[Samba] Winbind issues with AD member file server

Rowland penny rpenny at samba.org
Wed Jul 10 16:44:06 UTC 2019


On 10/07/2019 17:20, Eric Shell via samba wrote:
> I agree that this sounds like, and indeed is, a recipe for disaster.  I was
> going to explain some of the woes of our environment but I don't think it's
> actually relevant after looking at my problem a bit more.  If I'm way off
> base I'm happy to be herded back, but please tolerate me as I share what I
> am seeing today because I really hope to solve the narrow issue of SMB file
> access without delving too far into the proper long-term fixes we require.
>
> I can see now that authentication works fine and I can access shares on the
> local filesystem.  What seems to be failing is the mount performed by
> gssproxy when trying to access a share.  The NFS server isn't kerberized so
> the Samba server should be mounting everything with the sys mount option,
> but gssproxy appears to only perform mounts with krb5.  When I try to
> access even an already-mounted NFS directory to which I have permission,
> gssproxy complains:
>
> Jul 10 08:55:51 smb gssproxy: gssproxy[1469]: (OID: { 1 2 840 113554 1 2 2
> }) Unspecified GSS failure.  Minor code may provide more information,
> Client 'host/smb.soe.ucsc.edu@AD.SOE.UCSC.EDU' not found in Kerberos
> database

It would complain; GSS is a Kerberos thing, so you need a ticket for it.

Can you Kerberise NFS?

> We have an existing Samba 4.8.3 server that is configured to use the ldap
> backend and does not run winbind, which gives us the desired behavior.  I
> was hoping to replace that server because it has its own issues, but with
> the ad backend since the ldap one is no longer recommended.  gssproxy's man
> page indicates that it cannot be configured to mount otherwise.  Am I out
> of luck with winbind?
So, it isn't an AD domain member; if it was, you would have to run winbind.

I think I have asked this twice already, but you never know, third time 
lucky ;-)

What do you use the OpenLDAP server for?

Could you use an AD DC instead?

Rowland
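Added worked example (not from the thread, not Samba or gssproxy code): the error above says the AD KDC has no account that can answer for the client principal gssproxy picked. gssproxy gets that credential from the host keytab, so the two things to separate are "is the principal in the keytab at all?" and "does the KDC actually know it?". The script below does the first check offline against a constructed `klist -k` listing (the sample is made up for the example; a real listing comes from `klist -k /etc/krb5.keytab`) and then, only if MIT `klist`/`kinit` are installed and the keytab is readable, runs both checks live. The principal string is the one quoted in the log line; everything else is an assumption for illustration.

```shell
#!/bin/sh
# Added example: does the principal gssproxy reported exist in the keytab,
# and will the KDC issue a TGT for it?  Not part of the original thread.

# Client principal exactly as quoted in the gssproxy error above.
PRINC="host/smb.soe.ucsc.edu@AD.SOE.UCSC.EDU"
# Assumed keytab location (override with KEYTAB=/path in the environment).
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Constructed sample of `klist -k` output for the offline demo.  Note it has
# the short host/ name and cifs/ name but NOT the fqdn host/ principal.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SMB$@AD.SOE.UCSC.EDU
   2 host/SMB@AD.SOE.UCSC.EDU
   2 cifs/smb.soe.ucsc.edu@AD.SOE.UCSC.EDU'

# keytab_principals: read `klist -k` output on stdin, print one principal per
# line.  Entry lines start with a numeric KVNO; header lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# keytab_has PRINC: exit 0 if PRINC appears (exact match) in the listing on stdin.
keytab_has() {
    keytab_principals | grep -Fxq -- "$1"
}

# kdc_knows PRINC KEYTAB: ask the KDC for a TGT using the keytab key.  Uses a
# throwaway credential cache so nothing in the real cache is disturbed.
# "Client not found in Kerberos database" here means the account/SPN is
# missing on the KDC side, even if the keytab entry exists locally.
kdc_knows() {
    cc=$(mktemp) || return 2
    if KRB5CCNAME="FILE:$cc" kinit -k -t "$2" "$1" 2>/dev/null; then
        rm -f "$cc"; return 0
    fi
    rm -f "$cc"; return 1
}

# Offline demonstration on the constructed listing.
if printf '%s\n' "$SAMPLE_KLIST" | keytab_has "$PRINC"; then
    echo "sample keytab: $PRINC present"
else
    echo "sample keytab: $PRINC MISSING (gssproxy cannot even try this one)"
fi

# Live checks, only when the Kerberos client tools and keytab are available.
if command -v klist >/dev/null 2>&1 && command -v kinit >/dev/null 2>&1 \
   && [ -r "$KEYTAB" ]; then
    if klist -k "$KEYTAB" | keytab_has "$PRINC"; then
        echo "$KEYTAB: $PRINC present"
        if kdc_knows "$PRINC" "$KEYTAB"; then
            echo "KDC issued a TGT for $PRINC"
        else
            echo "KDC refused $PRINC: account/SPN missing or key mismatch"
        fi
    else
        echo "$KEYTAB: $PRINC not present; principals found:"
        klist -k "$KEYTAB" | keytab_principals | sort -u
    fi
fi
```

Run it as root on the Samba host. If the fqdn host/ principal is absent from the keytab, gssproxy has nothing to authenticate with; if it is present but `kinit -k` still fails with "not found in Kerberos database", the machine account in AD.SOE.UCSC.EDU is what is missing, which is consistent with the box not being a joined domain member.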
