[Samba] Samba not working with sssd on CentOS 6.5

Karel Lang AFD lang at afd.cz
Thu Sep 25 01:51:19 MDT 2014


Hi all,
Rowland, thank you for correcting me, and Andrei, sorry for the inexact 
explanation / information.
I have no experience of my own with joining Linux to Windows AD 
(I never had the pleasure of managing a Windows server environment) :].
So that option SECURITY = ADS wasn't familiar to me.

Nevertheless, it is still about Samba and not SSSD configuration, or? 
Rowland - is there a way for Samba to benefit from the SSSD daemon's 
authentication process? I don't know of an option in Samba to 'tell' it so 
(but again, I'm the Samba apprentice here) :]

I think, Andrei - try to google for:
'Red Hat Enterprise Linux 7 Windows Integration Guide'
It's a PDF, not even long to read, and I think it has the answers :]

nice day folks

Karel


On 09/25/2014 08:55 AM, Rowland Penny wrote:
> On 24/09/14 23:35, Karel Lang AFD wrote:
>> Hi,
>> I suggest that the subject 'Samba not working with sssd on CentOS 6.5'
>> is not quite correct.
>> You need to understand that SSSD is responsible for POSIX level
>> authentication, which has nothing to do with Samba.
>>
>> From what you write, it is apparent that POSIX level authentication
>> works all right, meaning that your /etc/sssd/sssd.conf is set up
>> right, because you can log onto your Linux box with domain users via
>> e.g. ssh etc.
>>
>> What is not working is your Samba connection to the existing domain -
>> so the smb.conf has to be tuned up properly.
>>
>> your 'passdb backend' can not be tdbsam (it is just a local Samba file
>> where Samba stores info about users locally, the 'passdb.tdb' file), and
>> thus Samba can not be aware of any domain users.
>>
>> you need to specify in the 'passdb backend' option in smb.conf your
>> PDC backend (usually an LDAP service etc.) ..
>>
>> eg. like:
>> passdb backend = ldapsam:ldaps://ipaddress (in case of ldap server
>> backend)..
>
> Oh dear, somebody else who has never read the smb.conf manpage ;-)
>
> If you set 'security = ADS', you do not need to set the 'passdb backend'
> it will use the default, which is:
>
>   passdb backend = tdbsam
>
> Rowland
>>
>> cheers,
>>
>> Karel
>>
>>
>> On 09/24/2014 11:05 PM, Andrei Vida-Raţiu wrote:
>>> Hello everyone.
>>> I joined this list because I cannot find an answer to my problem. The
>>> setup is this:
>>> I installed CentOS release 6.5 (Final) minimal version
>>> Updated all packages
>>> Added the server to the Active Directory domain as a member server
>>> using the method described here (using adcli, kerberos and sssd):
>>> http://jhrozek.livejournal.com/3581.html
>>>
>>> It worked, I tested by trying to connect through ssh with domain user
>>> credentials and by doing "su domain_user" from root ssh console. Both
>>> worked.
>>>
>>> After that, I installed Samba (Version 3.6.9-169.el6_5). Created a
>>> minimal config file like this:
>>>
>>> [global]
>>>          workgroup = mydomain
>>>          server string = Samba Server Version %v
>>>          security = ads
>>>          encrypt passwords = yes
>>>          passdb backend = tdbsam
>>>          realm = mydomain.ro
>>>
>>> # No printers needed
>>>          load printers = no
>>>          cups options = raw
>>>          printcap name = /dev/null
>>>
>>> # logs split per machine
>>>          log file = /var/log/samba/log.%m
>>> # max 50KB per log file, then rotate
>>>          max log size = 50
>>>          log level = 10
>>>
>>> # ############ THE SHARES ############ #
>>>
>>> [homes]
>>>          comment = Home Directories
>>>          browseable = no
>>>          writable = yes
>>>
>>> It doesn't work. I get this error in /var/log/messages:
>>>
>>> Sep 24 23:40:54 fs01 smbd[1406]: connect_to_domain_password_server:
>>> unable to open the domain client session to machine DC.MYDOMAIN.RO.
>>> Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
>>> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.406665, 0]
>>> rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
>>> Sep 24 23:40:54 fs01 smbd[1406]:   get_schannel_session_key: could not
>>> fetch trust account password for domain 'MYDOMAIN'
>>> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408207, 0]
>>> rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
>>> Sep 24 23:40:54 fs01 smbd[1406]:   cli_rpc_pipe_open_schannel: failed
>>> to get schannel session key from server DC.MYDOMAIN.RO for domain
>>> MYDOMAIN.
>>> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408499, 0]
>>> auth/auth_domain.c:193(connect_to_domain_password_server)
>>>
>>> However, if I add this:
>>>
>>> kerberos method = secrets and keytab
>>>
>>> to the smb.conf file it works. But it creates another strange problem.
>>> It works only when I connect using \\server. If I try that by IP, like
>>> \\192.168.1.5 the error above appears again in /var/log/messages.
>>>
>>> I really need the "access by IP" option. Are there any solutions?
>>>
>>> Also, it seems that, in this configuration, samba doesn't use sssd? I
>>> increased the debug level in sssd but the logs are empty!
>>>
>>> _______
>>>
>>> AndreiV
>>>
>>
>
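
Added example, not part of the thread: a Python triage helper that reads the [global] settings Andrei posted and the smbd errors he quoted, and reports the effective 'kerberos method' together with the domain whose trust account password smbd could not fetch. The function names are hypothetical, the 'secrets only' fallback is the smb.conf manpage default, and the config and log text are copied from the post with the mail line-wrapping undone.

```python
import re

# smb.conf as posted in the thread (printer and logging options omitted).
SMB_CONF = """\
[global]
         workgroup = mydomain
         security = ads
         encrypt passwords = yes
         passdb backend = tdbsam
         realm = mydomain.ro
[homes]
         browseable = no
"""

# smbd lines from the thread's /var/log/messages excerpt, mail wrapping undone.
LOG = """\
Sep 24 23:40:54 fs01 smbd[1406]:   get_schannel_session_key: could not fetch trust account password for domain 'MYDOMAIN'
Sep 24 23:40:54 fs01 smbd[1406]:   cli_rpc_pipe_open_schannel: failed to get schannel session key from server DC.MYDOMAIN.RO for domain MYDOMAIN.
"""

def parse_global(text):
    """Return [global] parameters; smb.conf names ignore case and inner spaces."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def triage(conf_text, log_text):
    """Pair the member-server settings with the trust-account error in the log."""
    p = parse_global(conf_text)
    domains = set(re.findall(
        r"could not fetch trust account password for domain '([^']+)'", log_text))
    return {
        "ads_member": p.get("security", "").lower() == "ads",
        # Assumption from the manpage: with no explicit setting, smbd
        # verifies Kerberos tickets against secrets.tdb only.
        "kerberos_method": p.get("kerberosmethod", "secrets only").lower(),
        "trust_password_missing_for": sorted(domains),
    }

if __name__ == "__main__":
    print(triage(SMB_CONF, LOG))
```
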


