Dear all, I really do not know what is wrong.
To recap, I am adding a Linux machine to an Active Directory domain and I need to add
local printers shared with AD authentication.
My tutorial and errors:
########################################
# Install Packages
yum install perl gcc attr libacl-devel libblkid-devel gnutls-devel \
    readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel \
    setroubleshoot-server libaio-devel setroubleshoot-plugins \
    policycoreutils-python libsemanage-python perl-ExtUtils-MakeMaker \
    perl-Parse-Yapp popt-devel libxml2-devel libattr-devel keyutils-libs-devel \
    cups-devel bind-utils libxslt docbook-style-xsl openldap-devel autoconf \
    python-crypto pam-devel ntp wget vim
# Update Operating System
yum update -y
# Update ntp.conf
server rede.com.br iburst
# Synchronize time and start service
ntpdate redecamara.camara.gov.br
systemctl start ntpd.service
# Config Kerberos file
cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = REDE.COM.BR
dns_lookup_realm = false
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
# Show hosts (OK)
getent hosts REDE
# Download latest Samba version
wget https://download.samba.org/pub/samba/stable/samba-4.6.2.tar.gz
# Extract
tar -vxf samba-4.6.2.tar.gz
# Configure and compile Samba
./configure --prefix /usr --enable-fhs --enable-cups --sysconfdir=/etc \
    --localstatedir=/var --with-privatedir=/var/lib/samba/private \
    --with-piddir=/var/run/samba --with-automount --datadir=/usr/share \
    --with-lockdir=/var/run/samba --with-statedir=/var/lib/samba \
    --with-cachedir=/var/cache/samba --with-systemd --with-winbind && make && make install
# Update Libs
ldconfig
# Show Configs of Samba
smbd -b | grep CONFIGFILE
CONFIGFILE: /etc/samba/smb.conf
smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
LOCKDIR: /var/run/samba
STATEDIR: /var/lib/samba
CACHEDIR: /var/cache/samba
PRIVATE_DIR: /var/lib/samba/private
smbd -b | grep "CUPS"
HAVE_CUPS_CUPS_H
HAVE_CUPS_LANGUAGE_H
HAVE_CUPS
HAVE_LIBCUPS
# Create smb.conf
[global]
security = ADS
workgroup = REDE
realm = REDE.COM.BR
log file = /var/log/samba/%m.log
log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use an read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
winbind use default domain = yes
case sensitive = no
[printers]
path = /var/spool/samba/
printable = yes
print ok = yes
browseable = yes
# Create directory and permissions
mkdir -p /var/spool/samba/
chmod 1777 /var/spool/samba/
# Join machine to domain
net ads join -U user -W REDE
vim /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
# Start Winbind
winbindd
# Check Winbind
wbinfo -t
checking the trust secret for domain REDE via RPC calls succeeded
wbinfo --ping-dc
wbinfo -g (works)
wbinfo -u (works)
# Shared printers in CUPS
smbd
nmbd
netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp6 0 0 :::139 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::631 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
tcp6 0 0 :::445 :::* LISTEN
#
smbclient -L localhost -U root
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
Enter REDE\root's password:
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
Domain=[REDE] OS=[] Server=[]
Sharename Type Comment
--------- ---- -------
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
IPC$ IPC IPC Service (Samba 4.6.2)
* Ricoh-Aficio-MP-5002 Printer CENIN03-13CP (works without Winbind)*
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
Domain=[REDE] OS=[] Server=[]
Server Comment
--------- -------
AGUA
DELOREAN1 Samba 4.6.2
Workgroup Master
--------- -------
REDE AGUA
# Error in Log
==> /var/log/samba/winbindd.log <==
[2017/04/24 15:45:29.112300, 1] ../source3/winbindd/winbindd_pam.c:2494(extract_pac_vrfy_sigs)
  Failed to initialize kerberos context: Invalid argument
[2017/04/24 15:45:29.112356, 1] ../source3/winbindd/winbindd_pam.c:2559(winbindd_pam_auth_pac_send)
  Error during PAC signature verification: NT_STATUS_UNSUCCESSFUL
# Commands to test Kerberos
kinit root
Password for root@REDE.COM.BR:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@REDE.COM.BR
Valid starting       Expires              Service principal
04/24/2017 16:17:24  04/25/2017 02:17:24  krbtgt/REDE.COM.BR@REDE.COM.BR
        renew until 04/25/2017 16:17:22
2017-04-17 15:35 GMT-03:00 Luiz Guilherme Nunes Fernandes <narutospinal at gmail.com>:
> OK, thanks, I will make new tests.
>
> 2017-04-17 15:21 GMT-03:00 Rowland Penny <rpenny at samba.org>:
>
>> On Mon, 17 Apr 2017 14:57:45 -0300
>> Luiz Guilherme Nunes Fernandes <narutospinal at gmail.com> wrote:
>>
>> > Well, I don't have sssd installed.
>>
>> OK, now we know that ;-)
>>
>> >
>> > With winbind I install these packages:
>> > yum install realmd oddjob oddjob-mkhomedir adcli samba-common
>> > samba-common-tools krb5-workstation openldap-clients
>> > policycoreutils-python samba-winbind-clients
>>
>> I use Devuan and install these:
>>
>> samba acl attr quota fam winbind libpam-winbind libpam-krb5
>> libnss-winbind krb5-config krb5-user ntp dnsutils ldb-tools
>>
>> You probably have the red-hat versions of these packages installed, but
>> it might be worth checking.
>>
>> >
>> > My nsswitch.conf
>> >
>> > passwd: files ldap winbind
>> > shadow: files ldap winbind
>> > group: files ldap winbind
>>
>> Remove 'ldap', you do not need it and it will use 'ldap'
>> before 'winbind'
>>
>>
>> > > > # My mini tutorial
>> > > >
>> > > > #########################
>> > > > (First test)
>> > > > #########################
>> > > >
>> > > > realm join --client-software=winbind -U login NONAME.COM.BR
>> > > > realm list
>> > > > authconfig --enablewinbindusedefaultdomain --update
>> > > >
>> > > > wbinfo -t
>> > > > wbinfo -g
>> > > > wbinfo -u
>> > > >
>> > > > Works (joins the domain, and lists groups and users)
>>
>> You need to get 'getent' to show your users & groups, until they are
>> shown, your OS doesn't know them.
>>
>> > > >
>> > > > I can use it for ssh and apache authentication (works)
>>
>> Use the info on the wiki page I posted for apache.
>>
>> > > >
>> > > > ### My problem
>> > > > Actual file with winbind
>> > > >
>> > > > workgroup = NONAME
>> > > > realm = NONAME.COM.BR
>> > > > security = ads
>> > > > idmap config * : range = 16777216-33554431
>> > > > template homedir = /home/%U@%D
>> > > > template shell = /bin/bash
>> > > > kerberos method = secrets only
>> > > > winbind use default domain = true
>> > > > winbind offline logon = true
>>
>> Use 'security = ads' and add something like
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config NONAME : backend = rid
>> idmap config NONAME : range = 10000-999999
>>
>> You can change the ranges if you like, but there is no real point.
>> Incidentally, the range you used '167777216-33554431' looks like the
>> numbers sssd uses.
>>
>> Please read the wiki pages I pointed you to, if you follow them, you
>> should end up with a working system that does what you require.
>>
>> Rowland
>>
>>
>>
--
<<<<<<<<<<<<<<<<<<<------------------------------------------------------------------->>>>>>>>>>>>>>>>>>>
< Jesus said to him: I am the way, and the truth, and the life; no one comes to the
Father except through me >
(John 14:6)
Regards,
♪ ♫ Luiz Guilherme Nunes Fernandes ♫ ♪
<<<<<<<<<<<<<<<<<<<------------------------------------------------------------------->>>>>>>>>>>>>>>>>>>
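
The smb.conf comment in the message above says the default (*) ID mapping range must not overlap any domain mapping, and the quoted reply suggests adding a domain-specific idmap config. The following is an added example, not part of the e-mail thread or of Samba: a small checker for those two points. The function names and the sample text are constructed for illustration, and the domain name REDE in the sample is an assumption taken from the posted workgroup.

```python
import re

# Constructed sample: the idmap lines posted above plus the domain mapping
# suggested in the quoted reply (domain name REDE is an assumption).
SAMPLE = """\
[global]
security = ADS
workgroup = REDE
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config REDE : backend = rid
idmap config REDE : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+)$", re.I)

def parse_idmap(text):
    """Return {domain: {'backend': str, 'range': (low, high)}} from [global]."""
    domains, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # comment lines start with '#' or ';' and never match
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        m = IDMAP_RE.match(line)
        if section == "global" and m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3).strip()
            if key == "range":
                val = tuple(int(x) for x in val.split("-", 1))
            domains.setdefault(dom, {})[key] = val
    return domains

def check_idmap(text, workgroup=None):
    """Return a list of findings; an empty list means the mapping is consistent."""
    domains, problems = parse_idmap(text), []
    for dom, cfg in domains.items():
        if "backend" not in cfg or "range" not in cfg:
            problems.append(f"{dom}: needs both backend and range")
    ranged = sorted((c["range"], d) for d, c in domains.items() if "range" in c)
    prev_high, prev_dom = -1, None
    for (low, high), dom in ranged:
        if low <= prev_high:
            problems.append(f"{prev_dom} and {dom}: ranges overlap")
        if high > prev_high:
            prev_high, prev_dom = high, dom
    # Follows the quoted reply's advice; reported as a finding, not a hard error.
    if workgroup and workgroup.upper() not in domains:
        problems.append(f"{workgroup.upper()}: no domain-specific idmap config")
    return problems
```

Calling `check_idmap(open("/etc/samba/smb.conf").read(), "REDE")` on the configuration posted in the message reports the missing domain mapping, since only the `*` lines are present.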