Re: [Samba] Winbind with krb5auth for trust users
- Date: Tue, 22 Aug 2017 10:04:04 +0200
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Winbind with krb5auth for trust users
What's the OS used?
The first things I would check:
Did you give both servers the nfs/spn?
The current search order for keytabs to be used for "machine credentials" :
So make sure one of these is known in the system keytab file.
The trusted domain, same REALM or other REALM, and if needed defined in krb5.conf?
And both servers have A and PTR records and are correctly resolved?
If all of the above does not work or is checked already,
you could configure idmap.conf like this. (There might be things to improve below.)
(From my Debian jessie servers; the stretch servers don't have the idmap changes anymore.)
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = internal.domain.tld
Local-Realms = MY_REALM

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
RTD-WEB1$@MY_REALM = root
host/rtd-web1.internal.domain.tld@MY_REALM = root
nfs/rtd-web1.internal.domain.tld@MY_REALM = root
nfs/rtd-web1.internal.domain.tld@ = root
> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Andreas Hauffe via samba
> Sent: Tuesday, 22 August 2017 9:36
> To: Andreas Hauffe via samba
> Subject: [Samba] Winbind with krb5auth for trust users
> I'm having trouble realizing a krb5auth with pam_winbind with
> trusted domain users (external trust) on our clients. The
> client is joined to a local domain, which has an "external
> trust" to a global domain.
> The following things are working for all users (local and
> trusted domain):
> "wbinfo -i"
> "wbinfo --pam-logon"
> "wbinfo -a"
> Just "wbinfo -K" works only for local domain users. And that
> is the problem. I need the Kerberos ticket for NFS.
> smb.conf, krb5.conf and the other configs are taken from
> Just changed the domain/realm name to the local domain name.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
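The keytab check suggested in the reply above, as an added example that is not part of the original thread: it reads `klist -k` output and reports which machine principals are absent. The three principal forms are assumed from the [Static] entries in the reply (machine account, host/ and nfs/); the function names and the sample keytab listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output (not from the thread).
# The nfs/ principal is deliberately absent, and host/ appears twice
# (one line per key, as klist prints it).
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 RTD-WEB1$@MY_REALM
   3 host/rtd-web1.internal.domain.tld@MY_REALM
   3 host/rtd-web1.internal.domain.tld@MY_REALM
EOF
}

# keytab_principals: read `klist -k` output on stdin, print unique principals.
# Only lines whose first field is a numeric KVNO are keytab entries.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

# missing_principals FQDN REALM: read `klist -k` output on stdin and print
# every expected principal that is not in the keytab (hypothetical helper).
missing_principals() {
    fqdn=$1; realm=$2
    # Machine account name: short host name in upper case, followed by "$".
    short=$(printf '%s' "${fqdn%%.*}" | tr '[:lower:]' '[:upper:]')
    have=$(keytab_principals)
    for want in "${short}\$@${realm}" "host/${fqdn}@${realm}" "nfs/${fqdn}@${realm}"; do
        # -F fixed string, -x whole line: "$" and "." are not regex here.
        printf '%s\n' "$have" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Run against the constructed sample; prints the missing nfs/ principal.
sample_klist | missing_principals rtd-web1.internal.domain.tld MY_REALM
```

On a real host, pipe `klist -k /etc/krb5.keytab` into `missing_principals` with that host's FQDN and realm, on both the NFS server and the client.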