Hi Jeremy,

I forgot to mention this. All these strange behaviors occurred when winbind was turned off. If I turn on winbind, this problem could be resolved, i.e. at least it allowed me to log in as YALE\zs24, but it always said 'access is denied' even when I input the correct password. Maybe something is wrong with the Samba settings. Here is my smb.conf file. Does anything look unusual? I'm not sure about the idmap config part, especially the range and backend.

Thanks.
Zhongdong

[global]

netbios name = HECATE
workgroup = YALE
realm = YU.YALE.EDU
server string = PET Center Samba Server
security = ADS
#2017-11-23 zs24, allow ntlm which is still used by some local accounts and old Windows XP machines.
ntlm auth = yes
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
min protocol = NT1

kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config YALE : backend = sss
idmap config YALE : range = 200000-2147483647
machine password timeout = 0

-----Original Message-----
From: Jeremy Allison <jra at samba.org>
Sent: Monday, May 6, 2024 5:50 PM
To: Sun, Zhongdong <zhongdong.sun at yale.edu>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba domain name in short format

On Mon, May 06, 2024 at 09:03:14PM +0000, Sun, Zhongdong via samba wrote:
> Hi Rowland,
>
> Thanks for your quick response.
>
> Yes, it's Samba+sssd+krb5+AD. So many technologies wrapped together,
> and I don't know which part can go wrong. We managed to make them work
> together with the full domain name format such as yu.yale.edu\zs24.
> But it didn't work with the short format such as YALE\zs24. When I did this on a
> Windows computer, it reported "We can't sign you in with this
> credential because your domain isn't available."
> This seems to be a DNS issue, because it cannot convert 'YALE' to its full name 'yu.yale.edu'.

Yep, it's DNS. The client can't get a krb5 ticket for the server as the full hostname isn't correct.
On Tue, 7 May 2024 01:34:58 +0000
"Sun, Zhongdong via samba" <samba at lists.samba.org> wrote:

> Hi Jeremy,
>
> I forgot to mention this. All these strange behaviors occurred when
> winbind was turned off.

You cannot turn winbind off on a Samba AD domain member; it must be running, and if winbind is running, you do not need sssd.

> If I turn on winbind, this problem could be
> resolved, i.e. at least it allowed me to log in as YALE\zs24, but it
> always said 'access is denied' even when I input the correct password.
> Maybe something is wrong with the Samba settings. Here is my smb.conf
> file. Does anything look unusual? I'm not sure about the idmap config
> part, especially the range and backend.
>
> Thanks.
> Zhongdong
>
> [global]
>
> netbios name = HECATE
> workgroup = YALE
> realm = YU.YALE.EDU
> server string = PET Center Samba Server
> security = ADS
> #2017-11-23 zs24, allow ntlm which is still used by some local
> accounts and old Windows XP machines.
> ntlm auth = yes
> client NTLMv2 auth = yes
> client lanman auth = no
> client plaintext auth = no
> min protocol = NT1
>
> kerberos method = secrets and keytab
> idmap config * : backend = tdb
> idmap config * : range = 10000-199999
> idmap config YALE : backend = sss
> idmap config YALE : range = 200000-2147483647
> machine password timeout = 0
>

I have very little knowledge about the 'sss' idmap backend, mainly because I do not use it, but the above appears to be correct.

You say that 'yu.yale.edu\zs24' works, but 'YALE\zs24' doesn't. The first is using the DNS domain and the second is using the NetBIOS domain name (aka workgroup). I use the 'rid' idmap backend with winbind and it is the opposite way around for me: 'SAMDOM\rowland' works, 'samdom.example.com\rowland' doesn't.

As you do not have a Red Hat contract, can I suggest you set up a Rocky Linux 9 machine (in a VM will do) and I will talk you through setting up a Unix domain member on it using winbind; that way you will be able to see what works.

Rowland
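The idmap ranges in the posted smb.conf are the part Zhongdong was unsure about, and Rowland judged them correct. As an added example, not code from either poster or from the Samba project, here is a small checker that parses the idmap config lines, confirms that a default '*' domain exists and that no two ranges overlap (overlapping ranges would let two domains map to the same Unix IDs), and separately flags the two legacy settings in that config that keep SMB1 and NTLMv1 enabled. The sample text is a constructed excerpt of the [global] section above.

```python
import re

# Constructed sample: the idmap and auth lines from the [global] section posted above.
SAMPLE_SMB_CONF = """\
ntlm auth = yes
min protocol = NT1
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config YALE : backend = sss
idmap config YALE : range = 200000-2147483647
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (lo, hi)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            entry = domains.setdefault(dom, {})
            if key == "range":
                entry["range"] = tuple(int(x) for x in val.split("-"))
            else:
                entry["backend"] = val.lower()
    return domains

def check_idmap(domains):
    """Return problem strings; an empty list means the idmap layout is consistent."""
    problems = []
    if "*" not in domains:
        problems.append("no default '*' idmap domain configured")
    # Ranges must not overlap, or two domains could map to the same Unix IDs.
    ranges = sorted((e["range"], d) for d, e in domains.items() if "range" in e)
    for (r1, d1), (r2, d2) in zip(ranges, ranges[1:]):
        if r2[0] <= r1[1]:
            problems.append(f"ranges for {d1} and {d2} overlap")
    return problems

def check_legacy_auth(conf):
    """Flag settings that keep SMB1 or NTLMv1 enabled, as the posted config does."""
    flags = []
    for line in conf.splitlines():
        k, _, v = (p.strip().lower() for p in line.partition("="))
        if k == "min protocol" and v == "nt1":
            flags.append("min protocol = NT1 allows SMB1 clients")
        elif k == "ntlm auth" and v == "yes":
            flags.append("ntlm auth = yes permits NTLMv1 authentication")
    return flags
```

Run against a real file with `check_idmap(parse_idmap(open("/etc/samba/smb.conf").read()))`; `testparm` remains the authoritative syntax check, this only covers the range and legacy-auth questions raised in the thread.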