[Samba] I want a Fedora 20 system to be a member server and offer a share in a Windows 2008R2 Active Directory domain

Greg Scott GregScott at infrasupport.com
Sat Aug 30 16:30:37 MDT 2014


From Rowland:
> Have you tried typing the above in a terminal and running it, if you do, it may print an error message.

Pasting it in my PuTTY window - same as typing by hand - no output. It just makes backup copies of a bunch of .conf files but doesn't change the real ones. So authconfig blows up and leaves no visible footprints?

[root at nfsa gregs]# authconfig \
>       --enablewinbind \
>       --enablewins \
>       --enablewinbindauth \
>       --smbsecurity=ads \
>       --smbworkgroup=EHAC \
>       --smbrealm=EHAC.LOCAL \
>       --smbservers=ehcserver1.ehac.local \
>       --krb5realm=EHAC.LOCAL \
>       --enablewinbindoffline \
>       --enablekrb5 \
>       --winbindtemplateshell=/bin/sh \
>       --winbindjoin=administrator \
>       --update \
>       --enablelocauthorize \
>       --savebackup=/home/gregs/backups
[root at nfsa gregs]# ls backups -al
total 108
drwxr-xr-x. 2 root  root   4096 Aug 30 17:16 .
drwx------. 4 gregs gregs  4096 Aug 30 11:13 ..
-rw-r--r--. 1 root  root    417 Aug 30 17:16 authconfig
-rw-r--r--. 1 root  root      1 Aug 30 17:16 cacheenabled.conf
-rw-r--r--. 1 root  root    857 Aug 30 17:16 fingerprint-auth-ac
-rw-r--r--. 1 root  root    517 Aug 30 17:16 group
----------. 1 root  root    410 Aug 30 17:16 gshadow
-rw-r--r--. 1 root  root    660 Aug 30 17:16 krb5.conf
-rw-r--r--. 1 root  root   2391 Aug 30 17:16 libuser.conf
-rw-r--r--. 1 root  root   2028 Aug 30 17:16 login.defs
-rw-r--r--. 1 root  root     22 Aug 30 17:16 network
-rw-r--r--. 1 root  root   1715 Aug 30 17:16 nsswitch.conf
-rw-r--r--. 1 root  root    364 Aug 30 17:16 openldap.conf
-rw-r--r--. 1 root  root   9028 Aug 30 17:16 pam_pkcs11.conf
-rw-r--r--. 1 root  root   1167 Aug 30 17:16 passwd
-rw-r--r--. 1 root  root   1230 Aug 30 17:16 password-auth-ac
-rw-r--r--. 1 root  root    330 Aug 30 17:16 postlogin-ac
-rw-r--r--. 1 root  root   1718 Aug 30 17:16 pwquality.conf
----------. 1 root  root    800 Aug 30 17:16 shadow
-rw-r--r--. 1 root  root    909 Aug 30 17:16 smartcard-auth-ac
-rw-r--r--. 1 root  root  12275 Aug 30 17:16 smb.conf
-rw-------. 1 root  root    403 Aug 30 17:16 sssd.conf
-rw-r--r--. 1 root  root   1271 Aug 30 17:16 system-auth-ac
[root at nfsa gregs]# date
Sat Aug 30 17:16:10 CDT 2014
[root at nfsa gregs]#

From Steve:

> What does your keytab look like?
> klist -k
>
> If that returns at least a host/ key then direct samba to use it:
> kerberos method = system keytab

[root at nfsa gregs]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nfsa.ehac.local@EHAC.LOCAL
   2 host/nfsa.ehac.local@EHAC.LOCAL
   2 host/nfsa.ehac.local@EHAC.LOCAL
   2 host/nfsa.ehac.local@EHAC.LOCAL
   2 host/nfsa.ehac.local@EHAC.LOCAL
   2 host/nfsa@EHAC.LOCAL
   2 host/nfsa@EHAC.LOCAL
   2 host/nfsa@EHAC.LOCAL
   2 host/nfsa@EHAC.LOCAL
   2 host/nfsa@EHAC.LOCAL
   2 NFSA$@EHAC.LOCAL
   2 NFSA$@EHAC.LOCAL
   2 NFSA$@EHAC.LOCAL
   2 NFSA$@EHAC.LOCAL
   2 NFSA$@EHAC.LOCAL
[root at nfsa gregs]#

Not sure what this is telling me but I put in the change to smb.conf.  You can see the Kerberos method inserted below.  No change in behavior - Windows still sees Access Denied when I try to connect to it.  

[root at nfsa gregs]# cd /etc/samba
[root at nfsa samba]# nano smb.conf
[root at nfsa samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[backups]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = EHAC
        realm = ehac.local
        server string = Samba Server nfsa Version %v
        security = ADS
        kerberos method = system keytab
        log file = /var/log/samba/log.%m
        max log size = 50
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        idmap config SAMDOM:range = 500-40000
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:backend = ad
        idmap config *:range = 70001-80000
        idmap config * : backend = tdb
        cups options = raw

[backups]
        comment = backups
        path = /data/nfsa
        read only = No
        guest ok = Yes

[root at nfsa samba]#
[root at nfsa samba]#
[root at nfsa samba]# systemctl restart smb
[root at nfsa samba]# systemctl restart winbind
[root at nfsa samba]#
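
The testparm dump above sets workgroup = EHAC while its idmap config lines name SAMDOM. As an added example (not part of the original post), the shell function below reads a testparm dump on stdin and lists idmap config domain names that match neither * nor the workgroup. The function names are hypothetical, and it assumes a single-domain member server with no trusted domains.

```shell
# Added example, not part of the original post.
# check_idmap_domains: reads a testparm dump on stdin and reports
#   MISMATCH <name>       "idmap config <name>" is neither "*" nor the workgroup
#   NO_DOMAIN_IDMAP <wg>  no "idmap config <workgroup>" line exists
#   NO_WORKGROUP          the dump has no workgroup line at all
# Assumption: single-domain member server (trusted domains would also be listed).
check_idmap_domains() {
    awk -F'=' '
        /^[ \t]*workgroup[ \t]*=/ {
            wg = toupper($2); gsub(/[ \t]/, "", wg)
        }
        /^[ \t]*idmap config[ \t]/ {
            name = $1
            sub(/^[ \t]*idmap config[ \t]+/, "", name)   # drop the keyword
            sub(/[ \t]*:.*$/, "", name)                   # drop ":option"
            seen[toupper(name)] = 1
        }
        END {
            if (wg == "") { print "NO_WORKGROUP"; exit }
            for (d in seen)
                if (d != "*" && d != wg) print "MISMATCH " d
            if (!(wg in seen)) print "NO_DOMAIN_IDMAP " wg
        }
    ' | sort
}

# Sample input: the relevant [global] lines copied from the testparm dump above.
sample_dump() {
    cat <<'EOF'
[global]
        workgroup = EHAC
        realm = ehac.local
        security = ADS
        winbind nss info = rfc2307
        idmap config SAMDOM:range = 500-40000
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:backend = ad
        idmap config *:range = 70001-80000
        idmap config * : backend = tdb
EOF
}

sample_dump | check_idmap_domains
```

On a live system the same function can be fed from `testparm -s 2>/dev/null`.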