A. James Lewis
2017-Aug-21 11:51 UTC
[Samba] Windows pre-requisites for login with winbind?
Hi all,

I've just been following a series of guides to set up "winbind" authentication on a container build I'm working on, but I'm seeing some strange behaviour....

After the "net ads join -k", some users can log in, but others cannot (pam says their account does not exist)... although they can all authenticate with kinit!

If someone has an idea why this might be, what I should change, or if users need to be in particular groups on the Windows side, that would be really useful. The users that don't work are the most recent ones.... which leads me to believe that there is probably some group they have not been added to, but I don't have much access to the AD to look.

My configs look like this:-

KRB5.CONF

[libdefaults]
 ticket_lifetime = 24000
 default_realm = DOMAIN.LOCAL
 default_tgs_enctypes = rc4-hmac des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-md5
 dns_lookup_realm = true
 dns_lookup_kdc = true
 dns_fallback = yes

[realms]
 DOMAIN.LOCAL = {
  kdc = local_dc01.domain.local
  kdc = local_dc02.domain.local
  kdc = local_dc03.domain.local
  kdc = remote_dc01.domain.local
  kdc = remote_dc02.domain.local
  kdc = remote_dc03.domain.local
  kdc = local_dc10.domain.local
  kdc = local_dc11.domain.local
  admin_server = local_dc01.domain.local
  default_domain = domain.local
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

SMB.CONF

[global]
# netbios name = %NETBIOS_NAME%
workgroup = DOMAIN
security = ADS
password server = local_dc01.domain.local, local_dc02.domain.local, local_dc03.domain.local, local_dc10.domain.local, local_dc11.domain.local, remote_dc01.domain.local, remote_dc02.domain.local, remote_dc03.domain.local
realm = DOMAIN.LOCAL
encrypt passwords = yes

idmap config *:backend = rid
idmap config *:range = 5000-100000

# winbind allow trusted domains = no
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = yes

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
Rowland Penny
2017-Aug-21 12:42 UTC
[Samba] Windows pre-requisites for login with winbind?
On Mon, 21 Aug 2017 11:51:18 +0000
"A. James Lewis via samba" <samba at lists.samba.org> wrote:

> Hi all,
>
> I've just been following a series of guides to set up "winbind"
> authentication on a container build I'm working on, but I'm seeing
> some strange behaviour....
>
> After the "net ads join -k", some users can log in, but others cannot
> (pam says their account does not exist)... although they can all
> authenticate with kinit!
>
> If someone has an idea why this might be, what I should change, or if
> users need to be in particular groups on the Windows side, that would
> be really useful. The users that don't work are the most recent
> ones.... which leads me to believe that there is probably some group
> they have not been added to, but I don't have much access to the AD
> to look.
>
> My configs look like this:-

See my modifications:

KRB5.CONF
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

That is all you need in krb5.conf

> SMB.CONF

[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL

idmap config *:backend = tdb
idmap config *:range = 5000-9999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 10000-999999

winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes

template shell = /bin/bash
template homedir = /home/%D/%U

Rowland
A. James Lewis
2017-Aug-21 13:14 UTC
[Samba] Windows pre-requisites for login with winbind?
I'm slightly confused, you appear to have trimmed down the config, but not changed anything.... would you think this would affect the issue where long standing users are able to log in, but new users are not... even after a couple of weeks they are not able to log in via "winbind", although they can authenticate via Kerberos, and obviously log in to Windows desktops.

James

August 21, 2017 1:45 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Mon, 21 Aug 2017 11:51:18 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>
>> Hi all,
>>
>> I've just been following a series of guides to set up "winbind"
>> authentication on a container build I'm working on, but I'm seeing
>> some strange behaviour....
>>
>> After the "net ads join -k", some users can log in, but others cannot
>> (pam says their account does not exist)... although they can all
>> authenticate with kinit!
>>
>> If someone has an idea why this might be, what I should change, or if
>> users need to be in particular groups on the Windows side, that would
>> be really useful. The users that don't work are the most recent
>> ones.... which leads me to believe that there is probably some group
>> they have not been added to, but I don't have much access to the AD
>> to look.
>>
>> My configs look like this:-
>
> See my modifications:
>
> KRB5.CONF
> [libdefaults]
> default_realm = DOMAIN.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> That is all you need in krb5.conf
>
>> SMB.CONF
>
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.LOCAL
>
> idmap config *:backend = tdb
> idmap config *:range = 5000-9999
> idmap config DOMAIN:backend = rid
> idmap config DOMAIN:range = 10000-999999
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind refresh tickets = yes
>
> template shell = /bin/bash
> template homedir = /home/%D/%U
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
Rowland Penny
2017-Aug-21 13:46 UTC
[Samba] Windows pre-requisites for login with winbind?
On Mon, 21 Aug 2017 13:14:16 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> I'm slightly confused, you appear to have trimmed down the config,
> but not changed anything.... would you think this would affect the
> issue where long standing users are able to log in, but new users are
> not... even after a couple of weeks they are not able to log in via
> "winbind", although they can authenticate via Kerberos, and obviously
> log in to Windows desktops.
>
> James
>

Yes, I trimmed your /etc/krb5.conf down to all that is required. I also removed all the unnecessary lines from your smb.conf, but I also altered two lines and added two others.

Your set up was putting everything into the '*' domain and nothing into the 'DOMAIN' domain. You were also using the 'rid' backend for the '*' domain and you MUST use 'tdb' for this.

Rowland
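The idmap point in the reply above can be checked mechanically. The following Python is an added example, not code from this thread or from Samba: it parses the `idmap config` lines of an smb.conf fragment (the two fragments and the SIDs are constructed for illustration, one in the shape Rowland recommends and one in the shape the original post used), applies the idmap_rid mapping rule documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, and reports which SIDs get no Unix ID because the result falls outside the configured range. It also flags a `*` domain whose backend is not tdb, as the reply requires, and overlapping ranges, which Samba documents as not allowed. The function and variable names are this example's own.

```python
"""Added example, not code from the thread or from Samba: idmap_rid arithmetic
and a lint for the idmap mistakes discussed in the reply above.

Mapping rule from idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID, and the
backend maps nothing that lands outside its configured range.
The smb.conf fragments and SIDs below are constructed for illustration.
"""
import re

# Constructed copy of the layout recommended in the reply.
GOOD_CONF = """
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL
idmap config *:backend = tdb
idmap config *:range = 5000-9999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 10000-999999
"""

# Constructed copy of the original post's layout: everything in '*', with rid.
BAD_CONF = """
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL
idmap config *:backend = rid
idmap config *:range = 5000-100000
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<key>backend|range|base_rid)\s*=\s*(?P<val>\S+)",
    re.IGNORECASE,
)
SID_RE = re.compile(r"^(?P<domsid>S-1-5-21-\d+-\d+-\d+)-(?P<rid>\d+)$")


def parse_idmap(conf):
    """Return {DOMAIN: {'backend': str, 'range': (low, high), 'base_rid': int}}."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = cfg.setdefault(m["dom"].upper(), {"base_rid": 0})
        key, val = m["key"].lower(), m["val"]
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            dom["range"] = (low, high)
        elif key == "base_rid":
            dom["base_rid"] = int(val)
        else:
            dom["backend"] = val.lower()
    return cfg


def rid_to_id(cfg, domain, sid):
    """Unix ID idmap_rid would allocate for `sid`, or None if it cannot be mapped."""
    dom = cfg.get(domain.upper())
    if not dom or dom.get("backend") != "rid" or "range" not in dom:
        return None
    m = SID_RE.match(sid)
    if not m:
        return None
    low, high = dom["range"]
    xid = int(m["rid"]) - dom["base_rid"] + low
    # Outside the range the backend returns no mapping, so the user has no uid.
    return xid if low <= xid <= high else None


def check_idmap(cfg):
    """Lint: '*' must use tdb (the reply's rule) and ranges must not overlap
    (Samba documents non-overlapping ranges as a requirement)."""
    problems = []
    star = cfg.get("*")
    if star is None or star.get("backend") != "tdb":
        problems.append("idmap config *:backend must be tdb")
    ranges = sorted((d["range"], name) for name, d in cfg.items() if "range" in d)
    for (r1, n1), (r2, n2) in zip(ranges, ranges[1:]):
        if r2[0] <= r1[1]:
            problems.append(f"idmap ranges for {n1} and {n2} overlap")
    return problems


if __name__ == "__main__":
    cfg = parse_idmap(GOOD_CONF)
    for sid in ("S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-990000"):
        print(sid, "->", rid_to_id(cfg, "DOMAIN", sid))
    print("problems in the original layout:", check_idmap(parse_idmap(BAD_CONF)))
```

A SID whose RID pushes the result past the top of the range gets no Unix ID at all, and a user with no Unix ID is invisible to NSS, which is exactly what `No passwd entry for user` at the su prompt means. Whether that is what happened to the poster's newest accounts is not something the thread settles, so `wbinfo -i <user>` and `wbinfo --name-to-sid <user>` against the real ranges are the checks to run before drawing that conclusion.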
A. James Lewis
2017-Aug-21 14:18 UTC
[Samba] Windows pre-requisites for login with winbind?
OK, I've made those changes, and now I cannot use kinit to verify authentication, eg:-

$ kinit user@DOMAIN.LOCAL
kinit: Cannot find KDC for realm "DOMAIN.LOCAL" while getting initial credentials
$

However, the winbind users that could log in before are still able to log in, while the ones who were not able to log in still cannot log in!...

Just to make sure I've made the changes correctly, my config is now:-

# cat krb5.conf
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

# cat smb.conf
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL

idmap config *:backend = tdb
idmap config *:range = 4000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-100000

winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes

template shell = /bin/bash
template homedir = /home/%D/%U
#

August 21, 2017 2:56 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Mon, 21 Aug 2017 13:14:16 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> I'm slightly confused, you appear to have trimmed down the config,
>> but not changed anything.... would you think this would affect the
>> issue where long standing users are able to log in, but new users are
>> not... even after a couple of weeks they are not able to log in via
>> "winbind", although they can authenticate via Kerberos, and obviously
>> log in to Windows desktops.
>>
>> James
>
> Yes I trimmed you /etc/krb5.conf down to all that is required, I also
> removed all the unnecessary lines from your smb.conf, but I also
> altered two lines and added two others.
>
> Your set up was putting everything into the '*' domain and nothing into
> the 'DOMAIN' domain. You were also using the 'rid' backend for the '*'
> domain and you MUST use 'tdb' for this.
>
> Rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
A. James Lewis
2017-Aug-21 14:32 UTC
[Samba] Windows pre-requisites for login with winbind?
Also, I see the following repeated in syslog:-

==> syslog <==
Aug 21 15:25:41 hostname01 winbindd[691]: [2017/08/21 15:25:41.438959, 0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
Aug 21 15:25:41 hostname01 winbindd[691]: Kinit for HOSTNAME01$@DOMAIN.LOCAL to access cifs/LOCAL_AD02.domain.local@DOMAIN.LOCAL failed: Cannot contact any KDC for requested realm

When one of the suspect users tries to log in I get:-

==> auth.log <==
Aug 21 15:25:14 op-sdes-dsk01 su[690]: No passwd entry for user 'username'
Aug 21 15:25:14 op-sdes-dsk01 su[690]: FAILED su for username by root
Aug 21 15:25:14 op-sdes-dsk01 su[690]: - ??? root:username

However, other AD users do work correctly.

This is Samba 4.5.8 BTW...

James

August 21, 2017 2:56 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Mon, 21 Aug 2017 13:14:16 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> I'm slightly confused, you appear to have trimmed down the config,
>> but not changed anything.... would you think this would affect the
>> issue where long standing users are able to log in, but new users are
>> not... even after a couple of weeks they are not able to log in via
>> "winbind", although they can authenticate via Kerberos, and obviously
>> log in to Windows desktops.
>>
>> James
>
> Yes I trimmed you /etc/krb5.conf down to all that is required, I also
> removed all the unnecessary lines from your smb.conf, but I also
> altered two lines and added two others.
>
> Your set up was putting everything into the '*' domain and nothing into
> the 'DOMAIN' domain. You were also using the 'rid' backend for the '*'
> domain and you MUST use 'tdb' for this.
>
> Rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
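The two log excerpts in the message above describe two different failures, and it helps to have them classified as such rather than both reading as "login failed". The following Python is an added example, not code from the thread or from Samba: it runs two patterns over constructed log lines in the shape of the ones quoted above (hostnames, PIDs and timestamps are illustrative) and attaches the next check to each finding. The `_kerberos._udp.<realm>` / `_kerberos._tcp.<realm>` SRV lookup it mentions is how MIT Kerberos locates a KDC when `dns_lookup_kdc = true` and krb5.conf lists no `kdc =` entries; the function and field names are this example's own.

```python
"""Added example, not code from the thread: classify the two symptoms shown
in the message above (winbind cannot reach a KDC; NSS has no passwd entry)
and say which check to run next for each.  Log lines are constructed in the
shape of the ones quoted above; hostnames, PIDs and timestamps are illustrative.
"""
import re

SYSLOG = """\
Aug 21 15:25:41 hostname01 winbindd[691]: [2017/08/21 15:25:41.438959,  0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
Aug 21 15:25:41 hostname01 winbindd[691]:   Kinit for HOSTNAME01$@DOMAIN.LOCAL to access cifs/LOCAL_AD02.domain.local@DOMAIN.LOCAL failed: Cannot contact any KDC for requested realm
"""

AUTH_LOG = """\
Aug 21 15:25:14 hostname01 su[690]: No passwd entry for user 'username'
Aug 21 15:25:14 hostname01 su[690]: FAILED su for username by root
Aug 21 15:25:14 hostname01 su[690]: - ??? root:username
"""

# winbindd's machine-account kinit failure, with client principal, target SPN and reason.
KINIT_RE = re.compile(
    r"winbindd\[\d+\]:\s+Kinit for (?P<client>\S+) to access (?P<service>\S+) failed: (?P<reason>.*)$"
)
# su giving up before authentication because getpwnam() found nothing.
NOPASSWD_RE = re.compile(r"su\[\d+\]: No passwd entry for user '(?P<user>[^']+)'")


def triage(syslog, auth_log):
    """Return one finding per recognised symptom, with the check to run next."""
    findings = []
    for line in syslog.splitlines():
        m = KINIT_RE.search(line)
        if m:
            findings.append({
                "kind": "kdc_unreachable",
                "client": m["client"],
                "service": m["service"],
                "reason": m["reason"].strip(),
                "next": ("winbind's machine account cannot obtain a ticket; with no 'kdc =' "
                         "lines in krb5.conf the KDC comes from the _kerberos._udp/_tcp.<realm> "
                         "SRV records, so confirm that lookup resolves from this host"),
            })
    for line in auth_log.splitlines():
        m = NOPASSWD_RE.search(line)
        if m:
            findings.append({
                "kind": "nss_lookup_failed",
                "user": m["user"],
                "next": ("su failed before authenticating: NSS returned no passwd entry, so "
                         "check 'getent passwd <user>' and 'wbinfo -i <user>' rather than "
                         "the password"),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SYSLOG, AUTH_LOG):
        detail = {k: v for k, v in finding.items() if k not in ("kind", "next")}
        print(finding["kind"], detail)
        print("  next:", finding["next"])
```

The distinction matters for where to look: the kinit failure is between this host and the KDCs (DNS or network) and affects every user equally, while the missing passwd entry is between winbind's idmap and NSS and can be per-user, which matches the message's observation that other AD users still work.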