[Samba] Samba not working with sssd on CentOS 6.5

Karel Lang AFD lang at afd.cz
Wed Sep 24 16:35:47 MDT 2014


Hi,
I suggest that the subject 'Samba not working with sssd on CentOS 6.5' 
is not quite correct.
You need to understand that SSSD is responsible for POSIX-level 
authentication, which has nothing to do with Samba.

From what you write, it is apparent that POSIX-level authentication 
works all right, meaning that your /etc/sssd/sssd.conf is set up right, 
because you can log onto your Linux box with domain users via e.g. ssh etc.

What is not working is your Samba connection to the existing domain - so 
the smb.conf has to be tuned up properly.

Your 'passdb backend' cannot be tdbsam (it is just a local Samba file 
where Samba stores info about users locally, in the 'passdb.tdb' file), and 
thus Samba cannot be aware of any domain users.

You need to specify in the 'passdb backend' option in smb.conf your PDC 
backend (usually an LDAP service etc.).

E.g. like:
passdb backend = ldapsam:ldaps://ipaddress (in case of an LDAP server 
backend).

cheers,

Karel


On 09/24/2014 11:05 PM, Andrei Vida-Raţiu wrote:
> Hello everyone.
> I joined this list because I cannot find an answer to my problem. The
> setup is this:
> I installed CentOS release 6.5 (Final) minimal version
> Updated all packages
> Added the server to the Active Directory domain as a member server
> using the method described here (using adcli, kerberos and sssd):
> http://jhrozek.livejournal.com/3581.html
>
> It worked, I tested by trying to connect through ssh with domain user
> credentials and by doing "su domain_user" from root ssh console. Both
> worked.
>
> After that, I installed Samba (Version 3.6.9-169.el6_5). Created a
> minimal config file like this:
>
> [global]
>          workgroup = mydomain
>          server string = Samba Server Version %v
>          security = ads
>          encrypt passwords = yes
>          passdb backend = tdbsam
>          realm = mydomain.ro
>
> # No printers needed
>          load printers = no
>          cups options = raw
>          printcap name = /dev/null
>
> # logs split per machine
>          log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
>          max log size = 50
>          log level = 10
>
> # ############ THE SHARES ############ #
>
> [homes]
>          comment = Home Directories
>          browseable = no
>          writable = yes
>
> It doesn't work. I get this error in /var/log/messages:
>
> Sep 24 23:40:54 fs01 smbd[1406]:   connect_to_domain_password_server:
> unable to open the domain client session to machine DC.MYDOMAIN.RO.
> Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.406665,  0]
> rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
> Sep 24 23:40:54 fs01 smbd[1406]:   get_schannel_session_key: could not
> fetch trust account password for domain 'MYDOMAIN'
> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408207,  0]
> rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
> Sep 24 23:40:54 fs01 smbd[1406]:   cli_rpc_pipe_open_schannel: failed
> to get schannel session key from server DC.MYDOMAIN.RO for domain
> MYDOMAIN.
> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408499,  0]
> auth/auth_domain.c:193(connect_to_domain_password_server)
>
> However, if I add this:
>
> kerberos method = secrets and keytab
>
> to the smb.conf file it works. But it creates another strange problem.
> It works only when I connect using \\server. If I try that by IP, like
> \\192.168.1.5 the error above appears again in /var/log/messages.
>
> I really need the "access by IP" option. Are there any solutions?
>
> Also, it seems that, in this configuration, samba doesn't use sssd? I
> increased the debug level in sssd but the logs are empty!
>
> _______
>
> AndreiV
>
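
Added example, not part of the original thread: a small Python parser for the smbd entries that land in /var/log/messages as shown in the quoted message, where each Samba debug header (timestamp, level, source file, function) is followed by its message on separate syslog lines. The function name `parse_smbd_syslog` and the entry field names are hypothetical, and the sample input is constructed from the log lines quoted above with the e-mail line wrapping undone.

```python
import re

# syslog prefix: "Sep 24 23:40:54 fs01 smbd[1406]: <payload>"
SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]{8} (\S+) smbd\[(\d+)\]: (.*)$")
# Samba debug header: "[2014/09/24 23:40:54.406665,  0] file.c:54(function)"
HEADER = re.compile(r"^\[([\d/]+ [\d:.]+), +(\d+)\] (\S+?):(\d+)\((\w+)\)$")
NT_STATUS = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")

def parse_smbd_syslog(lines):
    """Pair each smbd debug header with the message lines that follow it."""
    entries, open_entry = [], {}          # open_entry: pid -> entry being filled
    for line in lines:
        m = SYSLOG.match(line.rstrip("\n"))
        if not m:
            continue                      # not an smbd syslog line
        host, pid, payload = m.group(1), int(m.group(2)), m.group(3).strip()
        h = HEADER.match(payload)
        if h or pid not in open_entry:
            # New header, or message text whose header precedes the excerpt
            entry = {"host": host, "pid": pid, "time": None, "level": None,
                     "source": None, "function": None, "message": ""}
            if h:
                entry.update(time=h.group(1), level=int(h.group(2)),
                             source=f"{h.group(3)}:{h.group(4)}", function=h.group(5))
            open_entry[pid] = entry
            entries.append(entry)
        if not h:
            e = open_entry[pid]
            e["message"] = f"{e['message']} {payload}".strip()
    for e in entries:
        e["nt_status"] = NT_STATUS.findall(e["message"])
    return entries

# Constructed sample: the log lines quoted in the thread, e-mail wrapping undone.
P = "Sep 24 23:40:54 fs01 smbd[1406]: "
SAMPLE = [
    P + "  connect_to_domain_password_server: unable to open the domain client session "
        "to machine DC.MYDOMAIN.RO. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.",
    P + "[2014/09/24 23:40:54.406665,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)",
    P + "  get_schannel_session_key: could not fetch trust account password for domain 'MYDOMAIN'",
    P + "[2014/09/24 23:40:54.408207,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)",
    P + "  cli_rpc_pipe_open_schannel: failed to get schannel session key from server DC.MYDOMAIN.RO for domain MYDOMAIN.",
    P + "[2014/09/24 23:40:54.408499,  0] auth/auth_domain.c:193(connect_to_domain_password_server)",
]

if __name__ == "__main__":
    for e in parse_smbd_syslog(SAMPLE):
        print(e["time"], e["source"], e["nt_status"], e["message"][:60])
```

The first entry has no source location because its header line falls before the quoted excerpt, and the last has an empty message because the excerpt ends at its header.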


