[Samba] Question(s) about user mapping

steve steve at steve-ss.com
Fri Jul 18 15:15:54 MDT 2014


On Fri, 2014-07-18 at 20:12 +0000, Jon Yeargers wrote:
> So there isn't a way for samba to use SSSD to authenticate?
> 
Yes, it is easy to configure sssd to authenticate both internally to the
AD LDAP and on a user login level via Kerberos. sssd ships with a full
set of PAM modules. Many distros set the latter up automatically when you
install sssd. When or after you join the domain, samba can also set up a
suitable keytab for sssd to use for the former.
HTH,
Steve


> Yes, there are machines joined to the domain. What's the issue with un-joining them?
> 
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: Friday, July 18, 2014 12:13 PM
> To: sambalist
> Subject: Re: [Samba] Question(s) about user mapping
> 
> On 18/07/14 19:59, Jon Yeargers wrote:
> > When I attempt to put 'security = ADS' in here the samba service won't start.  Is this what you are referring to?
> To get the smb.conf you posted, you must have run 'samba-tool domain provision' with various options, ergo you are now running an AD DC; you cannot add 'security = ADS', this belongs only on a client or member server.
> 
> >
> > This system is the PDC (beanbag). This system is running sssd to authenticate against a separate LDAP server. I can ssh to the machine using accounts from the LDAP machine. I just can't use windows logins in the same manner.
> 
> Have you joined ANY machines to your new AD DC? If not, then don't, 
> until you decide where you want to end up.
> 
> If you have joined any machines, then there is no going back without 
> re-installing those windows machines.
> 
> You need to decide what you want, if you decide to use the AD DC, then 
> your clients will authenticate to this, an AD DC does not authenticate 
> to anything, it is the authenticator!
> 
> You can run samba4 just like samba3 i.e. in what is known as 'classic' mode.
> 
> So having said all that, where do you need to be from here ?? just what 
> are you trying to attain ??
> 
> Rowland
> 
> >
> > It's clear that I've done something incorrectly here. Hopefully it's obvious to someone on this list.
> >
> > -----Original Message-----
> > From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> > Sent: Friday, July 18, 2014 11:56 AM
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Question(s) about user mapping
> >
> > On 18/07/14 19:47, Jon Yeargers wrote:
> >> (apologies)
> >> # Global parameters
> >> [global]
> >>           workgroup = BME
> >>           realm = DOMAIN.EDU
> >>           netbios name = BEANBAG
> >>
> >>           encrypt passwords = yes
> >>           log level = 5
> >>
> >>           server role = active directory domain controller
> >>           dns forwarder = 137.10.10.10
> >>           idmap_ldb:use rfc2307 = yes
> >>
> >>           map untrusted to domain = Yes
> >>
> >> [netlogon]
> >>           path = /usr/local/samba/var/locks/sysvol/domain.edu/scripts
> >>           read only = No
> >>
> >> [sysvol]
> >>           path = /usr/local/samba/var/locks/sysvol
> >>           read only = No
> >>
> >>
> >> What other configs are relevant here?
> >>
> >> -----Original Message-----
> >> From: samba-bounces at lists.samba.org
> >> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> >> Sent: Friday, July 18, 2014 9:49 AM
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Question(s) about user mapping
> >>
> >> On 18/07/14 17:14, Jon Yeargers wrote:
> >>> I've set up samba4 to authenticate against a separate LDAP server. I can ssh to my server but attempts to login to a windows7 member server using the ldap domain are not working.
> >>>
> >>> Relevant errors:
> >>>
> >>> [2014/07/18 06:46:28.177400,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)     auth_check_password_send: Checking password for unmapped user [ldapdom]\[user]@[win7host]    auth_check_password_send: mapped user is: [sambadom]\[user]@[win7host]
> >>>
> >>> [2014/07/18 06:46:28.178098,  3] ../source4/auth/ntlm/auth_sam.c:61(authsam_search_account)      sam_search_user: Couldn't find user [user] in samdb, under C=dom,DC=server,DC=edu
> >>>
> >>> [2014/07/18 06:46:28.178184,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)      auth_check_password_recv: sam_ignoredomain authentication for user [sambadom\user]    FAILED with error NT_STATUS_NO_SUCH_USER
> >>>
> >>>
> >>> It appears that some manner of user id mapping is being searched for. What I really want is for it to preserve and use the domain that was passed in rather than substituting it.
> >>>
> >>> CentOS 6.4 x64
> >>> Samba 4.1.0
> >>> Sssd 1.9.2
> >> Hi, I think that you are going to have to give us some more info here,
> >> smb.conf etc
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> > You posted 'I've setup samba4 to authenticate against a separate LDAP server' yet now you post that your samba4 server is running as an AD DC; I was expecting that you were running samba4 as an NT style PDC.
> >
> > Have you joined the windows machines to your AD DC ??
> >
> > Rowland
> >
> 
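Added example (not code from the thread or from the Samba project): a small Python checker that applies the two points made above to an smb.conf and a level-3 auth log. It flags 'security = ADS' on a host whose 'server role' is an AD DC, the combination Rowland says cannot work, and it flags 'map untrusted to domain = yes', the parameter that makes Samba rewrite a logon naming an unknown domain into its own SAM domain, which is the [ldapdom] to [sambadom] substitution visible in the quoted log. It also parses the auth lines to show the rewrite and the resulting NT_STATUS_NO_SUCH_USER. SAMPLE_SMB_CONF and SAMPLE_LOG are constructed from the thread's text; the base DN in the sample log is a placeholder.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the [global] section posted in the thread,
# with the 'security = ADS' line the poster said he tried to add.
SAMPLE_SMB_CONF = """
# Global parameters
[global]
        workgroup = BME
        realm = DOMAIN.EDU
        netbios name = BEANBAG
        security = ADS
        server role = active directory domain controller
        dns forwarder = 137.10.10.10
        idmap_ldb:use rfc2307 = yes
        map untrusted to domain = Yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.edu/scripts
        read only = No
"""

# Constructed log lines in the shape of the level-3 auth messages quoted in
# the thread (the base DN is a placeholder, not the poster's real one).
SAMPLE_LOG = [
    r"[2014/07/18 06:46:28.177400,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)"
    r"     auth_check_password_send: Checking password for unmapped user [ldapdom]\[user]@[win7host]"
    r"    auth_check_password_send: mapped user is: [sambadom]\[user]@[win7host]",
    r"[2014/07/18 06:46:28.178098,  3] ../source4/auth/ntlm/auth_sam.c:61(authsam_search_account)"
    r"      sam_search_user: Couldn't find user [user] in samdb, under DC=sambadom,DC=edu",
    r"[2014/07/18 06:46:28.178184,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)"
    r"      auth_check_password_recv: sam_ignoredomain authentication for user [sambadom\user]"
    r"    FAILED with error NT_STATUS_NO_SUCH_USER",
]

UNMAPPED_RE = re.compile(r"unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
MAPPED_RE = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@")
FAILED_RE = re.compile(r"FAILED with error (NT_STATUS_[A-Z_]+)")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: sections -> {key: value}, keys lower-cased,
    comments ('#' / ';') and blank lines skipped, values left as written."""
    conf: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def check_role_consistency(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings for the settings discussed in the thread."""
    g = conf.get("global", {})
    findings: List[str] = []
    role = g.get("server role", "").lower()
    if role in ("dc", "active directory domain controller") and g.get("security", "").lower() == "ads":
        findings.append("security = ads is a member-server setting and conflicts with "
                        "server role = active directory domain controller")
    if g.get("map untrusted to domain", "").lower() in ("yes", "true", "1"):
        findings.append("map untrusted to domain = yes: a logon naming a domain this server "
                        "does not trust is rewritten to its own SAM domain before lookup")
    return findings


def find_domain_rewrites(lines: List[str]) -> List[dict]:
    """Pair each 'unmapped user' auth line with its 'mapped user' domain and the
    FAILED status that follows, so a silent domain substitution is visible."""
    findings: List[dict] = []
    pending: Optional[dict] = None
    for line in lines:
        m = UNMAPPED_RE.search(line)
        if m:
            requested, user, host = m.groups()
            mm = MAPPED_RE.search(line)
            mapped = mm.group(1) if mm else requested
            pending = {"user": user, "workstation": host,
                       "requested_domain": requested, "mapped_domain": mapped,
                       "rewritten": requested.lower() != mapped.lower(),
                       "status": None}
            findings.append(pending)
            continue
        f = FAILED_RE.search(line)
        if f and pending is not None:
            pending["status"] = f.group(1)
            pending = None
    return findings


if __name__ == "__main__":
    for finding in check_role_consistency(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("config:", finding)
    for rw in find_domain_rewrites(SAMPLE_LOG):
        print("auth:", rw)
```

Point it at a real /etc/samba/smb.conf and a level-3 log to get the same two views. A `rewritten` entry ending in NT_STATUS_NO_SUCH_USER is the pattern from the thread: the DC looked the user up in its own samdb, not in the LDAP domain the client named. Removing the rewrite does not change Rowland's point that an AD DC is the authenticator and will not defer to another directory; the fix is to decide on the role first.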
