[Samba] Samba 4.4, sssd, adcli; windows hosts cannot authenticate

Rowland Penny rpenny at samba.org
Sun May 28 08:38:46 UTC 2017


On Sat, 27 May 2017 21:45:29 -0700
Steve Dainard via samba <samba at lists.samba.org> wrote:

> I'm running samba 4.4.4 on el7. I'm attempting to provide a share
> auth by Kerberos or for non-Kerberos hosts auth by password on Linux
> or Windows (7) clients.
> 
> We have uid/gid/group memberships in AD and typically configure
> Linux hosts with a kerberos/sssd/ldap configuration which uses
> attributes from AD, but are not joined to the domain.

You have 'security = ADS' in smb.conf and from 'man smb.conf':

SECURITY = ADS

In this mode, Samba will act as a domain member in an ADS realm. To
operate in this mode, the machine running Samba will need to have
Kerberos installed and configured and Samba will need to be joined
to the ADS realm using the net utility.


> 
> I need to be able to automate the domain join with salt stack, so I'm
> stuck using adcli to join the machine as it has a plain-text password
> option, I then push sssd.conf, /etc/krb5.conf, and /etc/samba/smb.conf
> to the samba host.

Never heard of 'salt' until now and I don't really understand what it
brings to the party?

From what you have posted the default realm is
'AD.LOCALDOMAIN.COM' but your clients are in the DNS domain
'dhcp.localdomain.com'. I am no Kerberos expert, but this wouldn't work
with a Samba AD DC.

It sounds like you could replace the salt machine with a Samba AD DC
and then you wouldn't have all the problems you are having, but I
understand that you want to use salt. The only problem I can see is that
you have set up smb.conf to connect to an AD DC.


> When I attempt to connect from a domain joined Windows client I get
> prompted for credentials, and domain credentials do not work. It seems
> like the id of the user isn't passed through or looked up correctly
> after Kerberos auth, and the user is labelled as a guest user. Guest
> users are mapped to bad user in samba config. Here's a bit of logging
> when the Windows client tries to access a
> share: https://pastebin.com/pbEqj9ZR

Actually unknown users (i.e. Bad User) are mapped to the Unix user
'nobody'; they probably wouldn't be if you were using an AD DC with
the Windows clients joined to the domain.

The other problem you have here is that sssd has nothing to do with
Samba; it is not a Samba package. You may get better help from the
sssd-users mailing list, mainly because, if you are using sssd, it is
this that is doing your authentication.
 
Rowland
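As an added diagnostic example (not part of the thread or of Samba), a small checker for the two mismatches the reply points at on a 'security = ADS' member server: the realm in smb.conf disagreeing with krb5.conf's default_realm, and Samba left at its default 'kerberos method = secrets only' on a host that was joined with adcli rather than 'net ads join'. The sample smb.conf and krb5.conf text is constructed.

```python
# Constructed sample files (not from the thread) for a member server joined
# with adcli, so the machine key is in /etc/krb5.keytab, not Samba's secrets.tdb.
SMB_CONF = """
[global]
    security = ADS
    realm = AD.LOCALDOMAIN.COM
    ; kerberos method left at its default, "secrets only"
"""
KRB5_CONF = """
[libdefaults]
    default_realm = LOCALDOMAIN.COM
"""

def parse_conf(text):
    """Minimal smb.conf/krb5.conf reader: {section: {key: value}} from 'key = value'
    lines; krb5.conf brace blocks simply land under their section, harmless here."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def check_ads_config(smb_text, krb5_text):
    """Return findings for a 'security = ADS' member server; [] when consistent."""
    smb = parse_conf(smb_text).get("global", {})
    krb = parse_conf(krb5_text).get("libdefaults", {})
    findings = []
    if smb.get("security", "").lower() != "ads":
        return findings  # the checks below only apply to ADS mode
    realm = smb.get("realm", "").upper()
    default_realm = krb.get("default_realm", "").upper()
    if not realm:
        findings.append("security = ADS but smb.conf sets no realm")
    elif default_realm and realm != default_realm:
        findings.append(f"smb.conf realm {realm} != krb5.conf default_realm {default_realm}")
    # Default 'secrets only': Samba ignores the system keytab and expects its own
    # 'net ads join' data in secrets.tdb, which an adcli join never writes.
    if smb.get("kerberos method", "secrets only").lower() == "secrets only":
        findings.append("kerberos method = secrets only: join with 'net ads join' or set 'kerberos method = secrets and keytab'")
    return findings
```

Run it against the real /etc/samba/smb.conf and /etc/krb5.conf contents before trusting 'net ads testjoin' output; an empty list means the two files at least agree with each other.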
