Hi,

I'm having trouble realizing a krb5auth with pam_winbind with trusted domain users (external trust) on our clients. The client is joined to a local domain, which has an "external trust" to a global domain.

The following things are working for all users (local and trusted domain):

"wbinfo -i"
"wbinfo --pam-logon"
"wbinfo -a"
"kinit"

Just "wbinfo -K" works only for local domain users. And that is the problem. I need the Kerberos ticket for NFS.

smb.conf, krb5.conf and the other configs are taken from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member. Just changed the domain/realm name to the local domain name.

Regards
Andreas
Hai,

What's the OS used?

The first things I would check.

Did you give both servers the nfs/ SPN?
The current search order for keytabs to be used for "machine credentials":

<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>

So make sure one of these is known in the system keytab file.
The trusted domain, same REALM or other REALM, and if needed defined in krb5.conf?

And both servers have A and PTR records and are correctly resolved?

If all of the above does not work or is checked already, you could configure idmap.conf like this. (There might be things to improve below.)
(From my Debian jessie servers; the stretch servers don't have the idmap changes anymore.)

[General]

Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs

# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = internal.domain.tld
Local-Realm = MY_REALM

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
RTD-WEB1$@MY_REALM = root
host/rtd-web1.internal.domain.tld@MY_REALM = root
nfs/rtd-web1.internal.domain.tld@MY_REALM = root
nfs/rtd-web1.internal.domain.tld@ = root

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Andreas Hauffe via samba
> Sent: Tuesday, 22 August 2017 9:36
> To: Andreas Hauffe via samba
> Subject: [Samba] Winbind with krb5auth for trust users
>
> [...]
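The keytab search order and the krb5.conf question in the reply above, as an added example that is not Louis's code and not part of Samba or nfs-utils: a POSIX shell script that picks the first principal from a `klist -k` listing in the order gssd tries them for machine credentials (the `<anyname>` entries act as wildcards), and reports which realm a krb5.conf `[domain_realm]` section maps a DNS domain, or one of its parent domains, to. The hostnames, realm names and file contents are constructed samples, not the poster's systems.

```shell
#!/bin/sh
# Added example; not code from the thread, Samba or nfs-utils.
# first_machine_principal: from `klist -k` output, pick the first principal in
# the search order rpc.gssd uses for machine credentials.
# realm_for_domain: which realm krb5.conf [domain_realm] maps a DNS domain to.
# Every name and file body below is a constructed sample.

# Constructed `klist -k /etc/krb5.keytab` output. There is deliberately no
# MLRLINUX$ account principal, so the search must fall through to nfs/.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mlrlinux.local.example@LOCAL.EXAMPLE
   2 HTTP/mlrlinux.local.example@LOCAL.EXAMPLE
   2 nfs/mlrlinux.local.example@LOCAL.EXAMPLE'

# Constructed krb5.conf: only the local realm is mapped; the trusted domain
# globdom.example has no [domain_realm] entry at all.
SAMPLE_KRB5CONF='[libdefaults]
    default_realm = LOCAL.EXAMPLE
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    LOCAL.EXAMPLE = {
        default_domain = local.example
    }

[domain_realm]
    .local.example = LOCAL.EXAMPLE
    local.example = LOCAL.EXAMPLE'

# Print the first keytab principal matching gssd's search order.
# $1 = klist -k output, $2 = FQDN of this host, $3 = realm. Exit 1 if none.
first_machine_principal() {
    klist_out=$1 fqdn=$2 realm=$3
    short=${fqdn%%.*}
    nb=$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')
    # klist -k prints three header lines; principals are in column 2 after that.
    principals=$(printf '%s\n' "$klist_out" | awk 'NR > 3 { print $2 }')
    # Candidate patterns in gssd's order; "*" stands for <anyname>.
    for pat in "${nb}\$@${realm}" "root/${fqdn}@${realm}" "nfs/${fqdn}@${realm}" \
               "host/${fqdn}@${realm}" "root/*@${realm}" "nfs/*@${realm}" "host/*@${realm}"; do
        for p in $principals; do
            case $p in
                $pat) printf '%s\n' "$p"; return 0 ;;
            esac
        done
    done
    return 1
}

# Print the realm that [domain_realm] maps $2 (or a parent domain) to,
# reading the krb5.conf text in $1. Exit 1 when the domain is unmapped,
# which is exactly the case to check for a trusted domain in another realm.
realm_for_domain() {
    conf=$1 d=$2
    while [ -n "$d" ]; do
        # Try the exact host/domain key first, then the ".domain" suffix key.
        for key in "$d" ".$d"; do
            r=$(printf '%s\n' "$conf" | awk -v k="$key" '
                /^\[/ { insect = ($0 == "[domain_realm]"); next }
                insect && $1 == k && $2 == "=" { print $3; exit }')
            [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
        done
        case $d in *.*) d=${d#*.} ;; *) d= ;; esac
    done
    return 1
}

# Demo on the constructed samples. On a real client you would feed the live
# files instead (not run here):
#   first_machine_principal "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" LOCAL.EXAMPLE
#   realm_for_domain "$(cat /etc/krb5.conf)" globdom.example
first_machine_principal "$SAMPLE_KLIST" mlrlinux.local.example LOCAL.EXAMPLE \
    || echo "no usable machine principal in keytab"
realm_for_domain "$SAMPLE_KRB5CONF" globdom.example \
    || echo "globdom.example has no [domain_realm] mapping"
```

The first function stops at the first pattern that matches anything, so a stray `nfs/<anyname>` entry for some other host is accepted before a `host/<thishost>` one; that mirrors the order quoted above and is worth knowing when a keytab has been merged from several machines. The second function walks up the domain hierarchy the way libkrb5 does, so a trusted domain that is only covered by DNS-based realm lookup (`dns_lookup_realm`) will still show as unmapped here, which is the point of the check.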
Hi,

thanks for the fast answer.

All DCs (local and trusted domain) are running on Windows Server 2012. The client is running on openSUSE Leap 42.3. The Samba version is 4.6.5.

Right now I'm a step before NFS. At first I just want to authorize users with krb5auth.

The error is:

mlrlinux:~ # wbinfo -K GLOBALDOM\\globdomuser
Enter GLOBALDOM\globdomuser's password:
plaintext kerberos password authentication for [GLOBALDOM\globdomuser] failed (requesting cctype: FILE)
wbcLogonUser(GLOBALDOM\globdomuser): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user [GLOBALDOM\globdomuser] with Kerberos (ccache: FILE)

DNS resolution is working. I'm able to get the credentials for a GLOBDOM user with kinit, which should not work if DNS resolution has errors, right?

Andreas

On 22.08.2017 at 10:04, L.P.H. van Belle via samba wrote:
> [...]

--
Kind regards
Andreas Hauffe
Head of the research field "Design Methods for Aircraft"
----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering
D-01062 Dresden
Germany
phone : +49 (351) 463 38496
fax : +49 (351) 463 37263
mail : andreas.hauffe@tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address: http://www.elamx.de
Hai,

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Andreas Hauffe via samba
> Sent: Tuesday, 22 August 2017 11:26
> To: samba@lists.samba.org
> Subject: Re: [Samba] Winbind with krb5auth for trust users
>
> [...]
>
> DNS resolution is working. I'm able to get the credentials for a GLOBDOM user with kinit, which should not work if DNS resolution has errors, right?

Depends on the member server setting.

For example, do you have:

kerberos method = secrets and keytab

in smb.conf?

Can you post the following files? Sorry, we need to verify the files. (Anonymize where needed.)

/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf
Your krb5.conf
And smb.conf

Greetz,

Louis