Re: [Samba] Samba 4.8 Config SMB.Conf File

On Fri, 15 Mar 2019 09:17:34 -0400
Tyrus Shivers <tyrus.shivers@xxxxxxxxxxxxxxx> wrote:

> Rowland,
> 
> These are all VMs I am working on. I have tried it on several
> different "test" VMs. Blew away VMs and created new ones, still does
> not work.

This is very, very strange.
You are joining the domain with:

net ads join -U Administrator

Once joined, what does this produce:

net ads testjoin

> 
> It takes me a little time to type the info from the directories
> because I cannot copy/paste due to network separation.

Can you explain 'network separation'?

> 
> Contents below:
> 
> /etc/hostname
> testadmin

Nothing wrong there.

> 
> /etc/hosts
> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
> IPADDR      testadmin.mydomain.com   testadmin
> IPADDR      DC1.mydomain.com         DC1

Again, nothing really wrong, but you don't (or is that shouldn't) need
the DC info.

> 
> /etc/resolv.conf
> search mydomain.com
> nameserver "ipaddress for DC1"
> nameserver "ipaddress for DC2"

Nothing wrong there.

> 
> /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE: /var/log/kadmind.log
> 
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24hr
> renew_lifetime = 7d
> forwardable = true
> rdsn = false
> # default_realm = EXAMPLE.COM
> default_ccache_name = KEYRING:persistent:%{uid}
> 
> default_realm = MYDOMAIN.COM
> [realms]
> #EXAMPLE.COM = {
> # kdc = kerberos.example.com
> # admin_server = kerberos.example.com
> #}
> 
> MYDOMAIN.COM = {
>  kdc = dc1.MYDOMAIN.COM
> }
> 
> MYDOMAIN.COM =
> kdc = dc1.MYDOMAIN.COM
> }
> 
> [domain_realm]
> #.example.com = EXAMPLE.COM
> #example.com = EXAMPLE.COM
>  mydomain.com = MYDOMAIN.COM
>  .mydomain.com = MYDOMAIN.COM
>

Mine is:

 [libdefaults]
         default_realm = SAMDOM.EXAMPLE.COM
         dns_lookup_realm = false
         dns_lookup_kdc = true

But yours should work.

> 
> /etc/samba/smb.conf
> workgroup = mydomain
> realm = mydomain.com
> security = ads
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOMAIN : backend = rid
> idmap config MYDOMAIN : range = 10000-19999
> allow trusted domain = no
> template shell = /bin/bash
> winbind refresh tickets = yes
> restrict anonymous = 2
> 

About the only real difference between yours and mine is this line in
mine:

    winbind use default domain = yes

and that only turns off the domain name in user & group searches, i.e.
'DOMAIN\username' just becomes 'username'.

> 
> /etc/nsswitch.conf
>  passwd:    files  winbind
>  shadow:    files
>  group:       files  winbind
>  #initgroups : files
> 
>  hosts: files  dns  myhostname
> 
>  bootparams:  nisplus [NOTFOUND=return]  files
> 
>  ethers:       files
>  netmasks: files
>  networks:  files
>  protocols:  files
>  rpc:            files
>  services:   files
> 
>  netgroup:   files
>  publickey:  nisplus
> 
>  automount:  files
>  aliases:        files  nisplus
>

Again nothing wrong.

But I get:

[root@cen7member ~]# getent passwd rowland
rowland:*:11107:10513::/home/rowland:/bin/bash
[root@cen7member ~]# id rowland
uid=11107(rowland) gid=10513(domain users) .............

I wonder if this is a 'time' problem; is the time the same on the DC
and this Unix domain member?

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
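The checks Rowland walks through above (the realm in smb.conf against krb5.conf, the two idmap ranges, and clock skew between the member and the DC), as an added shell example that is not part of this thread. The sample config files it builds are constructed from the values quoted above; `net time -S DC1` is mentioned only as the way to read the DC clock on a real host.

```bash
#!/bin/bash
# Added example, not from the thread: offline sanity checks for a Samba domain
# member's config files. Paths are parameters; the sample files built at the
# bottom are constructed from the values quoted in this thread.

# Return 0 if smb.conf 'realm' (uppercased) equals krb5.conf 'default_realm'.
realm_matches() {   # $1 = smb.conf  $2 = krb5.conf
  local smb krb
  smb=$(sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]' | tr 'a-z' 'A-Z')
  krb=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$2" | head -n 1 | tr -d '[:space:]')
  [ -n "$smb" ] && [ "$smb" = "$krb" ]
}

# Return 0 if the '*' idmap range and the domain's (rid) range do not overlap;
# overlapping ranges let winbind hand out clashing uids/gids.
idmap_ranges_disjoint() {   # $1 = smb.conf
  local a b alo ahi blo bhi
  a=$(sed -n 's/^[[:space:]]*idmap config \*[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]')
  b=$(sed -n 's/^[[:space:]]*idmap config [^*:][^:]*:[[:space:]]*range[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]')
  [ -n "$a" ] && [ -n "$b" ] || return 1
  alo=${a%-*}; ahi=${a#*-}; blo=${b%-*}; bhi=${b#*-}
  [ "$ahi" -lt "$blo" ] || [ "$bhi" -lt "$alo" ]
}

# Return 0 if the member and DC clocks are within Kerberos' default 5 minute
# tolerance. On a real host read the DC time with: net time -S DC1
clock_skew_ok() {   # $1 = member epoch seconds  $2 = DC epoch seconds
  local diff=$(( $1 - $2 ))
  if [ "$diff" -lt 0 ]; then diff=$(( -diff )); fi
  [ "$diff" -le 300 ]
}

# Constructed samples mirroring the thread's configs (not real system files).
tmp=$(mktemp -d)
printf '%s\n' 'workgroup = mydomain' 'realm = mydomain.com' 'security = ads' \
  'idmap config * : backend = tdb' 'idmap config * : range = 3000-7999' \
  'idmap config MYDOMAIN : backend = rid' 'idmap config MYDOMAIN : range = 10000-19999' > "$tmp/smb.conf"
printf '%s\n' '[libdefaults]' ' default_realm = MYDOMAIN.COM' > "$tmp/krb5.conf"
for check in "realm_matches $tmp/smb.conf $tmp/krb5.conf" "idmap_ranges_disjoint $tmp/smb.conf"; do
  if $check; then echo "OK   $check"; else echo "FAIL $check"; fi
done
rm -rf "$tmp"
```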