Rowland Penny
2017-Aug-22 12:13 UTC
[Samba] Windows pre-requisites for login with winbind?
On Tue, 22 Aug 2017 12:01:20 +0000 "A. James Lewis via samba" <samba at lists.samba.org> wrote:

> Indeed!... you are correct... this does appear to be the kerberos
> issue uncovered by Rowland's pointing out that I should not need to be
> manually defining "kdc =", in my krb5.conf.... so with that resolved,
> I'm hoping we can also find the cause of my original problem.
>
> Incidentally, this was my solution to upgrading Samba on my 17.04
> test server, I think moving to 17.10 will ultimately have to be the
> solution, but this let me carry on debugging this problem quickly.
>
> apt-get remove libnss-winbind libpam-winbind samba winbind
> apt-get autoremove
> cd /etc/apt/
> sed -i "s,zesty,artful,g" sources.list
> apt-get install samba libnss-winbind libpam-winbind winbind
> sed -i "s,artful,zesty,g" sources.list
> apt-get update
> apt-get dist-upgrade
>
> James

Do you also have the following packages installed:

libpam-krb5 krb5-config krb5-user

Rowland
Nicolas Zuber
2017-Aug-22 12:46 UTC
[Samba] Mapping subfolder of a samba share in Windows fails with access denied
On 22.08.2017 at 13:54, Rowland Penny via samba wrote:

> On Tue, 22 Aug 2017 13:21:31 +0200
> Nicolas Zuber <n.zuber at physik.uni-stuttgart.de> wrote:
>
>>> I take that the workgroup name should be 'PI5' instead of 'TEST'
>>> Also you have 'vfs objects = acl_xattr' in [global], so you don't
>>> need it in the shares. Both shares seem to be the same path, so why
>>> two shares ?
>> You are right, the workgroup name is 'PI5' and I will remove the
>> duplicated 'acl_xattr'. The path is the same, because samba is
>> directly accessing the gluster via gluster vfs without the fuse
>> layer. As far as I understood the path in this configuration is
>> relative to the gluster volume rather than to the local filesystem.
>> Because I have two different gluster volumes (users and shares), I
>> need two different shares.
> OK, never having used a cluster, I was not aware of this.

I mounted the gluster volume with

mount -t glusterfs -o acl localhost:/data /gluster/mnt/data

and shared the mounted folder with samba. Now I am able to map subfolders of the share in Windows and also the messages in the samba.log file disappeared. I will use this as a workaround for now. It seems to me that the problem has something to do with the gluster vfs.

>> Until now I set the permissions of files and folders with a Windows
>> client. For this I set the three parameters in the '[global]'
>> configuration section
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>>
>> as described in the samba wiki :
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> What part of the configuration indicates the use of Posix ACLS?
> create mask = 0700
> directory mask = 0700
>
> If you are using Windows ACLs, you should remove them.
>
> Rowland

Thank you for your help, I will remove them.

Nicolas
L.P.H. van Belle
2017-Aug-22 13:21 UTC
[Samba] Windows pre-requisites for login with winbind?
You did not look right, it should be there.
https://packages.ubuntu.com/zesty/libpam-krb5
https://packages.ubuntu.com/artful/libpam-krb5

Check this folder to see if "winbind unix krb5" is there.
ls /usr/share/pam-configs

And run pam-auth-update --force to update the files.
! Note, krb5 has by default set : minimum_uid=1000

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of A. James Lewis via samba
> Sent: Tuesday 22 August 2017 15:02
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] Windows pre-requisites for login with winbind?
>
> I have krb5-config krb5-user, but not libpam-krb5... I'm
> slightly fuzzy about how this works, but I thought the
> interaction with kerberos was implemented via winbind, so I
> wasn't expecting this package to be installed... certainly
> there is no dependency that has pulled it in.
>
> James
A. James Lewis
2017-Aug-22 14:59 UTC
[Samba] Windows pre-requisites for login with winbind?
August 22, 2017 2:32 PM, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> You did not look right, it should be there.

# aptitude search libpam-krb5
p libpam-krb5 - PAM module for MIT Kerberos
p libpam-krb5:i386 - PAM module for MIT Kerberos

Not installed.

> https://packages.ubuntu.com/zesty/libpam-krb5
> https://packages.ubuntu.com/artful/libpam-krb5
>
> Check this folder to see if "winbind unix krb5" is there.
> ls /usr/share/pam-configs

# ls /usr/share/pam-configs
capability gnome-keyring mkhomedir systemd unix winbind

> And run pam-auth-update --force to update the files.
> ! Note, krb5 has by default set : minimum_uid=1000

I have tried installing libpam-krb5, and it adds the following line to common-,auth,passwd,account and session:-

auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000

However, with that configuration, no users can log in (could this be because the AD server had no RFC2307 unix extensions)... so I have removed the package, and now I'm back to the situation where only the 3 most recent users cannot log in.

Note that the users who can't log in, can authenticate with kinit!

> Greetz,
>
> Louis

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
L.P.H. van Belle
2017-Aug-23 06:25 UTC
[Samba] Windows pre-requisites for login with winbind?
Hi,

Well, at least you did find something.
This gets my attention.

> I have tried installing libpam-krb5, and it adds the
> following line to common-,auth,passwd,account and session:-
>
> auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
>
> However, with that configuration, no users can log in (could
> this be because the AD server had no RFC2307 unix
> extensions)... so I have removed the package, and now I'm
> back to the situation where only the 3 most recent users
> cannot log in.
>
> Note that the users who can't log in, can authenticate with kinit!

This is strange, if you install the libpam-krb5, you should still be able to login.
What you can try here is run pam-auth-update
Only enable unix winbind ( and if installed kerberos ) and if really needed mkhomedir.

Now add Rowland's comment :

> Well, yes you probably have, that comes from the libpam-winbind package,
> you just need the 'glue' that comes from the libpam-krb5 package.

pam-auth-update does this.

And what kind of messages are you seeing in auth.log when you tried the krb5 option and users were not able to login.
Any messages there?
And windows event id's ?

Greetz,

Louis
A. James Lewis
2017-Aug-23 13:27 UTC
[Samba] Windows pre-requisites for login with winbind?
I have to confess here, that on trying again, to get the error... I restarted everything to ensure there were no errant messages, and now installing libpam-krb5 does not cause a problem... the users are assigned a kerberos ticket when logging in which is nice too... I must thank you and Rowland both, since I have learned a lot about how Kerberos works in this process, and debugged some issues that would probably have bitten me in future.

However, my original problem remains!... That problem is more clearly defined now, "Some users do not show up with 'getent passwd username', while most do."

Those users can authenticate with Kerberos, and they are listed by wbinfo... but cannot log in, since they don't have a "password file entry".

What I need to find out is how it is that some users can authenticate, and are listed by wbinfo... BUT do not get mapped into what would be the password map.

Could it be that one side or the other is not supporting 32 bit UID's... how would I tell?... can I query what the output of IDMAP would be with something like wbinfo, rather than getent passwd... so that I can see if there is an issue here?

How to go about debugging the IDMAP!?.

James

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
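
One way to inspect the ID mapping directly with wbinfo instead of getent passwd, as an added example that is not part of the thread or of Samba's own code. It assumes the domain uses the idmap "rid" backend (the thread does not say which backend is configured) and checks whether an account's RID still fits inside the configured idmap range; the domain name EXAMPLE, the ranges and the SIDs are constructed values.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the idmap "rid" backend;
# the domain name, ranges and SIDs in the demo are constructed values.

# Print "LOW HIGH" from 'idmap config DOMAIN : range = LOW-HIGH'.
# $1 = smb.conf text (e.g. output of `testparm -s`), $2 = DOMAIN or '*'.
idmap_range() {
    printf '%s\n' "$1" | awk -F= -v dom="$2" '
    {
        key = $1; gsub(/[ \t]/, "", key)
        if (key == ("idmapconfig" dom ":range")) {
            val = $2; gsub(/[ \t]/, "", val)
            split(val, r, "-"); print r[1], r[2]; exit
        }
    }'
}

# idmap_rid computes ID = RID - BASE_RID + LOW. Print the uid, or
# "unmapped" (status 1) when the result falls outside LOW..HIGH.
# $1 = SID, $2 = LOW, $3 = HIGH, $4 = BASE_RID (default 0).
rid_to_uid() {
    rid=${1##*-}; base=${4:-0}
    uid=$(($rid - $base + $2))
    if [ "$rid" -lt "$base" ] || [ "$uid" -gt "$3" ]; then
        echo unmapped; return 1
    fi
    echo "$uid"
}

# Live comparison for one account; needs winbindd running on the member.
# $1 = account as winbind knows it (e.g. 'DOMAIN\user'), $2 = DOMAIN.
diagnose_user() {
    range=$(idmap_range "$(testparm -s 2>/dev/null)" "$2")
    [ -n "$range" ] || { echo "no idmap range for $2" >&2; return 1; }
    sid=$(wbinfo -n "$1" | awk '{print $1}')
    [ -n "$sid" ] || { echo "winbind cannot resolve $1" >&2; return 1; }
    echo "sid:      $sid"
    echo "range:    $range"
    echo "expected: $(rid_to_uid "$sid" ${range% *} ${range#* })"
    echo "winbind:  $(wbinfo -S "$sid" 2>&1)"
    echo "nss:      $(getent passwd "$1" || echo 'no passwd entry')"
}

# Constructed sample configuration and SIDs for an offline run.
SAMPLE_CONF='[global]
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-19999'

demo() {
    set -- $(idmap_range "$SAMPLE_CONF" EXAMPLE)
    for s in S-1-5-21-1-2-3-1104 S-1-5-21-1-2-3-10105; do
        echo "$s -> $(rid_to_uid "$s" "$1" "$2")"
    done
}
demo
```

On a domain member, `diagnose_user 'EXAMPLE\jdoe' EXAMPLE` prints the SID from wbinfo -n, the uid the rid formula predicts, what wbinfo -S returns and the getent passwd result side by side. An account that wbinfo lists but that comes out "unmapped" has a RID too high for the configured range, which is one condition worth ruling out when only recently created accounts lack a passwd entry.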