I made the correction to the krb5.conf to remove the duplicate entry and
add the DC IPs and it still does not work. No such user.
Any other ideas? Any other configs that should be in place?
On Sat, Mar 16, 2019 at 11:03 AM L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:
> since I'm not driving now..
>
> the krb5.conf is wrong.
> double entries, and put in the DC IPs
>
>
> MYDOMAIN.COM = {
> kdc = dc1.MYDOMAIN.COM
> kdc = dc2.MYDOMAIN.COM
> }
>
>
> but use as Rowland showed first and try adding the Domain and RealmDomain
> setting in idmapd.conf
> (man idmap.conf)
>
> Greetz
>
> Louis
>
> Op 15 mrt. 2019 14:59 schreef Rowland Penny via samba <
> samba at lists.samba.org>:
>
> On Fri, 15 Mar 2019 09:17:34 -0400
> Tyrus Shivers <tyrus.shivers at bestgateeng.com> wrote:
>
> > Rowland,
> >
> > These are all VMs I am working on. I have tried it on several
> > different "test" VMs. Blew away VMs and created new ones, still does
> > not work.
>
> This is very, very strange.
> You are joining the domain with:
>
> net ads join -U Administrator
>
> Once joined, what does this produce:
>
> net ads testjoin
>
> >
> > It takes me a little time to type the info from the directories
> > because I cannot copy/past due to network separation.
>
> Can you explain 'network separation' ?
>
> >
> > Contents below:
> >
> > /etc/hostname
> > testadmin
>
> Nothing wrong there.
>
> >
> > /etc/hosts
> > 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> > ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> > IPADDR testadmin.mydomain.com testadmin
> > IPADDR DC1.mydomain.com DC1
>
> Again, nothing really wrong, but you don't (or is that shouldn't) need
> the DC info.
>
> >
> > /etc/resolv.conf
> > search mydomain.com
> > nameserver "ipaddress for DC1"
> > nameserver "ipaddress for DC2"
>
> Nothing wrong there.
>
> >
> > /etc/krb5.conf
> > includedir /var/lib/sss/pubconf/krb5.include.d/
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > dns_lookup_realm = false
> > ticket_lifetime = 24hr
> > renew_lifetime = 7d
> > forwardable = true
> > rdns = false
> > # default_realm = EXAMPLE.COM
> > default_ccache_name = KEYRING:persistent:%{uid}
> >
> > default_realm = MYDOMAIN.COM
> > [realms]
> > #EXAMPLE.COM = {
> > # kdc = kerberos.example.com
> > # admin_server = kerberos.example.com
> > #}
> >
> > MYDOMAIN.COM = {
> > kdc = dc1.MYDOMAIN.COM
> > }
> >
> > MYDOMAIN.COM = {
> > kdc = dc1.MYDOMAIN.COM
> > }
> >
> > [domain_realm]
> > #.example.com = EXAMPLE.COM
> > #example.com = EXAMPLE.COM
> > mydomain.com = MYDOMAIN.COM
> > .mydomain.com = MYDOMAIN.COM
> >
>
> Mine is:
>
> [libdefaults]
> default_realm = SAMDOM.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> But yours should work.
>
> >
> > /etc/samba/smb.conf
> > workgroup = mydomain
> > realm = mydomain.com
> > security = ads
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config MYDOMAIN : backend = rid
> > idmap config MYDOMAIN : range = 10000-19999
> > allow trusted domain = no
> > template shell = /bin/bash
> > winbind refresh tickets = yes
> > restrict anonymous = 2
> >
>
> About the only real difference between yours and mine is this line in
> mine:
>
> winbind use default domain = yes
>
> and that only turns off the domain name in user & group searches i.e.
> 'DOMAIN\username' just becomes 'username'
>
> >
> > /etc/nsswitch.conf
> > passwd: files winbind
> > shadow: files
> > group: files winbind
> > #initgroups : files
> >
> > hosts: files dns myhostname
> >
> > bootparams: nisplus [NOTFOUND=return] files
> >
> > ethers: files
> > netmasks: files
> > networks: files
> > protocols: files
> > rpc: files
> > services: files
> >
> > netgroup: files
> > publickey: nisplus
> >
> > automount: files
> > aliases: files nisplus
> >
>
> Again nothing wrong.
>
> But I get:
>
> [root@cen7member ~]# getent passwd rowland
> rowland:*:11107:10513::/home/rowland:/bin/bash
> [root@cen7member ~]# id rowland
> uid=11107(rowland) gid=10513(domain users) .............
>
> I wonder if this is a 'time' problem, is the time the same on the DC
> and this Unix domain member ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
--
V/R
Tyrus Shivers
Bestgate Engineering LLC
Direct: (410) 872-2457
tyrus.shivers at bestgateeng.com
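As an added example that is not part of this thread (and not Samba's or MIT Kerberos's own code), here is a small Python checker for the krb5.conf defect Louis points out: a realm stanza defined twice, and only one kdc listed instead of both DCs. The parser is a deliberate simplification of the krb5.conf grammar (sections, `key = value` lines and one level of `NAME = { ... }` groups; include lines are skipped), and the two configurations embedded in it are constructed to mirror the posted file before and after the suggested fix. It only inspects the file; it does not replace `net ads testjoin` or the clock comparison Rowland asks about.

```python
import re
from typing import Dict, List, Tuple, Union

Entry = Tuple[str, Union[str, List[Tuple[str, str]]]]

# Constructed sample shaped like the krb5.conf quoted in the thread; the second
# MYDOMAIN.COM stanza is deliberately present because that duplicate is the defect.
BROKEN_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log

[libdefaults]
dns_lookup_realm = false
default_realm = MYDOMAIN.COM

[realms]
MYDOMAIN.COM = {
 kdc = dc1.MYDOMAIN.COM
}
MYDOMAIN.COM = {
 kdc = dc1.MYDOMAIN.COM
}

[domain_realm]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM
"""

# Constructed "after" version following the advice in the thread: one stanza, both DCs.
FIXED_KRB5_CONF = """\
[libdefaults]
dns_lookup_realm = false
default_realm = MYDOMAIN.COM

[realms]
MYDOMAIN.COM = {
 kdc = dc1.MYDOMAIN.COM
 kdc = dc2.MYDOMAIN.COM
}

[domain_realm]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_krb5_conf(text: str) -> Dict[str, List[Entry]]:
    """Minimal krb5.conf parser (simplification assumed by this example):
    [sections], 'key = value' lines and one level of 'NAME = { ... }' groups.
    Repeated keys are kept rather than overwritten so duplicate stanzas stay
    visible; include/includedir lines and nested groups are not handled."""
    sections: Dict[str, List[Entry]] = {}
    current = None            # [section] currently being filled
    group_name = None         # '{ ... }' group currently being filled, if any
    group: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or line.startswith(("include ", "includedir ")):
            continue
        m = SECTION_RE.match(line)
        if m and group_name is None:
            current = m.group(1).strip()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue                              # text before the first section
        if group_name is not None:
            if line == "}":
                sections[current].append((group_name, group))
                group_name, group = None, []
            else:
                key, _, value = line.partition("=")
                group.append((key.strip(), value.strip()))
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            group_name, group = key, []
        else:
            sections[current].append((key, value))
    return sections


def check_realm_config(text: str) -> List[str]:
    """Return findings about the realm setup; an empty list means nothing flagged."""
    cfg = parse_krb5_conf(text)
    findings: List[str] = []
    libdefaults = {k: v for k, v in cfg.get("libdefaults", []) if isinstance(v, str)}
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        findings.append("no default_realm in [libdefaults]")

    # Group realm stanzas by name so a realm written twice is reported once.
    stanzas: Dict[str, List[List[Tuple[str, str]]]] = {}
    for name, body in cfg.get("realms", []):
        if isinstance(body, list):
            stanzas.setdefault(name, []).append(body)
    for name, bodies in stanzas.items():
        if len(bodies) > 1:
            findings.append(f"realm {name} is defined {len(bodies)} times in [realms]")
        kdcs = [v for k, v in bodies[0] if k == "kdc"]
        if not kdcs:
            findings.append(f"realm {name} has no kdc entry")
        elif len(kdcs) == 1:
            findings.append(f"realm {name} lists a single kdc ({kdcs[0]}); no failover DC")

    # MIT krb5 defaults dns_lookup_kdc to true, so a missing stanza only matters
    # when DNS lookup of the KDC has been switched off.
    if default_realm and default_realm not in stanzas \
            and libdefaults.get("dns_lookup_kdc", "true").lower() != "true":
        findings.append(f"default_realm {default_realm} has no [realms] stanza and dns_lookup_kdc is off")

    mapped = {v for k, v in cfg.get("domain_realm", []) if isinstance(v, str)}
    if default_realm and default_realm not in mapped:
        findings.append(f"no [domain_realm] mapping points at {default_realm}")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(label, check_realm_config(conf) or ["ok"])
```

Run it against the real file with `check_realm_config(open("/etc/krb5.conf").read())`; on the constructed "broken" sample it reports the duplicate stanza and the single kdc, and on the "fixed" sample it reports nothing.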