[Samba] Sharing directory via Samba using AD credentials

Zach Doman zjdoman at gmail.com
Tue Jun 11 13:01:32 UTC 2019

Hi List,

I'm attempting to configure an Active Directory joined CentOS 7 host to share directories with Windows clients using Samba. The machine has been joined to the domain via: "adcli join --stdin-password --domain-ou='OU=Servers,DC=domain,DC=com' --login-user={{ private_ad_username }} -S dc1 DOMAIN.COM". Logging in to the host via ssh with AD user credentials works fine. I have SSSD configured to use the Linux attributes specified in the AD user object (uidNumber, gidNumber, unixHomeDirectory, loginShell). The end goal here is to be able to mount the Linux home directories on Windows using those same Active Directory credentials. To be clear, it is the same user account used for ssh login to the Linux host and for mounting the Linux share from Windows.

The problem:
When initiating an SMB map request from my Windows client with the command "net use X: \\centos0000\homes", Windows presents the following error message (after prompting for credentials): System error 86 has occurred. // The specified network password is not correct.

Within /var/log/samba/, the following items seem notable:
[2019/06/10 15:05:10.230921,  2] ../source3/librpc/crypto/gse_krb5.c:196(fill_mem_keytab_from_secrets)
  ../source3/librpc/crypto/gse_krb5.c:196: failed to fetch machine password
[2019/06/10 15:05:10.230941,  1] ../source3/librpc/crypto/gse_krb5.c:594(gse_krb5_get_server_keytab)
  ../source3/librpc/crypto/gse_krb5.c:594: Error! Unable to set mem keytab - -1765328254
[2019/06/10 15:05:10.230968,  1] ../auth/gensec/gensec_start.c:697(gensec_start_mech)
  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2019/06/10 15:05:22.103832, 10, pid=4335, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
  check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_NOT_IMPLEMENTED
[2019/06/10 15:09:18.069675,  3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server
[2019/06/10 15:23:26.676743, 10, pid=4750, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:159(make_user_info)
  made a user_info for test_user (test_user)
[2019/06/10 15:23:26.676751,  3, pid=4750, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[test_user]@[WIN0000] with the new password interface
[2019/06/10 15:23:26.676763,  3, pid=4750, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[test_user]@[WIN0000]
[2019/06/10 15:05:22.103840,  5, pid=4335, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [test_user] FAILED with error NT_STATUS_LOGON_FAILURE
[2019/06/10 15:05:22.103848,  2, pid=4335, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [test_user] -> [test_user] FAILED with error NT_STATUS_LOGON_FAILURE
[2019/06/10 15:05:22.103860,  2] ../auth/gensec/spnego.c:719(gensec_spnego_server_negTokenTarg)

Some additional notes:
I do not have winbind running. It was my understanding that sssd and winbind do not play well together: is it one or the other in this case?
The AD user objects have the four Linux attributes specified above populated. AD groups have gidNumber populated.
I do not have selinux or firewalld running.
kinit -k CENTOS0000$ returns fine.
I can perform id lookups on Active Directory users.


My current configuration is as follows:

cat /etc/sssd/conf.d/100_ad.conf
[domain/ad_domain]
ad_server = dc1, dc2
ad_domain = DOMAIN.COM
krb5_realm = DOMAIN.COM
dyndns_update = false
id_provider = ad
auth_provider = ad
access_provider = ad
cache_credentials = True
ad_access_filter = (uidNumber=*)
ldap_id_mapping = False
ldap_sudo_search_base = OU=Linux,DC=domain,DC=com
debug_level = 8

[sssd]
domains = ad_domain
services = nss, sudo, pam
config_file_version = 2

[nss]
homedir_substring = /home
vetoed_shells = /usr/local/bin/bash
shell_fallback = /usr/bin/bash

cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = DOMAIN.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 DOMAIN.COM = {
  kdc = dc1.domain.com
  admin_server = dc1.domain.com
 }

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM

cat /etc/smb.conf
#======================= Global Settings =====================================
[global]
        interfaces = enp3s0f0
        bind interfaces only = yes
        security = ads
        realm = DOMAIN.COM
        workgroup = DOMAIN
        password server = *
        local master = no
        domain master = no
        preferred master = no
        wins support = no
        wins proxy = no
        dns proxy = yes
        server string = Samba Server Version %v
        log level = 3 auth:10

        printing = cups
        printcap name = /dev/null
        load printers = no
        cups options = raw

# --------------------------- Logging Options -----------------------------
# Log File let you specify where to put logs and how to split them up.
        # logs split per machine
        log file = /var/log/samba/%m.log
        # max 100KB per log file, then rotate
        max log size = 100

#============================ Share Definitions ==============================
[homes]
        comment = Home Directories
        browseable = yes
        writable = yes
        force create mode = 0640
        force directory mode = 0750

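As an added example (not part of the post above, and not a configuration shipped by Samba or SSSD), the posted [global] section is shown beside a variant that changes only how smbd locates its Kerberos keys. It rests on two stated assumptions: that adcli wrote the host's keys to /etc/krb5.keytab (its default) and that nothing ever populated Samba's own secrets.tdb, which is what the "failed to fetch machine password" line in a gse_krb5 log points at when "kerberos method" is left at its default of reading secrets.tdb only. The [homes] section is left exactly as posted.

```ini
# Added example, not the poster's smb.conf. Two [global] variants are shown for
# comparison; a real file carries only one of them.
#
# Assumptions (not verified against the poster's host):
#   - the machine keys were written to /etc/krb5.keytab by "adcli join"
#   - no "net ads join" was run, so secrets.tdb holds no machine password

# --- Variant A: as posted. "kerberos method" is unset, so smbd uses its
# --- default ("secrets only") and looks for the machine password in
# --- secrets.tdb. With that lookup failing, the gse_krb5 acceptor cannot
# --- start, Kerberos is dropped from the SPNEGO offer, and the Windows
# --- client falls back to NTLM, which smbd hands to winbindd.
[global]
        security = ads
        realm = DOMAIN.COM
        workgroup = DOMAIN
        password server = *

# --- Variant B: same member-server settings, but smbd tries secrets.tdb
# --- first and then the system keytab, so the adcli-created keys in
# --- /etc/krb5.keytab can verify Kerberos logons from Windows clients.
[global]
        security = ads
        realm = DOMAIN.COM
        workgroup = DOMAIN
        # secrets.tdb, then /etc/krb5.keytab
        kerberos method = secrets and keytab
        # "password server = *" is the default and is omitted here

[homes]
        comment = Home Directories
        browseable = yes
        writable = yes
        force create mode = 0640
        force directory mode = 0750
```

Before reloading smbd, `testparm -s` confirms the file parses and `klist -k /etc/krb5.keytab` confirms there are host/ entries for the machine; a Kerberos-only check from a domain-joined Linux client is `kinit user@DOMAIN.COM` followed by `smbclient -k -L centos0000.domain.com` (the `-k` form is the one on Samba 4.8/4.9 as shipped with CentOS 7). This variant only addresses the Kerberos path: clients that reach the share in a way that cannot yield a cifs/ service ticket (by IP address, or from a machine outside the domain) still fall back to NTLM, and NTLM for domain users is verified by winbindd, so with no winbindd (the posted log's `wbcAuthenticateUserEx ... WBC_ERR_NOT_IMPLEMENTED` is smbd reporting that its libwbclient has no authentication backend) those logons keep failing with NT_STATUS_LOGON_FAILURE regardless of this setting.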
