[Samba] 4.5 -> 4.8 samba fails to start

Chad William Seys cwseys at physics.wisc.edu
Tue Jun 26 21:22:36 UTC 2018


Hi Rowland,
   Thanks for your explanation.
   We have set up Samba to authenticate users against an external MIT 
Kerberos server and usernames match those in Unix password files.

   The setup was almost exactly like the Ubuntu help page:
https://help.ubuntu.com/community/Samba/Kerberos#MIT_Kerberos
   There are others who have also set up Samba this way:
https://serverfault.com/questions/659017/possible-to-authenticate-samba-via-kerberos-but-without-domain-join
   and others who have contacted the mailing list for help in setting up 
Samba this way:
https://lists.samba.org/archive/samba/2017-April/207728.html

   After a hint from the Debian bug report (thanks Dan!) I was able to 
get Samba working with the external MIT KDC using SSSD.  (A working 
config is below for the interested.)
   However, it would be great if this would function using all Samba 
software as previously.
   Is there a way to set up winbind/idmap to restore the behavior that 
"smbd directly contacts domain controllers"? (Quoted phrase from the 4.8 
release notes.)

Thanks for the great software!
Chad.

smb.conf:
# Global parameters
# Note that some of these will vary depending on your setup!
# E.g. do you use vfs_fruit?
[global]
         dns proxy = No
         hostname lookups = Yes
         kerberos method = secrets and keytab
         logging = syslog@1 /var/log/samba/log.%m
         map to guest = Bad User
         max log size = 100000
         panic action = /usr/share/samba/panic-action %d
         realm = YOUR.KERB.REALM
         security = USER
         server signing = required
         server string = %h server
         workgroup = MYWORKGR
         fruit:nfs_aces = no
         idmap config * : backend = tdb
--------------------------------------------
sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
debug_level = 7
domains = YOUR.KERB.REALM

[nss]
filter_groups = root
filter_users = root
debug_level = 7

[pam]
debug_level = 7

[domain/YOUR.KERB.REALM]
debug_level = 7
enumerate = false

# use Unix password files for username validation
id_provider = proxy
proxy_lib_name = files
