On 2016-02-24 at 13:32, Rowland penny wrote:
> I would add a few extra lines:
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = Yes
> idmap config CUST:schema_mode = rfc2307
>
> The first three should ensure the tickets never expire and the last one
> defines the schema that idmap will use.

I had crashes as the /etc/krb5.keytab does not yet exist and the howto
looked complicated. Will attack that one again, OK.

> Is PAM set up correctly?

I tried my best. The examples in the docs always look slightly different
from the files in the various distros.

Ran pam-auth-update now (as recommended for Debian).

> Do you have libpam-winbind, libpam-krb5 and libnss-winbind installed?

3x yes

>> 3) in turn I only see UIDs and GIDs in the Linux filesystem, no
>> AD user/group names.
>
> This looks like something set up incorrectly in PAM.

hmm

--

Status on the production machine:

I get users and groups via wbinfo AND via getent.

Clients are connected and tell me things work so far.

In the shell I still see only numbers for owners of files:

# ls -l
[..]
-rwxrwxr--. 1 1026 1009 1037630 Jan 24 2013 20130102.txt
[..]

This is better than people not being able to access their files ;)
but still not satisfying.

As mentioned in my other reply, I am thinking of using "rid" later, OK?
On 24/02/16 13:05, Stefan G. Weichinger wrote:
> On 2016-02-24 at 13:32, Rowland penny wrote:
>> I would add a few extra lines:
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind refresh tickets = Yes
>> idmap config CUST:schema_mode = rfc2307
>>
>> The first three should ensure the tickets never expire and the last one
>> defines the schema that idmap will use.
>
> I had crashes as the /etc/krb5.keytab does not yet exist and the howto
> looked complicated. Will attack that one again, OK.

With those lines in smb.conf, the keytab will be created when the machine
is joined to the domain.

>> Is PAM set up correctly?
>
> I tried my best. The examples in the docs always look slightly different
> from the files in the various distros.
>
> Ran pam-auth-update now (as recommended for Debian).
>
>> Do you have libpam-winbind, libpam-krb5 and libnss-winbind installed?
>
> 3x yes
>
>>> 3) in turn I only see UIDs and GIDs in the Linux filesystem, no
>>> AD user/group names.
>>
>> This looks like something set up incorrectly in PAM.
>
> hmm
>
> --
>
> Status on the production machine:
>
> I get users and groups via wbinfo AND via getent.
>
> Clients are connected and tell me things work so far.
>
> In the shell I still see only numbers for owners of files:
>
> # ls -l
> [..]
> -rwxrwxr--. 1 1026 1009 1037630 Jan 24 2013 20130102.txt
> [..]
>
> This is better than people not being able to access their files ;)
> but still not satisfying.
>
> As mentioned in my other reply, I am thinking of using "rid" later, OK?

As your other post proves, you didn't have any uidNumber & gidNumber
attributes in AD; the 'ad' backend *will not* work without these
attributes.

Rowland
On Wed, 24 Feb 2016, Stefan G. Weichinger wrote:
> On 2016-02-24 at 13:32, Rowland penny wrote:
>> I would add a few extra lines:
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind refresh tickets = Yes
>> idmap config CUST:schema_mode = rfc2307
>>
>> The first three should ensure the tickets never expire and the last one
>> defines the schema that idmap will use.
>
> I had crashes as the /etc/krb5.keytab does not yet exist and the howto
> looked complicated. Will attack that one again, OK.

If you have "secrets and keytab" set before you do the "net ads join",
it will create /etc/krb5.keytab automatically. I would just do the join
again to create the keytab file. There is no harm in rejoining a machine
to the domain as far as I'm aware.
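The replies above make two configuration points: the 'ad' idmap backend needs schema_mode = rfc2307 (and uidNumber/gidNumber on the AD objects, which 'rid' does not need), and 'kerberos method = secrets and keytab' plus 'dedicated keytab file' have to be in smb.conf before 'net ads join' for the keytab to be written. The POSIX sh script below is an added example, not code from this thread or from Samba: it audits an smb.conf text for exactly those settings. The two sample configs (realm CUST.EXAMPLE, the ID ranges, the tdb default range) and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: audit an smb.conf for the winbind/idmap settings discussed in
# this thread. Not code from the thread; both sample configs are constructed
# (realm CUST.EXAMPLE, ranges and paths are assumptions).

# Constructed sample: the state the thread starts from. 'ad' backend, but no
# schema_mode and no keytab settings.
SAMPLE_BEFORE=$(cat <<'EOF'
[global]
   workgroup = CUST
   realm = CUST.EXAMPLE
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config CUST : backend = ad
   idmap config CUST : range = 10000-999999
EOF
)

# Constructed sample: the same config with the four recommended lines added.
SAMPLE_AFTER=$(cat <<'EOF'
[global]
   workgroup = CUST
   realm = CUST.EXAMPLE
   security = ADS
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = Yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config CUST : backend = ad
   idmap config CUST:schema_mode = rfc2307
   idmap config CUST : range = 10000-999999
EOF
)

# smbconf_get CONF KEY: print the value of KEY in the smb.conf text CONF.
# Samba parameter names are case-insensitive and ignore whitespace, so
# "idmap config CUST : backend" and "idmap config CUST:backend" are the same key.
smbconf_get() {
    want=$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v want="$want" '
        /^[ \t]*[#;]/ || !/=/ { next }   # skip comments and non-assignments
        {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
            if (key == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }'
}

# check_idmap_domain CONF DOMAIN: return 0 if DOMAIN has a usable idmap block.
# An 'ad' backend must state schema_mode = rfc2307 (and the AD objects must
# carry uidNumber/gidNumber, which a config audit cannot see); 'rid' derives
# IDs from the SID and needs no directory attributes.
check_idmap_domain() {
    backend=$(smbconf_get "$1" "idmap config $2:backend" | tr 'A-Z' 'a-z')
    range=$(smbconf_get "$1" "idmap config $2:range")
    schema=$(smbconf_get "$1" "idmap config $2:schema_mode" | tr 'A-Z' 'a-z')
    [ -n "$range" ] || { echo "idmap config $2:range is missing"; return 1; }
    case $backend in
        ad)
            [ "$schema" = rfc2307 ] || {
                echo "idmap config $2:schema_mode = rfc2307 is missing for the ad backend"
                echo "(the ad backend also needs uidNumber/gidNumber on the AD objects)"
                return 1
            } ;;
        rid) ;;
        '') echo "no idmap backend configured for $2"; return 1 ;;
        *)  echo "unexpected idmap backend '$backend' for $2"; return 1 ;;
    esac
}

# check_keytab_settings CONF: return 0 if the settings that make 'net ads join'
# write the keytab are present.
check_keytab_settings() {
    keytab=$(smbconf_get "$1" "dedicated keytab file")
    method=$(smbconf_get "$1" "kerberos method" | tr 'A-Z' 'a-z')
    [ -n "$keytab" ] || { echo "dedicated keytab file is not set"; return 1; }
    [ "$method" = "secrets and keytab" ] ||
        { echo "kerberos method should be 'secrets and keytab', got '$method'"; return 1; }
}

# audit CONF LABEL: run both checks against one config text and report.
audit() {
    echo "== $2"
    check_idmap_domain "$1" CUST && echo "idmap: ok"
    check_keytab_settings "$1" && echo "keytab: ok"
}

audit "$SAMPLE_BEFORE" "before"
audit "$SAMPLE_AFTER" "after"
```

To run it against a live host, replace the constructed strings with `"$(cat /etc/samba/smb.conf)"`; note that `testparm -s` normalises parameter names and is the simpler choice when only the effective configuration matters.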
On 2016-02-24 at 14:18, Sketch wrote:
> If you have "secrets and keytab" set before you do the "net ads join",
> it will create /etc/krb5.keytab automatically. I would just do the join
> again to create the keytab file. There is no harm in rejoining a
> machine to the domain as far as I'm aware.

Yes, cool! Worked.

So I added the recommended lines on the testbox: done.

It still says in log.smbd:

[2016/02/24 14:23:52.558588, 2] ../source3/auth/token_util.c:557(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
[2016/02/24 14:23:52.559881, 2] ../source3/auth/token_util.c:581(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
[2016/02/24 14:23:52.651268, 0] ../lib/util/become_daemon.c:136(daemon_ready)

btw: the testbox displays users/groups correctly in "ls" etc.