
Re: [Samba] Winbind with krb5auth for trust users




Hi,

sorry for not reading the comment above idmap config. I uninstalled and reinstalled samba and the configs to remove all old id mappings and so on. Then I changed all configs as advised. The id mapping is working correctly (wbinfo -i) for the local and the trusted domain. But I still cannot log on with wbinfo -K with a trusted domain account.

Andreas


On 22.08.2017 at 12:59, Rowland Penny via samba wrote:
See inline comments:

On Tue, 22 Aug 2017 12:20:04 +0200
Andreas Hauffe via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi,

here are the files. I replaced the real domain/realm name by
"search&replace", so there should not be a typing error in my files
concerning the realm or domain names.

Regards,
Andreas

client:~ # more /etc/hostname
client.loc.example.de
This should just be 'client'

client:~ # more /etc/hosts

127.0.0.1       localhost

# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback

fe00::0         ipv6-localnet

ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts
192.168.1.4     client.loc.example.de client.loc.example.de
The line above should be:

192.168.1.4     client.loc.example.de client

client:~ # more /etc/resolv.conf
search loc.example.de
nameserver 192.168.1.2
nameserver 192.168.1.3
I take it that the two IP addresses are your DCs

client:~ # more /etc/nsswitch.conf

passwd: compat winbind
group:  compat winbind

hosts:          files mdns_minimal [NOTFOUND=return] dns
I would change the line above to:

hosts:          files dns

client:~ # more /etc/samba/smb.conf
[global]
         security = ADS
         workgroup = LOC
         realm = LOC.EXAMPLE.COM

         log file = /var/log/samba/%m.log
         log level = 1

         template homedir = /home/%D/%U
         template shell = /bin/bash

         # Default ID mapping configuration for local BUILTIN accounts
         # and groups on a domain member. The default (*) domain:
         # - must not overlap with any domain ID mapping configuration!
         # - must use a read-write-enabled back end, such as tdb.
         # - Adding just this is not enough
         # - You must set a DOMAIN backend configuration, see below
         idmap config * : backend = tdb
         idmap config * : range = 1000000-2000000
Hmm, do you not understand 'Adding just this is not enough' and 'You
must set a DOMAIN backend configuration, see below' ?

I would expect something like this:

         idmap config * : backend = tdb
         idmap config * : range = 3000-9999
         idmap config LOC : backend = rid
         idmap config LOC : range = 1000000-2000000

Rowland


--
Best regards
Andreas Hauffe
Head of the research field "Auslegungsmethoden für Luftfahrzeuge"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe@xxxxxxxxxxxxx
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de
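Added example, not from the thread or from Samba itself: a small Python check for the idmap mistakes discussed above. It embeds two constructed smb.conf fragments, one with only the "*" domain as in the original post and one in the shape Rowland suggests, extended with an assumed trusted domain named PARTNER (the name and its range are assumptions for illustration). The check verifies that the joined domain and each trusted domain you name have their own backend and range, and that no two ranges overlap, which is what the comment block in smb.conf requires.

```python
"""Check 'idmap config' entries in an smb.conf for the mistakes discussed
in the thread. Added example; PARTNER and all ranges are assumed values."""
import re

# Constructed sample: the original post's configuration (only '*').
ORIGINAL = """
[global]
    security = ADS
    workgroup = LOC
    realm = LOC.EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 1000000-2000000
"""

# Constructed sample: the corrected shape, plus an assumed trusted
# domain PARTNER with its own non-overlapping rid range.
CORRECTED = """
[global]
    security = ADS
    workgroup = LOC
    realm = LOC.EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 3000-9999
    idmap config LOC : backend = rid
    idmap config LOC : range = 1000000-2000000
    idmap config PARTNER : backend = rid
    idmap config PARTNER : range = 2000001-3000000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(text):
    """Return {DOMAIN: {'backend': str, 'range': (lo, hi)}} from smb.conf text."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-", 1))
            entry["range"] = (lo, hi)
        else:
            entry[key] = val
    return domains


def workgroup_of(text):
    """Return the 'workgroup =' value (the joined domain), upper-cased."""
    m = re.search(r"^\s*workgroup\s*=\s*(\S+)", text, re.I | re.M)
    return m.group(1).upper() if m else None


def check_idmap(text, trusted=()):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    domains = parse_idmap(text)
    wg = workgroup_of(text)
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain")
    for dom, entry in domains.items():
        if "backend" not in entry:
            problems.append(f"{dom}: backend missing")
        if "range" not in entry:
            problems.append(f"{dom}: range missing")
    # 'Adding just this (*) is not enough': the joined domain needs its own config.
    if wg and wg not in domains:
        problems.append(f"joined domain {wg} has no idmap config; '*' alone is not enough")
    # Trusted domains the admin expects to resolve should be configured too,
    # otherwise their users are allocated from the '*' range.
    for t in trusted:
        if t.upper() not in domains:
            problems.append(f"trusted domain {t.upper()} has no idmap config")
    # Ranges must not overlap ('must not overlap with any domain ID mapping').
    ranged = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    for i, (d1, (lo1, hi1)) in enumerate(ranged):
        for d2, (lo2, hi2) in ranged[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges of {d1} and {d2} overlap")
    return problems


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, check_idmap(cfg, trusted=("PARTNER",)) or "OK")
```

Run it against a real smb.conf by reading the file into `check_idmap` and passing the names that `wbinfo --trusted-domains` reports; the `wbinfo -i` and `wbinfo -K` checks used in the thread remain the way to confirm that mapping and authentication actually work after the ranges are fixed.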
