[Samba] Samba not working with sssd on CentOS 6.5

Karel Lang AFD lang at afd.cz
Thu Sep 25 07:47:12 MDT 2014


Most interesting discussion!

Not long ago I've been moving our users (circa 400) from openLDAP server 
to 389 Directory server and replaced openLDAP clients on our Linux 
servers and workstations with SSSD.
I didn't think/know about the possibility of authentication of Samba through 
SSSD.
Our samba PDC runs on CentOS 6.5 and there is no winbind, so ..
anyway
thank you


On 09/25/2014 12:07 PM, Rowland Penny wrote:
> On 25/09/14 09:38, AndreiV wrote:
>> I am sorry for the inaccurate information or questions. I am trying to
>> learn more about Samba and I am doing that while setting up some servers.
>>
>> It is true that I should have read the manual first, but I am a little bit
>> under pressure. :D
>> But with the comments I got from everyone I think I finally started to
>> understand how things work.
>>
>> I was just digging through the samba wiki page and doing some tests when I
>> saw the e-mail from Rowland explaining exactly what I just understood.
>> Here is how I see things now, please correct me if I am wrong.
>>
>> There is no direct connection between sssd and samba. As Rowland said,
>> they are different things. But why then setting up sssd makes Samba work
>> (perfectly on CentOS 7 and mostly on CentOS 6.5)?
>
> sssd is used for authentication and until recently this was all it could
> do for AD, winbind on the other hand does authentication and a lot more.
> So if you do not run the winbind daemon, samba can get the
> authentication from sssd.
>
>> The sssd setup process involves first joining the server to an AD domain
>> (using adcli), which in turn creates the keytab.
>> The next step is configuring the kerberos client to use the same AD
>> (/etc/krb5.conf).
>> The next config step is achieved with this command:
>> authconfig --enablesssd --enablesssdauth --update
>> that sets nsswitch and pam.
>> And the last step is to configure the sssd service (/etc/sssd/sssd.conf).
>
> there must be some difference between how samba does the join and how
> adcli does it.
>
>> The connection with samba is getting the keytab and setting up the
>> kerberos client. Samba, when set to security = ads seems to use the
>> kerberos client on the system to authenticate clients. This happens on
>> both CentOS 6.5 and 7. Without any winbind! I don't know why, but this
>> works.
>
> Yes it works because instead of getting authentication from winbind, it
> gets it from sssd.
>
>> With one problem though on CentOS 6.5. My original issue: the server
>> can be accessed only through \\sambaserver and not through
>> \\sambaserver_IP. On CentOS 7 both access methods work.
>
> This is most probably a dns problem, try comparing the network files
> between the two versions, though the problem is usually the opposite way
> round.
>
> Rowland
>
>> Does anyone have any idea why?
>>
>>
>>
>> --
>> View this message in context:
>> http://samba.2283325.n4.nabble.com/Samba-not-working-with-sssd-on-CentOS-6-5-tp4673186p4673209.html
>>
>> Sent from the Samba - General mailing list archive at Nabble.com.
>
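
The pieces the quoted setup depends on (a keytab from the join, a realm in /etc/krb5.conf, sss in nsswitch, and security = ads in smb.conf) can be checked from a shell before testing share access. This is an added example, not part of the original thread: the function names are hypothetical, the default paths are the usual CentOS locations, the sample files are constructed with a placeholder realm, and the realm comparison assumes smb.conf and krb5.conf should name the same realm.

```shell
#!/bin/sh
# Added example: sanity checks for the sssd + Samba (security = ads) setup from the thread.
# Function names are hypothetical; default paths are the usual CentOS locations.

# Print the value of "KEY = value" from an ini-style file (first match, exact key spelling).
conf_value() {  # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# Succeed if nsswitch.conf lists "sss" as a source for DATABASE (passwd, group).
nss_uses_sss() {  # nss_uses_sss FILE DATABASE
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]sss([[:space:]]|\$)" "$1"
}

fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

# Print each problem found; the return status is the number of problems.
check_setup() {  # check_setup [KEYTAB [KRB5_CONF [NSSWITCH [SMB_CONF]]]]
    keytab=${1:-/etc/krb5.keytab}; krb5=${2:-/etc/krb5.conf}
    nss=${3:-/etc/nsswitch.conf}; smb=${4:-/etc/samba/smb.conf}
    problems=0
    [ -s "$keytab" ] || fail "keytab $keytab missing or empty (domain join not done?)"
    krb_realm=$(conf_value "$krb5" default_realm)
    [ -n "$krb_realm" ] || fail "no default_realm in $krb5"
    for db in passwd group; do
        nss_uses_sss "$nss" "$db" || fail "$db in $nss does not list sss"
    done
    mode=$(conf_value "$smb" security | tr 'A-Z' 'a-z')
    [ "$mode" = ads ] || fail "$smb has security = '$mode', expected ads"
    # Assumption: smb.conf and krb5.conf are meant to name the same realm.
    smb_realm=$(conf_value "$smb" realm)
    [ "$smb_realm" = "$krb_realm" ] || fail "realm '$smb_realm' in $smb differs from '$krb_realm'"
    return "$problems"
}

# Write constructed sample files (realm EXAMPLE.COM is a placeholder) into directory $1.
make_sample() {
    printf 'x' > "$1/krb5.keytab"   # stand-in for a real keytab; only non-emptiness is checked
    printf '[libdefaults]\n default_realm = EXAMPLE.COM\n' > "$1/krb5.conf"
    printf 'passwd: files sss\ngroup: files sss\n' > "$1/nsswitch.conf"
    printf '[global]\n   security = ADS\n   realm = EXAMPLE.COM\n' > "$1/smb.conf"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d"
    check_setup "$d/krb5.keytab" "$d/krb5.conf" "$d/nsswitch.conf" "$d/smb.conf" && echo "all checks passed"
    rm -rf "$d"
fi
```

Run with `--demo` to exercise the checks on the constructed files; call `check_setup` with no arguments to check the system's own files.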


