[Samba] I want a Fedora 20 system to be a member server and offer a share in a Windows 2008R2 Active Directory domain

Greg Scott GregScott at infrasupport.com
Sat Aug 30 13:14:26 MDT 2014


I'm close to making this work.  The goal is to make this Fedora 20 system pretend to be a Windows member server in my Windows 2008R2 Active Directory domain and then I'll use it as a backup target.  When I run ADUC from my domain controller, I see my F20 system named nfsa.  But from Windows, when I do Start...\\nfsa, I get an Access Denied error and it prompts for credentials.  When I do Start...\\nfsa\backups, it just fails with an Access Denied error.  

I will paste in the output from testparm below, which has everything in my smb.conf.  This should all be OK.  I've gotta be missing the piece that sets up my F20 system to trust A/D for authentication so F20 can advertise this share.   The guidance on how to do that is contradictory and thin and I'm hopelessly confused.  I'm supposed to do some editing to some pam .conf files and nsswitch.conf, but everyone has different guidance.  And the edits look elaborate and prone to mistakes.  

So Red Hat includes a tool named authconfig that claims to handle this for me.  It is supposed to set up all the .conf files to make this work.  Pass authconfig the correct parameters and it all just happens.  In fact, it's all documented right here in the RHEL 7 Windows Integration Guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/winbind-auth.html

The example in section 4.3.2, step 4 uses a parameter named --enablewinbindkrb5 that doesn't exist. And a couple of the parameters in the example need equal signs (parameter=value instead of parameter [space] value).  In fairness, that book above is part of RHEL 7 and I'm doing this from Fedora 20 so maybe they are different. Working around that and based on the example, I put this little script together:

[root at nfsa gregs]# more test.sh
#!/bin/sh

authconfig \
      --enablewinbind \
      --enablewins \
      --enablewinbindauth \
      --smbsecurity=ads \
      --smbworkgroup=EHAC \
      --smbrealm=EHAC.LOCAL \
      --smbservers=ehcserver1.ehac.local \
      --krb5realm=EHAC.LOCAL \
      --enablewinbindoffline \
      --enablekrb5 \
      --winbindtemplateshell=/bin/sh \
      --winbindjoin=administrator \
      --update \
      --enablelocauthorize \
      --savebackup=/home/gregs/backups
[root at nfsa gregs]#

When I run it, it makes copies of a bunch of config files and saves them in my /home/gregs/backups directory.  But it never updates any of the real .conf files - just one big no-op.  

So how do I do this?  Surely there's a nice, clean, easily reproducible way to make a Linux system offer a share as a member server in a modern A/D domain.

F20 can reach into the domain, but the domain cannot reach out to F20.

wbinfo -g and wbinfo -u show me the groups and users I expect to see.   And getent passwd domain\\user returns what I expect after I finally learned I need to escape that "\" character.  So F20 can reach into the domain, but the domain can't reach back to F20.  That's my problem.  

[root at nfsa gregs]#  getent passwd ehac\\gregs
gregs at ehac.local:*:762201118:762200513:Greg Scott:/home/ehac.local/gregs:/bin/bash

Finally, here is a copy of my smb.conf and krb5.conf.

[root at nfsa gregs]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[backups]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = EHAC
        realm = ehac.local
        server string = Samba Server nfsa Version %v
        security = ADS
        log file = /var/log/samba/log.%m
        max log size = 50
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        idmap config SAMDOM:range = 500-40000
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:backend = ad
        idmap config *:range = 70001-80000
        idmap config * : backend = tdb
        cups options = raw

[backups]
        comment = backups
        path = /data/nfsa
        read only = No
        guest ok = Yes
[root at nfsa gregs]#
[root at nfsa gregs]#
[root at nfsa gregs]# more /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
default_realm = EHAC.LOCAL
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

EHAC.LOCAL = {
  kdc = ehcserver1.ehac.local
  admin_server = ehcserver1.ehac.local
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

.ehac.local = EHAC.LOCAL
ehac.local = EHAC.LOCAL
[root at nfsa gregs]#

Oh yes - I have no idea if this is relevant or not but I see these errors about printers in /var/log/messages when I restart smb.  I don't care about printing here and would be fine with just turning off all printing if there's a way to do it.  But maybe these printer errors contribute to my real problem.

[root at nfsa gregs]# tail /var/log/messages
Aug 30 13:42:36 nfsa smbd[7353]: [2014/08/30 13:42:36.137682,  0] ../source3/printing/print_cups.c:151(cups_connect)
Aug 30 13:42:36 nfsa smbd[7353]: Unable to connect to CUPS server localhost:631 - Bad file descriptor
Aug 30 13:42:36 nfsa smbd[7010]: [2014/08/30 13:42:36.137938,  0] ../source3/printing/print_cups.c:528(cups_async_callback)
Aug 30 13:42:36 nfsa smbd[7010]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Aug 30 13:50:01 nfsa systemd: Starting Session 271 of user root.
Aug 30 13:50:02 nfsa systemd: Started Session 271 of user root.
Aug 30 13:55:36 nfsa smbd[7380]: [2014/08/30 13:55:36.883693,  0] ../source3/printing/print_cups.c:151(cups_connect)
Aug 30 13:55:36 nfsa smbd[7380]: Unable to connect to CUPS server localhost:631 - Bad file descriptor
Aug 30 13:55:36 nfsa smbd[7010]: [2014/08/30 13:55:36.883950,  0] ../source3/printing/print_cups.c:528(cups_async_callback)
Aug 30 13:55:36 nfsa smbd[7010]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[root at nfsa gregs]#

I've installed winbind, and winbind and smb are running.  SELinux is set to permissive.  I don't think I need nmb anymore but I can try turning it on.

[root at nfsa gregs]# systemctl list-unit-files | grep smb
smb.service                                 enabled
[root at nfsa gregs]# systemctl list-unit-files | grep nmb
nmb.service                                 disabled
[root at nfsa gregs]# systemctl list-unit-files | grep winbind
winbind.service                             enabled
[root at nfsa gregs]#

Oh - versions - everything came from Red Hat binaries a few days ago:

[root at nfsa gregs]# more /etc/issue
Fedora release 20 (Heisenbug)
Kernel \r on an \m (\l)

[root at nfsa gregs]# rpm -qa | grep samba
samba-winbind-modules-4.1.9-4.fc20.x86_64
samba-common-4.1.9-4.fc20.x86_64
samba-4.1.9-4.fc20.x86_64
samba-winbind-4.1.9-4.fc20.x86_64
samba-libs-4.1.9-4.fc20.x86_64
samba-winbind-clients-4.1.9-4.fc20.x86_64
[root at nfsa gregs]#
[root at nfsa gregs]# rpm -qa | grep krb5
pam_krb5-2.4.8-1.fc20.x86_64
sssd-krb5-common-1.11.6-1.fc20.x86_64
sssd-krb5-1.11.6-1.fc20.x86_64
krb5-workstation-1.11.5-11.fc20.x86_64
krb5-libs-1.11.5-11.fc20.x86_64
[root at nfsa gregs]#

Thanks

- Greg Scott
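An added example, not part of Greg's post or of Samba itself: a small POSIX shell script that reads an smb.conf (or `testparm -s` output) and performs two checks a member-server admin would want before chasing PAM and nsswitch edits. First, every `idmap config DOMAIN:...` block must name the configured `workgroup`, because winbind keys its idmap backends by the short domain name and a block for any other name is never consulted. Second, it lists shares with `guest ok = Yes`, since a backup share that is guest-accessible is usually not intended. The sample config is constructed here to mirror the settings shown in the testparm output above; on a real system point the functions at /etc/samba/smb.conf instead.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): offline sanity
# checks for a Samba member-server smb.conf. The sample below is constructed
# to mirror the poster's settings (workgroup EHAC, idmap blocks for SAMDOM).

# Write a constructed smb.conf to the path given in $1.
write_sample_conf() {
  cat > "$1" <<'EOF'
[global]
        workgroup = EHAC
        realm = ehac.local
        security = ADS
        idmap config SAMDOM:range = 500-40000
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:backend = ad
        idmap config *:range = 70001-80000
        idmap config * : backend = tdb

[backups]
        comment = backups
        path = /data/nfsa
        read only = No
        guest ok = Yes
EOF
}

# Print the configured workgroup (short/NetBIOS domain name) in upper case.
conf_workgroup() {
  sed -n 's/^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*//p' "$1" \
    | head -n 1 | tr '[:lower:]' '[:upper:]'
}

# Print every domain that has an "idmap config DOMAIN:..." line, excluding
# the "*" default block, upper-cased and de-duplicated.
conf_idmap_domains() {
  sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:.*/\1/p' "$1" \
    | grep -v '^\*$' | tr '[:lower:]' '[:upper:]' | sort -u
}

# Succeed only if every per-domain idmap block names the workgroup. A block
# for some other name is silently ignored by winbind, so AD-backed mapping
# never happens and lookups fall back to the "*" tdb range.
check_idmap_domain() {
  wg=$(conf_workgroup "$1")
  status=0
  for d in $(conf_idmap_domains "$1"); do
    if [ "$d" != "$wg" ]; then
      echo "idmap config block for '$d' does not match workgroup '$wg'"
      status=1
    fi
  done
  return $status
}

# Print the names of non-global sections that allow guest access.
conf_guest_shares() {
  awk '
    /^[[:space:]]*[[]/ { sub(/^[[:space:]]*[[]/, ""); sub(/[]].*$/, ""); sec = $0; next }
    tolower($0) ~ /^[[:space:]]*guest ok[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$/ && sec != "global" { print sec }
  ' "$1"
}

# Stand-alone demonstration on the constructed sample.
conf=$(mktemp)
write_sample_conf "$conf"
if check_idmap_domain "$conf"; then
  echo "idmap domains match workgroup"
fi
echo "guest-accessible shares: $(conf_guest_shares "$conf")"
rm -f "$conf"
```

On the sample config the script reports that the `SAMDOM` idmap block does not match workgroup `EHAC` and lists `backups` as guest-accessible. Renaming the three `idmap config SAMDOM:` lines to `idmap config EHAC:` makes the first check pass; whether `guest ok` belongs on a backup target is a policy decision, but the script makes it visible.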
