
Re: [Samba] Windows pre-requisites for login with winbind?




August 21, 2017 5:34 PM, "Rowland Penny via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> On Mon, 21 Aug 2017 15:37:03 +0000
> "A. James Lewis" <james@xxxxxxxxxx> wrote:
> 
>> OK, obviously I am slightly sanitising the output here, but I'm
>> preserving the case, and just replacing local names with generic ones
>> as I did for the config.
> 
> Not a problem with doing that ;-)
> 
>> # more /etc/hosts
>> 127.0.0.1 localhost
>> 127.0.1.1 hostname01
> 
> OK, does this computer get its ip via dhcp ?
> if it does, just remove the '127.0.1.1' line.
> If it doesn't, remove the '127.0.1.1' line and add a line:
> 
Yes, it is an lxc container, so currently it does get its IP from DHCP... none of that config was added by me, except the winbind in nsswitch.conf.

> <ip for hostname01> hostname01.domain.local hostname01
> 
>> # more /etc/resolv.conf
>> search domain.local
>> nameserver 10.0.3.1
> 
> Is '10.0.3.1' the IP address of the AD DC (or something that will get
> you to the AD DC)?
>
It's the resolvconf DNS server on the machine hosting LXC, but yes, it is definitely able to resolve the AD server.

Everything seems to work as expected:-

# nslookup LOCAL_AD03.domain.local
Server:		10.0.3.1
Address:	10.0.3.1#53

Non-authoritative answer:
Name:	LOCAL_AD03.domain.local
Address: 10.x.x.x

# telnet LOCAL_AD03.domain.local 88
Trying 10.x.x.x...
Connected to LOCAL_AD03.domain.local.
Escape character is '^]'.
Connection closed by foreign host.

# getent passwd jlewis
jlewis:*:54239:5513:Lewis, James:/home/DOMAIN/jlewis:/bin/bash

Clearly it picked up the "LOCAL_AD03.domain.local" from somewhere, since that's not in the configuration, and I can look up (and log in as) my own user.

I don't know however why kinit is now having a problem (it did not when I explicitly specified the KDC servers).

The 3 most recently added users simply cannot authenticate, and this is where I'm convinced it is related to their AD accounts:-

# getent passwd otheruser
#

That said, I would much prefer not to explicitly specify stuff in the config if possible, since that's one less thing to maintain!

James


> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james@xxxxxxxxxx)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
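
An added example, not part of the original message and not Samba project code: a shell check that tests a hosts file against the advice quoted in this message (no `127.0.1.1` entry for the host; with a static address, an `<ip> fqdn shortname` line). The function name `check_hosts`, its exit codes, and the sample file contents are assumptions made for the illustration.

```shell
#!/bin/sh
# check_hosts FILE SHORTNAME DOMAIN MODE    (MODE is "dhcp" or "static")
# Exit codes (chosen for this example):
#   0  file follows the advice quoted in the thread
#   1  the host's name is bound to a loopback address (e.g. 127.0.1.1)
#   2  MODE is static and no "<ip> fqdn shortname" line exists
check_hosts() {
    awk -v short="$2" -v fqdn="$2.$3" -v mode="$4" '
        BEGIN { short = tolower(short); fqdn = tolower(fqdn) }
        { sub(/#.*/, "") }              # strip comments
        NF < 2 { next }                 # skip blank or incomplete lines
        {
            loop = ($1 ~ /^127\./ || $1 == "::1")
            for (i = 2; i <= NF; i++) {
                name = tolower($i)      # host names compare case-insensitively
                # Host name (short or FQDN) listed on a loopback line
                if (loop && (name == short || name == fqdn)) bad = 1
                # Non-loopback line: FQDN first, short name as an alias
                if (!loop && i > 2 && name == short && tolower($2) == fqdn) good = 1
            }
        }
        END { if (bad) exit 1; if (mode == "static" && !good) exit 2 }
    ' "$1"
}

# Constructed sample: the /etc/hosts shown in the thread, then the DHCP fix.
sample=$(mktemp)
printf '127.0.0.1 localhost\n127.0.1.1 hostname01\n' > "$sample"
rc=0; check_hosts "$sample" hostname01 domain.local dhcp || rc=$?
echo "as posted: exit $rc"

printf '127.0.0.1 localhost\n' > "$sample"
rc=0; check_hosts "$sample" hostname01 domain.local dhcp || rc=$?
echo "127.0.1.1 line removed (dhcp): exit $rc"
rm -f "$sample"
```

On a real host the call would be `check_hosts /etc/hosts "$(hostname -s)" domain.local dhcp`, with the domain taken from the `search` line in `/etc/resolv.conf`.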
