mourik jan c heupink
2015-Oct-26 20:22 UTC
[Samba] self compiled samba domain member, jessie, pam config
Hi,

On 26-10-2015 21:03, Rowland Penny wrote:
> How are you trying to log in with ssh ? I use it with plain passwords to
> the DC all the time and don't have any problems.

It seems that smb.conf cannot have

> kerberos method = secrets and keytab

If that line is in place, I cannot logon. If I take it out, I can logon.

Is this normal..? (or..are you also seeing that?)

Read about it here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784656

mourik jan c heupink
2015-Oct-26 20:35 UTC
[Samba] self compiled samba domain member, jessie, pam config
> It seems that smb.conf cannot have
>
> kerberos method = secrets and keytab
>
> If that line is in place, I cannot logon. If I take it out, I can logon.
>

Seems there is a samba bugreport about it here:
https://bugzilla.samba.org/show_bug.cgi?id=10490

and the solution "chmod g+r /etc/krb5.keytab" works for me as well.

Have a nice evening/day everybody.

MJ

Rowland Penny
2015-Oct-26 20:46 UTC
[Samba] self compiled samba domain member, jessie, pam config
On 26/10/15 20:22, mourik jan c heupink wrote:
> Hi,
>
> On 26-10-2015 21:03, Rowland Penny wrote:
>> How are you trying to log in with ssh ? I use it with plain passwords to
>> the DC all the time and don't have any problems.
> It seems that smb.conf cannot have
>
> kerberos method = secrets and keytab
>
> If that line is in place, I cannot logon. If I take it out, I can logon.
>
> Is this normal..? (or..are you also seeing that?)

No and never seen it.

>
> Read about it here:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784656
>

Do you have /etc/krb5.keytab?

This is my smb.conf from a domain member:

[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    username map = /etc/samba/samba_usermapping
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    reset on zero vc = Yes
    unix extensions = No
    client signing = if_required
    domain master = No
    host msdfs = No
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nss info = rfc2307
    winbind refresh tickets = Yes # <-- do you have this line
    winbind offline logon = Yes
    idmap config SAMDOM:range = 10000-99999
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:backend = ad
    idmap config *:range = 2000-9999
    idmap config * : backend = tdb
    map acl inherit = Yes
    hide unreadable = Yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    store dos attributes = Yes
    vfs objects = acl_xattr

This is on Debian Wheezy using Version 4.2.4-SerNet-Debian-7.wheezy

If you don't have the keytab, try leaving the domain and re-joining, this should create the keytab, if you do have the keytab, remove it then, leave and re-join.

Rowland

mourik jan c heupink
2015-Oct-26 21:01 UTC
[Samba] self compiled samba domain member, jessie, pam config
Hi,

I have the keytab file, it just seems that:

"technically "secrets and keytab" means that samba uses both the internal secrets and system keytab file for keytab storage. secrets is in memory (so this works even if changing uid). keytab on the other hand is only opened when needed."

So I have the keytab, I just needed to chmod g+r for it to be readable after "winbindd forks, changes to the uid of the user that is logging in."

Both quotes above are from the samba bugreport.
(https://bugzilla.samba.org/show_bug.cgi?id=10490)

And about your line

> winbind refresh tickets = Yes # <-- do you have this line

Yes I do. I pretty much took the domain member server smb.conf from the wiki.

MJ

On 26-10-2015 21:46, Rowland Penny wrote:
>
> If you don't have the keytab, try leaving the domain and re-joining,
> this should create the keytab, if you do have the keytab, remove it
> then, leave and re-join.
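
A check for the situation discussed in this thread, as an added example that is not code from the posters or from the Samba project: it reads "kerberos method" and "dedicated keytab file" from an smb.conf and reports whether the keytab is owner-only, group-readable (the state after "chmod g+r"), or world-readable. The function names (smbconf_get, audit_keytab, demo) are hypothetical, GNU stat is assumed, and the demo files are constructed.

```shell
#!/bin/sh
# Added example: report how a domain member's keytab permissions relate to
# smb.conf's "kerberos method". Assumes GNU stat (Debian), as in the thread.

# Print the value of "name = value" from smb.conf (simplified: exact-case
# name, no include handling, last occurrence wins).
smbconf_get() {  # $1 = smb.conf path, $2 = parameter name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one verdict word for the keytab that smb.conf points at.
audit_keytab() {  # $1 = smb.conf path, $2 = fallback keytab path (optional)
    method=$(smbconf_get "$1" "kerberos method")
    keytab=$(smbconf_get "$1" "dedicated keytab file")
    [ -n "$keytab" ] || keytab=${2:-/etc/krb5.keytab}
    case $method in
        *keytab*) ;;                         # "secrets and keytab", "system keytab", ...
        *) echo "keytab-not-used"; return 0 ;;
    esac
    if [ ! -e "$keytab" ]; then echo "missing"; return 0; fi
    mode=$(stat -c '%a' "$keytab")           # e.g. 600, 640, 644
    other=$((mode % 10))
    group=$((mode / 10 % 10))
    if [ $((other & 4)) -ne 0 ]; then
        echo "world-readable"                # any local user can read the host keys
    elif [ $((group & 4)) -ne 0 ]; then
        echo "group-readable"                # state after "chmod g+r"
    else
        echo "owner-only"                    # no group read bit: what "chmod g+r" changes
    fi
}

# Constructed demo: a throwaway smb.conf and an empty stand-in keytab.
demo() {
    d=$(mktemp -d)
    : > "$d/krb5.keytab"
    printf '[global]\n  dedicated keytab file = %s\n  kerberos method = secrets and keytab\n' \
        "$d/krb5.keytab" > "$d/smb.conf"
    for m in 600 640 644; do
        chmod "$m" "$d/krb5.keytab"
        echo "$m -> $(audit_keytab "$d/smb.conf")"
    done
    rm -rf "$d"
}
demo
```

"chmod g+r" grants read access to whichever group owns the keytab, so the owning group is worth checking alongside the mode bits.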