Re: [Samba] Windows pre-requisites for login with winbind?
- Date: Tue, 22 Aug 2017 16:49:35 +0200
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Windows pre-requisites for login with winbind?
Did you already check the database replication Of the DC's.
If one is out of sync, and the pc is connecting to that one, you have errors.
And what does the windows event id tell you.
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens A.
> James Lewis via samba
> Verzonden: dinsdag 22 augustus 2017 16:36
> Aan: Rowland Penny; samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] Windows pre-requisites for login with winbind?
> I think we're getting confused with the kerberos issue
> created by my errant DNS server... with the original problem,
> all the commands I have sent showing an issue with kerberos
> were working originally, with the config which explicitly
> defined "kdc =", and are now working again, with your new
> config, now that I have fixed the DNS... but the original
> problem is that I have a very small number of users which
> don't work.... winbind says that they don't exist, while
> every other user works just fine...
> Those 3 users that don't work are the most recent 3 to be
> added, and since I don't have control over the AD, I can't
> say if there's some parameter or group they don't have which
> stops them from working, but I don't think it's a
> co-incidence that they are not "random" users, but only "new" users.
> Obviously since they can log in to windows desktops, winbind
> behaviour must be different to Windows... but surely there
> has to be an AD component to this too.
> The common-auth line you have below is precisely what I have.
> August 22, 2017 2:20 PM, "Rowland Penny via samba"
> <samba@xxxxxxxxxxxxxxx> wrote:
> > On Tue, 22 Aug 2017 13:02:03 +0000
> > "A. James Lewis" <james@xxxxxxxxxx> wrote:
> >> I have krb5-config krb5-user, but not libpam-krb5... I'm slightly
> >> fuzzy about how this works, but I thought the interaction with
> >> kerberos was implemented via winbind, so I wasn't expecting this
> >> package to be installed... certainly there is no
> dependency that has
> >> pulled it in.
> >> James
> > Well, it is what makes PAM use kerberos with winbind, this is the
> > winbind line from /etc/pam.d/common-auth with it installed:
> > auth [success=1 default=ignore] pam_winbind.so krb5_auth
> > krb5_ccache_type=FILE cached_login try_first_pass
> > And all the commands you have posted work for me.
> > Rowland
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> A. James Lewis (james@xxxxxxxxxx)
> "Engineering does not require science. Science helps a lot
> but people built perfectly good brick walls long before they
> knew why cement works."
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
To unsubscribe from this list go to the following URL and read the