DC, using
> windbind instead of sssd (because Samba already uses winbind).
If I may suggest, go through these:
https://github.com/thctlo/samba4/tree/master/howtos
These are a bit older; I'm working on the update and nicer layouts etc.
It's my git link; most things you want/ask for are in my scripts.
For example, what I don't see on the site is the check on /etc/hosts.
If you installed with DHCP you need to change 127.0.1.1 to the real IP of the server in /etc/hosts.
>
> I first installed libpam-winbind, and then attempted the following:
> # realm join --client-software=winbind
> --automatic-id-mapping=no ad.example.com
>
> After entering my domain Administrator password, I received
> this error message:
> realm: Couldn't join realm: Failed to enroll machine in
> realm. See diagnostics.
>
> Upon a second attempt, I got this error message:
> realm: Couldn't join realm: Joining the domain ad.example.com failed
>
> Looking in the realmd logs, I see the following:
>
> * LANG=C LOGNAME=root /usr/bin/net -s
> /var/cache/realmd/realmd-smb-conf.3D2AXZ -U Administrator ads join
> ad.example.com
> gss_init_sec_context failed with [ Miscellaneous failure (see
> text): Server (ldap/samba-dc.ad.example.com at AD.EXAMPLE.COM)
> unknown]
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: for
> ldap/samba-dc.ad.example.com user[Administrator]
> realm[AD.EXAMPLE.COM]: An internal error occurred.
>
> At this point, I'm stumped. This is on a very fresh install, so it
> should be very easy to reproduce.
>
> Is what I'm attempting to do a valid operation? Or is it weird that
> realmd is trying to "join" the DC to the domain?
No, not strange, but realmd is "joining" the AD DC and it's trying that with member settings.
That won't work on the DC itself, of course.
Greetz,
Louis
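The checks Louis lists above (REALM in caps matching the DNS domain, /etc/hosts not binding the DC's name to 127.0.1.1, winbind in nsswitch.conf, and an existing reverse zone) collected into one pre-flight script. This is an added example, not code from the mailing-list post or from Samba itself; the function names, the /24 assumption for the reverse zone, and the assumed "pszZoneName :" line format of saved `samba-tool dns zonelist` output are this script's own.

```shell
#!/bin/sh
# Pre-flight checks for a Samba AD DC host before enabling domain logins.
# Added example, not part of Samba or of the posts above. Function names,
# the /24 assumption and the zone-list line format are this script's own.

# Upper-case a string (the REALM is conventionally the DNS domain in caps).
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Escape dots so a domain name or IP can be used inside a grep -E pattern.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# check_realm DNS_DOMAIN REALM: succeeds when REALM is exactly the DNS
# domain in capitals (ad.example.com -> AD.EXAMPLE.COM).
check_realm() {
    [ "$2" = "$(upper "$1")" ]
}

# check_hosts HOSTSFILE FQDN IP: Debian installs done over DHCP map the
# hostname to 127.0.1.1; a DC must map its FQDN to its real address instead.
check_hosts() {
    hosts=$1; fqdn_re=$(re_escape "$2"); ip_re=$(re_escape "$3")
    name_re="[[:space:]]+(.*[[:space:]])?${fqdn_re}([[:space:]]|$)"
    if grep -Eq "^[[:space:]]*127\.0\.1\.1${name_re}" "$hosts"; then
        echo "hosts: $2 is bound to 127.0.1.1, use the real address $3" >&2
        return 1
    fi
    grep -Eq "^[[:space:]]*${ip_re}${name_re}" "$hosts" ||
        { echo "hosts: no line mapping $3 to $2" >&2; return 1; }
}

# check_nsswitch FILE: passwd and group lookups must include winbind,
# otherwise domain users authenticate via Kerberos but do not resolve via NSS.
check_nsswitch() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# reverse_zone IP: the in-addr.arpa zone name for the /24 containing IP
# (assumes a /24 network; adjust for other prefix lengths).
reverse_zone() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}

# check_reverse_zone ZONELIST IP: ZONELIST is the saved output of
#   samba-tool dns zonelist <dc> -U Administrator
# which is assumed here to print one "pszZoneName : <zone>" line per zone.
check_reverse_zone() {
    zone=$(reverse_zone "$2")
    grep -Eq "pszZoneName[[:space:]]*:[[:space:]]*$(re_escape "$zone")([[:space:]]|$)" "$1" ||
        { echo "dns: reverse zone $zone not found" >&2; return 1; }
}

# main DNS_DOMAIN REALM FQDN IP [ZONELIST]: run every check against the live
# system files, report all failures, and exit non-zero if any failed.
main() {
    rc=0
    check_realm "$1" "$2" || { echo "realm: expected $(upper "$1"), got $2" >&2; rc=1; }
    check_hosts /etc/hosts "$3" "$4" || rc=1
    check_nsswitch /etc/nsswitch.conf || { echo "nsswitch: add winbind to passwd and group" >&2; rc=1; }
    if [ -n "${5:-}" ]; then
        check_reverse_zone "$5" "$4" || rc=1
    fi
    return $rc
}

# Only run the checks when invoked with arguments, e.g.
#   samba-tool dns zonelist dc1.ad.example.com -U Administrator > /tmp/zones
#   sh dc-preflight.sh ad.example.com AD.EXAMPLE.COM dc1.ad.example.com 192.168.1.10 /tmp/zones
[ $# -eq 0 ] || main "$@"
```

Each check takes its input file as an argument, so the same functions can be run against copies of /etc/hosts and /etc/nsswitch.conf taken from a host before it is promoted, and the reverse-zone check works from saved `samba-tool` output rather than needing live DNS access.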