Re: [Samba] Opensolaris-ish joins but does not seem to be valid
- Date: Tue, 10 Oct 2017 09:39:43 -0500 (CDT)
- From: Andrew Martin via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Opensolaris-ish joins but does not seem to be valid
----- Original Message -----
> From: "samba" <samba@xxxxxxxxxxxxxxx>
> To: "samba" <samba@xxxxxxxxxxxxxxx>
> Sent: Tuesday, October 10, 2017 2:23:02 AM
> Subject: Re: [Samba] Opensolaris-ish joins but does not seem to be valid
> On Mon, 9 Oct 2017 18:04:45 -0500 (CDT)
> Mike Ray via samba <samba@xxxxxxxxxxxxxxx> wrote:
>> We have a product that is similar to Opensolaris. It joins to the
>> domain (Samba version 4.7.0) without error and I can verify that a
>> computer object is created in the domain for it.
>> However, the command "getent passwd" which I would expect to return a
>> list of all domain users, only returns a list of local users.
>> I am confident I do not have a misconfigured file because if I get a
>> kerberos ticket as the Administrator (i.e. kinit -UAdministrator) and
>> then issue "getent passwd", the list returns as I would expect.
>> The host is populated with a keytab after joining to the domain and
>> it appears to have good entries:
>> "host/hostname.example.com@xxxxxxxxxxx", etc. And when I do a "klist"
>> with no prior kinit, it says it says the default principal is
>> "host/hostname@xxxxxxxxxxx" which is listed in the keytab.
>> Since I am on 4.7.0, I've also turned on the authentication auditing
>> and I can see the authentication attempt when I issue "getent
>> passwd". But instead of being host specific, it registers the user as
>> [NT AUTHORITY]\[ANONYMOUS LOGON].
>> There is an additional setup we have to run for this host, setting up
>> directory based mappings for idmap to resolve UIDs
>> That command registers as the host authority in the DC logs, i.e.
>> "[EXAMPLE]\[HOSTNAME$][SID]"; however, on the client side, the
>> process returns as "sasl/GSSAPI bind" error. As above, if I do a
>> kinit as Administrator beforehand, the command succeeds successfully.
>> It seems like something is wrong with the computer account, but it's
>> not like I can set the computer accounts password and manually trying
>> kiniting as it. Any suggestions about what might be wrong or how to
>> further troubleshoot?
>> Mike Ray
> Can you post your smb.conf
Here's the smb.conf for one of the DCs (I'm working with Mike on this):
netbios name = DC3
realm = EXAMPLE.COM
workgroup = EXAMPLE
server role = active directory domain controller
allow dns updates = nonsecure
dns forwarder = 192.168.0.2
idmap_ldb:use rfc2307 = Yes
printcap name = /dev/null
load printers = no
printing = bsd
ntp signd socket directory = /var/run/samba/ntp_signd
#acl:search = no
ldap server require strong auth = no
winbind sealed pipes = false
client signing = off
require strong key = false
client ldap sasl wrapping = plain
log level = 1 auth_audit:10
path = /var/lib/samba/sysvol/example.com/scripts
read only = No
path = /var/lib/samba/sysvol
read only = No
To unsubscribe from this list go to the following URL and read the