Web lists-archives.com

Re: [Samba] Windows pre-requisites for login with winbind?




On Mon, 21 Aug 2017 16:47:24 +0000
"A. James Lewis" <james@xxxxxxxxxx> wrote:

> August 21, 2017 5:34 PM, "Rowland Penny via samba"
> <samba@xxxxxxxxxxxxxxx> wrote:
> 
> > On Mon, 21 Aug 2017 15:37:03 +0000
> > "A. James Lewis" <james@xxxxxxxxxx> wrote:
> > 
> >> OK, obviously I am slightly sanitising the output here, but I'm
> >> preserving the case, and just replacing local names with generic
> >> ones as I did for the config.
> > 
> > Not a problem with doing that ;-)
> > 
> >> # more /etc/hosts
> >> 127.0.0.1 localhost
> >> 127.0.1.1 hostname01
> > 
> > OK, does this computer get its ip via dhcp ?
> > if it does, just remove the '127.0.1.1' line.
> > If it doesn't, remove the '127.0.1.1' line and add a line:
> > 
> Yes, it is an lxc container, so currently it does get it's IP from
> DHCP... none of that config was added by me, except the winbind in
> nsswitch.conf.
> 
> > <ip for hostname01> hostname01.domain.local hostname01
> > 
> >> # more /etc/resolv.conf
> >> search domain.local
> >> nameserver 10.0.3.1
> > 
> > Is '10.0.3.1' the ipaddress of the AD DC (or something that will get
> > you to the AD DC ?
> >
> It's the resolveconf DNS server on the machine hosting LXC, but yes,
> it is definitely able to resolve the AD server.
> 
> Everything seems to work as expected:-
> 
> # nslookup LOCAL_AD03.domain.local
> Server:		10.0.3.1
> Address:	10.0.3.1#53
> 
> Non-authoritative answer:
> Name:	LOCAL_AD03.domain.local
> Address: 10.x.x.x
> 
> # telnet LOCAL_AD03.domain.local 88
> Trying 10.x.x.x...
> Connected to LOCAL_AD03.domain.local.
> Escape character is '^]'.
> Connection closed by foreign host.
> 
> # getent passwd jlewis
> jlewis:*:54239:5513:Lewis, James:/home/DOMAIN/jlewis:/bin/bash
> 
> Clearly it picked up the "LOCAL_AD03.domain.local" from somewhere,
> since that's not in the configuration, and I can look up (and log in
> as my own user).
> 
> I don't know however why kinit is now having a problem (it did not
> when I explicitly specified the KDC servers).
> 
> The 3 most recently added users simply cannot authenticate, and this
> is where I'm convinced it is related to their AD accounts:-
> 
> # getent passwd otheruser
> #
> 
> That said, I would much prefer not to explicitly specify stuff in the
> config if possible, since that's one less thing to maintain!
> 

One of the first things I do when setting up a Samba AD DC or Unix
domain member is 'apt-get purge resolvconf'

Kinit depends on dns, you need to point the Unix domain member at the
AD DC (preferably) or a dns server that holds all the AD domain
records.

Rowland
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba