A. James Lewis
2017-Aug-22 13:02 UTC
[Samba] Windows pre-requisites for login with winbind?
I have krb5-config krb5-user, but not libpam-krb5... I'm slightly fuzzy about how this works, but I thought the interaction with kerberos was implemented via winbind, so I wasn't expecting this package to be installed... certainly there is no dependency that has pulled it in.

James

August 22, 2017 1:15 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Tue, 22 Aug 2017 12:01:20 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>
>> Indeed!... you are correct... this does appear to be the kerberos
>> issue uncovered by Rowland's pointing out that I should not need to be
>> manually defining "kdc =", in my krb5.conf.... so with that resolved,
>> I'm hoping we can also find the cause of my original problem.
>>
>> Incidentally, this was my solution to upgrading Samba on my 17.04
>> test server, I think moving to 17.10 will ultimately have to be the
>> solution, but this let me carry on debugging this problem quickly.
>>
>> apt-get remove libnss-winbind libpam-winbind samba winbind
>> apt-get autoremove
>> cd /etc/apt/
>> sed -i "s,zesty,artful,g" sources.list
>> apt-get install samba libnss-winbind libpam-winbind winbind
>> sed -i "s,artful,zesty,g" sources.list
>> apt-get update
>> apt-get dist-upgrade
>>
>> James
>
> Do you also have the following packages installed:
>
> libpam-krb5 krb5-config krb5-user
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
Rowland Penny
2017-Aug-22 13:16 UTC
[Samba] Windows pre-requisites for login with winbind?
On Tue, 22 Aug 2017 13:02:03 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> I have krb5-config krb5-user, but not libpam-krb5... I'm slightly
> fuzzy about how this works, but I thought the interaction with
> kerberos was implemented via winbind, so I wasn't expecting this
> package to be installed... certainly there is no dependency that has
> pulled it in.
>
> James

Well, it is what makes PAM use kerberos with winbind, this is the winbind line from /etc/pam.d/common-auth with it installed:

auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

And all the commands you have posted work for me.

Rowland
A. James Lewis
2017-Aug-22 14:35 UTC
[Samba] Windows pre-requisites for login with winbind?
I think we're getting confused with the kerberos issue created by my errant DNS server... with the original problem, all the commands I have sent showing an issue with kerberos were working originally, with the config which explicitly defined "kdc =", and are now working again, with your new config, now that I have fixed the DNS... but the original problem is that I have a very small number of users which don't work.... winbind says that they don't exist, while every other user works just fine...

Those 3 users that don't work are the most recent 3 to be added, and since I don't have control over the AD, I can't say if there's some parameter or group they don't have which stops them from working, but I don't think it's a co-incidence that they are not "random" users, but only "new" users.

Obviously since they can log in to windows desktops, winbind behaviour must be different to Windows... but surely there has to be an AD component to this too.

The common-auth line you have below is precisely what I have.

James

August 22, 2017 2:20 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Tue, 22 Aug 2017 13:02:03 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> I have krb5-config krb5-user, but not libpam-krb5... I'm slightly
>> fuzzy about how this works, but I thought the interaction with
>> kerberos was implemented via winbind, so I wasn't expecting this
>> package to be installed... certainly there is no dependency that has
>> pulled it in.
>>
>> James
>
> Well, it is what makes PAM use kerberos with winbind, this is the
> winbind line from /etc/pam.d/common-auth with it installed:
>
> auth [success=1 default=ignore] pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass
>
> And all the commands you have posted work for me.
>
> Rowland
L.P.H. van Belle
2017-Aug-22 14:49 UTC
[Samba] Windows pre-requisites for login with winbind?
Did you already check the database replication of the DCs? If one is out of sync, and the PC is connecting to that one, you have errors. And what does the Windows event ID tell you?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of A. James Lewis via samba
> Sent: Tuesday 22 August 2017 16:36
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] Windows pre-requisites for login with winbind?
>
> I think we're getting confused with the kerberos issue
> created by my errant DNS server... with the original problem,
> all the commands I have sent showing an issue with kerberos
> were working originally, with the config which explicitly
> defined "kdc =", and are now working again, with your new
> config, now that I have fixed the DNS... but the original
> problem is that I have a very small number of users which
> don't work.... winbind says that they don't exist, while
> every other user works just fine...
>
> Those 3 users that don't work are the most recent 3 to be
> added, and since I don't have control over the AD, I can't
> say if there's some parameter or group they don't have which
> stops them from working, but I don't think it's a
> co-incidence that they are not "random" users, but only "new" users.
>
> Obviously since they can log in to windows desktops, winbind
> behaviour must be different to Windows... but surely there
> has to be an AD component to this too.
>
> The common-auth line you have below is precisely what I have.
>
> James
>
> August 22, 2017 2:20 PM, "Rowland Penny via samba"
> <samba at lists.samba.org> wrote:
>
> > On Tue, 22 Aug 2017 13:02:03 +0000
> > "A. James Lewis" <james at fsck.co.uk> wrote:
> >
> >> I have krb5-config krb5-user, but not libpam-krb5... I'm slightly
> >> fuzzy about how this works, but I thought the interaction with
> >> kerberos was implemented via winbind, so I wasn't expecting this
> >> package to be installed... certainly there is no dependency that has
> >> pulled it in.
> >>
> >> James
> >
> > Well, it is what makes PAM use kerberos with winbind, this is the
> > winbind line from /etc/pam.d/common-auth with it installed:
> >
> > auth [success=1 default=ignore] pam_winbind.so krb5_auth
> > krb5_ccache_type=FILE cached_login try_first_pass
> >
> > And all the commands you have posted work for me.
> >
> > Rowland
Rowland Penny
2017-Aug-22 15:01 UTC
[Samba] Windows pre-requisites for login with winbind?
On Tue, 22 Aug 2017 14:35:59 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> I think we're getting confused with the kerberos issue created by my
> errant DNS server... with the original problem, all the commands I
> have sent showing an issue with kerberos were working originally,
> with the config which explicitly defined "kdc =", and are now working
> again, with your new config, now that I have fixed the DNS... but the
> original problem is that I have a very small number of users which
> don't work.... winbind says that they don't exist, while every other
> user works just fine...
>
> Those 3 users that don't work are the most recent 3 to be added, and
> since I don't have control over the AD, I can't say if there's some
> parameter or group they don't have which stops them from working, but
> I don't think it's a co-incidence that they are not "random" users,
> but only "new" users.
>
> Obviously since they can log in to windows desktops, winbind
> behaviour must be different to Windows... but surely there has to be
> an AD component to this too.
>
> The common-auth line you have below is precisely what I have.
>

Well, yes you probably have, that comes from the libpam-winbind package, you just need the 'glue' that comes from the libpam-krb5 package.

Now that you are using the 'rid' backend, you do not need to add anything to AD, so your new users should work.

Rowland
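
Added example, not part of the thread: with the 'rid' backend winbind computes each Unix ID as RID - BASE_RID + LOW_RANGE_ID and discards any result outside the configured `idmap config DOMAIN : range`, so an account whose RID is too large for the range cannot be mapped, and recently created accounts tend to have the largest RIDs. The sketch below reproduces that arithmetic for SIDs such as those printed by `wbinfo -n`; the domain name EXAMPLE, the smb.conf fragment and the SIDs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): idmap_rid arithmetic and range filter.
# The domain name EXAMPLE, the smb.conf text and the SIDs are constructed.

SAMPLE_CONF='[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-19999'

# Read smb.conf text on stdin; print "LOW HIGH" from "idmap config DOMAIN : range".
idmap_range() {
    sed -n "s/^[[:space:]]*idmap config $1[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p"
}

# rid_map SID LOW HIGH [BASE_RID]
# Prints the Unix ID, or "unmapped: ..." with status 1 when it falls outside LOW-HIGH.
rid_map() {
    rid=${1##*-}                     # the RID is the last sub-authority of the SID
    low=$2; high=$3; base=${4:-0}    # base_rid defaults to 0
    id=$((rid - base + low))         # ID = RID - BASE_RID + LOW_RANGE_ID
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        echo "unmapped: RID $rid -> ID $id is outside $low-$high"
        return 1
    fi
    echo "$id"
}

# check_sids DOMAIN SID...: map each SID with the range found in SAMPLE_CONF.
check_sids() {
    range=$(printf '%s\n' "$SAMPLE_CONF" | idmap_range "$1"); shift
    [ -n "$range" ] || { echo "no idmap range configured for that domain"; return 2; }
    for sid in "$@"; do
        # $range is deliberately unquoted so it splits into LOW and HIGH
        printf '%s  %s\n' "$sid" "$(rid_map "$sid" $range || true)"
    done
}

# An older account (small RID) maps; a newer one (large RID) is filtered out.
check_sids EXAMPLE \
    S-1-5-21-1111111111-2222222222-3333333333-1105 \
    S-1-5-21-1111111111-2222222222-3333333333-10342
```
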
A. James Lewis
2017-Aug-22 15:03 UTC
[Samba] Windows pre-requisites for login with winbind?
The team that run the AD say that there are no replication issues, and certainly those users can log on to every other system, including some very old Samba 3.x based systems... how would I go about determining if this is the case?

BTW, those users have been created around a month ago, I would imagine that replication would have happened in that time.

James

August 22, 2017 3:53 PM, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Did you already check the database replication of the DCs?
> If one is out of sync, and the PC is connecting to that one, you have errors.
> And what does the Windows event ID tell you?
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of A. James Lewis via samba
>> Sent: Tuesday 22 August 2017 16:36
>> To: Rowland Penny; samba at lists.samba.org
>> Subject: Re: [Samba] Windows pre-requisites for login with winbind?
>>
>> I think we're getting confused with the kerberos issue
>> created by my errant DNS server... with the original problem,
>> all the commands I have sent showing an issue with kerberos
>> were working originally, with the config which explicitly
>> defined "kdc =", and are now working again, with your new
>> config, now that I have fixed the DNS... but the original
>> problem is that I have a very small number of users which
>> don't work.... winbind says that they don't exist, while
>> every other user works just fine...
>>
>> Those 3 users that don't work are the most recent 3 to be
>> added, and since I don't have control over the AD, I can't
>> say if there's some parameter or group they don't have which
>> stops them from working, but I don't think it's a
>> co-incidence that they are not "random" users, but only "new" users.
>>
>> Obviously since they can log in to windows desktops, winbind
>> behaviour must be different to Windows... but surely there
>> has to be an AD component to this too.
>>
>> The common-auth line you have below is precisely what I have.
>>
>> James
>>
>> August 22, 2017 2:20 PM, "Rowland Penny via samba"
>> <samba at lists.samba.org> wrote:
>>
>> On Tue, 22 Aug 2017 13:02:03 +0000
>> "A. James Lewis" <james at fsck.co.uk> wrote:
>>
>> I have krb5-config krb5-user, but not libpam-krb5... I'm slightly
>> fuzzy about how this works, but I thought the interaction with
>> kerberos was implemented via winbind, so I wasn't expecting this
>> package to be installed... certainly there is no
>> dependency that has
>> pulled it in.
>>
>> James
>>
>> Well, it is what makes PAM use kerberos with winbind, this is the
>> winbind line from /etc/pam.d/common-auth with it installed:
>>
>> auth [success=1 default=ignore] pam_winbind.so krb5_auth
>> krb5_ccache_type=FILE cached_login try_first_pass
>>
>> And all the commands you have posted work for me.
>>
>> Rowland