[Samba] (no subject)

Rowland Penny rpenny at samba.org
Fri Mar 1 14:42:10 UTC 2019


On Fri, 1 Mar 2019 15:03:37 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hi Jonathon,  
> 
> In addition to Rowland's comment..
> He is always quicker in the response when I'm typing them..
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Jonathon Reinhart via samba
> > Sent: Friday 1 March 2019 14:22
> > To: samba at lists.samba.org
> > Subject: [Samba] (no subject)
> > 
> > Hello,
> > 
> > I'm running a Samba DC on Debian 9 (version 4.5.12-Debian) in a lab
> > environment, set up like this:
> > https://jonathonreinhart.com/posts/blog/2019/02/11/setting-up-a-samba-4-domain-controller-on-debian-9/
> 
> A few minor points. 
> 
> REALM="ad.onthefive.com" 
> Realm always in CAPS; this prevents problems with other programs. Most
> programs expect the REALM in CAPS. For example, postfix expects the
> REALM in CAPS. 
> 
> I suggest you add a note here that the DNS domain and the REALM are 2
> different things. And the other side note on this is, often the
> dns-domain == REALM ( but in caps ) 
> 
> The krb5.conf: mv /etc/krb5.conf /etc/krb5.conf.old
> The default from Debian, if you enter the REALM in CAPS at install, is
> sufficient. Not really needed, but not wrong. 
> 
> I also suggest, add a check if the reverse zone exists. 
> 
> > 
> > I would now like to configure this server to enable login via domain
> > credentials. I'm aware that the Samba wiki recommends the following:
> 
> apt install ssh-krb5 libpam-krb5 libnss-winbind libpam-winbind 
> 
> That configures 1-2 parameters in sshd_config and directly gives you
> the ability to log in with Kerberos. Note, not accounting for the
> missing "template" parameters. 
> 
> Default: template homedir = /home/%D/%U
> Default: template shell = /bin/false
> (man smb.conf) 
> And how are the homedirs created, through ADUC or mk_homedir? 
> 
> Needed on the DCs with logins, and on members that use the RID setup;
> also set in /etc/nsswitch.conf:
> passwd:         compat winbind
> group:          compat winbind
> 
> > 
> > - 
> > https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> > - 
> > https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM
> > 
> > However, I'm familiar with using Realmd (using its default SSSD) to
> > join Linux servers to a MS AD domain, to enable SSH and sudo using
> > domain credentials.  So I'm trying to use Realmd on my Samba DC,
> > using winbind instead of sssd (because Samba already uses winbind).
> 
> If I may suggest, go through these. 
> https://github.com/thctlo/samba4/tree/master/howtos
> These are a bit older; I'm working on the update and nice layouts etc. 
> It's my git link; most things you're wanting/asking are in my scripts. 
> 
> For example, what I don't see on the site is the check on /etc/hosts. 
> If you installed with DHCP you need to change 127.0.1.1 to the real
> IP of the server in /etc/hosts.
> 
> > 
> > I first installed libpam-winbind, and then attempted the following:
> > # realm join --client-software=winbind --automatic-id-mapping=no ad.example.com
> > 
> > After entering my domain Administrator password, I received 
> > this error message:
> > realm: Couldn't join realm: Failed to enroll machine in realm. See diagnostics.
> > 
> > Upon a second attempt, I got this error message:
> > realm: Couldn't join realm: Joining the domain ad.example.com failed
> > 
> > Looking in the realmd logs, I see the following:
> > 
> >     * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.3D2AXZ -U Administrator ads join ad.example.com
> >     gss_init_sec_context failed with [ Miscellaneous failure (see text): Server (ldap/samba-dc.ad.example.com at AD.EXAMPLE.COM) unknown]
> >     kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: for ldap/samba-dc.ad.example.com user[Administrator] realm[AD.EXAMPLE.COM]: An internal error occurred.
> > 
> > At this point, I'm stumped. This is on a very fresh install, so it
> > should be very easy to reproduce.
> > 
> > Is what I'm attempting to do a valid operation? Or is it weird that
> > realmd is trying to "join" the DC to the domain?
> 
> No, not strange, but realmd is "joining" the AD DC and it's trying
> that with member settings. That won't work on the DC itself, of course. 
> 

Not strange ? 
He is trying to join the DC to the domain and it is already joined.

Rowland
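The checks the thread walks through (realm in CAPS, the hostname not left on 127.0.1.1 in /etc/hosts, winbind in nsswitch.conf, and Rowland's point that a host whose server role is already an AD DC is already joined, so `realm join` does not apply) as small shell functions. This is an added example, not code from the thread or from the Samba project; each function takes the path of the file to inspect (on a real host /etc/samba/smb.conf, /etc/hosts, /etc/nsswitch.conf), and the hostname argument is an assumption.

```shell
#!/bin/sh
# Pre-flight checks for the points raised in this thread. Added example,
# not from the original posts or the Samba project. Every function takes
# the path of the file to inspect so it also runs against copies.

# Value of an smb.conf parameter ($2): first match, trailing whitespace
# stripped, empty string if the parameter is absent.
smb_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
        sed 's/[[:space:]]*$//'
}

# 1. realm must be in upper case (postfix and other programs expect it).
check_realm_caps() {
    realm=$(smb_param "$1" realm)
    [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# 2. A Debian host installed via DHCP maps its own name to 127.0.1.1 in
#    /etc/hosts; a DC's name must point at its real address instead.
#    $1 = hosts file, $2 = short name or FQDN to look for (assumed input).
check_hosts_not_loopback() {
    ! grep -Eq "^[[:space:]]*127\.0\.1\.1([[:space:]]+[^[:space:]]+)*[[:space:]]+$2([[:space:]]|$)" "$1"
}

# 3. passwd and group in nsswitch.conf must list winbind.
check_nsswitch_winbind() {
    grep -Eq '^[[:space:]]*passwd:([[:space:]]+[^[:space:]]+)*[[:space:]]+winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:([[:space:]]+[^[:space:]]+)*[[:space:]]+winbind([[:space:]]|$)' "$1"
}

# 4. A host whose server role is an AD DC is already joined to the
#    domain; running "realm join" against it makes no sense.
is_already_dc() {
    role=$(smb_param "$1" "server role" | tr '[:upper:]' '[:lower:]')
    [ "$role" = "active directory domain controller" ]
}
```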
