Re: [Samba] Windows pre-requisites for login with winbind?
- Date: Mon, 21 Aug 2017 14:18:00 +0000
- From: "A. James Lewis via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Windows pre-requisites for login with winbind?
OK, I've made those changes, and now I cannot use kinit to verify authentication, eg:-
$ kinit user@DOMAIN.LOCAL
kinit: Cannot find KDC for realm "DOMAIN.LOCAL" while getting initial credentials
However, the winbind users that could log in before are still able to log in, while the ones who were not able to log in still cannot log in!...
Just to make sure I've made the changes correctly, my config is now:-
# cat krb5.conf
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
# cat smb.conf
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL
idmap config *:backend = tdb
idmap config *:range = 4000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-100000
winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%D/%U
August 21, 2017 2:56 PM, "Rowland Penny via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> On Mon, 21 Aug 2017 13:14:16 +0000
> "A. James Lewis" <james@xxxxxxxxxx> wrote:
>> I'm slightly confused, you appear to have trimmed down the config,
>> but not changed anything.... would you think this would affect the
>> issue where long standing users are able to log in, but new users are
>> not... even after a couple of weeks they are not able to log in via
>> "winbind", although they can authenticate via Kerberos, and obviously
>> log in to Windows desktops.
> Yes I trimmed your /etc/krb5.conf down to all that is required, I also
> removed all the unnecessary lines from your smb.conf, but I also
> altered two lines and added two others.
> Your set up was putting everything into the '*' domain and nothing into
> the 'DOMAIN' domain. You were also using the 'rid' backend for the '*'
> domain and you MUST use 'tdb' for this.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
A. James Lewis (james@xxxxxxxxxx)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
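
Added example, not part of the original message and not Samba's own code: a small checker for the idmap layout discussed above. It parses the posted `idmap config` lines, confirms that '*' uses tdb and that the ranges do not overlap, and applies the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) to show which RIDs fall outside the configured range. The sample RIDs are constructed, and the function names are hypothetical.

```python
import re

# idmap lines as posted in the smb.conf above
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 4000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-100000
"""

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    pattern = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        dom, key, value = m.groups()
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = value.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry[key] = value
    return domains

def check_layout(domains):
    """List layout problems: default backend not tdb, overlapping ranges."""
    problems = []
    if domains.get("*", {}).get("backend") != "tdb":
        problems.append("default domain '*' is not using the tdb backend")
    ranges = sorted((d["range"], name) for name, d in domains.items() if "range" in d)
    for ((_, hi_a), name_a), ((lo_b, _), name_b) in zip(ranges, ranges[1:]):
        if lo_b <= hi_a:
            problems.append(f"ranges of {name_a} and {name_b} overlap")
    return problems

def rid_to_unix_id(rid, id_range, base_rid=0):
    """idmap_rid mapping; returns None when the result is outside the range."""
    low, high = id_range
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print(check_layout(cfg) or "layout ok")
    for rid in (1104, 95000, 95001):  # constructed sample RIDs
        print(rid, "->", rid_to_unix_id(rid, cfg["DOMAIN"]["range"]))
```

With the posted range of 5000-100000, any account whose RID is above 95000 gets no Unix ID from the rid backend.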