I have a problem with domain trust between Samba and AD

I configured a Samba PDC and an AD domain.
Here is my topology.
And I saw that the Samba PDC is loading the AD users,
with the getent passwd command and the wbinfo -ug command.
Here is my getent passwd result:
[email protected]:~# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
bind:x:103:106::/var/cache/bind:/bin/false
messagebus:x:104:109::/var/run/dbus:/bin/false
li01:x:1001:1001::/home/li01:/bin/bash
li02:x:1002:1002::/home/li02:/bin/bash
li03:x:1003:1003::/home/li03:/bin/bash
li04:x:1004:1004::/home/li04:/bin/bash
li05:x:1005:1005::/home/li05:/bin/bash
client-03$:x:1006:1006:client-03$ machine account:/var/lib/samba:/bin/false
client-04$:x:1007:1007:client-04$ machine account:/var/lib/samba:/bin/false
win$:x:1008:1008:win$ machine account:/var/lib/samba:/bin/false
WIN\administrator:*:10005:10004:Administrator:/home/administrator:/bin/bash
WIN\guest:*:10006:10005:Guest:/home/guest:/bin/bash
WIN\krbtgt:*:10007:10004:krbtgt:/home/krbtgt:/bin/bash
WIN\wi01:*:10004:10004:wi01:/home/wi01:/bin/bash
WIN\wi02:*:10008:10004:wi02:/home/wi02:/bin/bash
WIN\wi03:*:10009:10004:wi03:/home/wi03:/bin/bash
WIN\wi04:*:10010:10004:wi04:/home/wi04:/bin/bash
WIN\wi05:*:10011:10004:wi05:/home/wi05:/bin/bash
WIN\lin$:*:10012:10004:LIN$:/home/lin_:/bin/bash

And here is my wbinfo -ug result:
[email protected]:~# wbinfo -ug
root
li02
li04
li01
li03
li05
WIN\administrator
WIN\guest
WIN\krbtgt
WIN\wi01
WIN\wi02
WIN\wi03
WIN\wi04
WIN\wi05
WIN\lin$
WIN\domain computers
WIN\domain controller
WIN\schema admins
WIN\enterprise admins
WIN\domain admins
WIN\domain users
WIN\domain guests
WIN\group policy creator owners
WIN\read-only domain controllers
WIN\enterprise read-only domain controllers
WIN\dnsupdateproxy

But there is a problem with the Samba client. I have two clients for each domain: one of them is a Windows 7 client and the other one is Linux.
I can log in as a trusted domain user from the Windows 7 client, but I can't log in as a trusted domain user from the Linux Samba client.
I think there are problems with my smb.conf or krb5.conf.
So I am posting my Samba PDC's smb.conf and krb5.conf, and the Samba client's smb.conf and krb5.conf.
Here is my Samba PDC's smb.conf:
[global]
workgroup = LIN
server string = %h server
wins server = 192.168.0.1
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
domain logons = yes
logon path = \\lin.com\%U\profile
logon drive = H:
logon home = \\lin.com\%U
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
add machine script = /usr/sbin/useradd -c "%u machine account" -d /var/lib/samba -s /bin/false %u
add group script = /usr/sbin/addgroup --force-badname %g
domain master = yes
local master = yes
prefered master = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%U
winbind enum groups = yes
winbind enum users = yes
usershare allow guests = yes

[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %U

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

Here is my PDC's krb5.conf (I skipped the default settings):
[libdefaults]
default_realm = LIN.COM

[realms]
WIN.NET = {
kdc = win.net
admin_server = win.net
}
LIN.COM = {
kdc = lin.com
admin_server = lin.com
}

[domain_realm]
.win.net = WIN.NET
win.net = WIN.NET
.lin.com = LIN.COM
lin.com = LIN.COM

Here is my Samba client’s smb.conf:
[global]
workgroup = LIN
realm = lin.com
netbios name = CLIENT-04
server string = %h server
wins server = 192.168.0.1
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = domain
password server = lin.com
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
domain master = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
usershare allow guests = yes

[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %U

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

And my Samba client's krb5.conf is the same as the PDC's krb5.conf.
I need your help. What should I do?
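The configs above hand the same `idmap uid`/`idmap gid` range to both the PDC and CLIENT-04 without naming an idmap backend, which means Samba's default tdb backend allocates IDs independently on each host, and the client additionally sets `winbind use default domain = yes`, which only affects the primary (LIN) domain's names. The script below is an added example, written for this page and not taken from the post or from the Samba project, that reads smb.conf files and reports those two trust-relevant conditions plus a local-UID collision check. It assumes trimmed copies of the two smb.conf files quoted above and a list of the PDC's local UIDs taken from the getent output; both are constructed inline so it runs offline.

```python
"""Static checks on Samba smb.conf files for the settings that decide whether
trusted-domain users resolve to consistent, non-colliding UNIX IDs."""
import configparser
import re

# Constructed samples, trimmed from the PDC and client smb.conf shown in the post.
PDC_SMB_CONF = """
[global]
workgroup = LIN
security = user
domain logons = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
"""

CLIENT_SMB_CONF = """
[global]
workgroup = LIN
security = domain
password server = lin.com
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
"""

# Constructed from the getent output in the post: UIDs present in the PDC's
# local /etc/passwd (root, user, li01-li05, machine accounts), not winbind ones.
PDC_LOCAL_UIDS = [0, 1000, 1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008]


def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lower-cased and inner whitespace
    collapsed. Only '=' separates key from value, so 'idmap config * : range'
    keeps its colon; interpolation is off so %U, %m and friends stay literal."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = lambda key: re.sub(r"\s+", " ", key.strip().lower())
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def idmap_setting(conf):
    """Return (backend, (lo, hi)) for the default idmap domain '*'. 'idmap uid'
    is the legacy spelling of 'idmap config * : range'; Samba's default backend
    is tdb, which hands out IDs on first sight and keeps the table per host."""
    g = conf.get("global", {})
    backend = (g.get("idmap config * : backend") or g.get("idmap backend", "tdb")).lower()
    rng = g.get("idmap config * : range") or g.get("idmap uid")
    if not rng:
        return backend, None
    lo, hi = (int(x) for x in re.split(r"\s*-\s*", rng.strip()))
    return backend, (lo, hi)


def check_host(name, conf, local_uids):
    """Per-host findings: missing range, local accounts inside the winbind
    range, and the trusted-domain naming consequence of 'use default domain'."""
    g = conf.get("global", {})
    findings = []
    backend, rng = idmap_setting(conf)
    if rng is None:
        findings.append(f"{name}: no idmap range set; winbind cannot map domain SIDs to UIDs")
        return findings
    lo, hi = rng
    clash = sorted(u for u in local_uids if lo <= u <= hi)
    if clash:  # tdb does not consult /etc/passwd before allocating inside its range
        findings.append(f"{name}: local UIDs {clash} lie inside the idmap range {lo}-{hi}; "
                        "a domain account could be mapped onto a local account's files")
    if g.get("winbind use default domain", "no").lower() == "yes":
        sep = g.get("winbind separator", "\\")
        findings.append(f"{name}: 'winbind use default domain = yes' drops the prefix only for "
                        f"{g.get('workgroup', '?')} accounts; trusted-domain users must still "
                        f"log in as DOMAIN{sep}user")
    return findings


def check_hosts(hosts, local_uids):
    """hosts: {name: parsed conf}; local_uids: {name: [uid, ...]}. Runs the
    per-host checks, then the cross-host one: several hosts allocating from the
    same range with tdb get independent, and therefore divergent, mappings."""
    findings = []
    for name, conf in hosts.items():
        findings += check_host(name, conf, local_uids.get(name, []))
    tdb_hosts = [n for n, c in hosts.items() if idmap_setting(c)[0] == "tdb"]
    if len(tdb_hosts) > 1:
        findings.append("hosts " + ", ".join(tdb_hosts) + " all use the per-host tdb idmap "
                        "backend, so the same SID can receive a different UID on each host; "
                        "use a shared mapping (idmap_rid, idmap_ad or idmap_ldap) or expect "
                        "file ownership to differ between PDC and client")
    return findings


def run_checks():
    """Run the checks on the constructed sample configs; returns the findings."""
    hosts = {"pdc": parse_smb_conf(PDC_SMB_CONF),
             "client-04": parse_smb_conf(CLIENT_SMB_CONF)}
    return check_hosts(hosts, {"pdc": PDC_LOCAL_UIDS})


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

Run it against the real files with `parse_smb_conf(open("/etc/samba/smb.conf").read())` on each host and the UIDs from `getent passwd` minus the winbind entries; the point of the cross-host finding is that `wbinfo -ug` listing WIN\ users on the PDC says nothing about what UID the client will assign to the same SID.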

Marisa