[Samba] Samba not working with sssd on CentOS 6.5
Karel Lang AFD
lang at afd.cz
Thu Sep 25 01:51:19 MDT 2014
Rowland, thank you for correcting me, and Andrei, sorry for the inexact
explanation / information.

I'm not familiar from my own experience with joining Linux to Windows AD
(I never had the pleasure to manage a Windows server environment) :].
So the option SECURITY = ADS wasn't familiar to me.

Nevertheless, it is still about samba and not sssd configuration - or?

Rowland - is there a way Samba can benefit from the SSSD daemon authentication
process? I don't know of an option in Samba to 'tell' it so. (but again
I'm the samba apprentice here) :]

I think, Andrei - try to google for:
'Red Hat Enterprise Linux 7 Windows Integration Guide'
It's a PDF, not even long to read, and I think it has the answers :]

nice day folks

On 09/25/2014 08:55 AM, Rowland Penny wrote:
> On 24/09/14 23:35, Karel Lang AFD wrote:
>> I suggest that the subject 'Samba not working with sssd on CentOS 6.5'
>> is not quite correct.
>> You need to understand, that SSSD is responsible for posix level
>> authentication which has nothing to do with Samba.
>> From what you write, it is apparent that posix level authentication
>> works all right, meaning, that your /etc/sssd/sssd.conf is setup
>> right, because you can log onto your linux box with domain users via
>> eg. ssh etc.
>> What is not working is your Samba connection to the existing domain -
>> so the smb.conf has to be tuned up properly.
>> your 'passdb backend' can not be tdbsam (it is just a local samba file
>> where samba stores info about users locally in the 'passdb.tdb' file) and
>> thus Samba can not be aware of any domain users.
>> you need to specify to your 'passdb backend' option in smb.conf your
>> PDC backend (usually ldap service etc) ..
>> eg. like:
>> passdb backend = ldapsam:ldaps://ipaddress (in case of ldap server
> Oh dear, somebody else who has never read the smb.conf manpage ;-)
> If you set 'security = ADS', you do not need to set the 'passdb backend',
> it will use the default, which is:
> passdb backend = tdbsam
>> On 09/24/2014 11:05 PM, Andrei Vida-Raţiu wrote:
>>> Hello everyone.
>>> I joined this list because I cannot find an answer to my problem. The
>>> setup is this:
>>> I installed CentOS release 6.5 (Final) minimal version
>>> Updated all packages
>>> Added the server to the Active Directory domain as a member server
>>> using the method described here (using adcli, kerberos and sssd):
>>> It worked, I tested by trying to connect through ssh with domain user
>>> credentials and by doing "su domain_user" from root ssh console. Both
>>> After that, I installed Samba (Version 3.6.9-169.el6_5). Created a
>>> minimal config file like this:
>>> workgroup = mydomain
>>> server string = Samba Server Version %v
>>> security = ads
>>> encrypt passwords = yes
>>> passdb backend = tdbsam
>>> realm = mydomain.ro
>>> # No printers needed
>>> load printers = no
>>> cups options = raw
>>> printcap name = /dev/null
>>> # logs split per machine
>>> log file = /var/log/samba/log.%m
>>> # max 50KB per log file, then rotate
>>> max log size = 50
>>> log level = 10
>>> # ############ THE SHARES ############ #
>>> comment = Home Directories
>>> browseable = no
>>> writable = yes
>>> It doesn't work. I get this error in /var/log/messages:
>>> Sep 24 23:40:54 fs01 smbd: connect_to_domain_password_server:
>>> unable to open the domain client session to machine DC.MYDOMAIN.RO.
>>> Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
>>> Sep 24 23:40:54 fs01 smbd: [2014/09/24 23:40:54.406665, 0]
>>> Sep 24 23:40:54 fs01 smbd: get_schannel_session_key: could not
>>> fetch trust account password for domain 'MYDOMAIN'
>>> Sep 24 23:40:54 fs01 smbd: [2014/09/24 23:40:54.408207, 0]
>>> Sep 24 23:40:54 fs01 smbd: cli_rpc_pipe_open_schannel: failed
>>> to get schannel session key from server DC.MYDOMAIN.RO for domain
>>> Sep 24 23:40:54 fs01 smbd: [2014/09/24 23:40:54.408499, 0]
>>> However, if I add this:
>>> kerberos method = secrets and keytab
>>> to the smb.conf file it works. But it creates another strange problem.
>>> It works only when I connect using \\server. If I try that by IP, like
>>> \\192.168.1.5 the error above appears again in /var/log/messages.
>>> I really need the "access by IP" option. Are there any solutions?
>>> Also, it seems that, in this configuration, samba doesn't use sssd? I
>>> increased the debug level in sssd but the logs are empty!
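
Added example (not part of the original thread and not Samba project code): a small smb.conf reviewer that reports the two points raised above, namely that `passdb backend = tdbsam` is already the default under `security = ads`, and that the setup in this thread only authenticated once `kerberos method = secrets and keytab` was set. The `[global]` header in the sample and the function names are assumptions; the default of `kerberos method` (secrets only) is taken from the smb.conf manpage.

```python
import re

# Constructed sample: the global parameters of the smb.conf quoted in the thread.
# The [global] header is assumed; the archived copy does not show it.
SAMPLE = """\
[global]
workgroup = mydomain
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = mydomain.ro
log level = 10
"""

def parse_global(text):
    """Return the [global] parameters as a dict keyed by normalised name."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            key = re.sub(r"\s+", "", name).lower()
            params[key] = " ".join(value.split()).lower()
    return params

def review(text):
    """List findings that correspond to the points made in the thread."""
    p = parse_global(text)
    findings = []
    if p.get("security") != "ads":
        return findings                          # only AD member setups are reviewed
    if p.get("passdbbackend") == "tdbsam":
        findings.append("passdb backend = tdbsam is the default; the line is redundant")
    if p.get("kerberosmethod", "default") in ("default", "secrets only"):
        findings.append("kerberos method is secrets only; the setup in this thread "
                        "needed 'secrets and keytab' before smbd could authenticate")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print("-", finding)
```
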