Web lists-archives.com

Re: [Samba] Opensolaris-ish joins but does not seem to be valid




On Tue, 10 Oct 2017 09:39:43 -0500 (CDT)
Andrew Martin <amartin@xxxxxxxxxxx> wrote:

> ----- Original Message -----
> > From: "samba" <samba@xxxxxxxxxxxxxxx>
> > To: "samba" <samba@xxxxxxxxxxxxxxx>
> > Sent: Tuesday, October 10, 2017 2:23:02 AM
> > Subject: Re: [Samba] Opensolaris-ish joins but does not seem to be
> > valid
> 
> > On Mon, 9 Oct 2017 18:04:45 -0500 (CDT)
> > Mike Ray via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > 
> >> We have a product that is similar to Opensolaris. It joins to the
> >> domain (Samba version 4.7.0) without error and I can verify that a
> >> computer object is created in the domain for it.
> >> 
> >> However, the command "getent passwd" which I would expect to
> >> return a list of all domain users, only returns a list of local
> >> users.
> >> 
> >> I am confident I do not have a misconfigured file because if I get
> >> a kerberos ticket as the Administrator (i.e. kinit
> >> -UAdministrator) and then issue "getent passwd", the list returns
> >> as I would expect.
> >> 
> >> The host is populated with a keytab after joining to the domain and
> >> it appears to have good entries:
> >> "host/hostname.example.com@xxxxxxxxxxx", etc. And when I do a
> >> "klist" with no prior kinit, it says it says the default principal
> >> is "host/hostname@xxxxxxxxxxx" which is listed in the keytab.
> >> 
> >> Since I am on 4.7.0, I've also turned on the authentication
> >> auditing and I can see the authentication attempt when I issue
> >> "getent passwd". But instead of being host specific, it registers
> >> the user as [NT AUTHORITY]\[ANONYMOUS LOGON].
> >> 
> >> There is an additional setup we have to run for this host, setting
> >> up directory based mappings for idmap to resolve UIDs
> >> (http://web.archive.org/web/20090416045554/http://docs.sun.com:80/app/docs/doc/820-2429/createidmappingstrategy?a=view).
> >> That command registers as the host authority in the DC logs, i.e.
> >> "[EXAMPLE]\[HOSTNAME$][SID]"; however, on the client side, the
> >> process returns as "sasl/GSSAPI bind" error. As above, if I do a
> >> kinit as Administrator beforehand, the command succeeds
> >> successfully.
> >> 
> >> It seems like something is wrong with the computer account, but
> >> it's not like I can set the computer accounts password and
> >> manually trying kiniting as it. Any suggestions about what might
> >> be wrong or how to further troubleshoot?
> >> 
> >> Mike Ray
> >> 
> > 
> > Can you post your smb.conf
> > 
> > Rowland
> > 
> 
> Rowland,
> 
> Here's the smb.conf for one of the DCs (I'm working with Mike on
> this): [global]
>         netbios name = DC3
>         realm = EXAMPLE.COM
>         workgroup = EXAMPLE
>         server role = active directory domain controller
>         allow dns updates = nonsecure
>         dns forwarder = 192.168.0.2
>         idmap_ldb:use rfc2307 = Yes
>         printcap name = /dev/null
>         load printers = no
>         printing = bsd
>         ntp signd socket directory = /var/run/samba/ntp_signd
>         #acl:search = no
>         ldap server require strong auth = no
>         winbind sealed pipes = false
>         client signing = off
>         require strong key = false
>         client ldap sasl wrapping = plain
>         log level = 1 auth_audit:10
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/example.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> Thanks,
> 
> Andrew

Is this from the Opensolaris-ish machine ?

I expected to see a smb.conf file from a Unix domain member.

If it is from the machine where you are getting '[NT
AUTHORITY]\[ANONYMOUS LOGON]', then can you try 'getent passwd
username'. By default winbind doesn't enumerate users and groups.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba