Hi All,
I am developing this network.
Rocky is widely used -
One of the problems I’ve had is with total AD integration.
Validating user logins seems best with SSSD - but delivering shares works better with Winbind.
One of the issues I’m trying to find a solution for - with thanks to Linde and Hortimech - is that a recent Rocky AD-integrated file server will not validate Windows users who connect to its shares.
I don’t think I need to use Kerberos with Winbind; Winbind should be capable of doing this on its own. Users can log in, and UID, GID and groups are being enumerated correctly.
The www. research is misleading and is telling me Kerberos may be the answer.
The error Windows reports - you have permissions to access a resource - “Target Account name is incorrect”
I’ve uplifted the log levels and Winbind reports …
LOGS >>>>>>>>>>>>>>>>>>>>>
Allowed connection from 10.30.0.108 (10.30.0.108)
[2024/06/28 15:21:33.134823, 3] …/…/source3/smbd/smb2_oplock.c:1408(init_oplocks)
init_oplocks: initializing messages.
[2024/06/28 15:21:33.135893, 3] …/…/source3/smbd/smb2_negprot.c:1133(smb2_multi_protocol_reply_negprot)
Requested protocol [NT LM 0.12]
[2024/06/28 15:21:33.135922, 3] …/…/source3/smbd/smb2_negprot.c:1133(smb2_multi_protocol_reply_negprot)
Requested protocol [SMB 2.002]
[2024/06/28 15:21:33.135931, 3] …/…/source3/smbd/smb2_negprot.c:1133(smb2_multi_protocol_reply_negprot)
Requested protocol [SMB 2.???]
[2024/06/28 15:21:33.136075, 3] …/…/source3/smbd/smb2_negprot.c:345(smbd_smb2_request_process_negprot)
Selected protocol SMB2_FF
[2024/06/28 15:21:33.136124, 5] …/…/source3/auth/auth.c:575(make_auth3_context_for_ntlm)
make_auth3_context_for_ntlm: Making default auth method list for server role = ‘domain member’
[2024/06/28 15:21:33.136143, 5] …/…/source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend anonymous
[2024/06/28 15:21:33.136157, 5] …/…/source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method ‘anonymous’
[2024/06/28 15:21:33.136166, 5] …/…/source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend sam
[2024/06/28 15:21:33.136173, 5] …/…/source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method ‘sam’
[2024/06/28 15:21:33.136180, 5] …/…/source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend sam_ignoredomain
[2024/06/28 15:21:33.136187, 5] …/…/source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method ‘sam_ignoredomain’
[2024/06/28 15:21:33.136194, 5] …/…/source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend sam_netlogon3
[2024/06/28 15:21:33.136207, 5] …/…/source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method ‘sam_netlogon3’
[2024/06/28 15:21:33.136215, 5] …/…/source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend winbind
[2024/06/28 15:21:33.136223, 5] …/…/source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method ‘winbind’
[2024/06/28 15:21:33.136229, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match anonymous
[2024/06/28 15:21:33.136238, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method anonymous has a valid init
[2024/06/28 15:21:33.136245, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam
[2024/06/28 15:21:33.136253, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method sam has a valid init
[2024/06/28 15:21:33.136260, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match winbind
[2024/06/28 15:21:33.136267, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method winbind has a valid init
[2024/06/28 15:21:33.136274, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2024/06/28 15:21:33.136282, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method sam_ignoredomain has a valid init
[2024/06/28 15:21:33.137002, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘gssapi_spnego’ registered
[2024/06/28 15:21:33.137035, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘gssapi_krb5’ registered
[2024/06/28 15:21:33.137043, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘gssapi_krb5_sasl’ registered
[2024/06/28 15:21:33.137051, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘spnego’ registered
[2024/06/28 15:21:33.137058, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘schannel’ registered
[2024/06/28 15:21:33.137067, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘ncalrpc_as_system’ registered
[2024/06/28 15:21:33.137079, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘sasl-EXTERNAL’ registered
[2024/06/28 15:21:33.137088, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘ntlmssp’ registered
[2024/06/28 15:21:33.137095, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘ntlmssp_resume_ccache’ registered
[2024/06/28 15:21:33.137103, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘http_basic’ registered
[2024/06/28 15:21:33.137110, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘http_ntlm’ registered
[2024/06/28 15:21:33.137123, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘http_negotiate’ registered
[2024/06/28 15:21:33.137215, 5] …/…/auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC mechanism spnego
[2024/06/28 15:21:33.137248, 5] …/…/auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2024/06/28 15:21:33.137934, 3] …/…/source3/smbd/smb2_negprot.c:1198(smb2_multi_protocol_reply_negprot)
Selected protocol SMB 2.???
[2024/06/28 15:21:33.140112, 3] …/…/source3/smbd/smb2_negprot.c:345(smbd_smb2_request_process_negprot)
Selected protocol SMB3_11
[2024/06/28 15:21:33.140224, 5] …/…/source3/auth/auth.c:575(make_auth3_context_for_ntlm)
make_auth3_context_for_ntlm: Making default auth method list for server role = ‘domain member’
[2024/06/28 15:21:33.140260, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match anonymous
[2024/06/28 15:21:33.140280, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method anonymous has a valid init
[2024/06/28 15:21:33.140298, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam
[2024/06/28 15:21:33.140317, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method sam has a valid init
[2024/06/28 15:21:33.140335, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match winbind
[2024/06/28 15:21:33.140353, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method winbind has a valid init
[2024/06/28 15:21:33.140371, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2024/06/28 15:21:33.140389, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method sam_ignoredomain has a valid init
[2024/06/28 15:21:33.140480, 5] …/…/auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC mechanism spnego
[2024/06/28 15:21:33.140501, 5] …/…/auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2024/06/28 15:21:33.146785, 5] …/…/source3/auth/auth.c:575(make_auth3_context_for_ntlm)
make_auth3_context_for_ntlm: Making default auth method list for server role = ‘domain member’
[2024/06/28 15:21:33.146814, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match anonymous
[2024/06/28 15:21:33.146824, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method anonymous has a valid init
[2024/06/28 15:21:33.146831, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam
[2024/06/28 15:21:33.146839, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method sam has a valid init
[2024/06/28 15:21:33.146861, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match winbind
[2024/06/28 15:21:33.146869, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method winbind has a valid init
[2024/06/28 15:21:33.146877, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2024/06/28 15:21:33.146885, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method sam_ignoredomain has a valid init
[2024/06/28 15:21:33.146933, 5] …/…/auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC mechanism spnego
[2024/06/28 15:21:33.147007, 5] …/…/auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2024/06/28 15:21:33.147274, 1] …/…/source3/librpc/crypto/gse.c:712(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/gsl-svr-cifs.DOMAIN.local@DOMAIN.LOCAL not found in keytab (ticket kvno 1)]
[2024/06/28 15:21:33.155834, 3] …/…/lib/util/access.c:372(allow_access)
I messaged Hortimech - sorry if this is against protocol, I am really looking for a solution here.
Kind Regards
Jake
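
Added example, not part of the original post: a small triage script that pulls the `gss_accept_sec_context` keytab failure out of an smbd log like the one above and checks the requested service principal and kvno against `klist -k` output. The function names and the keytab listing are assumptions made for illustration; the log entry is copied from the post.

```python
import re

# Header of a Samba log entry: "[timestamp, level] file:line(function)".
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s+\d+\]\s+\S+\((?P<func>\w+)\)")
# Kerberos minor-status text embedded in the gse.c failure message.
MISSING = re.compile(r"Request ticket server (?P<spn>\S+) not found in keytab \(ticket kvno (?P<kvno>\d+)\)")
# Data row of `klist -k` output: "<kvno> <principal>".
KLIST_ROW = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<princ>\S+@\S+)\s*$")

def find_keytab_failures(log_text):
    """Return one dict per keytab miss logged by gse_get_server_auth_token."""
    failures, func, ts = [], None, None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:  # remember which function logged the message lines that follow
            ts, func = m["ts"], m["func"]
        hit = MISSING.search(line)
        if hit and func == "gse_get_server_auth_token":
            failures.append({"ts": ts, "spn": hit["spn"], "kvno": int(hit["kvno"])})
    return failures

def parse_klist(klist_text):
    """Map principal -> set of kvnos from `klist -k` output."""
    entries = {}
    for line in klist_text.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            entries.setdefault(m["princ"], set()).add(int(m["kvno"]))
    return entries

def diagnose(failure, keytab):
    """Classify a failure: exact principal match first, then case-insensitive."""
    spn = failure["spn"]
    if spn in keytab:
        return "present" if failure["kvno"] in keytab[spn] else "kvno-mismatch"
    if spn.lower() in {p.lower() for p in keytab}:
        return "case-mismatch"
    return "spn-missing"

# Entry copied from the log in the post.
SAMPLE_LOG = """[2024/06/28 15:21:33.147274, 1] …/…/source3/librpc/crypto/gse.c:712(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/gsl-svr-cifs.DOMAIN.local@DOMAIN.LOCAL not found in keytab (ticket kvno 1)]
"""
# Constructed `klist -k` output; the host name and kvno are made up.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/rocky-fs.domain.local@DOMAIN.LOCAL
"""
print([diagnose(f, parse_klist(SAMPLE_KLIST)) for f in find_keytab_failures(SAMPLE_LOG)])
```

To use it on a real server, pass the smbd log text and the output of `klist -k` for the machine keytab in place of the two sample strings.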