[Samba] problem authenticating with kerberos and smb

Rowland Penny rowlandpenny at googlemail.com
Thu Nov 27 10:48:46 MST 2014


On 27/11/14 17:13, Michael Edwards wrote:
> Hi Rowland
>
> Thanks for your reply.
>
> I've modified the smb.shares.conf to remove the global tag, and moved
> the settings into each share.  Tried accessing the machine after a
> `service smb reload && service winbind reload && service sssd reload`,
> and still getting the same error.
>
> Only sssd is set up in /etc/nsswitch.conf:
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #       nisplus                 Use NIS+ (NIS version 3)
> #       nis                     Use NIS (NIS version 2), also called YP
> #       dns                     Use DNS (Domain Name Service)
> #       files                   Use the local files
> #       db                      Use the local database (.db) files
> #       compat                  Use NIS on compat mode
> #       hesiod                  Use Hesiod for user lookups
> #       [NOTFOUND=return]       Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
>
> netgroup:   nisplus
>
> publickey:  nisplus
>
> automount:  files nisplus
> aliases:    files nisplus
>
> The realm was just a sanitizing error - they're inside.local &
> INSIDE.LOCAL respectively, have also tried variations on caps and lower
> case, but still no luck.
>
> Many thanks
> Michael
>
>
> On 27/11/14 16:45, Rowland Penny wrote:
>> On 27/11/14 16:07, Michael Edwards wrote:
>>> snip
>> OK, alter samba.shares.conf by removing the [global] tag and move
>> **ALL** the settings to the shares where they belong.
>>
>> There is also this:     '# make winbind use NSS (and therefore SSSD)
>> to resolve SIDs for domain users'
>>
>> There is **NO** connection between winbind and sssd, you need to use
>> either one or the other in /etc/nsswitch.conf
>>
>> You have 'realm = inside.local' in smb.conf and 'default_realm =
>> DOMAIN.LOCAL' in /etc/krb5.conf, now this may just be a sanitizing
>> error, but if not you need to sort this.
>>
>> That's enough to be going on with
>>
>> Rowland
>>
>
OK, you are not using winbind, you are using sssd. With the version of
sssd that comes with CentOS 6.5, you should be able to use the ad
backend with sssd, see here: http://jhrozek.livejournal.com/3581.html
and here:
http://linuxcostablanca.blogspot.co.uk/2014/05/sssd-autofs-with-ad-backend.html

Rowland
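
Added example, not part of the messages above: a small check for the two points raised in this thread, that 'realm' in smb.conf agrees with 'default_realm' in /etc/krb5.conf and that /etc/nsswitch.conf does not list both sss and winbind for the same database. The function names and sample strings are constructed for illustration, and comparing the realm names without regard to case is an assumption of this sketch.

```python
# Constructed samples using the values quoted in this thread.
SMB_CONF = "[global]\n  realm = inside.local\n  security = ads\n"
KRB5_AS_POSTED = "[libdefaults]\n  default_realm = DOMAIN.LOCAL\n"
KRB5_ACTUAL = "[libdefaults]\n  default_realm = INSIDE.LOCAL\n"
NSS_FROM_THREAD = "passwd:     files sss\nshadow:     files sss\ngroup:      files sss\n"
NSS_MIXED = "passwd: files sss winbind\ngroup: files sss [NOTFOUND=return] winbind\n"  # constructed bad case


def ini_value(text, section, key):
    """Return the value of `key` in `[section]` of an INI-style file, or None."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line:
            name, value = line.split("=", 1)
            if name.strip().lower() == key:
                return value.strip()
    return None


def nss_sources(text, databases=("passwd", "group")):
    """Map each database to its lookup sources, skipping [STATUS=action] items."""
    found = {}
    for raw in text.splitlines():
        db, sep, rest = raw.split("#", 1)[0].partition(":")
        if sep and db.strip() in databases:
            found[db.strip()] = [s for s in rest.split() if not s.startswith("[")]
    return found


def check(smb_conf, krb5_conf, nsswitch):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    realm = ini_value(smb_conf, "global", "realm")
    default_realm = ini_value(krb5_conf, "libdefaults", "default_realm")
    if realm is None or default_realm is None:
        findings.append("realm or default_realm is not set")
    elif realm.upper() != default_realm.upper():  # assumption: case is ignored
        findings.append(f"realm mismatch: {realm} vs {default_realm}")
    for db, sources in nss_sources(nsswitch).items():
        if "sss" in sources and "winbind" in sources:
            findings.append(f"{db}: lists both sss and winbind")
    return findings

if __name__ == "__main__":
    print(check(SMB_CONF, KRB5_AS_POSTED, NSS_MIXED))
```

To run it against a real host, pass the contents of /etc/samba/smb.conf (plus any included share file), /etc/krb5.conf and /etc/nsswitch.conf instead of the sample strings.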


