[Samba] problem authenticating with kerberos and smb

Michael Edwards michael.edwards at henderson-group.com
Thu Nov 27 10:13:32 MST 2014

Hi Rowland

Thanks for your reply.

I've modified the smb.shares.conf to remove the global tag, and moved
the settings into each share.  Tried accessing the machine after a
`service smb reload && service winbind reload && service sssd reload`,
and still getting the same error. 

Only sssd is set up in /etc/nsswitch.conf:
# /etc/nsswitch.conf
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
# Valid entries include:
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files    

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

The realm was just a sanitizing error - they're inside.local &
INSIDE.LOCAL respectively, have also tried variations on caps and lower
case, but still no luck.

Many thanks

On 27/11/14 16:45, Rowland Penny wrote:
> On 27/11/14 16:07, Michael Edwards wrote:
>> snip
> OK, alter samba.shares.conf by removing the [global] tag and move
> **ALL** the settings to the shares where they belong.
> There is also this:     '# make winbind use NSS (and therefore SSSD)
> to resolve SIDs for domain users'
> There is **NO** connection between winbind and sssd, you need to use
> either one or the other in /etc/nsswitch.conf
> You have 'realm = inside.local' in smb.conf and 'default_realm =
> DOMAIN.LOCAL' in /etc/krb5.conf, now this may just be a sanitizing
> error, but if not you need to sort this.
> That's enough to be going on with
> Rowland
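
The two checks raised in the quoted reply (one realm in smb.conf and krb5.conf, and sss or winbind but not both in nsswitch.conf), as an added example that is not part of the original messages or of Samba itself. The function names and the sample file contents are constructed for illustration, and comparing realms case-insensitively is an assumption of this sketch.

```python
import re

def _setting(text, key):
    """Return the last value of `key = value` in an ini-style file, or None."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")):
            continue
        m = re.match(rf"{re.escape(key)}\s*=\s*(.+)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip()
    return value

def nss_sources(text, database):
    """Return the lookup sources nsswitch.conf lists for one database."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            # Drop action items such as [NOTFOUND=return].
            return [s for s in rest.split() if not s.startswith("[")]
    return []

def check(smb_conf, krb5_conf, nsswitch_conf):
    """Return a list of (code, detail) findings for the two points raised."""
    findings = []
    smb_realm = _setting(smb_conf, "realm")
    krb_realm = _setting(krb5_conf, "default_realm")
    # Assumption: realms are compared case-insensitively here.
    if smb_realm and krb_realm and smb_realm.upper() != krb_realm.upper():
        findings.append(("realm-mismatch", f"{smb_realm} vs {krb_realm}"))
    for db in ("passwd", "group"):
        sources = nss_sources(nsswitch_conf, db)
        if "sss" in sources and "winbind" in sources:
            findings.append(("nss-both", f"{db}: {' '.join(sources)}"))
    return findings

# Constructed sample input, using the values quoted in the thread.
SMB = "[global]\n   realm = inside.local\n"
KRB5 = "[libdefaults]\n   default_realm = DOMAIN.LOCAL\n"
NSS = "passwd:     files sss\ngroup:      files sss\nhosts:      files dns\n"

if __name__ == "__main__":
    for code, detail in check(SMB, KRB5, NSS):
        print(code, detail)
```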
