[Samba] Samba not working with sssd on CentOS 6.5

Rowland Penny rowlandpenny at googlemail.com
Thu Sep 25 00:55:40 MDT 2014


On 24/09/14 23:35, Karel Lang AFD wrote:
> Hi,
> I suggest that the subject 'Samba not working with sssd on CentOS 6.5' 
> is not quite correct.
> You need to understand that SSSD is responsible for POSIX-level 
> authentication, which has nothing to do with Samba.
>
> From what you write, it is apparent that POSIX-level authentication 
> works all right, meaning that your /etc/sssd/sssd.conf is set up 
> right, because you can log on to your Linux box with domain users via 
> e.g. ssh etc.
>
> What is not working is your Samba connection to the existing domain - 
> so the smb.conf has to be tuned up properly.
>
> Your 'passdb backend' cannot be tdbsam (it is just a local Samba file 
> where Samba stores info about users locally, in the 'passdb.tdb' file), 
> and thus Samba cannot be aware of any domain users.
>
> You need to specify your PDC backend (usually an LDAP service etc.) in 
> the 'passdb backend' option in smb.conf.
>
> eg. like:
> passdb backend = ldapsam:ldaps://ipaddress (in case of ldap server 
> backend)..

Oh dear, somebody else who has never read the smb.conf manpage ;-)

If you set 'security = ADS', you do not need to set the 'passdb backend'; 
it will use the default, which is:

  passdb backend = tdbsam

Rowland
>
> cheers,
>
> Karel
>
>
> On 09/24/2014 11:05 PM, Andrei Vida-Raţiu wrote:
>> Hello everyone.
>> I joined this list because I cannot find an answer to my problem. The
>> setup is this:
>> I installed CentOS release 6.5 (Final) minimal version
>> Updated all packages
>> Added the server to the Active Directory domain as a member server
>> using the method described here (using adcli, kerberos and sssd):
>> http://jhrozek.livejournal.com/3581.html
>>
>> It worked, I tested by trying to connect through ssh with domain user
>> credentials and by doing "su domain_user" from root ssh console. Both
>> worked.
>>
>> After that, I installed Samba (Version 3.6.9-169.el6_5). Created a
>> minimal config file like this:
>>
>> [global]
>>          workgroup = mydomain
>>          server string = Samba Server Version %v
>>          security = ads
>>          encrypt passwords = yes
>>          passdb backend = tdbsam
>>          realm = mydomain.ro
>>
>> # No printers needed
>>          load printers = no
>>          cups options = raw
>>          printcap name = /dev/null
>>
>> # logs split per machine
>>          log file = /var/log/samba/log.%m
>> # max 50KB per log file, then rotate
>>          max log size = 50
>>          log level = 10
>>
>> # ############ THE SHARES ############ #
>>
>> [homes]
>>          comment = Home Directories
>>          browseable = no
>>          writable = yes
>>
>> It doesn't work. I get this error in /var/log/messages:
>>
>> Sep 24 23:40:54 fs01 smbd[1406]: connect_to_domain_password_server:
>> unable to open the domain client session to machine DC.MYDOMAIN.RO.
>> Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
>> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.406665, 0]
>> rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
>> Sep 24 23:40:54 fs01 smbd[1406]:   get_schannel_session_key: could not
>> fetch trust account password for domain 'MYDOMAIN'
>> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408207, 0]
>> rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
>> Sep 24 23:40:54 fs01 smbd[1406]:   cli_rpc_pipe_open_schannel: failed
>> to get schannel session key from server DC.MYDOMAIN.RO for domain
>> MYDOMAIN.
>> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408499, 0]
>> auth/auth_domain.c:193(connect_to_domain_password_server)
>>
>> However, if I add this:
>>
>> kerberos method = secrets and keytab
>>
>> to the smb.conf file it works. But it creates another strange problem.
>> It works only when I connect using \\server. If I try that by IP, like
>> \\192.168.1.5 the error above appears again in /var/log/messages.
>>
>> I really need the "access by IP" option. Are there any solutions?
>>
>> Also, it seems that, in this configuration, samba doesn't use sssd? I
>> increased the debug level in sssd but the logs are empty!
>>
>> _______
>>
>> AndreiV
>>
>
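
An added example, not part of the original thread or of Samba: a small Python check that parses an smb.conf [global] section and reports the two points raised above, whether 'passdb backend' merely repeats the default Rowland cites and whether 'kerberos method' includes a keytab. The function names, the constructed sample (abridged from the posted config) and the assumed 'secrets only' default for 'kerberos method' are assumptions; line continuations and includes are not handled.

```python
import re

# Constructed sample, abridged from the [global] section posted in the thread.
SAMPLE = """\
[global]
        workgroup = mydomain
        security = ads
        passdb backend = tdbsam
        realm = mydomain.ro
        log level = 10
[homes]
        browseable = no
"""

# 'passdb backend' default is the one stated in the thread; the 'kerberos method'
# default is an assumption taken from the smb.conf manpage, check your version.
DEFAULTS = {"passdbbackend": "tdbsam", "kerberosmethod": "secrets only"}

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = norm(m.group(1))
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def review(text):
    """Return (effective settings, notes) for an AD member configuration."""
    p = parse_global(text)
    eff = {k: p.get(k, d) for k, d in DEFAULTS.items()}
    notes = []
    if p.get("security", "").lower() == "ads":
        if p.get("passdbbackend", "").lower() == DEFAULTS["passdbbackend"]:
            notes.append("passdb backend repeats the default (tdbsam); the line is redundant")
        if "keytab" not in eff["kerberosmethod"].lower():
            notes.append("kerberos method has no keytab; tickets are verified against secrets.tdb only")
    return eff, notes
```
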


