Hello Samba list!
I have installed Samba, joined it to the AD domain (let's say EXAMPLE.COM)
and can auth against it with kinit.
There are also 2 domains that we have a trust established with. Let's say
trust1 and trust2.
When I do a wbinfo -u I get:
Trust1+username
Trust2+username
I get nothing from the local domain.
I have a share set up for testing, but I cannot access it at all, I get
prompted for a username and password.
I will include the configs from everything at the bottom of this email.
I'm sure it's something that I'm just overlooking, it usually is ;)
TIA
-reno
Configs:
Smb.conf
[global]
netbios name = sambaserver
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind gid = 10000-20000
workgroup = WORKGROUP <changed name to protect the innocent>
os level = 20
winbind enum groups = yes
socket address = 192.168.1.2
password server = ADSERVER
preferred master = no
winbind separator = +
max log size = 50
log file = /var/log/samba3/log.%m
encrypt passwords = yes
dns proxy = no
realm = EXAMPLE.COM <once again, name change>
security = ADSERVER
wins server = 192.168.1.1
wins proxy = no
[test]
comment = Test Share
writeable = yes
path = /samba/test
force user = DOMAIN+user
browsable = yes
available = yes
krb5.conf
[libdefaults]
ticket_lifetime = 600
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
EXAMPLE.COM = {
kdc = adserver.example.com:88
nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files
kdc.conf
[kdcdefaults]
kdc_ports = 88,750
[realms]
EXAMPLE.COM = {
database_name = /etc/krb5kdc/principal
admin_keytab = /etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
dict_file = /etc/krb5kdc/kadm5.dict
key_stash_file = /etc/krb5kdc/.k5.EXAMPLE.COM
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
}
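An added example, not from any of the posters and not a Samba tool: a small POSIX shell linter for the AD-member settings in an smb.conf [global] section, run on a constructed copy of the globals posted above. The parameter names and the set of accepted values for security (user, share, server, domain, ads) are Samba's; the smb_param and lint_ad_member functions and the sample text are assumptions of this example. Its one finding on the posted config is that ADSERVER is not one of the accepted values for security, so smbd warns, ignores it and keeps the default of user, which is not an AD-member configuration at all.

```shell
#!/bin/sh
# Constructed sample: the [global] settings from the posted smb.conf, minus the
# name-change annotations. Not an actual file from the poster's server.
SAMPLE_SMB_CONF='[global]
netbios name = sambaserver
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
workgroup = WORKGROUP
password server = ADSERVER
winbind separator = +
realm = EXAMPLE.COM
security = ADSERVER
'

# Same config with the security line corrected, used for comparison below.
FIXED_SMB_CONF=$(printf '%s\n' "$SAMPLE_SMB_CONF" | sed 's/^security = ADSERVER$/security = ads/')

# smb_param CONFIG_TEXT NAME: print the value of the first line whose key equals
# NAME (case-insensitive, internal whitespace collapsed), or nothing if absent.
# Splits on the first "=" only, so values such as SO_RCVBUF=16384 survive intact.
smb_param() {
    printf '%s\n' "$1" | awk -v key="$2" '
        BEGIN { key = tolower(key); gsub(/[ \t]+/, " ", key) }
        /^[ \t]*[;#]/ || /^[ \t]*\[/ { next }        # comments and section headers
        {
            i = index($0, "=")
            if (i == 0) next
            k = tolower(substr($0, 1, i - 1)); gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            v = substr($0, i + 1);              gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# lint_ad_member CONFIG_TEXT: print one line per finding, return 0 if none.
lint_ad_member() {
    conf="$1"; rc=0
    sec=$(smb_param "$conf" security | tr 'A-Z' 'a-z')
    case "$sec" in
        ads) ;;
        user|share|server|domain)
            echo "security = $sec: an AD member using Kerberos and trusted domains needs security = ads"; rc=1 ;;
        '') echo "security: not set, so the default (user) applies; set security = ads"; rc=1 ;;
        *)  echo "security = $sec: not an accepted value (user, share, server, domain, ads); Samba warns, ignores it and keeps the default (user)"; rc=1 ;;
    esac
    for p in realm workgroup; do
        [ -n "$(smb_param "$conf" "$p")" ] || { echo "$p: not set, required for an AD member"; rc=1; }
    done
    for p in "idmap uid" "idmap gid"; do
        range=$(smb_param "$conf" "$p")
        case "$range" in
            [0-9]*-[0-9]*) ;;
            *) echo "$p = '$range': expected a LOW-HIGH range; without it winbind cannot map SIDs to Unix ids"; rc=1 ;;
        esac
    done
    return $rc
}

echo "Posted smb.conf:"
lint_ad_member "$SAMPLE_SMB_CONF"
echo "Corrected smb.conf:"
lint_ad_member "$FIXED_SMB_CONF" && echo "no findings"
```

Run it as-is to see the single finding on the posted globals and a clean result on the corrected copy; to check a real server, replace the sample string with `$(cat /etc/samba/smb.conf)`. The linter deliberately does not touch the network: `wbinfo -t` and `getent passwd` remain the checks for whether the corrected configuration actually works against the domain.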
I was getting the same thing here until I used this: wbinfo --set-auth-user=user%password and gave it a valid user account on the primary domain to authenticate with. Not sure if I still need it or not for regular authentication to shares.

Romanin, Reno wrote:
> Hello Samba list!
> I have installed Samba, joined it to the AD domain (let's say EXAMPLE.COM)
> and can auth against it with kinit.
> [...]
Please disregard. Wrong e-mail.

---- "Thomas M. Skeren III" <tms3@fsklaw.com> wrote:
> SNIP
>
> >> I have a share set up for testing, but I cannot access it at all, I get
> >> prompted for a username and password.
>
> Um...have you changed PAM to allow logins authenticated from ADS. If
> not, you will get exactly that message when accessing a share.
>
> [...]