Re: [Samba] Winbind with krb5auth for trust users

Hi,

here are the files. I replaced the real domain/realm names by "search&replace", so there should not be a typing error in my files concerning the realm or domain names.

Regards,
Andreas

client:~ # more /etc/hostname
client.loc.example.de
client:~ # more /etc/hosts
#
# hosts         This file describes a number of hostname-to-address
#               mappings for the TCP/IP subsystem.  It is mostly
#               used at boot time, when no name servers are running.
#               On small systems, this file can be used instead of a
#               "named" name server.
# Syntax:
#
# IP-Address  Full-Qualified-Hostname  Short-Hostname
#

127.0.0.1       localhost

# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback

fe00::0         ipv6-localnet

ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts
192.168.1.4     client.loc.example.de client.loc.example.de

client:~ # more /etc/resolv.conf
### /etc/resolv.conf file autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
#     NETCONFIG_DNS_STATIC_SEARCHLIST
#     NETCONFIG_DNS_STATIC_SERVERS
#     NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
#     NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
# Note: Manual change of this file disables netconfig too, but
# may get lost when this file contains comments or empty lines
# only, the netconfig settings are same with settings in this
# file and in case of a "netconfig update -f" call.
#
### Please remove (at least) this line when you modify the file!
search loc.example.de
nameserver 192.168.1.2
nameserver 192.168.1.3
client:~ # more /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

passwd: compat winbind
group:  compat winbind

hosts:          files mdns_minimal [NOTFOUND=return] dns
networks:       files dns

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files nis
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files

client:~ # more /etc/krb5.conf
[libdefaults]
        default_realm = LOC.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
client:~ # more /etc/samba/smb.conf
[global]
       security = ADS
       workgroup = LOC
       realm = LOC.EXAMPLE.COM

       log file = /var/log/samba/%m.log
       log level = 1

       template homedir = /home/%D/%U
       template shell = /bin/bash

       # Default ID mapping configuration for local BUILTIN accounts
       # and groups on a domain member. The default (*) domain:
       # - must not overlap with any domain ID mapping configuration!
       # - must use a read-write-enabled back end, such as tdb.
       # - Adding just this is not enough
       # - You must set a DOMAIN backend configuration, see below
       idmap config * : backend = tdb
       idmap config * : range = 1000000-2000000


On 22.08.2017 at 11:34, L.P.H. van Belle via samba wrote:
Hai,


-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
Andreas Hauffe via samba
Sent: Tuesday 22 August 2017 11:26
To: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] Winbind with krb5auth for trust users

Hi,

thanks for the fast answer.

All DCs (local and trusted domain) are running on Windows Server
2012. The client is running on OpenSUSE Leap 42.3. The samba
version is 4.6.5.

Right now I'm a step before nfs. At first I just want to
authorize users with krb5auth.

The error is:

mlrlinux:~ # wbinfo -K GLOBALDOM\\globdomuser Enter
GLOBALDOM\globdomuser's password:
plaintext kerberos password authentication for
[GLOBALDOM\globdomuser] failed (requesting cctype: FILE)
wbcLogonUser(GLOBALDOM\globdomuser): error code was
NT_STATUS_NO_LOGON_SERVERS (0xc000005e) error message was: No
logon servers Could not authenticate user
[GLOBALDOM\globdomuser] with Kerberos
(ccache: FILE)

DNS resolution is working. I'm able to get the credentials
for a GLOBDOM-User with kinit, which should not work if DNS
resolution has errors, right?
Depends on the member server setting.
For example, do you have : kerberos method = secrets and keytab in smb.conf?

Can you post the following files, sorry, we need to verify files. ( anonymize where needed )

/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf
Your krb5.conf

And smb.conf
Greetz,

Louis

Andreas


On 22.08.2017 at 10:04, L.P.H. van Belle via samba wrote:


--
Kind regards
Andreas Hauffe
Head of the research field "Auslegungsmethoden für Luftfahrzeuge"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe@xxxxxxxxxxxxx
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de
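As an added example (my own code, not from this thread and not Samba's own tooling): a small Python checker that parses the five files Louis asked for and flags the inconsistencies that usually lie behind NT_STATUS_NO_LOGON_SERVERS on an AD domain member. The sample inputs are Andreas' anonymised files from above, embedded inline. The realm/DNS-domain mismatch it reports (LOC.EXAMPLE.COM versus loc.example.de) is, per Andreas, an artifact of his search-and-replace, which is exactly why the real files need this kind of check. The finding codes, helper names and the idmap backend used in the "fixed" variant are my own choices, not anything from the thread.

```python
# Added example (not from the thread, not Samba's own tooling).
# Cross-checks hostname, /etc/hosts, resolv.conf, krb5.conf and smb.conf
# of an AD domain member. Sample inputs: Andreas' anonymised files.

HOSTNAME = "client.loc.example.de\n"

HOSTS = """\
127.0.0.1       localhost
::1             localhost ipv6-localhost ipv6-loopback
192.168.1.4     client.loc.example.de client.loc.example.de
"""

RESOLV_CONF = """\
search loc.example.de
nameserver 192.168.1.2
nameserver 192.168.1.3
"""

KRB5_CONF = """\
[libdefaults]
        default_realm = LOC.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
"""

SMB_CONF = """\
[global]
       security = ADS
       workgroup = LOC
       realm = LOC.EXAMPLE.COM
       template homedir = /home/%D/%U
       template shell = /bin/bash
       # the default (*) domain must not overlap with the DOMAIN mapping
       idmap config * : backend = tdb
       idmap config * : range = 1000000-2000000
"""


def parse_ini(text):
    """Minimal parser for krb5.conf / smb.conf style files -> {section: {key: value}}.
    Keys are lower-cased with whitespace collapsed; comments and blanks are skipped."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip().lower()
            sections.setdefault(cur, {})
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[cur][" ".join(key.lower().split())] = value.strip()
    return sections


def parse_hosts(text):
    """Return [(ip, [names...])] for the non-comment lines of /etc/hosts."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], [n.lower() for n in fields[1:]]))
    return entries


def parse_resolv(text):
    """Return the 'search' domains of resolv.conf (the last 'search' line wins)."""
    search = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == "search":
            search = [d.lower() for d in fields[1:]]
    return search


def check_member_config(hostname, hosts, resolv, krb5, smb):
    """Return [(code, message)] for settings that typically break Kerberos DC
    discovery or winbind on a domain member. Codes are this example's own."""
    findings = []
    fqdn = hostname.strip().lower()
    if "." not in fqdn:
        return [("HOSTNAME_NOT_FQDN", f"/etc/hostname {fqdn!r} is not fully qualified")]
    short, dns_domain = fqdn.split(".", 1)
    libdefaults = parse_ini(krb5).get("libdefaults", {})
    glob = parse_ini(smb).get("global", {})
    krb_realm, smb_realm = libdefaults.get("default_realm", ""), glob.get("realm", "")

    if krb_realm.lower() != smb_realm.lower():
        findings.append(("REALM_DIFFERS", f"krb5.conf default_realm {krb_realm!r} != smb.conf realm {smb_realm!r}"))
    if krb_realm.lower() != dns_domain:  # DC discovery uses SRV records under the realm's DNS name
        findings.append(("REALM_VS_DNS_DOMAIN", f"default_realm {krb_realm!r} is not the host's DNS domain {dns_domain!r}"))
    if dns_domain not in parse_resolv(resolv):
        findings.append(("SEARCH_DOMAIN_MISSING", f"resolv.conf search list lacks {dns_domain!r}"))
    if glob.get("security", "").lower() != "ads":
        findings.append(("SECURITY_NOT_ADS", "smb.conf: 'security = ADS' is required for an AD member"))
    if "kerberos method" not in glob:  # the setting Louis asked about
        findings.append(("KERBEROS_METHOD_UNSET", "smb.conf: 'kerberos method' not set (e.g. 'secrets and keytab')"))
    workgroup = glob.get("workgroup", "").lower()
    if f"idmap config {workgroup} : backend" not in glob:  # the smb.conf comment itself requires this
        findings.append(("IDMAP_DOMAIN_MISSING", f"smb.conf: no 'idmap config {workgroup.upper()} : backend' beside '*'"))

    own = [(ip, names) for ip, names in parse_hosts(hosts) if fqdn in names]
    if not own:
        findings.append(("HOSTS_FQDN_MISSING", f"/etc/hosts has no entry for {fqdn!r}"))
    for ip, names in own:
        if ip.startswith("127."):
            findings.append(("HOSTS_FQDN_ON_LOOPBACK", f"/etc/hosts maps {fqdn!r} to loopback {ip}"))
        if names[0] != fqdn or short not in names[1:]:  # expected: "<fqdn> <short>"
            findings.append(("HOSTS_SHORT_NAME", f"/etc/hosts line for {ip} should read '{fqdn} {short}', has {' '.join(names)!r}"))
    return findings


def findings_for_posted_files():
    """Run the checks over the sample files embedded above."""
    return check_member_config(HOSTNAME, HOSTS, RESOLV_CONF, KRB5_CONF, SMB_CONF)


if __name__ == "__main__":
    for code, msg in findings_for_posted_files():
        print(f"{code}: {msg}")
```

Run against the posted files it reports the realm/DNS-domain mismatch, the repeated FQDN where the short hostname belongs in /etc/hosts, the unset "kerberos method", and the missing per-domain idmap configuration that the smb.conf comment itself demands; with a consistent realm, a proper hosts line and those two smb.conf settings added it reports nothing.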
