[Samba] Samba 4.8 Config SMB.Conf File
L.P.H. van Belle
belle at bazuin.nl
Sat Mar 16 15:02:29 UTC 2019
since im not driving now..
the krb5.conf is wrong.
double entries, and put in the dc ip's
MYDOMAIN.COM = {
kdc = dc1.MYDOMAIN.COM
kdc = dc2.MYDOMAIN.COM
}
but use as Rowland showed first and try adding the Domain and RealmDomain setting in idmapd.conf
(man idmap.conf)
Greetz
Louis
Op 15 mrt. 2019 14:59 schreef Rowland Penny via samba <samba at lists.samba.org>:
On Fri, 15 Mar 2019 09:17:34 -0400
Tyrus Shivers <tyrus.shivers at bestgateeng.com> wrote:
> Rowland,
>
> These are all VMs I am working on. I have tried it on several
> different "test" VMs. Blew away VMs and created new ones, still does
> not work.
This is very, very, strange.
You are joining the domain with:
net ads join -U Administrator
Once joined, what does this produce:
net ads testjoin
>
> It takes me a little time to type the info from the directories
> because I cannot copy/past due to network separation.
Can you explain 'network separation' ?
>
> Contents below:
>
> /etc/hostname
> testadmin
Nothing wrong there.
>
> /etc/hosts
> 127.0.0.1 localhost localhost.localdomain localhost4
> localhost4.localdomain4 :1 localhost localhost.localdomain localhost6
> localhost6.localdomain6 IPADDR testadmin.mydomain.com testadmin
> IPADDR DC1.mydomain.com DC1
Again. nothing really wrong, but you don't (or is that shouldn't) need
the DC info.
>
> /etc/resolv.conf
> search mydomain.com
> nameserver "ipaddress for DC1"
> nameserver "ipaddress for DC2"
Nothing wrong there.
>
> /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE: /var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24hr
> renew_lifetime = 7d
> forwardable = true
> rdsn = false
> # default_realm = EXAMPLE.COM
> default_ccache_name = KEYRING:persistent:%{uid}
>
> default_realm = MYDOMAIN.COM
> [realms]
> #EXAMPLE.COM = {
> # kdc = kerberos.example.com
> # admin_server = kerberos.example.com
> #}
>
> MYDOMAIN.COM = {
> kdc = dc1.MYDOMAIN.COM
> }
>
> MYDOMAIN.COM =
> kdc = dc1.MYDOMAIN.COM
> }
>
> [domain_realm]
> #.example.com = EXAMPLE.COM
> #example.com = EXAMPLE.COM
> mydomain.com = MYDOMAIN.COM
> .mydomain.com = MYDOMAIN.COM
>
My is:
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
But yours should work.
>
> /etc/samba/smb.conf
> workgroup = mydomain
> > realm = mydomain.com
> > security = ads
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config MYDOMAIN : backend = rid
> > idmap config MYDOMAIN : range = 10000-19999
> > allow trusted domain = no
> > template shell = /bin/bash
> > winbind refresh tickets = yes
> > restrict anonymous = 2
>
About the only real difference between yours and mine is this line in
mine:
winbind use default domain = yes
and that only turns off the domain name in user & group searches i.e.
'DOMAIN\username' just becomes 'username'
>
> /etc/nsswitch.conf
> passwd: files winbind
> shadow: files
> group: files winbind
> #initgroups : files
>
> hosts: files dns myhostname
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
>
> netgroup: files
> publickey: nisplus
>
> automount: files
> aliases: files nisplus
>
Again nothing wrong.
But I get:
[root at cen7member ~]# getent passwd rowland
rowland:*:11107:10513::/home/rowland:/bin/bash
[root at cen7member ~]# id rowland
uid=11107(rowland) gid=10513(domain users) .............
I wonder if this is a 'time' problem, is the time the same on the DC
and this Unix domain member ?
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list