Kolijn, P.
2012-12-08 10:00:59 UTC
Hi list !
I've been trying to get a fileserver with kerberised NFS4 and Samba going on a RHEL 6.3 box, with a 2k8r2 AD backend, using the rpm's provided by Redhat. (3.5.10-125) I also tried the rpms from sernet (both 3.6 and 3.5) with no success...
The Join to the domain works:
# net ads join createcomputer="Servers/LINUX systems" createupn="host/<fqdn>@<DOM>.LOCAL" -U sa_join-srv
works and generates a /etc/krb5.keytab
# net ads keytab add nfs -P
works and adds a NFS service principal to the AD
# net ads status -P gives the machine account information that is looking good (only for NFS we have to disable the PAC by setting the Useraccountcontrol to : 33554432
After starting winbind I'm able to wbinfo -u, wbinfo -g, wbinfo -i <account> etc. getent passwb <account>, id <account> all works and give all the needed informataion uid, gid, etc.
And with the nssswitch, idmapd and rpcsvcgssd correctly configured NFS works. So all seems ok.
But then after some time (could be hours, even days, but mostly minutes) the TRUST is lost and the wbinfo -t fails and the $ smbclient -U <DOM>\\<account> //<fqdn>/<share> fails with NT_STATUS_NO_TRUST_SAM_ACCOUNT
$ smbclient -k //<fqdn>/<share> still works but the ntlm version as above fails.
We found out that the SamAccountType changes from machine account to useraccount
# net ads testjoin
Join is OK
It is fixed by leaving/joining and re-setting the useraccountcontrol in the AD and waiting till it fails again...
On a interesting side note is that a nfs clientbox that uses the same join to domain stuff and uses winbind to provide the backend to idmapd ( nssswitch etc.) does not seem to suffer from this TRUST loss....
I've been pulling my hair for the last days, and have a feeling that it is something 'simple' , something overlooked, assumed default but not working.
Or I could try blaming it on the AD :o)
Shares are registry based and are only consist of a homes$ and a groups$ share.
-- smb.conf ---
[global]
workgroup = <DOM>
realm = <DOM>.LOCAL
netbios name = <Hostname>
server string = Linux fileserver
preferred master = no
domain master = no
server string = %h
security = ADS
encrypt passwords = yes
registry shares = yes
wide links = no
kerberos method = system keytab
create krb5 conf = no
dedicated keytab file = /etc/krb5.keytab
# disable CUPS warning
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# log level depends on environment
log level = 5
log file = /var/log/samba/%m.log
max log size = 5000
winbind separator = +
winbind use default domain = true
winbind offline logon = false
winbind refresh tickets = true
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind nss info = rfc2307
# deprecated, could be removed I think (is handled by idmap config * now I presume)
idmap uid = 500-999
idmap gid = 500-999
idmap config <DOM> : backend = ad
idmap config <DOM> : readonly = yes
idmap config <DOM> : range = 1000-19999999999
idmap config <DOM> : schema_mode = rfc2307
idmap config * : backend = tdb
idmap config * : range = 500-999
I've been trying to get a fileserver with kerberised NFS4 and Samba going on a RHEL 6.3 box, with a 2k8r2 AD backend, using the rpm's provided by Redhat. (3.5.10-125) I also tried the rpms from sernet (both 3.6 and 3.5) with no success...
The Join to the domain works:
# net ads join createcomputer="Servers/LINUX systems" createupn="host/<fqdn>@<DOM>.LOCAL" -U sa_join-srv
works and generates a /etc/krb5.keytab
# net ads keytab add nfs -P
works and adds a NFS service principal to the AD
# net ads status -P gives the machine account information that is looking good (only for NFS we have to disable the PAC by setting the Useraccountcontrol to : 33554432
After starting winbind I'm able to wbinfo -u, wbinfo -g, wbinfo -i <account> etc. getent passwb <account>, id <account> all works and give all the needed informataion uid, gid, etc.
And with the nssswitch, idmapd and rpcsvcgssd correctly configured NFS works. So all seems ok.
But then after some time (could be hours, even days, but mostly minutes) the TRUST is lost and the wbinfo -t fails and the $ smbclient -U <DOM>\\<account> //<fqdn>/<share> fails with NT_STATUS_NO_TRUST_SAM_ACCOUNT
$ smbclient -k //<fqdn>/<share> still works but the ntlm version as above fails.
We found out that the SamAccountType changes from machine account to useraccount
# net ads testjoin
Join is OK
It is fixed by leaving/joining and re-setting the useraccountcontrol in the AD and waiting till it fails again...
On a interesting side note is that a nfs clientbox that uses the same join to domain stuff and uses winbind to provide the backend to idmapd ( nssswitch etc.) does not seem to suffer from this TRUST loss....
I've been pulling my hair for the last days, and have a feeling that it is something 'simple' , something overlooked, assumed default but not working.
Or I could try blaming it on the AD :o)
Shares are registry based and are only consist of a homes$ and a groups$ share.
-- smb.conf ---
[global]
workgroup = <DOM>
realm = <DOM>.LOCAL
netbios name = <Hostname>
server string = Linux fileserver
preferred master = no
domain master = no
server string = %h
security = ADS
encrypt passwords = yes
registry shares = yes
wide links = no
kerberos method = system keytab
create krb5 conf = no
dedicated keytab file = /etc/krb5.keytab
# disable CUPS warning
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# log level depends on environment
log level = 5
log file = /var/log/samba/%m.log
max log size = 5000
winbind separator = +
winbind use default domain = true
winbind offline logon = false
winbind refresh tickets = true
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind nss info = rfc2307
# deprecated, could be removed I think (is handled by idmap config * now I presume)
idmap uid = 500-999
idmap gid = 500-999
idmap config <DOM> : backend = ad
idmap config <DOM> : readonly = yes
idmap config <DOM> : range = 1000-19999999999
idmap config <DOM> : schema_mode = rfc2307
idmap config * : backend = tdb
idmap config * : range = 500-999
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba