[Samba] authentication problem
L.P.H. van Belle
belle at bazuin.nl
Fri Jan 10 10:19:44 UTC 2020
Hai,
Not sysprepping is asking for problems.. Your computer SIDs are now the same.
Always sysprep, I'm currently rolling out new W10 PCs atm.
Read: https://thesolving.com/server-room/when-and-how-to-use-sysprep/
Tip, use this order to setup.
- Start a new computer, setup, at the first page the W10 install stops and is asking questions.
CTRL+SHIFT+F3, now it reboots and logs in as Administrator automatically.
Configure the computer, install the needed software, everything you need/want.
( NOTE, I only install/remove software, all other parts are done in GPOs. )
Cleanup the crap from W10.
runas Administrator PowerShell:
and run : Get-AppxPackage -AllUsers | Where-Object {$_.Name -notlike "*store*"} | Remove-AppxPackage
this removes all crap apps, excluding Windows Store ( advised to keep that, can give problems to get it back )
run sysprep.
- if you use fixed IP, first set the fixed IP, reboot
- Change PC name, reboot
- Add to domain, reboot
Done, resulting in always correct DNS entries. ;-)
Short version of how I set up my PCs.
Greetz
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Pisch Tamás via samba
> Sent: Friday 10 January 2020 10:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] authentication problem
>
> > You also have these lines:
> >
> > logon path = ""
> > name resolve order = lmhosts host bcast
> >
> > You should remove these, they have no place in an AD smb.conf
>
> The smb.conf manpage mentions that:
> 'Disable the use of roaming profiles by setting the value of this
> parameter to the empty string. For example, logon path = "".'
> I don't want roaming profiles, so I thought I need this parameter. Is
> it enough if user profiles have empty Profile Path entries?
> "Disabling of all roaming profile use requires that the user account
> settings must also be blank."
> What does it mean exactly?
> name resolve order: I removed this setting from DCs. man offers wins
> bcast settings for security = ADS, and SRV8 has that setting.
>
> > Now we come to a line that you should add to all the smb.conf files:
> >
> > winbind refresh tickets = yes
> >
> > This will ensure that your kerberos tickets will be refreshed.
>
> For this, I need libpam-winbind, according to the manual.
> I've read that:
> "Note: For a DC you do not need libpam-winbind libnss-winbind
> libpam-krb5, unless you require AD users to login "
> I think, to login locally. I don't want them to login locally, so I
> thought I don't want these on DCs. Do I really need libpam-winbind,
> and 'winbind refresh tickets' on DCs?
> I set it up on SRV8 and DC3.
No, but what if you want to login..
The solution to this is very simple, create a group on AD and/or on Linux, give it a GID (in case of an AD group)
And add something like the lines below in sshd_config.
# Allow groups ( samba/windows groups GID is a must )
AllowGroups ssh-allow-from-ad localAdminGroup
>
> I still have the auth problem. 1-2 months ago I reinstalled the
> computers that had this problem, and after that the authentication
> problem disappeared, but I wouldn't like to do it frequently.
> Another question, but might be related to this problem.
> I usually reinstall computers from clone image file, but I don't use
> sysprep. What problem(s) can cause that?
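Added example, not part of the original email: a check for the AllowGroups advice above, confirming that every group named in sshd_config resolves to a GID through NSS, since a group the system cannot resolve never matches a user and the restriction then locks everyone out. The function names and the sample config are constructed for illustration; on a Samba host, resolving AD groups this way assumes winbind is configured in nsswitch.

```python
import grp
import re

# Constructed sample; the two group names are the ones from the email.
SAMPLE_SSHD_CONFIG = """\
# Allow groups ( samba/windows groups GID is a must )
AllowGroups ssh-allow-from-ad localAdminGroup
PasswordAuthentication no
"""


def allowed_groups(config_text):
    """Collect the entries of every AllowGroups line.

    Keywords are case-insensitive, may be followed by whitespace or '=',
    and AllowGroups may be given more than once.
    """
    names = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "allowgroups":
            names.extend(parts[1].split())
    return names


def audit_allowgroups(config_text, lookup=grp.getgrnam):
    """Map each entry to its GID, None if unresolvable, or "pattern"."""
    report = {}
    for name in allowed_groups(config_text):
        if any(ch in name for ch in "*?!"):
            report[name] = "pattern"  # wildcard/negation, not a single group
            continue
        try:
            report[name] = lookup(name).gr_gid
        except KeyError:  # NSS does not know the group: sshd cannot match it
            report[name] = None
    return report


def unresolved(report):
    """Entries that would never match any user's group list."""
    return sorted(n for n, gid in report.items() if gid is None)


if __name__ == "__main__":
    print(audit_allowgroups(SAMPLE_SSHD_CONFIG))
```

Run it against the real /etc/ssh/sshd_config before restarting sshd; any name returned by unresolved() needs a GID (or a fix to the NSS setup) first.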