Mailing List Archive
Re: [tlug] Authenticating to Samba with AD account
- Date: Mon, 23 Oct 2006 21:39:47 +0900
- From: Nikolay Elenkov <goibniu@example.com>
- Subject: Re: [tlug] Authenticating to Samba with AD account
- References: <20061017004300.GA14839@example.com> <2d4c9c600610182259g1b4c9f03r61346bf799b5852b@example.com>
- User-agent: Thunderbird 1.5.0.7 (X11/20060913)
Hi,

Patrick Niessen wrote:
> First of all, ensure your samba machine is properly registered in the
> domain. If necessary delete from Windows, and then add it again,
> following correct procedure as specified by Samba manual. Ensure your
> time is synced! You may need to use NTP using AD controller as a
> timesource. Kerberos is very time sensitive!

Thanks for your reply. The machine is properly registered and time synced. It also (kind of...) works now (see below).

>
> I don't use this, so not sure whether it affects the system. If you
> only need to provide Samba access there is no need to involve PAM !
> Authent will be handled only by samba. Use Pam if you need to access
> other services like ssh or ftp with AD username & password.

Ssh and some other services are needed, so we do need PAM.

> To have
> unified login from other services, it may be an option to use ldap
> instead of PAM (I use ldap from php to check password and username are
> correct).

It is not exactly my machine and using LDAP requires installing stuff on the domain controller. So LDAP is not an option, stuck with winbind, for better or worse.

>
> Check logfiles, also system logfiles to narrow down problem.
>

It's been running with -d10 for a while and that did give some hints, but I still haven't quite got to the bottom of it.

Anyway, as I said, kind of works now. Commenting out the 'default_realm' in /etc/krb5.conf did the trick. Apparently newer versions of the Kerberos library can find the realm automagically.

Accessing shares when you are logged on the domain works as expected. But logging in via ssh takes quite some time. And it doesn't seem to be DNS related. When/if I get the time, I'll try to track it down.