[Samba] Samba SSSD Integration
rpenny at samba.org
Fri Aug 30 18:53:37 UTC 2019
On 30/08/2019 19:03, Brian J Sullivan via samba wrote:
> Was hoping for a helping hand. Trying to set up Samba on a domain member server. The member server was previously joined to the kerberized domain using realm join and a system keytab file exists in the /etc.
> Subsequently I added samba along with winbind not being entirely sure if the latter was needed. This is a Redhat 7.4 server. My smb.conf appears as follows.
> password server = *
> security = ads
> realm = DOMAIN.COM
> workgroup = DOMAIN
> netbios name = server1
> kerberos method = system keytab
> log file = /var/log/samba/%m.log
> log level = 10
> client use spnego = yes
> idmap config * : backend = tdb
> idmap config * : range = 1-199999
> idmap config DOMAIN : backend = sss
> idmap config DOMAIN : range = 200000-2147483647
> comment = NMS Maximo ETL Directory
> path = /opt/smbshare
> guest ok = no
> browseable = No
> read only = No
> inherit acls = Yes
> I have tried running it with many options and with and without winbind running. Not sure if winbind is needed. When I run it the output of the "systemctl status smb" is
> Aug 30 17:23:47 server1.domain.com systemd: Starting Samba SMB Daemon...
> Aug 30 17:23:48 server1.domain.com smbd: [2019/08/30 17:23:48.513702, 0, pid=40996, effective(0, 0), real(0, 0)] ../lib/util/become_daemon.c:138(daemon_ready)
> Aug 30 17:23:48 server1.domain.com smbd: daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
> Aug 30 17:23:48 server1.domain.com systemd: Started Samba SMB Daemon.
> Aug 30 17:23:49 server1.domain.com smbd: [2019/08/30 17:23:49.228538, 0, pid=40996, effective(0, 0), real(0, 0)] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
> Aug 30 17:23:49 server1.domain.com smbd: kerberos_kinit_password SERVER1$@DOMAIN.COM failed: Preauthentication failed
> Aug 30 17:23:49 server1.domain.com smbd: [2019/08/30 17:23:49.228990, 0, pid=40996, effective(0, 0), real(0, 0)] ../source3/printing/nt_printing.c:249(nt_printing_init)
> Aug 30 17:23:49 server1.domain.com smbd: nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
> And when I do a
> smbclient -L server1.domain.com -W DOMAIN -U myuid
> I see a message in the logs "session setup failed: NT_STATUS_NO_LOGON_SERVERS"
> Any help would be appreciated.
yum remove sssd
Make sure winbind is installed.
Set smb.conf like this:
security = ads
realm = DOMAIN.COM
workgroup = DOMAIN
netbios name = server1
kerberos method = system keytab
log file = /var/log/samba/%m.log
log level = 0
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-2147483647
username map = /etc/samba/user.map
# ACL Settings
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
comment = NMS Maximo ETL Directory
path = /opt/smbshare
browseable = No
read only = No
inherit acls = Yes
Create /etc/samba/user.map with this content:
!root = DOMAIN\Administrator
Restart nmbd, smbd and winbind
Change the passwd & group lines in /etc/nsswitch.conf so that
'winbind' comes after 'files':
passwd: files winbind
group: files winbind
Run 'net cache flush', then 'getent passwd username'
Sorry, but using sssd with Samba >= 4.8.0 is not supported, not even by
Red Hat. Samba has never supported sssd, mainly because Samba does not
produce it and knows nothing about it. For support for sssd, you should
contact the sssd mailing list.