A. James Lewis
2017-Aug-21 16:47 UTC
[Samba] Windows pre-requisites for login with winbind?
August 21, 2017 5:34 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Mon, 21 Aug 2017 15:37:03 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> OK, obviously I am slightly sanitising the output here, but I'm
>> preserving the case, and just replacing local names with generic ones
>> as I did for the config.
>
> Not a problem with doing that ;-)
>
>> # more /etc/hosts
>> 127.0.0.1 localhost
>> 127.0.1.1 hostname01
>
> OK, does this computer get its ip via dhcp ?
> if it does, just remove the '127.0.1.1' line.
> If it doesn't, remove the '127.0.1.1' line and add a line:

Yes, it is an lxc container, so currently it does get its IP from DHCP... none of that config was added by me, except the winbind in nsswitch.conf.

> <ip for hostname01> hostname01.domain.local hostname01
>
>> # more /etc/resolv.conf
>> search domain.local
>> nameserver 10.0.3.1
>
> Is '10.0.3.1' the ipaddress of the AD DC (or something that will get
> you to the AD DC ?

It's the resolveconf DNS server on the machine hosting LXC, but yes, it is definitely able to resolve the AD server.

Everything seems to work as expected:-

# nslookup LOCAL_AD03.domain.local
Server: 10.0.3.1
Address: 10.0.3.1#53

Non-authoritative answer:
Name: LOCAL_AD03.domain.local
Address: 10.x.x.x

# telnet LOCAL_AD03.domain.local 88
Trying 10.x.x.x...
Connected to LOCAL_AD03.domain.local.
Escape character is '^]'.
Connection closed by foreign host.

# getent passwd jlewis
jlewis:*:54239:5513:Lewis, James:/home/DOMAIN/jlewis:/bin/bash

Clearly it picked up the "LOCAL_AD03.domain.local" from somewhere, since that's not in the configuration, and I can look up (and log in as my own user).

I don't know however why kinit is now having a problem (it did not when I explicitly specified the KDC servers).

The 3 most recently added users simply cannot authenticate, and this is where I'm convinced it is related to their AD accounts:-

# getent passwd otheruser
#

That said, I would much prefer not to explicitly specify stuff in the config if possible, since that's one less thing to maintain!

James

> Rowland

-- 
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
Rowland Penny
2017-Aug-21 17:00 UTC
[Samba] Windows pre-requisites for login with winbind?
On Mon, 21 Aug 2017 16:47:24 +0000 "A. James Lewis" <james at fsck.co.uk> wrote:

> It's the resolveconf DNS server on the machine hosting LXC, but yes,
> it is definitely able to resolve the AD server.
> [...]
> I don't know however why kinit is now having a problem (it did not
> when I explicitly specified the KDC servers).
> [...]
> That said, I would much prefer not to explicitly specify stuff in the
> config if possible, since that's one less thing to maintain!

One of the first things I do when setting up a Samba AD DC or Unix domain member is 'apt-get purge resolvconf'.

Kinit depends on dns; you need to point the Unix domain member at the AD DC (preferably) or a dns server that holds all the AD domain records.

Rowland
A. James Lewis
2017-Aug-21 17:13 UTC
[Samba] Windows pre-requisites for login with winbind?
I'm inclined to agree with you regarding resolveconf, but I don't think that's the issue here; clearly it was able to get the name and IP of the AD server.... and connect to it.

The error from kinit had the hostname of one of the AD servers in it, that name is not in the config, and that address was reachable... so I can't think that it's DNS.

What is worrying me is if this is valid, to have the domain in twice:-

cifs/LOCAL_AD02.domain.local at DOMAIN.LOCAL

in the kinit error from auth.log

I'd love to solve this issue too... but I started with one issue, and now I have 2... LOL!

James

August 21, 2017 6:02 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> One of the first things I do when setting up a Samba AD DC or Unix
> domain member is 'apt-get purge resolvconf'
>
> Kinit depends on dns, you need to point the Unix domain member at the
> AD DC (preferably) or a dns server that holds all the AD domain
> records.
>
> Rowland
Rowland Penny
2017-Aug-21 17:28 UTC
[Samba] Windows pre-requisites for login with winbind?
On Mon, 21 Aug 2017 17:13:12 +0000 "A. James Lewis" <james at fsck.co.uk> wrote:

> I'm inclined to agree with you regarding resolveconf, but I don't
> think that's the issue here, clearly it was able to get the name and
> IP of the AD server.... and connect to it.
>
> The error from kinit had the hostname of one of the AD servers in it,
> that name is not in the config, and that address was reachable... so
> I can't think that it's DNS.
>
> What is worrying me is if this is valid, to have the domain in
> twice:- cifs/LOCAL_AD02.domain.local at DOMAIN.LOCAL in the kinit error
> from auth.log
>
> I'd love to solve this issue too... but I started with one issue, and
> now I have 2... LOL!

That is perfectly normal, so stop worrying.

There is an easy way to try and prove if it is a dns problem (which i am sure it is).

ADD

<the DCs ipaddress> <the DCs hostname>.domain.local <the DCs hostname>

to /etc/hosts

Rowland
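As an added example (not code from the thread, nor Samba's own), a POSIX sh audit of the two files Rowland keeps coming back to, /etc/hosts and /etc/resolv.conf, encoding the checks he describes: the 127.0.1.1 loopback alias, the "<ip> <fqdn> <hostname>" line, and the search domain. It only inspects file contents, not live DNS; the hostnames, domain and the 10.0.3.25 address in demo() are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: offline audit of the two
# files Rowland asks about on a Unix AD domain member, encoding his advice:
#   - the Debian/Ubuntu default "127.0.1.1 <hostname>" line maps the host's own
#     name to loopback and should go;
#   - a "<ip> <hostname>.<domain> <hostname>" line with the real address lets
#     the FQDN resolve even when DNS misbehaves;
#   - resolv.conf must search the AD domain and list a nameserver (whether that
#     server holds the AD records cannot be checked offline).
# Names and addresses in demo() are constructed sample data.
# audit_hosts FILE HOSTNAME DOMAIN -> prints findings; returns a bitmask:
#   1 = "127.0.1.1 HOSTNAME" present, 2 = no FQDN line with a non-loopback IP
audit_hosts() {
    file=$1 host=$2 domain=$3 rc=0
    # Drop comments and blank lines once; both checks read the same records.
    records=$(sed 's/#.*//' "$file" | awk 'NF > 0')
    if printf '%s\n' "$records" | awk -v h="$host" '
        $1 == "127.0.1.1" { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) f = 1 }
        END { if (!f) exit 1 }'; then
        echo "WARN: 127.0.1.1 maps $host to loopback; remove that line"
        rc=$((rc | 1))
    fi
    if ! printf '%s\n' "$records" | awk -v fq="$host.$domain" '
        $1 !~ /^127\./ { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(fq)) ok = 1 }
        END { if (!ok) exit 1 }'; then
        echo "WARN: no '<ip> $host.$domain $host' line with a real address"
        rc=$((rc | 2))
    fi
    return $rc
}
# audit_resolv FILE DOMAIN -> bitmask: 1 = DOMAIN not in a search/domain line,
#   2 = no nameserver at all
audit_resolv() {
    file=$1 domain=$2 rc=0
    if ! awk -v d="$domain" '
        $1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) ok = 1 }
        END { if (!ok) exit 1 }' "$file"; then
        echo "WARN: $domain is not in the search list; short names will not expand"
        rc=$((rc | 1))
    fi
    if ! awk '$1 == "nameserver" { n++ } END { if (!n) exit 1 }' "$file"; then
        echo "WARN: no nameserver configured"
        rc=$((rc | 2))
    fi
    return $rc
}
# Demo on constructed copies of the files as posted, plus a corrected hosts file.
demo() {
    tmp=$(mktemp -d)
    printf '127.0.0.1 localhost\n127.0.1.1 hostname01\n' > "$tmp/hosts.posted"
    printf '127.0.0.1 localhost\n10.0.3.25 hostname01.domain.local hostname01\n' > "$tmp/hosts.fixed"
    printf 'search domain.local\nnameserver 10.0.3.1\n' > "$tmp/resolv.conf"
    for f in hosts.posted hosts.fixed; do
        echo "== $f"; audit_hosts "$tmp/$f" hostname01 domain.local && echo ok
    done
    echo "== resolv.conf"; audit_resolv "$tmp/resolv.conf" domain.local && echo ok
    rm -rf "$tmp"
}
demo
```

The hosts file as posted in the thread yields both warnings (exit 3); the corrected one passes, as does the posted resolv.conf, which is consistent with Rowland's point that the remaining question is what 10.0.3.1 actually serves.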
L.P.H. van Belle
2017-Aug-22 07:10 UTC
[Samba] Windows pre-requisites for login with winbind?
Hai

Since you're on ubuntu 17.04 (zesty) and samba 2:4.5.8+dfsg-0ubuntu0.17.04.5.
Now I don't know if you're able to upgrade your samba to 4.5.12 or at least 4.6.5.

But I would really recommend trying to upgrade to a higher version.
I suggest going through the changelogs, and see the winbind and kerberos related fixes so you understand why i say upgrade.
I suspect you have hit one or more of these bugs.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Monday 21 August 2017 19:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] Windows pre-requisites for login with winbind?
>
> That is perfectly normal, so stop worrying
>
> There is an easy way to try and prove if it is a dns problem
> (which i am sure it is)
>
> ADD
>
> <the DCs ipaddress> <the DCs hostname>.domain.local <the DCs hostname>
>
> to /etc/hosts
>
> Rowland
A. James Lewis
2017-Aug-22 10:27 UTC
[Samba] Windows pre-requisites for login with winbind?
Hi!

Indeed, this sounds like good advice... there are certainly bugs, I had to get the 7.04.5 package from "proposed" to resolve a PAM library issue!... although I suppose that's a packaging problem.

What is the best way to get an updated Samba package here? I'm trying to make this system reproducible, I have a single script that builds the entire container, and sets up an Xrdp terminal server with everything configured... Ideally I'd like to do it in a sustainable way!...

Perhaps migrating to 17.10 would be a good move at this point since 4.6.5 is available there, and ultimately my goal would be to have this built on 18.04 for some level of stability.... I'm sitting on 17.04 right now since the move to Gnome is not popular around here....

I guess I could install the 17.10 package on 17.04 for testing, watch this space... feedback to follow.

James

August 22, 2017 8:13 AM, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> But I would really recommend trying to upgrade to a higher version.
> I suggest going through the changelogs, and see the winbind and kerberos related fixes so you
> understand why i say upgrade.
> I suspect you have hit one or more of these bugs.
>
> Greetz,
>
> Louis
A. James Lewis
2017-Aug-22 11:09 UTC
[Samba] Windows pre-requisites for login with winbind?
Ahh, upgrading to 4.6.5 did not change my problem significantly, but it DID change the error message significantly... this might give some much better information to someone who knows how the code works!

Aug 22 11:59:01 hostname01 winbindd[451]: [2017/08/22 11:59:01.055174, 0] ../source3/libads/sasl.c:786(ads_sasl_spnego_bind)
Aug 22 11:59:01 hostname01 winbindd[451]: kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/local_ad01.domain.local with user[HOSTNAME01$] realm[DOMAIN.LOCAL]: No logon servers

I am still able to log in and list groups for long standing users, and not log in for more recently created users... but I am no longer able to list groups for the users I can't log in with!

James

August 22, 2017 11:31 AM, "A. James Lewis via samba" <samba at lists.samba.org> wrote:

> I guess I could install the 17.10 package on 17.04 for testing, watch this space... feedback to
> follow.
>
> James