[Samba] Samba not working with sssd on CentOS 6.5

Rowland Penny rowlandpenny at googlemail.com
Thu Sep 25 02:13:06 MDT 2014


On 25/09/14 08:51, Karel Lang AFD wrote:
> Hi all,
> Rowland, thank you for correcting me, and Andrei, sorry for the inexact 
> explanation / information.
> I have no experience of my own with joining Linux to a Windows 
> AD (I never had the pleasure of managing a Windows server environment) :].

I have never managed a windows server either, though whether it's a 
pleasure is debatable ;-)

> So that option SECURITY = ADS wasn't familiar to me.
>
> Nevertheless, it is still about samba and not sssd configuration - or? 
> Rowland - is there a way Samba can benefit from the SSSD daemon's 
> authentication process? I don't know of an option in samba to 'tell' it 
> so. (but again I'm the samba apprentice here) :]
>

What you have to understand is that samba and sssd are complementary; 
you can use one without the other. If you use samba & sssd on a client, 
you do not need the winbind lines in smb.conf, but the samba devs say 
that you should use winbind.

The latest version of sssd can now use its own version of winbind, so 
you only need to run the smbd & nmbd daemons along with a correctly 
setup sssd. If you do not want to use sssd when you connect to AD, you 
need to run the winbind daemon and setup smb.conf to use it.

Rowland

> I think, Andrei - try to google for:
> ' Red Hat Enterprise Linux 7 Windows Integration Guide'
> It's a PDF, not even long to read, and I think it has the answers :]
>
> nice day folks
>
> Karel
>
>
> On 09/25/2014 08:55 AM, Rowland Penny wrote:
>> On 24/09/14 23:35, Karel Lang AFD wrote:
>>> Hi,
>>> I suggest that the subject 'Samba not working with sssd on CentOS 6.5'
>>> is not quite correct.
>>> You need to understand, that SSSD is responsible for posix level
>>> authentication which has nothing to do with Samba.
>>>
>>> From what you write, it is apparent that posix level authentication
>>> works all right, meaning that your /etc/sssd/sssd.conf is set up
>>> right, because you can log onto your linux box with domain users via
>>> e.g. ssh etc.
>>>
>>> What is not working is your Samba connection to the existing domain -
>>> so the smb.conf has to be tuned up properly.
>>>
>>> your 'passdb backend' can not be tdbsam (it is just a local samba file
>>> where samba stores info about users locally in the 'passdb.tdb' file)
>>> and thus Samba can not be aware of any domain users.
>>>
>>> you need to specify in the 'passdb backend' option in smb.conf your
>>> PDC backend (usually an ldap service etc.) ..
>>>
>>> eg. like:
>>> passdb backend = ldapsam:ldaps://ipaddress (in case of ldap server
>>> backend)..
>>
>> Oh dear, somebody else who has never read the smb.conf manpage ;-)
>>
>> If you set 'security = ADS', you do not need to set the 'passdb backend';
>> it will use the default, which is:
>>
>>   passdb backend = tdbsam
>>
>> Rowland
>>>
>>> cheers,
>>>
>>> Karel
>>>
>>>
>>> On 09/24/2014 11:05 PM, Andrei Vida-Raţiu wrote:
>>>> Hello everyone.
>>>> I joined this list because I cannot find an answer to my problem. The
>>>> setup is this:
>>>> I installed CentOS release 6.5 (Final) minimal version
>>>> Updated all packages
>>>> Added the server to the Active Directory domain as a member server
>>>> using the method described here (using adcli, kerberos and sssd):
>>>> http://jhrozek.livejournal.com/3581.html
>>>>
>>>> It worked, I tested by trying to connect through ssh with domain user
>>>> credentials and by doing "su domain_user" from root ssh console. Both
>>>> worked.
>>>>
>>>> After that, I installed Samba (Version 3.6.9-169.el6_5). Created a
>>>> minimal config file like this:
>>>>
>>>> [global]
>>>>          workgroup = mydomain
>>>>          server string = Samba Server Version %v
>>>>          security = ads
>>>>          encrypt passwords = yes
>>>>          passdb backend = tdbsam
>>>>          realm = mydomain.ro
>>>>
>>>> # No printers needed
>>>>          load printers = no
>>>>          cups options = raw
>>>>          printcap name = /dev/null
>>>>
>>>> # logs split per machine
>>>>          log file = /var/log/samba/log.%m
>>>> # max 50KB per log file, then rotate
>>>>          max log size = 50
>>>>          log level = 10
>>>>
>>>> # ############ THE SHARES ############ #
>>>>
>>>> [homes]
>>>>          comment = Home Directories
>>>>          browseable = no
>>>>          writable = yes
>>>>
>>>> It doesn't work. I get this error in /var/log/messages:
>>>>
>>>> Sep 24 23:40:54 fs01 smbd[1406]: connect_to_domain_password_server:
>>>> unable to open the domain client session to machine DC.MYDOMAIN.RO.
>>>> Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
>>>> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.406665, 0]
>>>> rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
>>>> Sep 24 23:40:54 fs01 smbd[1406]:   get_schannel_session_key: could not
>>>> fetch trust account password for domain 'MYDOMAIN'
>>>> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408207, 0]
>>>> rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
>>>> Sep 24 23:40:54 fs01 smbd[1406]: cli_rpc_pipe_open_schannel: failed
>>>> to get schannel session key from server DC.MYDOMAIN.RO for domain
>>>> MYDOMAIN.
>>>> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408499, 0]
>>>> auth/auth_domain.c:193(connect_to_domain_password_server)
>>>>
>>>> However, if I add this:
>>>>
>>>> kerberos method = secrets and keytab
>>>>
>>>> to the smb.conf file it works. But it creates another strange problem.
>>>> It works only when I connect using \\server. If I try that by IP, like
>>>> \\192.168.1.5 the error above appears again in /var/log/messages.
>>>>
>>>> I really need the "access by IP" option. Are there any solutions?
>>>>
>>>> Also, it seems that, in this configuration, samba doesn't use sssd? I
>>>> increased the debug level in sssd but the logs are empty!
>>>>
>>>> _______
>>>>
>>>> AndreiV
>>>>
>>>
>>
>

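As an added example that is not part of the thread (my own script, not Samba's or Red Hat's): a small lint that reads the [global] section of an smb.conf and checks the settings this thread turns on for a member that was joined with adcli and sssd rather than `net ads join`. It flags the cause of the schannel error in the first post: with the default `kerberos method = secrets only`, smbd looks for the machine account password in secrets.tdb, which adcli never writes, while `secrets and keytab` lets it use the /etc/krb5.keytab the join created. The sample configs are constructed copies of the posted smb.conf and of a corrected one; the checks run offline and stand in for `testparm -s` plus `net ads testjoin` on a real member.

```shell
#!/bin/sh
# Added example, not code from the thread: an offline lint for the [global]
# section of an smb.conf on an AD member joined with adcli + sssd. The two
# sample configs below are constructed: one is a copy of the posted smb.conf,
# the other adds the line the poster found makes it work.

# smbconf_get FILE KEY: print the value of KEY from [global]. Keys are matched
# case-insensitively with runs of whitespace collapsed, as testparm does.
smbconf_get() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); gsub(/[ \t]+/, " ", key) }
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && !/^[ \t]*[#;]/ && index($0, "=") {
            k = $0; sub(/=.*/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_smbconf FILE: print one line per problem; exit status is the count.
check_smbconf() {
    f=$1; problems=0
    sec=$(smbconf_get "$f" security | tr 'A-Z' 'a-z')
    if [ "$sec" != "ads" ]; then
        echo "security = '${sec:-<unset>}': a domain member needs 'security = ads'"
        problems=$((problems + 1))
    fi
    if [ -z "$(smbconf_get "$f" realm)" ]; then
        echo "realm is not set: smbd needs the Kerberos realm of the AD domain"
        problems=$((problems + 1))
    fi
    km=$(smbconf_get "$f" "kerberos method" | tr 'A-Z' 'a-z')
    case "$km" in
        *keytab*) ;;   # 'system keytab', 'dedicated keytab' or 'secrets and keytab'
        *)  echo "kerberos method = '${km:-secrets only}': adcli writes only" \
                 "/etc/krb5.keytab, so smbd must be told to read the keytab"
            problems=$((problems + 1)) ;;
    esac
    pdb=$(smbconf_get "$f" "passdb backend" | tr 'A-Z' 'a-z')
    case "$pdb" in
        ""|tdbsam*) ;;   # the default; with security = ads nothing else is needed
        *) echo "note: passdb backend = '$pdb' is not needed with security = ads;" \
                "the default tdbsam is fine and is not what makes domain users visible" ;;
    esac
    return $problems
}

# Constructed copy of the smb.conf from the post (the failing one).
posted_conf() {
    cat <<'EOF'
[global]
        workgroup = mydomain
        server string = Samba Server Version %v
        security = ads
        encrypt passwords = yes
        passdb backend = tdbsam
        realm = mydomain.ro
        load printers = no
        log file = /var/log/samba/log.%m
        max log size = 50
        log level = 10
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
EOF
}

# The same file plus the line that made it work in the post.
fixed_conf() {
    posted_conf | awk '{ print } /^\[global\]/ { print "        kerberos method = secrets and keytab" }'
}

# Demo: lint both constructed configs.
tmp=$(mktemp)
for conf in posted_conf fixed_conf; do
    $conf > "$tmp"
    echo "== $conf =="
    if check_smbconf "$tmp"; then echo "no problems found"; fi
done
rm -f "$tmp"
```

Run as is, it reports one finding for the posted config (the missing keytab-aware `kerberos method`) and none for the corrected one. It cannot reproduce the access-by-IP failure, which is a protocol matter rather than a config one: a Windows client that addresses the server by IP address normally cannot obtain a Kerberos ticket for it and falls back to NTLM, and smbd validates NTLM logons through the DC with the machine account password from secrets.tdb, so a keytab alone does not cover that path; that trust-account password is what `net ads join` stores in secrets.tdb.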

