Hi Roger, [...]
This is the entire file (as made by Yast):
[...]
[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    minimum_uid = 1
}
It seems not to have:
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
Most of these have been written to the appdefaults section, as it seems. This is ok, I suppose. [...]
What happens if you run "kinit <someuser>"? Do you get a password prompt? And if you enter the password, do you get a ticket (klist)?
When I tried a user from the domain, it seems it was ok. There was no complaint:
sto-opq-src:~ # kinit roropq
Password for roropq@RAMBOLL.RAMBOLL-GROUP.GLOBAL.NETWORK:
sto-opq-src:~ #
When I tried a non-existent user, I got:
sto-opq-src:~ # kinit roger
kinit: Client 'roger@RAMBOLL.RAMBOLL-GROUP.GLOBAL.NETWORK' not found in Kerberos database while getting initial credentials
sto-opq-src:~ #
So if this is a test of the Kerberos part, it seems to be working.
Ok. Perfect. So you have to look further on the samba part.
smbclient, otoh, made the same complaint (as does Windows about an access error):
sto-opq-src:~ # smbclient --user=roropq //localhost/roger
WARNING: The "idmap gid" option is deprecated
WARNING: The "idmap uid" option is deprecated
Use winbind uid and gid instead. Here are my settings:

; =====================================================================
; WinBindD
; ---------------------------------------------------------------------
# winbind use default domain = yes
winbind uid = 50000-60000
winbind gid = 50000-60000
winbind separator = /
winbind nested groups = yes
winbind enum groups = yes
winbind enum users = yes

But this is not the reason for your problems, just cosmetics.
sto-opq-src:~ # smbclient --user=roropq //localhost/roger
WARNING: The "idmap gid" option is deprecated
WARNING: The "idmap uid" option is deprecated
Domain=[RAMBOLL] OS=[Windows 6.1] Server=[Samba 4.5.3-0-SUSE-oS13.3-x86_64]
tree connect failed: NT_STATUS_ACCESS_DENIED
sto-opq-src:~ #
What if you add the domain to the user name:

sto-opq-src:~ # smbclient --user=<domain>/roropq //localhost/roger

or

sto-opq-src:~ # smbclient --user=<domain>\\roropq //localhost/roger

[...]
So the share is known on localhost...
Does all this imply that kerberos on my machine is ok, but that samba is the problem?
Seems so, yes. What does the corresponding section in smb.conf look like? Something like

# Active Directory
security = ADS
realm = DOMAIN1
password server = <ip server 1> <ip server 2>
server max protocol = smb3

where realm and password server have to match the entries in krb5.conf. Can you increase the log level for authentication in the samba config?

log level = auth:10

If there is nothing more to see, increase all debug classes:

log level = 10

And have a look into the security logs of your domain controllers. Perhaps you can find warnings or error messages regarding the problem there.
-- Roger Oberholtzer
Bye. Michael.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
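A small consistency check for the point Michael makes above (the realm and password server in smb.conf have to match the entries in krb5.conf), as an added example that is not from this thread; the two sample config texts are constructed, and the krb5.conf reader only covers the [libdefaults] and [realms] keys used here.

```python
import configparser

# Constructed samples (not from the thread); the real files would be /etc/krb5.conf and /etc/samba/smb.conf.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.LOCAL
[realms]
    EXAMPLE.LOCAL = {
        kdc = 192.0.2.10
    }
"""
SMB_CONF = """
[global]
security = ADS
realm = EXAMPLE.LOCAL
password server = 192.0.2.10 192.0.2.12
"""

def parse_krb5(text):
    """Minimal krb5.conf reader: returns (default_realm, {realm: [kdc, ...]})."""
    realms, section, realm, default_realm = {}, None, None, None
    lines = [l.split('#', 1)[0].strip() for l in text.splitlines()]
    for line in filter(None, lines):              # skip blanks and comments
        if line.startswith('[') and line.endswith(']'):
            section, realm = line[1:-1].lower(), None
        elif section == 'libdefaults' and line.startswith('default_realm'):
            default_realm = line.split('=', 1)[1].strip()
        elif section == 'realms':
            if line.endswith('{'):                # 'REALM = {' opens a block
                realm = line[:-1].split('=', 1)[0].strip()
                realms[realm] = []
            elif line == '}':
                realm = None
            elif realm and line.startswith('kdc'):
                realms[realm].append(line.split('=', 1)[1].strip())
    return default_realm, realms

def check_ads_config(krb5_text, smb_text):
    """List mismatches between smb.conf [global] and krb5.conf; [] means consistent."""
    default_realm, realms = parse_krb5(krb5_text)
    cp = configparser.ConfigParser(interpolation=None)   # smb.conf uses %U etc.
    cp.read_string(smb_text)
    g = cp['global']
    issues = []
    realm = g.get('realm', '')
    if realm != default_realm:
        issues.append(f"realm mismatch: smb.conf {realm!r} vs krb5.conf {default_realm!r}")
    for host in g.get('password server', '').split():
        if host != '*' and host not in realms.get(realm, []):   # '*' = auto-locate
            issues.append(f"password server {host} is not a kdc for {realm} in krb5.conf")
    return issues
```

With the constructed samples the check reports only the second password server, which is not listed as a kdc for the realm in krb5.conf.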