Web lists-archives.com

Re: [Samba] Windows pre-requisites for login with winbind?




I think we're getting confused with the kerberos issue created by my errant DNS server... with the original problem, all the commands I have sent showing an issue with kerberos were working originally, with the config which explicitly defined "kdc =", and are now working again, with your new config, now that I have fixed the DNS... but the original problem is that I have a very small number of users which don't work.... winbind says that they don't exist, while every other user works just fine... 

Those 3 users that don't work are the most recent 3 to be added, and since I don't have control over the AD, I can't say if there's some parameter or group they don't have which stops them from working, but I don't think it's a co-incidence that they are not "random" users, but only "new" users.

Obviously since they can log in to windows desktops, winbind behaviour must be different to Windows... but surely there has to be an AD component to this too.

The common-auth line you have below is precisely what I have.

James

August 22, 2017 2:20 PM, "Rowland Penny via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> On Tue, 22 Aug 2017 13:02:03 +0000
> "A. James Lewis" <james@xxxxxxxxxx> wrote:
> 
>> I have krb5-config krb5-user, but not libpam-krb5... I'm slightly
>> fuzzy about how this works, but I thought the interaction with
>> kerberos was implemented via winbind, so I wasn't expecting this
>> package to be installed... certainly there is no dependency that has
>> pulled it in.
>> 
>> James
> 
> Well, it is what makes PAM use kerberos with winbind, this is the
> winbind line from /etc/pam.d/common-auth with it installed:
> 
> auth [success=1 default=ignore] pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass
> 
> And all the commands you have posted work for me.
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james@xxxxxxxxxx)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba