Web lists-archives.com

Re: [Samba] Windows pre-requisites for login with winbind?




Also, I see the following repeated in syslog:-

==> syslog <==
Aug 21 15:25:41 hostname01 winbindd[691]: [2017/08/21 15:25:41.438959,  0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
Aug 21 15:25:41 hostname01 winbindd[691]:   Kinit for HOSTNAME01$@DOMAIN.LOCAL to access cifs/LOCAL_AD02.domain.local@DOMAIN.LOCAL failed: Cannot contact any KDC for requested realm

When one of the suspect users tries to log in I get:-

==> auth.log <==
Aug 21 15:25:14 op-sdes-dsk01 su[690]: No passwd entry for user 'username'
Aug 21 15:25:14 op-sdes-dsk01 su[690]: FAILED su for username by root
Aug 21 15:25:14 op-sdes-dsk01 su[690]: - ??? root:username

However, other AD users do work correctly.

This is Samba 4.5.8 BTW...

James


August 21, 2017 2:56 PM, "Rowland Penny via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> On Mon, 21 Aug 2017 13:14:16 +0000
> "A. James Lewis" <james@xxxxxxxxxx> wrote:
> 
>> I'm slightly confused, you appear to have trimmed down the config,
>> but not changed anything.... would you think this would affect the
>> issue where long standing users are able to log in, but new users are
>> not... even after a couple of weeks they are not able to log in via
>> "winbind", although they can authenticate via Kerberos, and obviously
>> log in to Windows desktops.
>> 
>> James
> 
> Yes I trimmed you /etc/krb5.conf down to all that is required, I also
> removed all the unnecessary lines from your smb.conf, but I also
> altered two lines and added two others.
> 
> Your set up was putting everything into the '*' domain and nothing into
> the 'DOMAIN' domain. You were also using the 'rid' backend for the '*'
> domain and you MUST use 'tdb' for this.
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james@xxxxxxxxxx)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba