
Re: [Samba] Winbind with krb5auth for trust users

Hi,

thanks for the fast answer.

All DCs (local and trusted domain) are running on Windows Server 2012. The client is running OpenSUSE Leap 42.3. The Samba version is 4.6.5.

Right now I'm a step before NFS. At first I just want to authorize users with krb5auth.

The error is:

mlrlinux:~ # wbinfo -K GLOBALDOM\\globdomuser
Enter GLOBALDOM\globdomuser's password:
plaintext kerberos password authentication for [GLOBALDOM\globdomuser] failed (requesting cctype: FILE) wbcLogonUser(GLOBALDOM\globdomuser): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user [GLOBALDOM\globdomuser] with Kerberos (ccache: FILE)

DNS resolution is working. I'm able to get the credentials for a GLOBALDOM user with kinit, which should not work if DNS resolution has errors, right?

Andreas


On 22.08.2017 at 10:04, L.P.H. van Belle via samba wrote:
Hi,

What's the OS used?

The first things I would check:

Did you give both servers the nfs/ SPN?
The current search order for keytabs to be used for "machine credentials":
<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>

So make sure one of these is known in the system keytab file.
Is the trusted domain in the same REALM or another REALM, and, if needed, defined in krb5.conf?

And do both servers have A and PTR records, and are they correctly resolved?

If all of the above does not work or has been checked already,
you could configure idmap.conf like this (there might be things to improve below;
taken from my Debian jessie servers, the stretch servers don't have the idmap changes anymore).

[General]

Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs

# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = internal.domain.tld
Local-Realm = MY_REALM

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
RTD-WEB1$@MY_REALM = root
host/rtd-web1.internal.domain.tld@MY_REALM = root
nfs/rtd-web1.internal.domain.tld@MY_REALM = root
nfs/rtd-web1.internal.domain.tld@ = root



Greetz,

Louis


-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
Andreas Hauffe via samba
Sent: Tuesday, 22 August 2017 9:36
To: Andreas Hauffe via samba
Subject: [Samba] Winbind with krb5auth for trust users

Hi,

I'm having trouble getting krb5auth with pam_winbind to work for
trusted domain users (external trust) on our clients. The
client is joined to a local domain, which has an "external
trust" to a global domain.

The following things are working for all users (local and
trusted domain):

"wbinfo -i"
"wbinfo --pam-logon"
"wbinfo -a"
"kinit"


Just "wbinfo -K" works only for local domain users, and that
is the problem: I need the Kerberos ticket for NFS.

smb.conf, krb5.conf and the other configs are taken from
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
Just changed the domain/realm name to the local domain name.

Regards
Andreas


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



--
Best regards
Andreas Hauffe
Head of the research field "Design Methods for Aircraft"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe@xxxxxxxxxxxxx
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de


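As an added example (this is not code from the thread, and not Samba's or nfs-utils' own tooling): a small POSIX sh check that takes the text printed by `klist -k` and reports which principal, if any, satisfies the machine-credential search order Louis lists above. The host name mlrlinux.local.example.com, the realm LOCAL.EXAMPLE.COM, the assumption that the machine account is the upper-cased short host name, and the keytab listing itself are all assumed or constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: check a `klist -k` listing against the
# machine-credential search order quoted in the reply above. Host name and realm
# are passed in; the keytab listing at the bottom is constructed for this demo.

# candidate_principals HOSTNAME REALM
# Print the accepted principal patterns in search order, one per line.
# The <anyname> forms become "*" glob patterns for the case statement below.
# Assumption: the machine account name is the short host name in upper case.
candidate_principals() {
    host=$1
    realm=$2
    short=$(printf '%s\n' "$host" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf '%s\n' \
        "${short}\$@${realm}" \
        "root/${host}@${realm}" \
        "nfs/${host}@${realm}" \
        "host/${host}@${realm}" \
        "root/*@${realm}" \
        "nfs/*@${realm}" \
        "host/*@${realm}"
}

# find_machine_cred HOSTNAME REALM LISTING
# LISTING is text in the format printed by `klist -k` (KVNO and Principal
# columns). Prints the first principal that satisfies the search order and
# returns 0; returns 1 when the keytab holds no usable machine credential.
find_machine_cred() {
    host=$1
    realm=$2
    listing=$3
    # keep only rows that start with a numeric KVNO, which drops the header lines
    principals=$(printf '%s\n' "$listing" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u)
    while IFS= read -r pat; do
        for p in $principals; do
            case "$p" in
                $pat) printf '%s\n' "$p"; return 0 ;;
            esac
        done
    done <<EOF
$(candidate_principals "$host" "$realm")
EOF
    return 1
}

# Constructed sample: what `klist -k` would show on a member that has the host/
# and machine-account keys but no nfs/ SPN. Names are assumed.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 host/mlrlinux.local.example.com@LOCAL.EXAMPLE.COM
   2 MLRLINUX$@LOCAL.EXAMPLE.COM'

# Real use on the member itself (not run here):
#   find_machine_cred "$(hostname -f)" LOCAL.EXAMPLE.COM "$(klist -k)"
```

Run with the realm of the domain the member is joined to; a keytab that only carries keys for a different realm, or only user principals, makes the function return 1, which is the "no usable machine credential" case the search order is meant to rule out.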