[Samba] Domain member (2k8R2) server, problem mapping Kerberos/NSS users
Rowland Penny
rowlandpenny at googlemail.com
Mon Jul 21 08:35:05 MDT 2014
On 21/07/14 14:56, Elias Probst wrote:
> Hi list,
>
> I'm trying to set up a simple fileserver (Samba 4.1.6 on Ubuntu 14.04)
> as domain member, which delegates user authentication to AD (2k8R2) via
> Kerberos/NSS → SSSD without using Winbind.
>
> I have SSSD up and running and things like
> getent passwd some-domain-user
> getent group some-domain-group
> chown some-domain-user:some-domain-group /tmp/foobar
> work just fine and show the expected results.
>
> When trying to connect to a share (using MY-DOMAIN\kxmjd01 on a Win7
> client), my log (full log attached) shows some hints:
>> Found account name from PAC: kxmjd01 [Doe, John]
> which looks good… but then
>> Username MY-DOMAIN\kxmjd01 is invalid on this system
>> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
>> Server exit (NT_STATUS_CONNECTION_RESET)
> The server was also joined to the domain and 'klist -ke' prints the
> following keytab:
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    4 host/mn1221-s0002.am15.my-domain.tld@MY-DOMAIN.TLD (des-cbc-crc)
>    4 host/mn1221-s0002.am15.my-domain.tld@MY-DOMAIN.TLD (des-cbc-md5)
>    4 host/mn1221-s0002.am15.my-domain.tld@MY-DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>    4 host/mn1221-s0002.am15.my-domain.tld@MY-DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>    4 host/mn1221-s0002.am15.my-domain.tld@MY-DOMAIN.TLD (arcfour-hmac)
>    4 host/MN1221-S0002@MY-DOMAIN.TLD (des-cbc-crc)
>    4 host/MN1221-S0002@MY-DOMAIN.TLD (des-cbc-md5)
>    4 host/MN1221-S0002@MY-DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>    4 host/MN1221-S0002@MY-DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>    4 host/MN1221-S0002@MY-DOMAIN.TLD (arcfour-hmac)
>    4 MN1221-S0002$@MY-DOMAIN.TLD (des-cbc-crc)
>    4 MN1221-S0002$@MY-DOMAIN.TLD (des-cbc-md5)
>    4 MN1221-S0002$@MY-DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>    4 MN1221-S0002$@MY-DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>    4 MN1221-S0002$@MY-DOMAIN.TLD (arcfour-hmac)
>
>
> My smb.conf (testparm output) is:
> [global]
> workgroup = MY-DOMAIN
> realm = MY-DOMAIN.TLD
> security = ADS
> kerberos method = system keytab
> client signing = if_required
> load printers = No
> printcap name = /dev/null
> idmap config MY-DOMAIN.TLD : schema_mode = rfc2307bis
> idmap config MY-DOMAIN.TLD : range = 900-9999999999
> idmap config MY-DOMAIN.TLD : readonly = yes
> idmap config MY-DOMAIN.TLD : backend = nss
> idmap config MY-DOMAIN.TLD : default = yes
> idmap config * : backend = tdb
> printing = bsd
> print command = lpr -r -P'%p' %s
> lpq command = lpq -P'%p'
> lprm command = lprm -P'%p' %j
>
> [tdrive]
> comment = Team Drive
> path = /tmp/tdrive
> valid users = @dep0815-gdm_staff
>
> Any ideas what could be wrong with my setup?
> Is there something missing regarding the mapping of Kerberos principals
> to NSS accounts?
>
> Thanks!
> Elias P.
>
>
Hi, these appear to be possible problems:

idmap config MY-DOMAIN.TLD : schema_mode = rfc2307bis   # this is only used by the ad backend
idmap config MY-DOMAIN.TLD : readonly = yes             # only used by the tdb, tdb2 and ldap backends
idmap config MY-DOMAIN.TLD : default = yes              # where did this come from??
idmap config * : backend = tdb                          # no range given

Please have a look at 'man smb.conf' and 'man idmap_nss'

Rowland
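The points Rowland raises are all of one kind: "idmap config" keys that winbind will parse without complaint and then never use for the backend they are attached to, plus a wildcard backend with no range. Below is a small checker, added here as an example and not part of the thread or of Samba itself, that reads testparm-style output and flags exactly those mistakes. The per-backend option tables are taken from the idmap_nss(8), idmap_tdb(8), idmap_tdb2(8), idmap_ldap(8) and idmap_ad(8) man pages for the Samba 4.1 era and cover only those five backends. It also adds two checks that the reply does not mention: the domain part of "idmap config DOMAIN : ..." should be the short NetBIOS domain name from "workgroup" (here MY-DOMAIN), not the realm, and a range upper bound of 9999999999 cannot fit a 32-bit uid_t. The BROKEN_CONF text is copied from the post; FIXED_CONF and its range values are assumed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Options each idmap backend actually reads (Samba 4.1 man pages, idmap_*(8)).
# Any other key under "idmap config DOMAIN :" is silently ignored by winbind.
BACKEND_OPTIONS: Dict[str, set] = {
    "nss": {"backend", "range"},
    "tdb": {"backend", "range", "readonly"},
    "tdb2": {"backend", "range", "readonly", "script"},
    "ldap": {"backend", "range", "readonly", "ldap_url", "ldap_base_dn", "ldap_user_dn"},
    "ad": {"backend", "range", "schema_mode"},
}
UID_MAX = 2**32 - 1  # uid_t / gid_t are 32-bit on Linux

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.I)

# Constructed sample: the [global] idmap lines from the original post.
BROKEN_CONF = """
[global]
workgroup = MY-DOMAIN
realm = MY-DOMAIN.TLD
security = ADS
idmap config MY-DOMAIN.TLD : schema_mode = rfc2307bis
idmap config MY-DOMAIN.TLD : range = 900-9999999999
idmap config MY-DOMAIN.TLD : readonly = yes
idmap config MY-DOMAIN.TLD : backend = nss
idmap config MY-DOMAIN.TLD : default = yes
idmap config * : backend = tdb
"""

# Constructed sample: an assumed corrected version (range values are illustrative).
FIXED_CONF = """
[global]
workgroup = MY-DOMAIN
realm = MY-DOMAIN.TLD
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MY-DOMAIN : backend = nss
idmap config MY-DOMAIN : range = 900-999999
"""


def parse_idmap(smb_conf: str) -> Tuple[Optional[str], Dict[str, Dict[str, str]]]:
    """Return (workgroup, {domain: {option: value}}) from testparm-style text."""
    workgroup: Optional[str] = None
    domains: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1)
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return workgroup, domains


def check_idmap(smb_conf: str) -> List[str]:
    """Flag idmap config keys the chosen backend ignores, missing/bad ranges,
    and a domain key that is not the NetBIOS workgroup name."""
    workgroup, domains = parse_idmap(smb_conf)
    findings: List[str] = []
    for dom, opts in domains.items():
        backend = opts.get("backend", "").lower()
        if not backend:
            findings.append(f"{dom}: no backend configured")
        elif backend not in BACKEND_OPTIONS:
            findings.append(f"{dom}: backend '{backend}' is not in this checker's table")
        else:
            for opt in sorted(opts):
                if opt not in BACKEND_OPTIONS[backend]:
                    findings.append(f"{dom}: option '{opt}' is ignored by the {backend} backend")
        rng = opts.get("range")
        if rng is None:
            findings.append(f"{dom}: no range given")
        else:
            m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", rng)
            if not m:
                findings.append(f"{dom}: range '{rng}' is not of the form LOW-HIGH")
            else:
                lo, hi = int(m.group(1)), int(m.group(2))
                if lo > hi:
                    findings.append(f"{dom}: range low bound {lo} is above high bound {hi}")
                if hi > UID_MAX:
                    findings.append(f"{dom}: range upper bound {hi} exceeds 32-bit uid_t")
        if dom != "*" and workgroup and dom.upper() != workgroup.upper():
            findings.append(f"{dom}: idmap domain should be the NetBIOS name '{workgroup}', not the realm")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} ==")
        for f in check_idmap(conf) or ["no findings"]:
            print("  " + f)
```

Feed it `testparm -s 2>/dev/null` output on a real member server to get the same report; the checker deliberately treats an unknown key such as "default" the same way winbind does (ignored), which is why it shows up only as a finding here and never as an error in Samba's own logs.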