Re: [Samba] Windows pre-requisites for login with winbind?
- Date: Tue, 22 Aug 2017 13:40:48 +0200
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Windows pre-requisites for login with winbind?
Few extra checks/questions.
Have you checked if the server time is in sync with the AD DC server?
Check if : /etc/ldap/ldap.conf , Contains : TLS_REQCERT allow
Are you using own certificates or samba generated (selfsigned) certs?
If you use bind_dlz as dns, take note that you need to set in the global options:
Although underscores in hostnames are "illegal", according to RFC 952, and RFC 1123,
also RFC about SRV records should be taken into account) they are complying to name restrictions for windows hostname.
Can you get this script.
Set : SAMBA_LDAPCMD_FILTER="whenChanged,dc,cn"
And run it on the dc with FSMO roles.
( ! Note, only works if you have only samba DC's. )
What is does.
It checks which DC has the FSMO roles.
Then it checks your database replication with all other DC's.
It runs 2 check.
Samba-tool dbcheck and samba-tool ldapcmd ...
Let see if you have any errors there.
> -----Oorspronkelijk bericht-----
> Van: A. James Lewis [mailto:james@xxxxxxxxxx]
> Verzonden: dinsdag 22 augustus 2017 13:10
> Aan: A. James Lewis via samba; L.P.H. van Belle
> Onderwerp: Re: [Samba] Windows pre-requisites for login with winbind?
> Ahh, upgrading to 4.6.5 did not change my problem
> significantly, but it DID change the error message
> significantly... this might give some much better information
> to someone who knows how the code works!
> Aug 22 11:59:01 hostname01 winbindd: [2017/08/22
> 11:59:01.055174, 0]
> Aug 22 11:59:01 hostname01 winbindd: kinit succeeded
> but ads_sasl_spnego_gensec_bind(KRB5) failed for
> ldap/local_ad01.domain.local with user[HOSTNAME01$]
> realm[DOMAIN.LOCAL]: No logon servers
> I am still able to log in and list groups for long standing
> users, and not log in for more recently created users... but
> I am no-longer able to list groups for the users I can't log in with!
> August 22, 2017 11:31 AM, "A. James Lewis via samba"
> <samba@xxxxxxxxxxxxxxx> wrote:
> > Hi!
> > Indeed!, this sounds like good advice... there are
> certainly bugs, I
> > had to get the 7.04.5 package from "proposed" to get resolve a PAM
> > library issue!... although I suppose that's a packaging problem.
> > What is the best way to get an updated Samba package here,
> I'm trying
> > to make this system reproduceable, I have a single script
> that builds
> > the entire container, and sets up an Xrdp terminal server
> with everything configured... Ideally I'd like to do it in a
> sustainable way!...
> > Perhaps migrating to 17.10 would be a good move at this point since
> > 4.6.5 is available there, and ultimately my goal would be
> to have this
> > built on 18.04 for some level of stability.... I'm sitting
> on 17.04 right now since the move to Gnome is not popular
> around here....
> > I guess I could install the 17.10 package on 17.04 for
> testing, watch
> > this space... feedback to follow.
> > James
> > August 22, 2017 8:13 AM, "L.P.H. van Belle via samba"
> <samba@xxxxxxxxxxxxxxx> wrote:
> >> Hai
> >> Since your on ubuntu 17.04 (zesty) and samba
> >> Now i dont know if your able to upgrade you samba to
> 4.5.12 or at least 4.6.5.
> >> But I would really recommend trying to upgrade to a higher version.
> >> I suggest go through the changelogs, and see the winbind
> and kerberos
> >> related fixes so you understand why i say upgrade.
> >> I suspect you have hit one or more of these bugs.
> >> Greetz,
> >> Louis
> >>> -----Oorspronkelijk bericht-----
> >>> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Rowland
> >>> Penny via samba
> >>> Verzonden: maandag 21 augustus 2017 19:28
> >>> Aan: samba@xxxxxxxxxxxxxxx
> >>> Onderwerp: Re: [Samba] Windows pre-requisites for login
> with winbind?
> >>> On Mon, 21 Aug 2017 17:13:12 +0000
> >>> "A. James Lewis" <james@xxxxxxxxxx> wrote:
> >>> I'm inclined to agree with you regarding resolveconf, but I don't
> >>> think that's the issue here, clearly it was able to get
> the name and
> >>> IP of the AD server.... and connect to it.
> >>> The error from kinit had the hostname of one of the AD servers in
> >>> it, that name is not in the config, and that address was
> >>> reachable... so I can't think that it's DNS.
> >>> What is worrying me is if this is valid, to have the domain in
> >>> twice:- cifs/LOCAL_AD02.domain.local@DOMAIN.LOCAL in the
> kinit error
> >>> from auth.log
> >>> I'd love to solve this issue too... but I started with one issue,
> >>> and now I have 2... LOL!
> >>> That is perfectly normal, so stop worrying
> >>> There is an easy way to try and prove if it is a dns
> problem (which
> >>> i am sure it is)
> >>> ADD
> >>> <the DCs ipaddress> <the DCs hostname>.domain.local <the DCs
> >>> hostname>
> >>> to /etc/hosts
> >>> Rowland
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions: https://lists.samba.org/mailman/options/samba
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> > --
> > A. James Lewis (james@xxxxxxxxxx)
> > "Engineering does not require science. Science helps a lot
> but people
> > built perfectly good brick walls long before they knew why
> cement works."
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> A. James Lewis (james@xxxxxxxxxx)
> "Engineering does not require science. Science helps a lot
> but people built perfectly good brick walls long before they
> knew why cement works."
To unsubscribe from this list go to the following URL and read the