[Samba] AD authentication on samba server using sssd

shridhar shetty shridhar.sanjeeva at gmail.com
Wed Jun 15 17:24:13 UTC 2016


I am trying to run Samba with the sssd service and AD authentication.
I have joined the Linux server to the AD domain using realmd and am using sssd
to authenticate to the AD. I am able to get the user list from AD using "getent
passwd <username>".
The Samba server starts, but I am unable to get the authentication working.

I referred to the Samba docs for CentOS 7 and also installed sssd-libwbclient.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html

Any pointers would be appreciated. Thanks :)


OS: CentOS 7.2.1511 (Core)
Samba version: 4.2.10
sssd version: 1.13.0


Below are the files
sssd.conf
------------------
[sssd]
services = nss, pam, pac
config_file_version = 2
domains = xx.xxx.com

[nss]
allowed_shells = /bin/bash, /bin/hgcsh
shell_fallback = /bin/bash
default_shell = /bin/bash

[domain/corp.endurance.com]
ad_domain = xx.xxx.com
krb5_realm = XX.XXX.COM
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
krb5_store_password_if_offline = True
override_homedir = /home/%u




smb.conf
------------------

[global]
security = ads
workgroup = XXX
realm = XXX.XXX.COM
kerberos method = system keytab

log file = /var/log/samba/log.%m
log level = 10
max log size = 50
load printers = no
cups options = raw
printcap name = /dev/null

[myshare]
comment = My shared folder
path = /var/myshare
public = no
writable = yes
guest ok = no
valid users = @"tt at xx.xx.com"


"realmd list" output
--------------------
xx.xxx.com
  type: kerberos
  realm-name: XXX.XXX.COM
  domain-name: xx.xx.com
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: oddjob-mkhomedir
  required-package: oddjob
  required-package: samba-winbind-clients
  required-package: samba-winbind
  required-package: samba-common
  login-formats: XXX\%U
  login-policy: allow-any-login
xx.xxx.com
  type: kerberos
  realm-name: XXX.XXX.COM
  domain-name: xx.xx.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U
  login-policy: allow-realm-logins
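
Added example, not part of the original post: a small consistency check for the two files shown above. It verifies that every domain enabled in [sssd] has a matching [domain/NAME] section and that krb5_realm agrees with the smb.conf realm. The sample strings are constructed from the redacted values in the post, so findings on them may only reflect the redaction; the case-insensitive comparison and the function names are assumptions of this example.

```python
import configparser

# Constructed, redacted samples modelled on the configs in the post above.
SSSD_CONF = """\
[sssd]
services = nss, pam, pac
domains = xx.xxx.com

[domain/corp.endurance.com]
ad_domain = xx.xxx.com
krb5_realm = XX.XXX.COM
override_homedir = /home/%u
"""
SMB_CONF = """\
[global]
security = ads
realm = XXX.XXX.COM
kerberos method = system keytab
"""

def _parse(text):
    # RawConfigParser: no % interpolation, so values like /home/%u parse cleanly.
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    return cp

def check_configs(sssd_text, smb_text):
    """Return findings about sssd.conf / smb.conf consistency (empty = none)."""
    sssd, smb = _parse(sssd_text), _parse(smb_text)
    findings = []
    enabled = {d.strip().lower() for d in
               sssd.get("sssd", "domains", fallback="").split(",") if d.strip()}
    defined = {s[len("domain/"):].lower(): s
               for s in sssd.sections() if s.startswith("domain/")}
    # Names are compared case-insensitively (assumption of this example).
    for name in sorted(enabled - set(defined)):
        findings.append(f"enabled domain '{name}' has no [domain/{name}] section")
    for name in sorted(set(defined) - enabled):
        findings.append(f"[{defined[name]}] is not listed in [sssd] domains")
    smb_realm = smb.get("global", "realm", fallback="").upper()
    for section in defined.values():
        realm = sssd.get(section, "krb5_realm", fallback="").upper()
        if realm and smb_realm and realm != smb_realm:
            findings.append(f"krb5_realm {realm} in [{section}] != smb.conf realm {smb_realm}")
    return findings

if __name__ == "__main__":
    for line in check_configs(SSSD_CONF, SMB_CONF):
        print("WARN:", line)
```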

