A. James Lewis
2017-Aug-21 14:32 UTC
[Samba] Windows pre-requisites for login with winbind?
Also, I see the following repeated in syslog:-

==> syslog <==
Aug 21 15:25:41 hostname01 winbindd[691]: [2017/08/21 15:25:41.438959,  0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
Aug 21 15:25:41 hostname01 winbindd[691]:   Kinit for HOSTNAME01$@DOMAIN.LOCAL to access cifs/LOCAL_AD02.domain.local at DOMAIN.LOCAL failed: Cannot contact any KDC for requested realm

When one of the suspect users tries to log in I get:-

==> auth.log <==
Aug 21 15:25:14 op-sdes-dsk01 su[690]: No passwd entry for user 'username'
Aug 21 15:25:14 op-sdes-dsk01 su[690]: FAILED su for username by root
Aug 21 15:25:14 op-sdes-dsk01 su[690]: - ??? root:username

However, other AD users do work correctly.

This is Samba 4.5.8 BTW...

James

August 21, 2017 2:56 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Mon, 21 Aug 2017 13:14:16 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> I'm slightly confused, you appear to have trimmed down the config,
>> but not changed anything.... would you think this would affect the
>> issue where long standing users are able to log in, but new users are
>> not... even after a couple of weeks they are not able to log in via
>> "winbind", although they can authenticate via Kerberos, and obviously
>> log in to Windows desktops.
>>
>> James
>
> Yes I trimmed your /etc/krb5.conf down to all that is required, I also
> removed all the unnecessary lines from your smb.conf, but I also
> altered two lines and added two others.
>
> Your set up was putting everything into the '*' domain and nothing into
> the 'DOMAIN' domain. You were also using the 'rid' backend for the '*'
> domain and you MUST use 'tdb' for this.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
Rowland Penny
2017-Aug-21 14:50 UTC
[Samba] Windows pre-requisites for login with winbind?
On Mon, 21 Aug 2017 14:32:16 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> Also, I see the following repeated in syslog:-
>
> ==> syslog <==
> Aug 21 15:25:41 hostname01 winbindd[691]: [2017/08/21 15:25:41.438959,  0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
> Aug 21 15:25:41 hostname01 winbindd[691]:   Kinit for HOSTNAME01$@DOMAIN.LOCAL to access cifs/LOCAL_AD02.domain.local at DOMAIN.LOCAL failed: Cannot contact any KDC for requested realm
>
> When one of the suspect users tries to log in I get:-
>
> ==> auth.log <==
> Aug 21 15:25:14 op-sdes-dsk01 su[690]: No passwd entry for user 'username'
> Aug 21 15:25:14 op-sdes-dsk01 su[690]: FAILED su for username by root
> Aug 21 15:25:14 op-sdes-dsk01 su[690]: - ??? root:username
>
> However, other AD users do work correctly.
>
> This is Samba 4.5.8 BTW...
>

OK, can you post the following files:

/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf

Rowland
A. James Lewis
2017-Aug-21 15:37 UTC
[Samba] Windows pre-requisites for login with winbind?
OK, obviously I am slightly sanitising the output here, but I'm preserving the case, and just replacing local names with generic ones as I did for the config.

# more /etc/hostname
hostname01

# more /etc/hosts
127.0.0.1       localhost
127.0.1.1       hostname01

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# more /etc/resolv.conf
search domain.local
nameserver 10.0.3.1

# more /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
#

James

August 21, 2017 3:54 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> OK, can you post the following files:
>
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/nsswitch.conf
>
> Rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
A. James Lewis
2017-Aug-21 16:15 UTC
[Samba] Windows pre-requisites for login with winbind?
Rowland, I guess you have probably uncovered an issue in the environment which is resulting in the kerberos issues, probably that there is nothing in "broadcast" range of the host which may be why I ended up having to explicitly state the password server etc...

That said, the error says "cifs/LOCAL_AD02.domain.local at DOMAIN.LOCAL", and the host "LOCAL_AD02" is nowhere in the configuration and I can resolve the name "LOCAL_AD02.domain.local" and connect to it on port 88, so I don't see why it has an issue.

This said, I still think there is also an issue in AD, such that the more recently created users are missing a group or some parameter that allows them to work in "winbind", since many users do work.... independently of the issue with finding a KDC, is there any property in AD that is required to log in with winbind that a user might be missing?

James

August 21, 2017 4:40 PM, "A. James Lewis via samba" <samba at lists.samba.org> wrote:

> --- SNIP ---

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
Rowland Penny
2017-Aug-21 16:24 UTC
[Samba] Windows pre-requisites for login with winbind?
On Mon, 21 Aug 2017 15:37:03 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> OK, obviously I am slightly sanitising the output here, but I'm
> preserving the case, and just replacing local names with generic ones
> as I did for the config.

Not a problem with doing that ;-)

> # more /etc/hosts
> 127.0.0.1       localhost
> 127.0.1.1       hostname01

OK, does this computer get its ip via dhcp ?
if it does, just remove the '127.0.1.1' line.
If it doesn't, remove the '127.0.1.1' line and add a line:

<ip for hostname01> hostname01.domain.local hostname01

> # more /etc/resolv.conf
> search domain.local
> nameserver 10.0.3.1

Is '10.0.3.1' the ipaddress of the AD DC (or something that will get
you to the AD DC ?

Rowland
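A small offline checker for the three things this exchange turns on, added here as an illustration; it is not code from the thread or from Samba. It reads the /etc/hosts and /etc/nsswitch.conf listings James posted (embedded below as constructed samples), flags the loopback binding of the hostname that Rowland objects to and any passwd/group database that does not consult winbind, pulls the client principal, target SPN, realm and DC hostname out of the winbindd "Kinit ... failed" line so you know which host to resolve and probe on tcp/88, and lists the users su reported as having no passwd entry. The hostname and domain arguments are assumptions matching the sanitised names in the thread.

```python
import re

# Constructed samples, copied from the sanitised listings in this thread.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.1.1       hostname01
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
"""
SAMPLE_NSSWITCH = """\
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
"""
SAMPLE_SYSLOG = """\
Aug 21 15:25:41 hostname01 winbindd[691]: [2017/08/21 15:25:41.438959,  0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
Aug 21 15:25:41 hostname01 winbindd[691]:   Kinit for HOSTNAME01$@DOMAIN.LOCAL to access cifs/LOCAL_AD02.domain.local@DOMAIN.LOCAL failed: Cannot contact any KDC for requested realm
"""
SAMPLE_AUTHLOG = """\
Aug 21 15:25:14 op-sdes-dsk01 su[690]: No passwd entry for user 'username'
Aug 21 15:25:14 op-sdes-dsk01 su[690]: FAILED su for username by root
"""


def parse_hosts(text):
    """Map every name in an /etc/hosts listing to the address it is bound to."""
    names = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *aliases = line.split()
        for name in aliases:
            names.setdefault(name, addr)
    return names


def check_hosts(text, hostname, domain):
    """Rowland's point: a domain member must not bind its own name to a
    loopback address (the Debian/Ubuntu 127.0.1.1 default). Returns findings."""
    names = parse_hosts(text)
    findings = []
    for name in (hostname, f"{hostname}.{domain}"):
        addr = names.get(name, "")
        if addr.startswith("127."):
            findings.append(
                f"/etc/hosts binds {name} to {addr}; drop that line (DHCP) or "
                f"bind the real address to '{hostname}.{domain} {hostname}'"
            )
    return findings


def check_nsswitch(text):
    """getent/su only see AD users if passwd and group consult winbind."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, _, srcs = line.partition(":")
            sources[db.strip()] = srcs.split()
    return [f"nsswitch.conf: '{db}' does not list winbind"
            for db in ("passwd", "group") if "winbind" not in sources.get(db, [])]


# Accepts the real '@' and the ' at ' the list archive substitutes for it.
KINIT_RE = re.compile(
    r"Kinit for (?P<client>\S+) to access (?P<spn>\S+?)(?:@| at )(?P<realm>\S+) "
    r"failed: (?P<reason>.+)$"
)
NOPASSWD_RE = re.compile(r"su\[\d+\]: No passwd entry for user '(?P<user>[^']+)'")


def parse_kinit_failures(log):
    """Client principal, target SPN, realm, reason and the DC host winbindd
    picked (the name to resolve and probe on tcp/88) for each failed kinit."""
    out = []
    for line in log.splitlines():
        m = KINIT_RE.search(line)
        if m:
            d = m.groupdict()
            d["kdc_host"] = d["spn"].split("/", 1)[-1]
            out.append(d)
    return out


def users_missing_passwd(auth_log):
    """Users su could not find via NSS, to compare against wbinfo output."""
    return sorted({m.group("user") for m in NOPASSWD_RE.finditer(auth_log)})


if __name__ == "__main__":
    for f in check_hosts(SAMPLE_HOSTS, "hostname01", "domain.local"):
        print("hosts:", f)
    for f in check_nsswitch(SAMPLE_NSSWITCH):
        print("nss:", f)
    for k in parse_kinit_failures(SAMPLE_SYSLOG):
        print(f"kinit: {k['client']} -> {k['spn']}@{k['realm']} "
              f"(try {k['kdc_host']}:88): {k['reason']}")
    print("missing passwd entries:", users_missing_passwd(SAMPLE_AUTHLOG))
```

Run it as a script to print the findings for the embedded samples, or point the functions at the real files and logs. It deliberately touches no network: the nslookup, telnet to port 88 and getent steps in the thread remain the live checks, and this only tells you which names to feed them.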
A. James Lewis
2017-Aug-21 16:47 UTC
[Samba] Windows pre-requisites for login with winbind?
August 21, 2017 5:34 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Mon, 21 Aug 2017 15:37:03 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> OK, obviously I am slightly sanitising the output here, but I'm
>> preserving the case, and just replacing local names with generic ones
>> as I did for the config.
>
> Not a problem with doing that ;-)
>
>> # more /etc/hosts
>> 127.0.0.1       localhost
>> 127.0.1.1       hostname01
>
> OK, does this computer get its ip via dhcp ?
> if it does, just remove the '127.0.1.1' line.
> If it doesn't, remove the '127.0.1.1' line and add a line:
>

Yes, it is an lxc container, so currently it does get its IP from DHCP... none of that config was added by me, except the winbind in nsswitch.conf.

> <ip for hostname01> hostname01.domain.local hostname01
>
>> # more /etc/resolv.conf
>> search domain.local
>> nameserver 10.0.3.1
>
> Is '10.0.3.1' the ipaddress of the AD DC (or something that will get
> you to the AD DC ?
>

It's the resolvconf DNS server on the machine hosting LXC, but yes, it is definitely able to resolve the AD server. Everything seems to work as expected:-

# nslookup LOCAL_AD03.domain.local
Server:         10.0.3.1
Address:        10.0.3.1#53

Non-authoritative answer:
Name:   LOCAL_AD03.domain.local
Address: 10.x.x.x

# telnet LOCAL_AD03.domain.local 88
Trying 10.x.x.x...
Connected to LOCAL_AD03.domain.local.
Escape character is '^]'.
Connection closed by foreign host.

# getent passwd jlewis
jlewis:*:54239:5513:Lewis, James:/home/DOMAIN/jlewis:/bin/bash

Clearly it picked up the "LOCAL_AD03.domain.local" from somewhere, since that's not in the configuration, and I can look up (and log in as) my own user. I don't know however why kinit is now having a problem (it did not when I explicitly specified the KDC servers).

The 3 most recently added users simply cannot authenticate, and this is where I'm convinced it is related to their AD accounts:-

# getent passwd otheruser
#

That said, I would much prefer not to explicitly specify stuff in the config if possible, since that's one less thing to maintain!

James

> Rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
A. James Lewis
2017-Aug-21 17:04 UTC
[Samba] Windows pre-requisites for login with winbind?
I've just observed a bizarre clue:-

# su - newuser
No passwd entry for user 'newuser'
# wbinfo --user-groups newuser
72471
19108
72307
72516
19326
--- SNIP ---
#

So, it can see the groups that user is a member of, but it cannot see a "passwd entry", whatever that means in the context of winbind!

James

August 21, 2017 5:34 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> --- SNIP ---

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."