Rowland Penny
2016-Sep-30 11:51 UTC
[Samba] Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED
On Fri, 30 Sep 2016 13:32:18 +0200
Oliver Werner <oliver.werner at kontrast.de> wrote:

> the interface part is ok. eth0 has another IP as eth0:35
>
> DCs show me the profiles
>
> unix authentication
> register user session in the systemd….
> inheritable capabilities management
> OLIVER WERNER
> Systemadministrator
>

I use Devuan and I get:

Kerberos authentication
Unix authentication
Winbind NT/Active Directory authentication
GNOME Keyring Daemon - Login keyring management
ConsoleKit Session Management
Inheritable Capabilities Management

Ignore the last three.

You are only using Unix authentication on your domain member and as
you have compiled Samba yourself, you cannot install the distro
packages to fix the winbind part.

First install libpam-krb5, then create a
file: /usr/share/pam-configs/winbind

containing this:

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
    [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
    [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
    [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
Password-Type: Primary
Password:
    [success=end default=ignore] pam_winbind.so use_authtok try_first_pass
Password-Initial:
    [success=end default=ignore] pam_winbind.so
Session-Type: Additional
Session:
    optional pam_winbind.so

run 'pam-auth-update' again

Did you create the libnss_win* links?

Do you require your users to have home directories on the domain
member?

Rowland
Oliver Werner
2016-Sep-30 12:31 UTC
[Samba] Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED
Hi Rowland,

Is PAM really needed?

Users should not log in via terminal to this system. This is only a
Samba file server.

OLIVER WERNER
Systemadministrator

> On 30.09.2016 at 13:51, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Fri, 30 Sep 2016 13:32:18 +0200
> Oliver Werner <oliver.werner at kontrast.de> wrote:
>
>> the interface part is ok. eth0 has another IP as eth0:35
>>
>> DCs show me the profiles
>>
>> unix authentication
>> register user session in the systemd….
>> inheritable capabilities management
>> OLIVER WERNER
>> Systemadministrator
>>
>
> I use Devuan and I get:
>
> Kerberos authentication
> Unix authentication
> Winbind NT/Active Directory authentication
> GNOME Keyring Daemon - Login keyring management
> ConsoleKit Session Management
> Inheritable Capabilities Management
>
>
> Ignore the last three.
>
> You are only using Unix authentication on your domain member and as
> you have compiled Samba yourself, you cannot install the distro
> packages to fix the winbind part.
>
> First install libpam-krb5, then create a
> file: /usr/share/pam-configs/winbind
>
> containing this:
>
> Name: Winbind NT/Active Directory authentication
> Default: yes
> Priority: 192
> Auth-Type: Primary
> Auth:
>     [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> Auth-Initial:
>     [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
> Account-Type: Primary
> Account:
>     [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
> Password-Type: Primary
> Password:
>     [success=end default=ignore] pam_winbind.so use_authtok try_first_pass
> Password-Initial:
>     [success=end default=ignore] pam_winbind.so
> Session-Type: Additional
> Session:
>     optional pam_winbind.so
>
> run 'pam-auth-update' again
>
> Did you create the libnss_win* links?
>
> Do you require your users to have home directories on the domain
> member?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2016-Sep-30 12:43 UTC
[Samba] Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED
On Fri, 30 Sep 2016 14:31:06 +0200
Oliver Werner <oliver.werner at kontrast.de> wrote:

> Hi rowland,
>
> is pam really need?
>
> Users should not login via terminal to this system. this is only as
> Samba File-Server
>

Let's put it this way: to connect to the domain member, your users must
be known to the underlying OS.

The domain member I am typing this on uses a smb.conf very similar to
yours and has been up for nearly 16 days. The only difference that I
can see between your setup and mine is the PAM configuration.

Rowland
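
The points raised in this thread (the libnss_win* links, the pam-configs profile, and users being known to the underlying OS) can be checked on a domain member with a short script. This is an added example, not code from the thread or from the Samba project; it assumes the Debian/Devuan layout where pam-auth-update writes /etc/pam.d/common-*, it also checks /etc/nsswitch.conf (not named in the thread, but the file that tells NSS to use winbind), and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: is winbind wired into NSS and PAM on this domain member?
# Assumes the Debian/Devuan layout (pam-auth-update writes /etc/pam.d/common-*).
# Every check takes a root directory so it can run against a constructed tree.

# 0 if database $2 (passwd, group) in nsswitch.conf lists the winbind source
nss_has_winbind() {
    awk -v db="$2:" '
        $1 == db {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break        # rest of the line is a comment
                if ($i == "winbind") found = 1
            }
        }
        END { exit !found }' "$1/etc/nsswitch.conf" 2>/dev/null
}

# 0 if an uncommented line of /etc/pam.d/$2 loads pam_winbind.so
pam_has_winbind() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_winbind\.so' "$1/etc/pam.d/$2" 2>/dev/null
}

# 0 if a libnss_winbind.so* file or link exists in the usual library trees
nss_lib_present() {
    find "$1/lib" "$1/lib64" "$1/usr/lib" -name 'libnss_winbind.so*' 2>/dev/null | grep -q .
}

# 0 if the pam-auth-update profile from the post is installed
profile_present() {
    grep -q 'pam_winbind\.so' "$1/usr/share/pam-configs/winbind" 2>/dev/null
}

# Print one line per check; return the number of failed checks.
check_member() {
    root=${1%/}; failed=0
    for check in "nss_lib_present" "nss_has_winbind passwd" "nss_has_winbind group" \
                 "profile_present" "pam_has_winbind common-auth" "pam_has_winbind common-account"; do
        set -- $check                       # split into function name and argument
        if "$1" "$root" $2; then echo "ok       $check"
        else echo "MISSING  $check"; failed=$((failed + 1)); fi
    done
    return "$failed"
}

# Check the live system by default, or another root given as the first argument.
check_member "${1:-/}" || echo "$? check(s) failed"
```

A member that reports MISSING only for the PAM lines matches the situation described in the thread, where pam-auth-update offered Unix authentication but no Winbind profile.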