Diego Zuccato wrote:
Replying to myself to add some more information...
1) In our organization we have two "primary" domains (a lot of others,
but they're not interesting here). I tried changing the default
'PERSONALE' (where machine is joined) to 'STUDENTI' (most users are in
this one, but I'm not allowed to join a machine to it) with no luck.
It seems "winbind use default domain" is ignored when security = ads ...
2) I can't make users login with their UPN ([email protected]
for users in STUDENTI domain, [email protected] for users in PERSONALE
domain)
I just tested again, and even "wbinfo -n [email protected]" is not
resolved. This looks like a regression: I have now updated to 3.4.3,
while 3.3.8 resolved it correctly (although even there I could not log
in by UPN).
3) It seems "winbind separator" is incompatible with Kerberos logins: if
I set it, all logins fail.
This still applies.
Attached are the relevant configuration files (they might be useful to
others, e.g. for consistent ID mapping across multiple domains).
--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: [email protected]
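# krb5.conf - Kerberos client configuration for a workstation joined to
# PERSONALE.DIR.UNIBO.IT whose users mostly live in STUDENTI.DIR.UNIBO.IT.
# Full-line "#" comments only; do not add trailing comments to values.
[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/admin.log
[libdefaults]
# Lifetime requested for initial tickets (an unadorned integer is read as
# seconds, i.e. about 6.7 hours here).
ticket_lifetime = 24000
# Realm assumed for principals typed without @REALM. Note it is STUDENTI
# while the machine itself is joined to PERSONALE (see smb.conf).
default_realm = STUDENTI.DIR.UNIBO.IT
# Review: the original file pinned default_tgs_enctypes and
# default_tkt_enctypes to des-cbc-crc / des-cbc-md5. Single DES is a
# broken cipher, and KDCs that have DES disabled (the default on newer
# domain controllers) answer such requests with an error, so every ticket
# request fails. The pin has been removed so the library negotiates its
# built-in list of strong enctypes (AES, RC4) with the KDC instead. If an
# explicit list is ever needed, prefer aes256-cts-hmac-sha1-96 and friends,
# never DES.
# Hostname -> realm mapping via DNS TXT records and KDC discovery via DNS
# SRV records. Both trust whatever the resolver returns, so keep this host
# on a trusted resolver; the explicit [realms]/[domain_realm] entries below
# take precedence for the realms they cover.
dns_lookup_realm = true
dns_lookup_kdc = true
# Correct for clock skew using the KDC's timestamp.
kdc_timesync = 1
ccache_type = 4
# Forwardable and proxiable tickets let any service the user authenticates
# to request further tickets on the user's behalf. Keep them only if
# delegation is actually needed (e.g. Kerberized home directories);
# otherwise set both to false to limit what a compromised service can do.
forwardable = true
proxiable = true
[realms]
# The parent realms are pointed at the PERSONALE DC; presumably the forest
# root is reachable through it - verify against the DC list.
UNIBO.IT = {
kdc = personale.dir.unibo.it
}
DIR.UNIBO.IT = {
kdc = personale.dir.unibo.it
}
PERSONALE.DIR.UNIBO.IT = {
kdc = personale.dir.unibo.it
}
STUDENTI.DIR.UNIBO.IT = {
kdc = studenti.dir.unibo.it
}
[domain_realm]
.personale.dir.unibo.it = PERSONALE.DIR.UNIBO.IT
personale.dir.unibo.it = PERSONALE.DIR.UNIBO.IT
.studenti.dir.unibo.it = STUDENTI.DIR.UNIBO.IT
studenti.dir.unibo.it = STUDENTI.DIR.UNIBO.IT
[login]
# Kerberos 4 settings: obsolete, harmless, kept for old login(1) builds.
krb4_get_tickets = false
krb4_convers = false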
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
# Read by pam_winbind.so. Both "#" and ";" start full-line comments; ";"
# is used here for keys that are commented out at their default value.
[global]
# turn on debugging
#debug = yes
# turn on extended PAM state debugging
#debug_state = yes
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
# NOTE: offline logon means winbindd keeps the credential material needed
# to verify each cached user in its on-disk cache; a copied or stolen disk
# exposes it, so pair this with full-disk encryption on portable machines.
cached_login = yes
# authenticate using kerberos
# The password is verified against the domain KDC instead of via NTLM
# (winbindd may still fall back to NTLM if Kerberos fails - confirm
# against the pam_winbind documentation for this version).
krb5_auth = yes
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
# The file cache belongs to the logged-in user; it is only kept fresh
# because smb.conf sets "winbind refresh tickets = Yes".
krb5_ccache_type = FILE
# make successful authentication dependend on membership of one SID
# (can also take a name)
# Left unset, so any account in either domain that can authenticate may
# log in on this host. Setting this to a group SID is the simplest way to
# restrict who can log in here.
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
# omit pam conversations
;silent = no
# create homedirectory on the fly
;mkhomedir = no
[global]
# smb.conf for an AD domain member: Kerberos is used for the machine's own
# authentication to the DCs and, through pam_winbind, for user logins.
security = ADS
# Domain this machine is joined to. Only this domain's name is stripped by
# "winbind use default domain" below, so STUDENTI users still need a
# domain prefix - which matches point 1 in the message above.
workgroup = PERSONALE
realm = PERSONALE.DIR.UNIBO.IT
server string = %v
encrypt passwords = Yes
client use spnego = Yes
# When Kerberos is not used, outgoing NTLM authentication must be NTLMv2.
client ntlmv2 auth = Yes
# 2 = also refuse anonymous IPC$ connections, so unauthenticated hosts
# cannot enumerate users, shares or policies from this machine.
restrict anonymous = 2
log file = /var/log/samba/log.%m
# Level 3 is verbose for a production host; the logs carry usernames and
# client addresses, so keep the log directory readable by root only.
log level = 3
max log size = 50
# Fixed 8 KiB socket buffers are an old recommendation that caps
# throughput on modern networks; kernel autotuning does better.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
# Kept commented out on purpose: the message above reports that setting a
# separator makes every Kerberos login fail.
# winbind separator = -
# Enumeration is off so getent does not walk the whole directory; it also
# limits what a local user can harvest about the domains.
winbind enum users = No
winbind enum groups = No
# Offline logon caches credential material on this host's disk
# (see cached_login in pam_winbind.conf).
winbind offline logon = Yes
winbind nested groups = Yes
winbind normalize names = Yes
# Renew the users' Kerberos ticket caches while they stay logged in.
winbind refresh tickets = Yes
winbind use default domain = yes
# Overall id range winbind may hand out; "winbind uid/gid" looks like the
# older spelling of "idmap uid/gid" - confirm with "testparm -v". The
# per-domain ranges below fall inside it.
winbind uid = 100000-100000000
winbind gid = 100000-100000000
# "idmap domains" was the pre-3.4 way to list the mapped domains; it seems
# to have been disabled when upgrading, and whether 3.4 still honours the
# ":default" keys should be checked with "testparm -v".
# idmap domains = PERSONALE STUDENTI
idmap config PERSONALE:default = no
idmap config STUDENTI:default = yes
# idmap_rid derives the id from the SID alone (range start + RID -
# base_rid), so every host carrying this file produces the same ids with
# no shared allocation database. The two ranges do not overlap, hence a
# uid identifies exactly one (domain, RID) pair.
idmap config PERSONALE:backend = rid
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:range = 100000 - 49999999
idmap config STUDENTI:backend = rid
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:range = 50000000 - 99999999
# %D = domain, %U = user: keeps the two domains' home directories apart.
template homedir = /home/%D/%U
template shell = /bin/bash