Hello,

I have different Sites in my domain and want the different members to use the respective domain controller of their site.

I can't get this to work right. I have a member that is in site B but executing "net ads info" outputs the DC of site A as active.

I read about enabling "winbind_krb5_locator", but it is already located in "/usr/lib/x86_64-linux-gnu/krb5/plugins/krb5/".

Winbind also does not generate a krb5.conf, even with the option "create krb5 conf" explicitly set to yes.

I am using SerNet Samba 4.2.3 as DC and Member.

Any suggestions?

Greetings,
Felix

On 13/08/15 10:47, Felix Matouschek wrote:
> Hello,
>
> I have different Sites in my domain and want the different members to use the respective domain controller of their site.
>
> I can't get this to work right. I have a member that is in site B but executing "net ads info" outputs the DC of site A as active.
>
> I read about enabling "winbind_krb5_locator", but it is already located in "/usr/lib/x86_64-linux-gnu/krb5/plugins/krb5/".
>
> Winbind also does not generate a krb5.conf, even with the option "create krb5 conf" explicitly set to yes.

Have you tried looking in /var/run/samba/smb_krb5 on the member server?

Rowland

>
> I am using SerNet Samba 4.2.3 as DC and Member.
>
> Any suggestions?
>
> Greetings,
> Felix

Hi Rowland,

/var/run/samba/smb_krb5 does not exist.

However /var/cache/samba/smb_krb5 exists, there is a file named "krb5.conf.INTRANET".

Contents:

[libdefaults]
    default_realm = INTRANET.VIPCO.DE
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5

[realms]
    INTRANET.VIPCO.DE = {
        kdc = 192.168.0.197
        kdc = 192.168.122.1
    }

Doesn't that mean 192.168.0.197 is the primary kdc? 192.168.122.1 should be primary kdc for that machine.

Greetings,
Felix

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Thursday, 13 August 2015 12:57
To: samba at lists.samba.org
Subject: Re: [Samba] winbind_krb5_locator usage

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

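An added example, not part of the original thread: a small Python check for the condition discussed in the message above, namely which kdc entry comes first in the winbind-generated krb5.conf and whether it lies in the member's own site. The site subnet 192.168.122.0/24 and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the [realms] stanza quoted in the thread.
SAMPLE = """\
[libdefaults]
    default_realm = INTRANET.VIPCO.DE
[realms]
    INTRANET.VIPCO.DE = {
        kdc = 192.168.0.197
        kdc = 192.168.122.1
    }
"""

def kdcs_by_realm(text):
    """Return {realm: [kdc, ...]} from [realms], preserving file order."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif section != "realms":
            continue
        elif line.endswith("{"):             # "REALM = {" opens a stanza
            realm = line.split("=", 1)[0].strip()
            realms[realm] = []
        elif line == "}":
            realm = None
        elif realm and re.match(r"kdc\s*=", line):
            realms[realm].append(line.split("=", 1)[1].strip())
    return realms

def check_site_preference(text, realm, site_subnets):
    """Report whether the first listed KDC lies inside the member's site."""
    nets = [ipaddress.ip_network(n) for n in site_subnets]
    def in_site(kdc):
        host = kdc.rsplit(":", 1)[0] if kdc.count(":") == 1 else kdc
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return None                      # hostname: cannot judge by subnet
        return any(addr in net for net in nets)
    kdcs = kdcs_by_realm(text).get(realm, [])
    flags = [in_site(k) for k in kdcs]
    return {"kdcs": kdcs, "first_in_site": bool(flags) and flags[0] is True,
            "out_of_site": [k for k, f in zip(kdcs, flags) if f is False]}
```

On a member, the text argument would be the contents of the krb5.conf.INTRANET file under /var/cache/samba/smb_krb5 mentioned above.
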
Hello,

I investigated further and found out that other member servers do honor their AD sites.

It is just that one machine that has both KDCs in its "/var/cache/samba/smb_krb5 exists/ krb5.conf.INTRANET".

I'm a bit puzzled... the smb.conf on this machine and on a machine that works is 100% identical, only netbios names differ.

Is there another way to control this behaviour?

Greetings,
Felix

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Felix Matouschek
Sent: Thursday, 13 August 2015 13:14
To: samba at lists.samba.org
Subject: [Samba] winbind_krb5_locator usage

Just a question. Did you create this server on site a and then moved it to site b?

>-----Original Message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Felix Matouschek
>Sent: Friday, 14 August 2015 8:58
>To: samba at lists.samba.org
>Subject: Re: [Samba] winbind_krb5_locator usage