Re: [Samba] kerberos + winbind + AD authentication for samba 4 domain member
- Date: Wed, 1 Nov 2017 20:28:05 +0100
- From: Kacper Wirski via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] kerberos + winbind + AD authentication for samba 4 domain member
I'm going to start with a clean CentOS install, so I might as well use some
additional guidelines, thank you.
When you run kinit, does your user already have a ticket? What I noticed is
that when the user already has a ticket, kinit works fine and uses the
principal from that ticket as the default.
Can you do kdestroy - then kinit?
Also, on Fedora, did you install Samba from source or from the repo's RPM?
And last question - for PAM, did you manually edit system-auth, or with
After I do some tests later on, I will update with whatever I manage to
1 Nov 2017 18:51 "Rowland Penny via samba" <samba@xxxxxxxxxxxxxxx>
> On Wed, 1 Nov 2017 17:41:14 +0100 (CET)
> "k.wirski babkamedica.pl" <k.wirski@xxxxxxxxxxxxxx> wrote:
> > Thank you,
> > /etc/hostname I set it myself, never seen an issue with FQDN, I'll
> > change it
> > localdomain in /etc/hosts is from the default config
> > this auto krb5.conf.DOMAIN - could it be that by default Samba
> > builds with Heimdal, and CentOS (as RHEL) uses MIT krb, and
> > something in /etc/krb5.conf was not ok during join, for whatever
> > reason? The "auth_to_local" is MIT Kerberos specific.
> > Also auth_to_local is used when logging in to the machine, and my issue with
> > kinit is when mapping is done from local to UPN.
> > I removed the whole /usr/local/samba dir, installed from scratch,
> > re-added to domain, recreated krb5.keytab, and the issue is 100% the same.
> > I tried changing the winbind separator from default to + and changed the
> > krb5.conf rule accordingly; it changed nothing. The issue is not with
> > Kerberos for login, it works a-ok. The issue is that for whatever
> > reason the POSIX user is used with full name as principal.
> > When I changed the winbind separator, my POSIX user was
> > "DOMAIN+kacper_wirski", and "kinit" used
> > DOMAIN+kacper_wirski@xxxxxxxxxxxxxxxxxxx as principal.
> > I'm considering setting up a new machine from scratch from CentOS minimal
> > and going from there, or I'll take my risks and set "use default domain =
> > yes", then everything works perfectly.
> > Can this issue be caused by something outside this machine, and
> > something wrong with the domain overall? I don't believe it, since it
> > seems very local OS specific, but maybe it is?
> All I can say is that when I set up Fedora 26 yesterday in the way I
> would set up a Devuan computer, 'kinit' works in the way you want.
> You are correct in that Samba uses Heimdal rather than MIT, but this is
> supplied with Samba and is only used if you compile for a DC, you
> Whilst it isn't recommended to use 'use default domain = yes', it is
> used rather a lot. The only time it definitely shouldn't be used is if
> you have more than one DOMAIN set in smb.conf.
> If it helps, I can send you the notes I made whilst setting up Fedora 26
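The diagnostic step suggested in the thread (kdestroy, then kinit with the principal derived from the winbind-style POSIX name rather than the bare "DOMAIN+user" string), as an added shell example that is not part of the thread. The realm EXAMPLE.COM, the separator and the user name are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Derives "user@REALM" from a
# winbind-style POSIX user name ("DOMAIN<sep>user", or a plain "user"
# when "use default domain = yes" is in effect) and runs kinit against
# that principal explicitly, after kdestroy, so kinit cannot fall back
# to the bare POSIX name or to a stale cached ticket.
# Assumptions: realm EXAMPLE.COM, separator "+" and the user name are
# constructed values; map_principal/kinit_explicit are hypothetical names.

# Print the Kerberos principal for a POSIX user name.
map_principal() {
  user=$1; sep=$2; realm=$3
  case $user in
    *"$sep"*) user=${user#*"$sep"} ;;   # strip the "DOMAIN<sep>" prefix
  esac
  case $user in
    *@*) printf '%s\n' "$user" ;;               # already a full principal
    *)   printf '%s@%s\n' "$user" "$realm" ;;   # append the realm
  esac
}

# Destroy any cached ticket first (a cached ticket makes kinit default to
# that ticket's principal and masks the mapping problem), then kinit with
# the explicit principal and show what was obtained.
kinit_explicit() {
  princ=$(map_principal "$1" "$2" "$3")
  kdestroy 2>/dev/null || true
  echo "Requesting TGT for $princ"
  kinit "$princ" && klist
}

# Example call (constructed values):
# kinit_explicit 'DOMAIN+kacper_wirski' '+' 'EXAMPLE.COM'
```

Only map_principal runs without a KDC; kinit_explicit needs a working /etc/krb5.conf and a reachable domain controller.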