On 10.07.20 12:25, Rowland penny via samba wrote:
> On 10/07/2020 11:10, basti via samba wrote:
>> Hello,
>> I am trying to set up a Linux laptop for home office with login for AD users.
>> The last few days it worked as expected.
>>
>> Today wbinfo -u returns no users; getent passwd <username> also returns nothing.
>>
>> wbinfo -a "SAMDOM\user"
>> Enter SAMDOM\user's password:
>> plaintext password authentication succeeded
>> Enter SAMDOM\user's password:
>> challenge/response password authentication succeeded
>>
>> wbinfo -D SAMDOM also works.
>>
>> laptop smb.conf:
>>
>> [global]
>>         security = ADS
>>         workgroup = SAMDOM
>>         realm = SAMDOM.EXAMPLE.COM
>>
>>         log file = /var/log/samba/%m.log
>>         log level = 1
>>
>>         winbind refresh tickets = Yes
>>         dedicated keytab file = /etc/krb5.keytab
>>         kerberos method = secrets and keytab
>>         winbind use default domain = yes
>>
>>         load printers = no
>>         printing = bsd
>>         printcap name = /dev/null
>>         disable spoolss = yes
>>
>>         # Default ID mapping configuration for local BUILTIN accounts
>>         # and groups on a domain member. The default (*) domain:
>>         # - must not overlap with any domain ID mapping configuration!
>>         # - must use a read-write-enabled back end, such as tdb.
>>         idmap config * : backend = tdb
>>         idmap config * : range = 1000-2000
>>
>>         # idmap config for the SAMDOM domain
>>         # alf has uid 1006
>>         idmap config SAMDOM:backend = ad
>>         idmap config SAMDOM:schema_mode = rfc2307
>>         idmap config SAMDOM:range = 2001-999999
>>
>>         template homedir = /home/%U
>>         template shell = /bin/bash
>>
>>         client use spnego = yes
>>         client ntlmv2 auth = yes
>>         encrypt passwords = yes
>>         restrict anonymous = 2
>>
>>         # fix dfs errors in log ?
>>         host msdfs = no
>>
>>         # https://wiki.samba.org/index.php/PAM_Offline_Authentication
>>         winbind offline logon = yes
>>         winbind cache time = 15768000
>>
>>         winbind enum users = yes
>>         winbind enum groups = yes
>>
>> cat /etc/krb5.conf
>> [libdefaults]
>>     default_realm = SAMDOM.EXAMPLE.COM
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = true
>>
>
> What OS and version is this ?

debian 10

> What Samba version ?

2:4.9.5+dfsg-5+deb10u1

only winbind installed.

> Why are you using such low ID numbers, is your domain a classicupgraded one ?

yes

> Rowland
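Added example, not code from the thread or from Samba: a small POSIX shell check for the idmap ranges in an smb.conf like the one quoted above. It reads the two "idmap config ... : range" lines, reports whether the default "*" range overlaps the domain range (the comment in the config says it must not), and tests whether a given uidNumber falls inside the range that "idmap config SAMDOM:backend = ad" is allowed to hand out; winbind does not map a user whose rfc2307 uidNumber lies outside that range, so such a user never shows up in wbinfo -u or getent passwd. The smb.conf text is constructed inline to mirror the quoted one, the uidNumber 1006 is taken from the "alf has uid 1006" comment, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the list thread or from Samba): sanity-check the
# idmap ranges of a domain member's smb.conf.
#   1. the default "*" range must not overlap a domain range;
#   2. a user's uidNumber (rfc2307, from AD) must lie inside the domain range,
#      otherwise "idmap config DOM:backend = ad" will not map that user.
# The config below is constructed here to mirror the one quoted in the thread.

SMB_CONF="$(cat <<'EOF'
[global]
        security = ADS
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.COM
        idmap config * : backend = tdb
        idmap config * : range = 1000-2000
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:range = 2001-999999
EOF
)"

# idmap_range DOMAIN -> prints "LOW HIGH" for that domain's idmap range.
# Accepts both spacing styles seen in the thread ("* : range", "SAMDOM:range").
idmap_range() {
    d=$1
    [ "$d" = '*' ] && d='\*'          # "*" must be escaped inside the sed regex
    printf '%s\n' "$SMB_CONF" |
      sed -n "s/^[[:space:]]*idmap config[[:space:]]*${d}[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p"
}

# ranges_overlap LOW1 HIGH1 LOW2 HIGH2 -> status 0 if the two ranges overlap.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# uid_in_domain_range DOMAIN UID -> status 0 if UID lies inside DOMAIN's range.
uid_in_domain_range() {
    set -- "$2" $(idmap_range "$1")   # $1=UID $2=LOW $3=HIGH
    [ -n "$2" ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_idmap DOMAIN UID -> prints every problem found; status 0 only if none.
check_idmap() {
    dom=$1 uidn=$2 rc=0
    def_range=$(idmap_range '*')
    dom_range=$(idmap_range "$dom")
    [ -n "$dom_range" ] || { echo "no idmap range configured for $dom"; return 2; }
    set -- $def_range $dom_range      # $1,$2 = default range; $3,$4 = domain range
    if [ -n "$def_range" ] && ranges_overlap "$1" "$2" "$3" "$4"; then
        echo "ERROR: default (*) range $1-$2 overlaps $dom range $3-$4"
        rc=1
    fi
    if ! uid_in_domain_range "$dom" "$uidn"; then
        echo "ERROR: uidNumber $uidn is outside $dom range $3-$4; winbind will not map this user"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: uidNumber $uidn is inside $dom range $3-$4"
    return $rc
}

# Demo: alf's uidNumber 1006 (from the comment in the quoted config).
check_idmap SAMDOM 1006
echo "check_idmap exit status: $?"
```

On a live domain member the same two facts come from "testparm -s | grep 'idmap config'" for the ranges and "wbinfo --uid-info <uid>" or "getent passwd <user>" for whether winbind actually maps the user; the script only shows the arithmetic winbind applies.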
On 10/07/2020 11:31, basti via samba wrote:
> On 10.07.20 12:25, Rowland penny via samba wrote:
>> On 10/07/2020 11:10, basti via samba wrote:
>>> Hello,
>>> I am trying to set up a Linux laptop for home office with login for AD users.
>>> The last few days it worked as expected.
>>>
>>> Today wbinfo -u returns no users; getent passwd <username> also returns nothing.
>>>
>>> [...]
>>>
>> What OS and version is this ?
> debian 10
>> What Samba version ?
> 2:4.9.5+dfsg-5+deb10u1
>
> only winbind installed.

So you only require authentication

Have you tried restarting winbind ?

Rowland
On 10.07.20 12:39, Rowland penny via samba wrote:
>>> What OS and version is this ?
>> debian 10
>>> What Samba version ?
>> 2:4.9.5+dfsg-5+deb10u1
>>
>> only winbind installed.
> So you only require authentication
>
> Have you tried restarting winbind ?

Yes, restarting winbind, the network and the whole system does not help.

I have started winbind in debug level 3 and get the following:

...
Successfully contacted LDAP server 192.168.30.2
get_dc_list: preferred server list: "dc1.samdom.example.com, *"
[ 2073]: request interface version (version = 30)
[ 2073]: request interface version (version = 30)
[ 2073]: request misc info
[ 2073]: request netbios name
[ 2073]: request domain name
[ 2073]: domain_info [KES]
list_groups SAMDOM
[ 2075]: request interface version (version = 30)
[ 2075]: request interface version (version = 30)
[ 2075]: request misc info
[ 2075]: request netbios name
[ 2075]: request domain name
[ 2075]: domain_info [KES]
list_users SAMDOM          <<<-- no result

> Rowland