Hello,
Sorry for taking so long to answer, but I was not able to do the tests
because the computer is in use and out of my office.
Finally I've progressed in this topic with realmd, sssd and autofs, but now
I'm locked on mounting shares from my member server.
I'm able to use autofs and smbclient to mount and connect to sysvol share
on my DC server, but when I try to connect to my member server I get this
error:
----------------
smbclient //server.domain.dom/escaner -U user -W DOMAIN.DOM -R host -k -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
added interface enp1s0 ip=192.168.0.xx bcast=192.168.0.255 netmask=255.255.255.0
Client started (version 4.3.11-Ubuntu).
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file
/var/run/samba/gencache_notrans.tdb: Permiso denegado
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file
/var/run/samba/gencache_notrans.tdb: Permiso denegado
resolve_hosts: Attempting host lookup for name server.domain.dom<0x20>
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file
/var/run/samba/gencache_notrans.tdb: Permiso denegado
Connecting to 192.168.0.xxx at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/server.domain.dom at DOMAIN.DOM
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
gss_init_sec_context failed with [ Miscellaneous failure (see text): Server (cifs/server at DOMAIN.DOM) unknown]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
----------
Have I missed something?
My member server has joined Samba DC and is able to authenticate the
Windows clients.
Thanks!!
2017-10-11 16:52 GMT+02:00 L.P.H. van Belle via samba <samba at
lists.samba.org>:
> Wohoo, finally I could help Rowland :-p ;-)
>
> I follow this as guidance:
>
> 1 server ( all in one ) use RID, easy to setup etc, but .. If you go to
> ... Or have plans to..
>
> 2 servers ( DC + a member )
> use backend RID if you don't need access with a windows account to
> a shared home folder. ( cifs or nfs )
> you use a dedicated local "linuxAdmin" for maintenance. (
> often the first created user in linux )
> use backend AD if you do need access with ssh for example or
> shared homefolders.
>
> 3 servers or more, all servers where ssh or access to a server with a shared
> folder is needed, use backend AD.
> advised is all servers with file shares.
> Optional, mix this with RID, for example for a dedicated print
> server, or proxy server (auth).
>
> I use setup 3.
> Multiple servers with AD and RID mixed on the members, based on function.
>
> A NFS pointer is.
> Make sure you set your home folder 755, kerberos ( MIT ), look for .klogin
> in the home dir.
> If the setup is too tight this fails. ( workaround: disable .klogin
> checking in krb5.conf )
> And nfs/hostname.FQDN needs to be added to HOSTNAME$ where it's needed.
>
> For Cifs. You may need to add these lines in krb5.conf; cifs uses them, nfs
> does not.
> ; for Windows 2008 with AES
> default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
> rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
> rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
> rc4-hmac des-cbc-crc des-cbc-md5
>
> Now here, if you see, Required keys not available, no matter what you do
> Then you probably are missing these lines in krb5.conf.
>
> The source I use for above info :
> http://www.cs.rug.nl/~jurjen/ApprenticesNotes/mount_ms_cifs_using_ad_krb.html
> http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_nfs4.html
>
> It's a .nl domain but it's in English ;-) and contains still good info.
> Just beware its based on debian squeeze.
> And handy to know.
> https://support.microsoft.com/en-us/help/977321/kdc-event-id-16-or-27-is-logged-if-des-for-kerberos-is-disabled
>
> Greetz,
>
> Louis
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
_________________________________________
Daniel Carrasco Marín
Ingeniería para la Innovación i2TIC, S.L.
Tlf: +34 911 12 32 84 Ext: 223
www.i2tic.com
_________________________________________
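The smbclient -d 3 output in this thread contains three distinct signals (an unreadable smb.conf, a gencache tdb the unprivileged user cannot open, and a KDC reply that the requested cifs/ principal is unknown), and telling them apart is the first step of the diagnosis. The following is an added example, not code from the thread or from Samba: it parses a constructed excerpt modelled on the log above (the list archive renders "@" as " at ", which the parser accepts) and names each signal; the suggestion to check SPNs with samba-tool on the DC is the author's assumption about the likely fix, not something the thread states.

```python
import re

# Constructed sample mirroring the smbclient -d 3 output quoted in the thread.
SAMPLE_LOG = """\
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file /var/run/samba/gencache_notrans.tdb: Permiso denegado
cli_session_setup_spnego: guessed server principal=cifs/server.domain.dom at DOMAIN.DOM
gss_init_sec_context failed with [ Miscellaneous failure (see text): Server (cifs/server at DOMAIN.DOM) unknown]
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
"""

# service/host followed by "@REALM", or the archive's " at REALM" rendering
PRINCIPAL = r"([A-Za-z0-9_-]+/[A-Za-z0-9._-]+)(?:@| at )([A-Za-z0-9.-]+)"


def diagnose(log):
    """Return (code, explanation) pairs for the failure patterns seen in the thread."""
    findings = []
    if "Can't load /etc/samba/smb.conf" in log:
        findings.append(("smbconf_unreadable",
                         "smb.conf could not be loaded, so the client ran with built-in "
                         "defaults; run testparm as the same user to see why"))
    if re.search(r"gencache_notrans\.tdb: (Permiso denegado|Permission denied)", log):
        findings.append(("gencache_permission",
                         "an unprivileged user cannot open /var/run/samba/gencache_notrans.tdb; "
                         "the connection still proceeds, as the log shows"))
    guessed = re.search(r"guessed server principal=" + PRINCIPAL, log)
    unknown = re.search(r"Server \(" + PRINCIPAL + r"\) unknown", log)
    if unknown:
        spn, realm = unknown.groups()
        # KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: the DC's KDC has no key for this name.
        text = (f"the KDC has no principal {spn}@{realm}: the SPN is not registered on "
                f"the member server's machine account (assumption: verify with "
                f"'samba-tool spn list' on the DC)")
        if guessed and guessed.group(1) != spn:
            text += (f"; the client first guessed {guessed.group(1)}@{guessed.group(2)}, "
                     "so make sure both the short and the FQDN form are registered")
        findings.append(("spn_unknown", text))
    return findings


if __name__ == "__main__":
    for code, why in diagnose(SAMPLE_LOG):
        print(f"{code}: {why}")
```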