
Re: [Samba] Windows pre-requisites for login with winbind?




I'm inclined to agree with you regarding resolvconf, but I don't think that's the issue here; clearly it was able to get the name and IP of the AD server... and connect to it.

The error from kinit had the hostname of one of the AD servers in it, that name is not in the config, and that address was reachable... so I can't think that it's DNS.

What is worrying me is whether this is valid, having the domain in twice:- cifs/LOCAL_AD02.domain.local@DOMAIN.LOCAL in the kinit error from auth.log.

I'd love to solve this issue too... but I started with one issue, and now I have 2... LOL!

James


August 21, 2017 6:02 PM, "Rowland Penny via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> On Mon, 21 Aug 2017 16:47:24 +0000
> "A. James Lewis" <james@xxxxxxxxxx> wrote:
> 
>> August 21, 2017 5:34 PM, "Rowland Penny via samba"
>> <samba@xxxxxxxxxxxxxxx> wrote:
>> 
>> On Mon, 21 Aug 2017 15:37:03 +0000
>> "A. James Lewis" <james@xxxxxxxxxx> wrote:
>> 
>> OK, obviously I am slightly sanitising the output here, but I'm
>> preserving the case, and just replacing local names with generic
>> ones as I did for the config.
>> 
>> Not a problem with doing that ;-)
>> 
>> # more /etc/hosts
>> 127.0.0.1 localhost
>> 127.0.1.1 hostname01
>> 
>> OK, does this computer get its ip via dhcp ?
>> if it does, just remove the '127.0.1.1' line.
>> If it doesn't, remove the '127.0.1.1' line and add a line:
>> 
>> Yes, it is an lxc container, so currently it does get its IP from
>> DHCP... none of that config was added by me, except the winbind in
>> nsswitch.conf.
>> 
>> <ip for hostname01> hostname01.domain.local hostname01
>> 
>> # more /etc/resolv.conf
>> search domain.local
>> nameserver 10.0.3.1
>> 
>> Is '10.0.3.1' the IP address of the AD DC (or something that will get
>> you to the AD DC)?
>> 
>> It's the resolvconf DNS server on the machine hosting LXC, but yes,
>> it is definitely able to resolve the AD server.
>> 
>> Everything seems to work as expected:-
>> 
>> # nslookup LOCAL_AD03.domain.local
>> Server: 10.0.3.1
>> Address: 10.0.3.1#53
>> 
>> Non-authoritative answer:
>> Name: LOCAL_AD03.domain.local
>> Address: 10.x.x.x
>> 
>> # telnet LOCAL_AD03.domain.local 88
>> Trying 10.x.x.x...
>> Connected to LOCAL_AD03.domain.local.
>> Escape character is '^]'.
>> Connection closed by foreign host.
>> 
>> # getent passwd jlewis
>> jlewis:*:54239:5513:Lewis, James:/home/DOMAIN/jlewis:/bin/bash
>> 
>> Clearly it picked up the "LOCAL_AD03.domain.local" from somewhere,
>> since that's not in the configuration, and I can look up (and log in
>> as my own user).
>> 
>> I don't know however why kinit is now having a problem (it did not
>> when I explicitly specified the KDC servers).
>> 
>> The 3 most recently added users simply cannot authenticate, and this
>> is where I'm convinced it is related to their AD accounts:-
>> 
>> # getent passwd otheruser
>> #
>> 
>> That said, I would much prefer not to explicitly specify stuff in the
>> config if possible, since that's one less thing to maintain!
> 
> One of the first things I do when setting up a Samba AD DC or Unix
> domain member is 'apt-get purge resolvconf'
> 
> Kinit depends on dns, you need to point the Unix domain member at the
> AD DC (preferably) or a dns server that holds all the AD domain
> records.
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james@xxxxxxxxxx)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
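Added example (not from this thread or from Samba): it pulls the service principal out of a kinit error line, checks the two things the thread turns on (that the principal really has the service/fqdn@REALM shape, in which the AD realm is the DNS domain upper-cased, so the domain legitimately appears twice) and, via the resolver the box actually uses, whether that DC is one the domain's _kerberos._tcp SRV records advertise. The auth.log line is constructed around the principal quoted above; the use of `dig +short SRV` is an assumption.

```python
import re
import subprocess

# Constructed auth.log line; only the principal string comes from the thread.
SAMPLE_AUTH_LOG = ("Aug 21 16:40:12 hostname01 winbindd[1234]: kinit failed: "
                   "Server cifs/LOCAL_AD02.domain.local@DOMAIN.LOCAL not found")

PRINCIPAL_RE = re.compile(r"([A-Za-z0-9_-]+)/([A-Za-z0-9_.-]+)@([A-Za-z0-9_.-]+)")

def parse_principal(text):
    """Return (service, host, realm) for the first service/host@REALM in text."""
    m = PRINCIPAL_RE.search(text)
    return m.groups() if m else None

def check_principal(principal, dns_domain):
    """List what is wrong with this principal for the given AD DNS domain; [] is good.

    service/fqdn@REALM is the normal shape, and in AD the realm is the DNS
    domain upper-cased, so seeing the domain twice is expected, not an error."""
    service, host, realm = principal
    problems = []
    if realm != realm.upper():
        problems.append("realm is not upper case (realms are case-sensitive)")
    if realm.upper() != dns_domain.upper():
        problems.append("realm does not match the DNS domain %s" % dns_domain)
    if not host.lower().endswith("." + dns_domain.lower()):
        problems.append("host is not an FQDN inside %s" % dns_domain)
    return problems

def parse_srv(dig_output):
    """Parse 'dig +short SRV' lines ('prio weight port target.') into (port, target)."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit():
            records.append((int(parts[2]), parts[3].rstrip(".").lower()))
    return records

def kdc_srv_lookup(dns_domain):
    """Ask the resolver this machine uses (i.e. /etc/resolv.conf) for the KDC SRV record."""
    name = "_kerberos._tcp.%s" % dns_domain
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True).stdout
    return parse_srv(out)

def kdc_advertised(principal, srv_records):
    """True if the DC named in the principal is one the SRV records point at."""
    host = principal[1].lower()
    return any(target == host for _port, target in srv_records)
```

If `check_principal` returns nothing but `kdc_advertised` is False, the resolver in /etc/resolv.conf is not serving the AD zone's SRV records, which is the DNS dependency kinit has.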
