[Samba] Samba not working with sssd on CentOS 6.5
rowlandpenny at googlemail.com
Thu Sep 25 00:55:40 MDT 2014
On 24/09/14 23:35, Karel Lang AFD wrote:
> I suggest that the subject 'Samba not working with sssd on CentOS 6.5'
> is not quite correct.
> You need to understand, that SSSD is responsible for posix level
> authentication which has nothing to do with Samba.
> From what you write, it is apparent that posix level authentication
> works all right, meaning, that your /etc/sssd/sssd.conf is setup
> right, because you can log onto your linux box with domain users via
> eg. ssh etc.
> What is not working is your Samba connection to the existing domain -
> so the smb.conf has to be tuned up properly.
> your 'passdb backend' cannot be tdbsam (it is just a local samba file
> where samba stores info about users locally, the 'passdb.tdb' file) and
> thus Samba cannot be aware of any domain users.
> you need to specify to your 'passdb backend' option in smb.conf your
> PDC backend (usually ldap service etc) ..
> eg. like:
> passdb backend = ldapsam:ldaps://ipaddress (in case of ldap server
Oh dear, somebody else who has never read the smb.conf manpage ;-)
If you set 'security = ADS', you do not need to set the 'passdb backend';
it will use the default, which is:
passdb backend = tdbsam
> On 09/24/2014 11:05 PM, Andrei Vida-Raţiu wrote:
>> Hello everyone.
>> I joined this list because I cannot find an answer to my problem. The
>> setup is this:
>> I installed CentOS release 6.5 (Final) minimal version
>> Updated all packages
>> Added the server to the Active Directory domain as a member server
>> using the method described here (using adcli, kerberos and sssd):
>> It worked, I tested by trying to connect through ssh with domain user
>> credentials and by doing "su domain_user" from root ssh console. Both
>> After that, I installed Samba (Version 3.6.9-169.el6_5). Created a
>> minimal config file like this:
>> workgroup = mydomain
>> server string = Samba Server Version %v
>> security = ads
>> encrypt passwords = yes
>> passdb backend = tdbsam
>> realm = mydomain.ro
>> # No printers needed
>> load printers = no
>> cups options = raw
>> printcap name = /dev/null
>> # logs split per machine
>> log file = /var/log/samba/log.%m
>> # max 50KB per log file, then rotate
>> max log size = 50
>> log level = 10
>> # ############ THE SHARES ############ #
>> comment = Home Directories
>> browseable = no
>> writable = yes
>> It doesn't work. I get this error in /var/log/messages:
>> Sep 24 23:40:54 fs01 smbd: connect_to_domain_password_server:
>> unable to open the domain client session to machine DC.MYDOMAIN.RO.
>> Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
>> Sep 24 23:40:54 fs01 smbd: [2014/09/24 23:40:54.406665, 0]
>> Sep 24 23:40:54 fs01 smbd: get_schannel_session_key: could not
>> fetch trust account password for domain 'MYDOMAIN'
>> Sep 24 23:40:54 fs01 smbd: [2014/09/24 23:40:54.408207, 0]
>> Sep 24 23:40:54 fs01 smbd: cli_rpc_pipe_open_schannel: failed
>> to get schannel session key from server DC.MYDOMAIN.RO for domain
>> Sep 24 23:40:54 fs01 smbd: [2014/09/24 23:40:54.408499, 0]
>> However, if I add this:
>> kerberos method = secrets and keytab
>> to the smb.conf file it works. But it creates another strange problem.
>> It works only when I connect using \\server. If I try that by IP, like
>> \\192.168.1.5 the error above appears again in /var/log/messages.
>> I really need the "access by IP" option. Are there any solutions?
>> Also, it seems that, in this configuration, samba doesn't use sssd? I
>> increased the debug level in sssd but the logs are empty!
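
Added example, not part of the original thread and not Samba's own code: a small Python check of an smb.conf [global] section for the two settings discussed above, 'passdb backend' under 'security = ads' and 'kerberos method'. The [global] and [homes] headers in the sample are assumptions (the archived message shows none), the function names are hypothetical, and the defaults are those given in the smb.conf manpage.

```python
DEFAULTS = {  # defaults from the smb.conf manpage, keyed by normalised name
    "security": "user", "realm": "",
    "passdbbackend": "tdbsam", "kerberosmethod": "default",  # default = secrets only
}

# Constructed sample based on the config in the thread; section headers are assumed.
SAMPLE = """
[global]
    security = ads
    passdb backend = tdbsam
    realm = mydomain.ro
[homes]
    browseable = no
"""

def norm(name):  # Samba ignores case and whitespace in parameter names
    return "".join(name.lower().split())

def parse_globals(text):
    """Return the parameters explicitly set in [global]."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def review(text):
    """Return (effective settings, notes) for a security = ads member server."""
    explicit = parse_globals(text)
    eff = {**DEFAULTS, **explicit}
    notes = []
    if eff["security"].lower() != "ads":
        return eff, notes
    if not eff["realm"]:
        notes.append("security = ads needs a realm")
    if "passdbbackend" in explicit:
        notes.append("passdb backend need not be set; the default is tdbsam")
    if eff["kerberosmethod"].lower() in ("default", "secrets only"):
        notes.append("kerberos method is secrets only; the keytab is not used to verify tickets")
    return eff, notes

if __name__ == "__main__":
    print(*review(SAMPLE)[1], sep="\n")
```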