On 09/01/15 18:56, Bob of Donelson Trophy wrote:
> On 2015-01-09 12:45, Rowland Penny wrote:
>> On 09/01/15 18:31, Bob of Donelson Trophy wrote:
>>> On 2015-01-09 11:40, Rowland Penny wrote:
>>>> On 09/01/15 17:26, Bob of Donelson Trophy wrote:
>>>>> On 2015-01-09 10:23, Rowland Penny wrote:
>>>>>> On 09/01/15 15:47, Bob of Donelson Trophy wrote:
>>>>>>> On 2015-01-09 09:27, Rowland Penny wrote:
>>>>>>>> On 09/01/15 15:00, Bob of Donelson Trophy wrote:
>>>>>>>>> On 2015-01-09 08:44, Rowland Penny wrote:
>>>>>>>>>
>>>>>>>>> W7 client "Preferred DNS server" is set to my DC.
>>>>>>>>>
>>>>>>>>> My DC looks like this:
>>>>>>>>>
>>>>>>>>> root@dtdc01:~# cat /etc/resolv.conf
>>>>>>>>> search dtshrm.local
>>>>>>>>> domain dtshrm.local
>>>>>>>>> nameserver 192.168.16.54
>>>>>>>>>
>>>>>>>>> root@dtdc01:~# cat /etc/network/interfaces
>>>>>>>>> # This file describes the network interfaces available on your system
>>>>>>>>> # and how to activate them. For more information, see interfaces(5).
>>>>>>>>>
>>>>>>>>> # The loopback network interface
>>>>>>>>> auto lo
>>>>>>>>> iface lo inet loopback
>>>>>>>>>
>>>>>>>>> # The primary network interface
>>>>>>>>> allow-hotplug eth0
>>>>>>>>> iface eth0 inet static
>>>>>>>>>         address 192.168.16.54
>>>>>>>>>         netmask 255.255.255.0
>>>>>>>>>         network 192.168.16.0
>>>>>>>>>         broadcast 192.168.16.255
>>>>>>>>>         gateway 192.168.16.106
>>>>>>>>>         # dns-* options are implemented by the resolvconf package, if installed
>>>>>>>>>         dns-nameservers 208.67.222.222
>>>>>>>>>         dns-search dtshrm.local
>>>>>>>>>
>>>>>>>>> root@dtdc01:~# cat /etc/hosts
>>>>>>>>> 127.0.0.1 localhost
>>>>>>>>> 192.168.16.54 dtdc01.dtshrm.lan dtdc01
>>>>>>>>>
>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>> ::1 localhost ip6-localhost ip6-loopback
>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>
>>>>>>>>> Should the /etc/resolv.conf be resolving to itself? (I chuckled at your "panic" comment. lol)
>>>>>>>>>
>>>>>>>>> Fix this first, checking for 'libnss_winbind.so.2' is next on my list for this morning.
>>>>>>>>
>>>>>>>> Firstly, what email client are you using? It appears to be doing weird things :-)
>>>>>>>>
>>>>>>>> Don't bother about libnss_winbind.so.2, you have it, what you don't have is the pam config file that automatically sets pam.
>>>>>>>>
>>>>>>>> This is my /etc/resolv.conf from my DC:
>>>>>>>>
>>>>>>>> nameserver 127.0.0.1
>>>>>>>> search example.lan
>>>>>>>>
>>>>>>>> It needs to point to itself and you do not need the domain line. domain & search are mutually exclusive and the last one wins.
>>>>>>>>
>>>>>>>> This is my /etc/network/interfaces
>>>>>>>>
>>>>>>>> # This file describes the network interfaces available on your system
>>>>>>>> # and how to activate them. For more information, see interfaces(5).
>>>>>>>>
>>>>>>>> # The loopback network interface
>>>>>>>> auto lo
>>>>>>>> iface lo inet loopback
>>>>>>>>
>>>>>>>> auto eth0
>>>>>>>> iface eth0 inet static
>>>>>>>>         address 192.168.0.2
>>>>>>>>         netmask 255.255.255.0
>>>>>>>>         network 192.168.0.0
>>>>>>>>         broadcast 192.168.0.255
>>>>>>>>         gateway 192.168.0.1
>>>>>>>>
>>>>>>>> I also turn off NetworkManager and stop it from starting at boot.
>>>>>>>>
>>>>>>>> When you installed your member server via Louis's script, did you alter this line:
>>>>>>>>
>>>>>>>> ENABLEPAMAUTH=0
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>
>>>>>>> Email client - Louis' email came back looking weird. Don't know about that.
>>>>>>>
>>>>>>> How do I "turn off NetworkManager" in Debian? (I didn't think it was on a server non-gui install?)
>>>>>>
>>>>>> Ah, didn't know that, you do not have it running.
>>>>>>
>>>>>>> And I have not altered any PAM lines so I have not changed ENABLEPAMAUTH=0 however, where is it so I can go check it?
>>>>>>
>>>>>> It is in Louis's script, line 100 and if you change it to 1 it runs a block of code starting at line 349, this modifies /etc/pam.d/samba.
>>>>>>
>>>>>> This is not what happens if you install libnss-winbind & libpam-winbind with the debian samba4 packages, unfortunately you cannot install these with the sernet packages, but most of the contents of those two packages are in sernet-samba-libs, except for the pam config file:
>>>>>>
>>>>>> /usr/share/pam-configs/winbind
>>>>>>
>>>>>> Name: Winbind NT/Active Directory authentication
>>>>>> Default: yes
>>>>>> Priority: 192
>>>>>> Auth-Type: Primary
>>>>>> Auth:
>>>>>>         [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>>>>>> Auth-Initial:
>>>>>>         [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
>>>>>> Account-Type: Primary
>>>>>> Account:
>>>>>>         [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
>>>>>> Password-Type: Primary
>>>>>> Password:
>>>>>>         [success=end default=ignore] pam_winbind.so use_authtok try_first_pass
>>>>>> Password-Initial:
>>>>>>         [success=end default=ignore] pam_winbind.so
>>>>>> Session-Type: Additional
>>>>>> Session:
>>>>>>         optional pam_winbind.so
>>>>>>
>>>>>> You may have to run 'pam-auth-update' and select winbind.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>> --
>>>>>>> -------------------------
>>>>>>> Bob Wooden of Donelson Trophy
>>>>>>> 615.885.2846 (main)
>>>>>>> www.donelsontrophy.com [1]
>>>>>>> "Everyone deserves an award!!"
>>>>>
>>>>> Okay, I have resolved my (stupid Windows) "No internet access" issue on my lone W7 client.
>>>>>
>>>>> Moving forward with resolving my "getting NT_STATUS_LOGON_FAILURE" issue.
>>>>>
>>>>> I went to my (modified for me) script and I had "ENABLEPAMAUTH=0" and "ENABLEPAMSSH=0". Maybe I should simply restore my member server with 'pre-script backup' and re-run the script with these two options enabled (set to 1)? Should I enable both or just the "ENABLEAUTH"?
>>>>>
>>>>> Or can we (with your help, I hope) correct this issue?
>>>>
>>>> As you have a backup, try creating the pam-config script I posted and then run 'pam-auth-update --package', this should get you the same pam setup as my member server.
>>>>
>>>> Rowland
>>>
>>> Maybe I am about to do this incorrectly. I created the config file (you sent me) with 'vi /usr/share/pam-configs/winbind' and then started to run "pam-auth-update". Now do I update all three services listed (Kerberos, Unix and Winbind) or just winbind only?
>>
>> All three
>>
>> Rowland
>
> Do I need to install libnss-winbind & libpam-winbind? And if so, with apt-get?

you cannot install them, this is because you are using the sernet packages, libnss-winbind & libpam-winbind depend on samba packages that don't start with 'sernet'

If it is of any help, I now have a sernet-samba member server running on Debian 7.7 in a VM and it works, I followed Louis's script (mostly), I changed the winbind ranges to match my setup.

Rowland
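
The resolver advice quoted in this message (the DC's resolv.conf should point to itself, and domain/search are mutually exclusive with the last one winning), as an added example that is not part of the original thread. It audits constructed copies of the two resolv.conf files quoted above plus a constructed third file that lists only the upstream address 208.67.222.222; the function name resolv_audit and the rule that loopback or the host's own address counts as "itself" are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread.
# resolv_audit FILE OWN_IP: prints one finding per line, returns 1 if any.
resolv_audit() {
    out=$(awk -v own="$2" '
        $1 == "domain" || $1 == "search" {
            if (kw != "" && kw != $1) both = 1
            kw = $1
            # resolv.conf(5): the keywords are mutually exclusive and the
            # last instance wins, so remember only the most recent value.
            eff = $0; sub(/^[a-z]+[ \t]+/, "", eff)
        }
        $1 == "nameserver" { if (++n == 1) first = $2 }
        END {
            if (both) print "WARN domain+search both set, effective: " eff
            if (n == 0) print "FAIL no nameserver"
            # Assumption: loopback or the host address means "itself".
            else if (first != "127.0.0.1" && first != "::1" && first != own)
                print "FAIL first nameserver " first " is not this host"
        }' "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample inputs; the values come from the configs quoted above.
SAMPLES=$(mktemp -d)
printf 'search dtshrm.local\ndomain dtshrm.local\nnameserver 192.168.16.54\n' \
    > "$SAMPLES/posted"
printf 'nameserver 127.0.0.1\nsearch example.lan\n' > "$SAMPLES/advised"
printf 'search dtshrm.local\nnameserver 208.67.222.222\n' > "$SAMPLES/external"

for f in posted advised external; do
    echo "== $f"
    resolv_audit "$SAMPLES/$f" 192.168.16.54 || true
done
```

On a real DC the call would be resolv_audit /etc/resolv.conf followed by the DC's own address.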

On 2015-01-09 13:43, Rowland Penny wrote:
> On 09/01/15 18:56, Bob of Donelson Trophy wrote:
>> On 2015-01-09 12:45, Rowland Penny wrote:
>>> On 09/01/15 18:31, Bob of Donelson Trophy wrote:
>>>> Maybe I am about to do this incorrectly. I created the config file (you sent me) with 'vi /usr/share/pam-configs/winbind' and then started to run "pam-auth-update".
>>>> Now do I update all three services listed (Kerberos, Unix and Winbind) or just winbind only?
>>>
>>> All three
>>>
>>> Rowland
>>
>> Do I need to install libnss-winbind & libpam-winbind? And if so, with apt-get?
>
> you cannot install them, this is because you are using the sernet packages, libnss-winbind & libpam-winbind depend on samba packages that don't start with 'sernet'
>
> If it is of any help, I now have a sernet-samba member server running on Debian 7.7 in a VM and it works, I followed Louis's script (mostly), I changed the winbind ranges to match my setup.
>
> Rowland

Rowland,

I like to keep life as simple as I can. What I think you're saying is that Louis' script works (mostly) and it is very simple for me to return to a post installed sernet-samba state and re-run Louis' script with the ENABLEPAMAUTH=1 option engaged.

At this point I only have profiles working so, I am not losing much.

Last question for today, do I also ENABLEPAMAUTHSSH=1? I think yes, but . . .

--
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com [1]
"Everyone deserves an award!!"

Links:
------
[1] http://www.donelsontrophy.com

On 09/01/15 20:16, Bob of Donelson Trophy wrote:
> On 2015-01-09 13:43, Rowland Penny wrote:
>> On 09/01/15 18:56, Bob of Donelson Trophy wrote:
>>> On 2015-01-09 12:45, Rowland Penny wrote:
>>>> On 09/01/15 18:31, Bob of Donelson Trophy wrote:
>>>>> Maybe I am about to do this incorrectly.
>>>>> I created the config file (you sent me) with 'vi /usr/share/pam-configs/winbind' and then started to run "pam-auth-update". Now do I update all three services listed (Kerberos, Unix and Winbind) or just winbind only?
>>>>
>>>> All three
>>>>
>>>> Rowland
>>>
>>> Do I need to install libnss-winbind & libpam-winbind? And if so, with apt-get?
>>
>> you cannot install them, this is because you are using the sernet packages, libnss-winbind & libpam-winbind depend on samba packages that don't start with 'sernet'
>>
>> If it is of any help, I now have a sernet-samba member server running on Debian 7.7 in a VM and it works, I followed Louis's script (mostly), I changed the winbind ranges to match my setup.
>>
>> Rowland
>
> Rowland,
>
> I like to keep life as simple as I can. What I think you're saying is that Louis' script works (mostly) and it is very simple for me to return to a post installed sernet-samba state and re-run Louis' script with the ENABLEPAMAUTH=1 option engaged.
>
> At this point I only have profiles working so, I am not losing much.
>
> Last question for today, do I also ENABLEPAMAUTHSSH=1? I think yes, but . . .

OK, to keep it simple, copy the attached tarball to your member server, untar it with 'tar zxf pam-update.sh.tar.gz', then run the script with 'bash ./pam-update.sh', this must be done as root. Your sernet-samba member server will then match mine.

Rowland
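
One way to confirm that pam-auth-update applied the winbind profile discussed in this thread, as an added example that is not part of the original messages and is not the attached pam-update.sh. It checks the Debian common-* stacks for an active pam_winbind.so line; the function name pam_winbind_check, the sample stack files and the ordering rule (pam_winbind.so ahead of pam_deny.so in the stacks the profile marks Primary) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.
# pam_winbind_check DIR: reports each common-* stack in DIR that has no active
# pam_winbind.so line, or (Primary stacks only) has it after pam_deny.so.
pam_winbind_check() {
    rc=0
    for stack in auth account password session; do
        f="$1/common-$stack"
        if [ ! -r "$f" ]; then echo "common-$stack: missing file"; rc=1; continue; fi
        res=$(awk -v t="$stack" '
            /^[ \t]*(#|$)/ { next }      # skip comments and blank lines
            $1 != t { next }             # only lines of this stack type
            /pam_deny\.so/ && !deny { deny = NR }
            /pam_winbind\.so/ && !wb { wb = NR }
            END {
                if (!wb) print "no pam_winbind.so line"
                # The profile declares Session-Type: Additional, so the
                # ordering rule is applied to the Primary stacks only.
                else if (t != "session" && deny && deny < wb)
                    print "pam_winbind.so after pam_deny.so"
            }' "$f")
        if [ -n "$res" ]; then echo "common-$stack: $res"; rc=1; fi
    done
    return $rc
}

# Constructed samples modelled on pam-auth-update output (not from the thread).
D=$(mktemp -d); mkdir "$D/before" "$D/after"
for s in auth account password; do
    printf '%s [success=1 default=ignore] pam_unix.so\n%s requisite pam_deny.so\n%s required pam_permit.so\n' \
        "$s" "$s" "$s" > "$D/before/common-$s"
    printf '# constructed sample\n%s [success=2 default=ignore] pam_unix.so\n%s [success=1 default=ignore] pam_winbind.so\n%s requisite pam_deny.so\n%s required pam_permit.so\n' \
        "$s" "$s" "$s" "$s" > "$D/after/common-$s"
done
printf 'session required pam_unix.so\n' > "$D/before/common-session"
printf 'session requisite pam_deny.so\nsession required pam_unix.so\nsession optional pam_winbind.so\n' \
    > "$D/after/common-session"

for d in before after; do
    echo "== $d"
    pam_winbind_check "$D/$d" || true
done
```

On a member server the call would be pam_winbind_check /etc/pam.d, run after pam-auth-update.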