Re: [Samba] Windows pre-requisites for login with winbind?
- Date: Mon, 21 Aug 2017 18:00:23 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Windows pre-requisites for login with winbind?
On Mon, 21 Aug 2017 16:47:24 +0000
"A. James Lewis" <james@xxxxxxxxxx> wrote:
> August 21, 2017 5:34 PM, "Rowland Penny via samba"
> <samba@xxxxxxxxxxxxxxx> wrote:
> > On Mon, 21 Aug 2017 15:37:03 +0000
> > "A. James Lewis" <james@xxxxxxxxxx> wrote:
> >> OK, obviously I am slightly sanitising the output here, but I'm
> >> preserving the case, and just replacing local names with generic
> >> ones as I did for the config.
> > Not a problem with doing that ;-)
> >> # more /etc/hosts
> >> 127.0.0.1 localhost
> >> 127.0.1.1 hostname01
> > OK, does this computer get its ip via dhcp ?
> > if it does, just remove the '127.0.1.1' line.
> > If it doesn't, remove the '127.0.1.1' line and add a line:
> Yes, it is an lxc container, so currently it does get it's IP from
> DHCP... none of that config was added by me, except the winbind in
> > <ip for hostname01> hostname01.domain.local hostname01
> >> # more /etc/resolv.conf
> >> search domain.local
> >> nameserver 10.0.3.1
> > Is '10.0.3.1' the ipaddress of the AD DC (or something that will get
> > you to the AD DC ?
> It's the resolveconf DNS server on the machine hosting LXC, but yes,
> it is definitely able to resolve the AD server.
> Everything seems to work as expected:-
> # nslookup LOCAL_AD03.domain.local
> Server: 10.0.3.1
> Address: 10.0.3.1#53
> Non-authoritative answer:
> Name: LOCAL_AD03.domain.local
> Address: 10.x.x.x
> # telnet LOCAL_AD03.domain.local 88
> Trying 10.x.x.x...
> Connected to LOCAL_AD03.domain.local.
> Escape character is '^]'.
> Connection closed by foreign host.
> # getent passwd jlewis
> jlewis:*:54239:5513:Lewis, James:/home/DOMAIN/jlewis:/bin/bash
> Clearly it picked up the "LOCAL_AD03.domain.local" from somewhere,
> since that's not in the configuration, and I can look up (and log in
> as my own user).
> I don't know however why kinit is now having a problem (it did not
> when I explicitly specified the KDC servers).
> The 3 most recently added users simply cannot authenticate, and this
> is where I'm convinced it is related to their AD accounts:-
> # getent passwd otheruser
> That said, I would much prefer not to explicitly specify stuff in the
> config if possible, since that's one less thing to maintain!
One of the first things I do when setting up a Samba AD DC or Unix
domain member is 'apt-get purge resolvconf'
Kinit depends on dns, you need to point the Unix domain member at the
AD DC (preferably) or a dns server that holds all the AD domain
To unsubscribe from this list go to the following URL and read the