[Samba] Samba SSSD Integration

Rowland Penny rpenny at samba.org
Fri Aug 30 18:53:37 UTC 2019


On 30/08/2019 19:03, Brian J Sullivan via samba wrote:
> Was hoping for a helping hand.  Trying to set up Samba on a domain member server.  The member server was previously joined to the kerberized domain using realm join and a system keytab file exists in /etc.
>
> Subsequently I added samba along with winbind, not being entirely sure if the latter was needed.  This is a Red Hat 7.4 server.  My smb.conf appears as follows.
>
> [global]
>
> password server = *
>
>          security = ads
>          realm = DOMAIN.COM
>          workgroup = DOMAIN
>          netbios name = server1
>          kerberos method = system keytab
>          log file = /var/log/samba/%m.log
>          log level = 10
>          client use spnego = yes
>
>          idmap config * : backend = tdb
>          idmap config * : range = 1-199999
>          idmap config DOMAIN : backend = sss
>          idmap config DOMAIN : range = 200000-2147483647
>
>
>
> [share1]
>          comment = NMS Maximo ETL Directory
>          path = /opt/smbshare
>          guest ok = no
>          browseable = No
>          read only = No
>          inherit acls = Yes
>
> I have tried running it with many options and with and without winbind running.  Not sure if winbind is needed.  When I run it the output of the "systemctl status smb" is
>
> Aug 30 17:23:47 server1.domain.com systemd[1]: Starting Samba SMB Daemon...
> Aug 30 17:23:48 server1.domain.com smbd[40996]: [2019/08/30 17:23:48.513702,  0, pid=40996, effective(0, 0), real(0, 0)] ../lib/util/become_daemon.c:138(daemon_ready)
> Aug 30 17:23:48 server1.domain.com smbd[40996]:   daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
> Aug 30 17:23:48 server1.domain.com systemd[1]: Started Samba SMB Daemon.
> Aug 30 17:23:49 server1.domain.com smbd[40996]: [2019/08/30 17:23:49.228538,  0, pid=40996, effective(0, 0), real(0, 0)] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
> Aug 30 17:23:49 server1.domain.com smbd[40996]:   kerberos_kinit_password SERVER1$@DOMAIN.COM failed: Preauthentication failed
> Aug 30 17:23:49 server1.domain.com smbd[40996]: [2019/08/30 17:23:49.228990,  0, pid=40996, effective(0, 0), real(0, 0)] ../source3/printing/nt_printing.c:249(nt_printing_init)
> Aug 30 17:23:49 server1.domain.com smbd[40996]:   nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
>
> And when I do a
>
> smbclient -L server1.domain.com -W DOMAIN -U myuid
>
> I see a message in the logs "session setup failed: NT_STATUS_NO_LOGON_SERVERS"
>
> Any help would be appreciated.

yum remove sssd

Make sure winbind is installed.

Set smb.conf like this:

[global]
     security = ads
     realm = DOMAIN.COM
     workgroup = DOMAIN
     netbios name = server1
     kerberos method = system keytab
     log file = /var/log/samba/%m.log
     log level = 0

     winbind use default domain = yes
     winbind expand groups = 2
     winbind refresh tickets = Yes

     idmap config * : backend = tdb
     idmap config * : range = 3000-7999
     idmap config DOMAIN : backend = rid
     idmap config DOMAIN : range = 10000-2147483647

     username map = /etc/samba/user.map

     # ACL Settings
     vfs objects = acl_xattr
     map acl inherit = yes
     store dos attributes = yes

[share1]
     comment = NMS Maximo ETL Directory
     path = /opt/smbshare
     browseable = No
     read only = No
     inherit acls = Yes

Create /etc/samba/user.map with this content:

!root = DOMAIN\Administrator

Restart nmbd, smbd and winbind

Change the passwd & group lines in /etc/nsswitch.conf so that 
'winbind' comes after 'files'

e.g.

passwd: files winbind

group: files winbind

Run 'net cache flush', then 'getent passwd username'

Sorry, but using sssd with Samba >= 4.8.0 is not supported, not even by 
Red Hat. Samba has never supported sssd, mainly because Samba does not 
produce it and knows nothing about it. For support for sssd, you should 
contact the sssd mailing list.

Rowland
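
A small check of the settings the reply above asks for, as an added example that is not part of the original post or of Samba's own code: it parses the idmap lines of smb.conf and the passwd/group lines of nsswitch.conf. The nsswitch.conf samples and the function names are constructed for the example, and the range-overlap check goes beyond the reply, relying on Samba's requirement that idmap ranges do not overlap.

```python
import re

# Constructed inputs: idmap lines copied from the two smb.conf files in this
# thread; the nsswitch.conf snippets are constructed for the example.
SMB_CONF_ORIGINAL = """[global]
idmap config * : backend = tdb
idmap config * : range = 1-199999
idmap config DOMAIN : backend = sss
idmap config DOMAIN : range = 200000-2147483647
"""
SMB_CONF_SUGGESTED = """[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-2147483647
"""
NSSWITCH_SSSD = "passwd: files sss\ngroup: files sss\n"
NSSWITCH_WINBIND = "passwd: files winbind\ngroup: files winbind\n"
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(smb_conf):
    """Map each idmap domain to its backend and (low, high) range."""
    domains = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            if key == "range":
                val = tuple(int(n) for n in val.split("-"))
            domains.setdefault(dom, {})[key] = val
    return domains

def check(smb_conf, nsswitch):
    """Return findings; an empty list means the reply's settings are in place."""
    findings = []
    idmap = parse_idmap(smb_conf)
    for dom, cfg in idmap.items():
        if cfg.get("backend") == "sss":
            findings.append(f"{dom}: idmap backend is sss")
    ranges = sorted((cfg["range"], dom) for dom, cfg in idmap.items() if "range" in cfg)
    for (r1, d1), (r2, d2) in zip(ranges, ranges[1:]):
        if r2[0] <= r1[1]:  # next range starts inside the previous one
            findings.append(f"{d1} and {d2}: idmap ranges overlap")
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", nsswitch, re.M)
        src = m.group(1).split() if m else []
        if "winbind" not in src or "files" not in src or src.index("winbind") < src.index("files"):
            findings.append(f"{db}: winbind is not listed after files")
    return findings
```

On a real host, pass the contents of /etc/samba/smb.conf and /etc/nsswitch.conf to check() instead of the embedded samples.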
