Hello
Client users cannot log in. They get the message "incorrect password" on the Xubuntu 16.04 login (lightdm-gtk-greeter).
I set the Xubuntu client up as follows:
Installed the packages
apt-get install samba-common smbclient krb5-user krb5-config libpam-heimdal libpam-winbind libnss-winbind winbind
Copied the krb5.conf from the Zentyal 4.1 Server
[libdefaults]
default_realm = SCHOOL.ZONE
dns_lookup_kdc = true
dns_lookup_realm = false
rdns = no
Configured the smb.conf
[global]
workgroup = SCHOOL
realm = SCHOOL.ZONE
security = ADS
encrypt passwords = Yes
idmap config *:backend = rid
idmap config *:range = 10000-20000
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind enum users = Yes
winbind enum groups = Yes
template shell = /bin/bash
Configured the /etc/hosts
127.0.0.1 localhost
#127.0.1.1 pc4-students.school.zone pc4-students
192.168.20.104 pc4-students.school.zone pc4-students
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Configured /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat winbind
gshadow: files
#hosts: files mdns4_minimal [NOTFOUND=return] dns
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Installed the packages
apt-get install cifs-utils libpam-mount
Configured /etc/security/pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
See pam_mount.conf(5) for a description.
-->
<pam_mount>
<!-- debug should come before everything else,
since this file is still processed in a single pass
from top-to-bottom -->
<debug enable="0" />
<!-- Volume definitions -->
<volume
fstype="cifs"
server="srv1-server.school.zone"
path="%(USER)"
mountpoint="/home/SCHOOL/%(USER)"
user="*"
options="sec=krb5,cruid=%(USERUID),domain={full domain},uid=%(USERUID),gid=%(USERGID),rw"
/>
<!-- pam_mount parameters: General tunables -->
<umount>umount -l %(MNTPT)</umount>
<!--
<luserconf name=".pam_mount.conf.xml" />
-->
<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<logout wait="0" hup="0" term="0" kill="0" />
<!-- pam_mount parameters: Volume-related -->
<mkmountpoint enable="1" remove="true" />
</pam_mount>
Stopped the services
systemctl stop winbind
systemctl stop smbd
systemctl stop nmbd
Joined the client to the Zentyal 4.1 server
net ads join -U administrator
Started the services again
systemctl start winbind
systemctl start smbd
systemctl start nmbd
Made some tests
root@pc4-students:~# wbinfo -u
dns-srv1-server
administrator
jandoe
jodoe
krbtgt
guest
root@pc4-students:~# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
root@pc4-students:~# kinit administrator@SCHOOL.ZONE
Password for administrator@SCHOOL.ZONE:
root@pc4-students:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SCHOOL.ZONE
Valid starting Expires Service principal
2016-09-26T17:29:49 2016-09-27T03:29:49 krbtgt/SCHOOL.ZONE@SCHOOL.ZONE
renew until 2016-09-27T17:29:44
root@pc4-students:~# getent passwd jodoe
jodoe:*:11105:10513:John Doe:/home/SCHOOL/jodoe:/bin/bash
So, for me as a newbie everything seems fine. But when I try to log in as jodoe, whose password I of course know, the login page says "incorrect password".
I also checked time/date on the client and the server. They seem to be in sync.
So, any hints are welcome!!
Kind regards, Roland
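
The tests in the post above cover winbind enumeration (wbinfo), Kerberos for administrator (kinit) and NSS lookup (getent); the lightdm greeter authenticates through the PAM auth stack, which none of them exercises. The following is an added example, not part of the original post, that checks the two layers separately from the configuration files; the function names are hypothetical and the file contents are constructed samples.

```shell
#!/bin/sh
# Added example. NSS decides "does this user exist"; the PAM auth stack decides
# "is this password right". getent only exercises the first of the two.

# nss_has_winbind FILE DB: succeed if database DB lists winbind as a source.
nss_has_winbind() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") hit = 1 }
                     END { exit (hit ? 0 : 1) }' "$1"
}

# pam_auth_modules FILE: print the modules named on active "auth" lines.
pam_auth_modules() {
    awk '$1 == "auth" { for (i = 2; i <= NF; i++) if ($i ~ /^pam_.*\.so$/) print $i }' "$1"
}

# check_login_layers NSSWITCH PAM_AUTH: one verdict line per layer.
check_login_layers() {
    if nss_has_winbind "$1" passwd; then echo "nss: winbind listed for passwd"
    else echo "nss: winbind missing for passwd"; fi
    if pam_auth_modules "$2" | grep -qx -e pam_winbind.so -e pam_krb5.so; then
        echo "pam: domain auth module present"
    else
        echo "pam: local auth only ($(pam_auth_modules "$2" | paste -sd' ' -))"
    fi
}

# write_samples DIR: constructed sample files, not taken from any real host.
write_samples() {
    printf '%s\n' 'passwd: compat winbind' 'group: compat winbind' \
        '#hosts: files mdns4_minimal' 'hosts: files dns' > "$1/nsswitch.conf"
    printf '%s\n' '# constructed: local accounts only' \
        'auth [success=1 default=ignore] pam_unix.so nullok_secure' \
        'auth requisite pam_deny.so' 'auth required pam_permit.so' > "$1/auth.local"
    printf '%s\n' '# constructed: winbind profile enabled' \
        'auth [success=2 default=ignore] pam_unix.so nullok_secure' \
        'auth [success=1 default=ignore] pam_winbind.so krb5_auth try_first_pass' \
        'auth requisite pam_deny.so' 'auth required pam_permit.so' > "$1/auth.domain"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_login_layers "$demo_dir/nsswitch.conf" "$demo_dir/auth.local"
check_login_layers "$demo_dir/nsswitch.conf" "$demo_dir/auth.domain"
rm -rf "$demo_dir"
```

On a client, pass /etc/nsswitch.conf and /etc/pam.d/common-auth as the two arguments to check_login_layers.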