Hi list! I've been trying to get a fileserver with kerberised NFSv4 and Samba going on a RHEL 6.3 box, with a 2k8r2 AD backend, using the RPMs provided by Red Hat (3.5.10-125). I also tried the RPMs from SerNet (both 3.6 and 3.5) with no success...
The join to the domain works:

  # net ads join createcomputer="Servers/LINUX systems" createupn="host/<fqdn>@<DOM>.LOCAL" -U sa_join-srv

works and generates a /etc/krb5.keytab.

  # net ads keytab add nfs -P

works and adds an NFS service principal to the AD.

  # net ads status -P

gives the machine account information, which is looking good (only for NFS we have to disable the PAC by setting the userAccountControl to 33554432).

After starting winbind I'm able to wbinfo -u, wbinfo -g, wbinfo -i <account> etc. getent passwd <account> and id <account> all work and give all the needed information (uid, gid, etc.). And with nsswitch, idmapd and rpcsvcgssd correctly configured, NFS works. So all seems OK.

But then after some time (could be hours, even days, but mostly minutes) the TRUST is lost, wbinfo -t fails, and

  $ smbclient -U <DOM>\\<account> //<fqdn>/<share>

fails with NT_STATUS_NO_TRUST_SAM_ACCOUNT.

  $ smbclient -k //<fqdn>/<share>

still works, but the NTLM version as above fails.

We found out that the sAMAccountType changes from machine account to user account.

  # net ads testjoin
  Join is OK

It is fixed by leaving/joining and re-setting the userAccountControl in the AD and waiting till it fails again...

On an interesting side note, an NFS client box that uses the same join-to-domain stuff and uses winbind to provide the backend to idmapd (nsswitch etc.) does not seem to suffer from this TRUST loss....

I've been pulling my hair out for the last days, and have a feeling that it is something 'simple', something overlooked, assumed default but not working. Or I could try blaming it on the AD :o)

Shares are registry based and consist only of a homes$ and a groups$ share.
-- smb.conf ---

[global]
    workgroup = <DOM>
    realm = <DOM>.LOCAL
    netbios name = <Hostname>
    server string = Linux fileserver
    preferred master = no
    domain master = no
    server string = %h
    security = ADS
    encrypt passwords = yes
    registry shares = yes
    wide links = no
    kerberos method = system keytab
    create krb5 conf = no
    dedicated keytab file = /etc/krb5.keytab

    # disable CUPS warning
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # log level depends on environment
    log level = 5
    log file = /var/log/samba/%m.log
    max log size = 5000

    winbind separator = +
    winbind use default domain = true
    winbind offline logon = false
    winbind refresh tickets = true
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind nss info = rfc2307

    # deprecated, could be removed I think (is handled by idmap config * now I presume)
    idmap uid = 500-999
    idmap gid = 500-999

    idmap config <DOM> : backend = ad
    idmap config <DOM> : readonly = yes
    idmap config <DOM> : range = 1000-19999999999
    idmap config <DOM> : schema_mode = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 500-999

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
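An added example, not part of the original post and not Samba's own code: a POSIX sh helper that decodes an AD userAccountControl bitmask and reports the sAMAccountType that AD derives from its account-type bits. The bit values are the documented ones (NORMAL_ACCOUNT 0x200 = 512, WORKSTATION_TRUST_ACCOUNT 0x1000 = 4096, SERVER_TRUST_ACCOUNT 0x2000 = 8192, NO_AUTH_DATA_REQUIRED 0x2000000 = 33554432; SAM_NORMAL_USER_ACCOUNT 0x30000000 = 805306368, SAM_MACHINE_ACCOUNT 0x30000001 = 805306369). The check a practitioner wants here: 33554432 on its own is NO_AUTH_DATA_REQUIRED with no account-type bit at all, so the PAC-disabling value should be OR-ed into the existing userAccountControl (4096 | 33554432 = 33558528) rather than written in place of it, or the machine account no longer carries WORKSTATION_TRUST_ACCOUNT. The function names are my own; the sample values are constructed.

```shell
#!/bin/sh
# Decode AD userAccountControl bits and derive sAMAccountType.
# Added example; bit values from the AD userAccountControl documentation.

UF_ACCOUNTDISABLE=2
UF_NORMAL_ACCOUNT=512
UF_INTERDOMAIN_TRUST_ACCOUNT=2048
UF_WORKSTATION_TRUST_ACCOUNT=4096
UF_SERVER_TRUST_ACCOUNT=8192
UF_DONT_EXPIRE_PASSWD=65536
UF_NO_AUTH_DATA_REQUIRED=33554432   # 0x2000000: tells the KDC to omit the PAC

SAM_NORMAL_USER_ACCOUNT=805306368   # 0x30000000
SAM_MACHINE_ACCOUNT=805306369       # 0x30000001
SAM_TRUST_ACCOUNT=805306370         # 0x30000002

# Print the symbolic names of the bits set in a userAccountControl value.
uac_flags() {
    uac=$1
    out=""
    if [ $((uac & UF_NORMAL_ACCOUNT)) -ne 0 ]; then out="$out NORMAL_ACCOUNT"; fi
    if [ $((uac & UF_WORKSTATION_TRUST_ACCOUNT)) -ne 0 ]; then out="$out WORKSTATION_TRUST_ACCOUNT"; fi
    if [ $((uac & UF_SERVER_TRUST_ACCOUNT)) -ne 0 ]; then out="$out SERVER_TRUST_ACCOUNT"; fi
    if [ $((uac & UF_INTERDOMAIN_TRUST_ACCOUNT)) -ne 0 ]; then out="$out INTERDOMAIN_TRUST_ACCOUNT"; fi
    if [ $((uac & UF_ACCOUNTDISABLE)) -ne 0 ]; then out="$out ACCOUNTDISABLE"; fi
    if [ $((uac & UF_DONT_EXPIRE_PASSWD)) -ne 0 ]; then out="$out DONT_EXPIRE_PASSWD"; fi
    if [ $((uac & UF_NO_AUTH_DATA_REQUIRED)) -ne 0 ]; then out="$out NO_AUTH_DATA_REQUIRED"; fi
    printf '%s\n' "${out# }"
}

# The sAMAccountType AD computes from the account-type bits of userAccountControl.
uac_sam_type() {
    uac=$1
    if [ $((uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT))) -ne 0 ]; then
        echo "$SAM_MACHINE_ACCOUNT"
    elif [ $((uac & UF_INTERDOMAIN_TRUST_ACCOUNT)) -ne 0 ]; then
        echo "$SAM_TRUST_ACCOUNT"
    else
        echo "$SAM_NORMAL_USER_ACCOUNT"
    fi
}

# Add a flag to an existing userAccountControl value without dropping the others.
uac_set_flag() {
    echo $(( $1 | $2 ))
}

# Walk-through with constructed values: a freshly joined machine account (4096),
# the value the post writes in its place (33554432), and the OR-ed value (33558528).
for v in 4096 33554432 "$(uac_set_flag 4096 "$UF_NO_AUTH_DATA_REQUIRED")"; do
    printf 'userAccountControl=%s  flags=[%s]  sAMAccountType=%s\n' \
        "$v" "$(uac_flags "$v")" "$(uac_sam_type "$v")"
done
```

Run the same decode against what the DC actually holds (for instance the userAccountControl and sAMAccountType attributes returned by a `net ads search` for the computer object) each time the trust is lost; if the stored value is 33554432, the type bit was replaced rather than added.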
