[Samba] Samba AD domain member with SSSD: ACL not work

Dario Lesca d.lesca at solinos.it
Wed Feb 15 11:35:51 UTC 2017


On Wed, 15/02/2017 at 09.45 +0100, Dario Lesca via samba wrote:
> Then Yesterday in 5 minutes I installed, configured and activated
> winbind and now all work fine.

Ok, ACLs now work, but now another problem has appeared.

I can only access my samba+winbind server from the Windows Server AD DC
and from the server itself (smbclient -Uadministrator -L server-dati).

If I try to access it from a Windows PC in the domain (\\server-dati)
I cannot access it and it asks for a user and password.

If I try to access it via smbclient from Samba on another Linux PC (e.g.
my notebook) not in the domain, I can access it only if I specify
domain+user like this:

> smbclient -Usrl\\administrator%pwd //server-dati/dati

If I do not specify the domain but only the user, I cannot access it and
it shows this error:

> smbclient -Uadministrator%pwd //server-dati/dati -d3
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> Processing section "[global]"
> added interface lo ip=::1 bcast=
> netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface enp10s0 ip=192.168.1.195 bcast=192.168.1.255
> netmask=255.255.255.0
> Client started (version 4.5.5).
> resolve_lmhosts: Attempting lmhosts lookup for name server-dati<0x20>
> resolve_wins: WINS server resolution selected and no WINS servers
> listed.
> resolve_hosts: Attempting host lookup for name server-dati<0x20>
> Connecting to 192.168.1.5 at port 445
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE

This is my smb.conf [global] section:

> # Global parameters
> [global]
>         realm = SRL.LOCAL
>         workgroup = SRL
>         domain master = No
>         local master = No
>         preferred master = No
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         load printers = No
>         printcap name = /dev/null
>         client signing = if_required
>         password server = tx150s8.srl.local
>         security = ADS
>         template homedir = /u/samba/home/%U
>         template shell = /sbin/nologin
>         winbind use default domain = Yes
>         idmap config srl:schema_mode = rfc2307
>         idmap config srl:range = 100000-199999
>         idmap config srl:backend = tdb
>         idmap config * : range = 10000-99999
>         idmap config * : backend = tdb
>         store dos attributes = Yes
>         cups options = raw
>         acl allow execute always = Yes
>         map acl inherit = Yes
>         hosts allow = 127. 192.168.1.
>         vfs objects = acl_xattr
> 
This is my krb5.conf:
> # Configuration snippets may be placed in this directory as well
> #includedir /etc/krb5.conf.d/
> 
> #includedir /var/lib/sss/pubconf/krb5.include.d/
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  dns_lookup_realm = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>  rdns = false
>  default_ccache_name = KEYRING:persistent:%{uid}
> 
>  default_realm = SRL.LOCAL
>  # dns_lookup_kdc = false
> [realms]
>  SRL.LOCAL = {
>  # kdc = tx150s8.srl.local
>  # admin_server = tx150s8.srl.local
>  }
> 
> [domain_realm]
>  srl.local = SRL.LOCAL
>  .srl.local = SRL.LOCAL
> 

Any suggestion is appreciated

Many thanks

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
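An added example (not from the original post and not Samba project code) that turns the two artifacts quoted above into something checkable: it parses smbclient -d3 output to show which SPNEGO mechanisms the server advertised, which NTLMSSP flags were negotiated at each stage and the final NT_STATUS, and it parses the idmap lines of an smb.conf [global] section to flag ranges that overlap and options the configured backend does not honour. The function names and the sample strings are mine; the samples are constructed from the lines quoted in the post.

```python
"""Triage helpers for smbclient -d3 output and smb.conf idmap settings.
Added example, not part of the original post; samples are constructed."""
import re

# SPNEGO mechanism OIDs (MS-SPNG); smbclient logs the ones found in the server's blob.
SPNEGO_MECH_OIDS = {"1.2.840.48018.1.2.2": "MS KRB5", "1.2.840.113554.1.2.2": "Kerberos V5",
                    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP", "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}

# NTLMSSP NEGOTIATE flag bits as defined in MS-NLMP section 2.2.2.5.
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN", 0x00000020: "NEGOTIATE_SEAL", 0x00000040: "NEGOTIATE_DATAGRAM",
    0x00000080: "NEGOTIATE_LM_KEY", 0x00000200: "NEGOTIATE_NTLM", 0x00000800: "ANONYMOUS",
    0x00001000: "OEM_DOMAIN_SUPPLIED", 0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN", 0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER", 0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NEGOTIATE_IDENTIFY", 0x00400000: "REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NEGOTIATE_TARGET_INFO", 0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128", 0x40000000: "NEGOTIATE_KEY_EXCH", 0x80000000: "NEGOTIATE_56",
}


def decode_ntlmssp_flags(value):
    """Return the set of flag names set in an NTLMSSP neg_flags value."""
    return {name for bit, name in NTLMSSP_FLAGS.items() if value & bit}


OID_RE = re.compile(r"got OID=([\d.]+)")
FLAGS_RE = re.compile(r"Got NTLMSSP neg_flags=0x([0-9a-fA-F]+)")
STATUS_RE = re.compile(r"session setup failed: (NT_STATUS_\w+)")
CONNECT_RE = re.compile(r"Connecting to (\S+) at port (\d+)")
# The line preceding each neg_flags line names the stage the flags belong to.
FLAG_STAGES = {"Got challenge flags:": "challenge", "NTLMSSP: Set final flags:": "final",
               "NTLMSSP Sign/Seal - Initialising with flags:": "sign_seal"}


def triage_smbclient_log(text):
    """Extract server, advertised mechanisms, NTLMSSP flags per stage and the outcome."""
    report = {"server": None, "mechanisms": [], "ntlmssp_flags": {}, "status": None}
    stage = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted copies of the log
        if (m := CONNECT_RE.search(line)):
            report["server"] = (m.group(1), int(m.group(2)))
        elif (m := OID_RE.search(line)):
            report["mechanisms"].append(SPNEGO_MECH_OIDS.get(m.group(1), m.group(1)))
        elif line in FLAG_STAGES:
            stage = FLAG_STAGES[line]
        elif (m := FLAGS_RE.search(line)):
            report["ntlmssp_flags"][stage or "unknown"] = int(m.group(1), 16)
            stage = None
        elif (m := STATUS_RE.search(line)):
            report["status"] = m.group(1)
    return report


def flags_dropped_by_client(report):
    """Flags present in the server's challenge that the client did not keep."""
    f = report["ntlmssp_flags"]
    return decode_ntlmssp_flags(f["challenge"]) - decode_ntlmssp_flags(f["final"])


IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)$", re.I)


def check_idmap_config(smb_conf):
    """Flag idmap settings that overlap or are ignored by the configured backend."""
    per_domain = {}
    for raw in smb_conf.splitlines():
        m = IDMAP_RE.match(raw.lstrip("> ").strip())
        if m:
            per_domain.setdefault(m.group(1).lower(), {})[m.group(2).lower()] = m.group(3)
    findings, ranges = [], []
    for dom, opts in per_domain.items():
        backend = opts.get("backend", "tdb").lower()
        if "range" not in opts:
            findings.append(f"{dom}: no range configured")
        else:
            lo, hi = (int(x) for x in opts["range"].split("-"))
            ranges.append((dom, lo, hi))
        # schema_mode is an idmap_ad option; other backends silently ignore it.
        if "schema_mode" in opts and backend != "ad":
            findings.append(f"{dom}: schema_mode is ignored by backend '{backend}'")
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"{d1} and {d2}: idmap ranges overlap")
    return findings


# Constructed sample: the smbclient -d3 lines quoted in the post, without the quote marks.
SAMPLE_LOG = """\
Connecting to 192.168.1.5 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
"""
# Constructed sample: the idmap lines from the post's [global] section.
SAMPLE_SMB_CONF = """\
idmap config srl:schema_mode = rfc2307
idmap config srl:range = 100000-199999
idmap config srl:backend = tdb
idmap config * : range = 10000-99999
idmap config * : backend = tdb
"""

if __name__ == "__main__":
    r = triage_smbclient_log(SAMPLE_LOG)
    print(r["mechanisms"], r["status"], sorted(flags_dropped_by_client(r)))
    print(check_idmap_config(SAMPLE_SMB_CONF))
```

Run against the post's log, the report shows that the session setup actually went through NTLMSSP (the server advertised both Kerberos OIDs and NTLMSSP, but NTLMSSP flags were negotiated) and ended in NT_STATUS_LOGON_FAILURE; the challenge flags carried TARGET_TYPE_DOMAIN and NEGOTIATE_TARGET_INFO, which the client does not echo back in its final flags. The idmap check reports that `schema_mode` is only read by the `ad` backend, so with `idmap config srl:backend = tdb` it has no effect; the two ranges in the post do not overlap.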