
Re: [Samba] Opensolaris-ish joins but does not seem to be valid




On Mon, 9 Oct 2017 18:04:45 -0500 (CDT)
Mike Ray via samba <samba@xxxxxxxxxxxxxxx> wrote:

> We have a product that is similar to Opensolaris. It joins to the
> domain (Samba version 4.7.0) without error and I can verify that a
> computer object is created in the domain for it.
> 
> However, the command "getent passwd" which I would expect to return a
> list of all domain users, only returns a list of local users.
> 
> I am confident I do not have a misconfigured file because if I get a
> Kerberos ticket as the Administrator (i.e. kinit -UAdministrator) and
> then issue "getent passwd", the list returns as I would expect.
> 
> The host is populated with a keytab after joining to the domain and
> it appears to have good entries:
> "host/hostname.example.com@xxxxxxxxxxx", etc. And when I do a "klist"
> with no prior kinit, it says the default principal is
> "host/hostname@xxxxxxxxxxx" which is listed in the keytab.
> 
> Since I am on 4.7.0, I've also turned on the authentication auditing
> and I can see the authentication attempt when I issue "getent
> passwd". But instead of being host specific, it registers the user as
> [NT AUTHORITY]\[ANONYMOUS LOGON].
> 
> There is an additional setup we have to run for this host, setting up
> directory based mappings for idmap to resolve UIDs
> (http://web.archive.org/web/20090416045554/http://docs.sun.com:80/app/docs/doc/820-2429/createidmappingstrategy?a=view).
> That command registers as the host authority in the DC logs, i.e.
> "[EXAMPLE]\[HOSTNAME$][SID]"; however, on the client side, the
> process returns as "sasl/GSSAPI bind" error. As above, if I do a
> kinit as Administrator beforehand, the command succeeds successfully. 
> 
> It seems like something is wrong with the computer account, but it's
> not like I can set the computer account's password and manually try
> kiniting as it. Any suggestions about what might be wrong or how to
> further troubleshoot?
> 
> Mike Ray
> 

Can you post your smb.conf?

Rowland
