On Wed, 15/02/2017 at 09:45 +0100, Dario Lesca via samba wrote:
> Then Yesterday in 5 minutes I installed, configured and activated
> winbind and now all work fine.

OK, ACLs now work, but now another problem has appeared.

I can only access my samba+winbind server from the Windows Server AD DC and from the server itself (smbclient -Uadministrator -L server-dati).

If I try to access it from a Windows PC in the domain (\\server-dati), it does not connect and asks for a user and password.

If I try to access it via smbclient from Samba on another Linux PC (e.g. my notebook) not in the domain, I can access it only if I specify domain+user like this:

> smbclient -Usrl\\administrator%pwd //server-dati/dati

If I specify only the user without the domain, I cannot access it and get this error:

> smbclient -Uadministrator%pwd //server-dati/dati -d3
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface enp10s0 ip=192.168.1.195 bcast=192.168.1.255 netmask=255.255.255.0
> Client started (version 4.5.5).
> resolve_lmhosts: Attempting lmhosts lookup for name server-dati<0x20>
> resolve_wins: WINS server resolution selected and no WINS servers listed.
> resolve_hosts: Attempting host lookup for name server-dati<0x20>
> Connecting to 192.168.1.5 at port 445
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178@please_ignore
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE

This is my smb.conf [global] section:

> # Global parameters
> [global]
>     realm = SRL.LOCAL
>     workgroup = SRL
>     domain master = No
>     local master = No
>     preferred master = No
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     load printers = No
>     printcap name = /dev/null
>     client signing = if_required
>     password server = tx150s8.srl.local
>     security = ADS
>     template homedir = /u/samba/home/%U
>     template shell = /sbin/nologin
>     winbind use default domain = Yes
>     idmap config srl:schema_mode = rfc2307
>     idmap config srl:range = 100000-199999
>     idmap config srl:backend = tdb
>     idmap config * : range = 10000-99999
>     idmap config * : backend = tdb
>     store dos attributes = Yes
>     cups options = raw
>     acl allow execute always = Yes
>     map acl inherit = Yes
>     hosts allow = 127. 192.168.1.
>     vfs objects = acl_xattr

This is my krb5.conf:

> # Configuration snippets may be placed in this directory as well
> #includedir /etc/krb5.conf.d/
>
> #includedir /var/lib/sss/pubconf/krb5.include.d/
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  dns_lookup_realm = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>  rdns = false
>  default_ccache_name = KEYRING:persistent:%{uid}
>
>  default_realm = SRL.LOCAL
> # dns_lookup_kdc = false
>
> [realms]
>  SRL.LOCAL = {
> #  kdc = tx150s8.srl.local
> #  admin_server = tx150s8.srl.local
>  }
>
> [domain_realm]
>  srl.local = SRL.LOCAL
>  .srl.local = SRL.LOCAL

Any suggestion is appreciated.

Many thanks

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
Rowland Penny
2017-Feb-15 11:54 UTC
[Samba] Samba AD domain member with SSSD: ACL not work
On Wed, 15 Feb 2017 12:35:51 +0100
Dario Lesca via samba <samba at lists.samba.org> wrote:

> On Wed, 15/02/2017 at 09:45 +0100, Dario Lesca via samba wrote:
> > Then Yesterday in 5 minutes I installed, configured and activated
> > winbind and now all work fine.
>
> OK, ACLs now work, but now another problem has appeared.

Make your smb.conf look like this:

[global]
    realm = SRL.LOCAL
    workgroup = SRL
    security = ADS
    domain master = No
    local master = No
    preferred master = No
    log file = /var/log/samba/log.%m
    max log size = 50
    load printers = No
    printcap name = /dev/null
    client signing = if_required
    template homedir = /u/samba/home/%U
    template shell = /sbin/nologin
    winbind use default domain = Yes
    idmap config SRL:schema_mode = rfc2307
    idmap config SRL:range = 100000-199999
    idmap config SRL:backend = rid
    idmap config * : range = 10000-99999
    idmap config * : backend = tdb
    store dos attributes = Yes
    cups options = raw
    acl allow execute always = Yes
    map acl inherit = Yes
    hosts allow = 127. 192.168.1.
    vfs objects = acl_xattr

Make your /etc/krb5.conf look like this:

[libdefaults]
    default_realm = SRL.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

Rowland
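An added check for the kind of changes Rowland makes above; this is example code written for this page, not code from the thread or from the Samba project. It is a small Python linter that parses the [global] section of an smb.conf (the two sample inputs below are constructed from the auth/idmap-relevant lines of Dario's original and Rowland's proposed configs) and flags the settings the Samba wiki's domain-member guidance warns about: a `password server` entry under `security = ADS` (DCs are located via DNS there), the `tdb` backend used for the domain itself (IDs are allocated on first sight, so they differ between members), `schema_mode` set outside the `ad` backend (it is an idmap_ad option), and overlapping idmap ranges. The function names, the finding codes and the choice to compare the idmap domain name case-insensitively are this example's own assumptions.

```python
"""Lint the [global] section of an smb.conf for Samba AD domain-member use.

Added example, not code from Samba or from either poster. Rules follow the
Samba wiki's domain-member guidance; names and finding codes are mine.
"""
import re

# Constructed sample input: the auth/idmap-relevant lines of the two
# configs in the thread (the original and the proposed replacement).
SMB_CONF_BEFORE = """\
[global]
    realm = SRL.LOCAL
    workgroup = SRL
    security = ADS
    password server = tx150s8.srl.local
    winbind use default domain = Yes
    idmap config srl:schema_mode = rfc2307
    idmap config srl:range = 100000-199999
    idmap config srl:backend = tdb
    idmap config * : range = 10000-99999
    idmap config * : backend = tdb
"""

SMB_CONF_AFTER = """\
[global]
    realm = SRL.LOCAL
    workgroup = SRL
    security = ADS
    winbind use default domain = Yes
    idmap config SRL:schema_mode = rfc2307
    idmap config SRL:range = 100000-199999
    idmap config SRL:backend = rid
    idmap config * : range = 10000-99999
    idmap config * : backend = tdb
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Keys are lower-cased and 'idmap config DOM : opt' is normalised to
    'idmap config dom:opt' (assumption: domain part compared case-insensitively).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # ignore lines outside any section or without '='
        key, _, value = line.partition("=")
        key = re.sub(r"\s*:\s*", ":", " ".join(key.split())).lower()
        sections[current][key] = value.strip()
    return sections


def _parse_range(value):
    """'100000-199999' -> (100000, 199999); None if malformed."""
    m = re.match(r"^(\d+)\s*-\s*(\d+)$", value or "")
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def check_domain_member(conf):
    """Return (severity, code, message) findings for an AD domain member."""
    g = conf.get("global", {})
    out = []
    if g.get("security", "").lower() != "ads":
        out.append(("error", "no-security-ads", "security = ADS is required for an AD domain member"))
    if "realm" not in g:
        out.append(("error", "no-realm", "realm must name the AD Kerberos realm"))
    if "password server" in g:
        out.append(("warn", "password-server",
                    "password server is set; with security = ADS the DCs are found via DNS, drop it"))
    if g.get("idmap config *:backend", "").lower() != "tdb":
        out.append(("error", "default-backend-not-tdb", "idmap config * : backend should be tdb"))

    workgroup = g.get("workgroup", "").lower()
    backend = g.get(f"idmap config {workgroup}:backend")
    if backend is None:
        out.append(("error", "domain-idmap-missing",
                    f"no idmap config {workgroup}:backend; the domain falls into the '*' allocation"))
    elif backend.lower() == "tdb":
        out.append(("error", "domain-backend-tdb",
                    "domain uses tdb: IDs are allocated on first sight and will differ between members"))
    elif backend.lower() not in ("ad", "rid"):
        out.append(("warn", "domain-backend-unknown", f"unusual domain backend {backend!r}"))
    if backend and backend.lower() != "ad" and f"idmap config {workgroup}:schema_mode" in g:
        out.append(("info", "schema-mode-ignored",
                    "schema_mode is an idmap_ad option and has no effect with this backend"))

    # idmap ranges of all configured domains (including '*') must not overlap.
    ranges = {}
    for key, value in g.items():
        m = re.match(r"^idmap config ([^:]+):range$", key)
        if not m:
            continue
        r = _parse_range(value)
        if r is None:
            out.append(("error", "range-malformed", f"bad range for {m.group(1)}: {value!r}"))
        else:
            ranges[m.group(1)] = r
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                out.append(("error", "range-overlap", f"idmap ranges for {a} and {b} overlap"))
    return out


if __name__ == "__main__":
    for label, text in (("before", SMB_CONF_BEFORE), ("after", SMB_CONF_AFTER)):
        print(f"== {label} ==")
        for sev, code, msg in check_domain_member(parse_smb_conf(text)) or [("ok", "-", "no findings")]:
            print(f"  [{sev}] {code}: {msg}")
```

Running it on the "before" config reports the `password server` entry and the `tdb` domain backend; the "after" config clears both errors and only notes that `schema_mode` is ignored by the `rid` backend. Point it at a real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`.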
On Wed, 15/02/2017 at 11:54 +0000, Rowland Penny via samba wrote:
> Make your .... look like this:

Now my smb.conf and krb5.conf are like you proposed. I rebooted and now all seems to work fine; I can connect to my server from a Windows PC.

From my Linux, instead, I must use the domain, but this is not a problem.

Many thanks

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)