[Samba] Samba + sssd deployment: success and failure

Rowland penny rpenny at samba.org
Tue Jun 11 19:48:00 UTC 2019


On 11/06/2019 20:38, Goetz, Patrick G via samba wrote:
> So, we have Samba file sharing working on CentOS 7.6 with sssd:
>
>     [root@cns-srv-lnode2 samba]# cat /etc/redhat-release
>     CentOS Linux release 7.6.1810 (Core)
>     [root@cns-srv-lnode2 samba]# smbd --version
>     Version 4.8.3
>
> Some smb.conf configuration details:
>
>    - security = user
>    - an idmap entry is unnecessary
>    - disable netbios = yes
>      works fine
>    - pretty sure nmbd is unnecessary as well.

How are you actually running Samba?

As a standalone server or as a Unix domain member?

If it is a Unix domain member, then you need to run winbind from Samba 4.8.0.

>
> Unfortunately the same smb.conf/sssd.conf configuration does not work on
> Ubuntu 18.04:
>
>     root@kraken:/var/log/samba# cat /etc/lsb-release
>     DISTRIB_ID=Ubuntu
>     DISTRIB_RELEASE=18.04
>     DISTRIB_CODENAME=bionic
>     DISTRIB_DESCRIPTION="Ubuntu 18.04.2 LTS"
>     root@kraken:/var/log/samba# smbd --version
>     Version 4.7.6-Ubuntu
>
> It appears there were some major changes between Samba 4.7.6 and Samba
> 4.8.3 ?  On the functional CentOS system, when I try to map a share I
> see something like this in the log files:
>
> [2019/06/11 13:09:35.088714,  3]
> ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
>     Found account name from PAC: pgoetz [Goetz, Patrick G]
>
>
> On the Ubuntu system I see
>
> [2019/06/11 13:58:47.535611,  3]
> ../auth/ntlmssp/ntlmssp_server.c:454(ntlmssp_server_preauth)
>     Got user=[pgoetz] domain=[austin] workstation=[CNS-VM-PGOETZ1]
> len1=24 len2=332
>
> What then happens is it looks for user pgoetz in a non-existent passdb
> file, maps the username to guest, which is mapped to nobody, and then
> the authentication fails.
>
> Just want to confirm that the problem is with the Samba version before
> upgrading from a PPA.

Looks to me like the problem is with sssd, which doesn't use NTLM.
>
> Aside:  Looks like the Samba team had a PPA for daily releases which was
> abandoned about a year ago: what happened with that?
>
Didn't know we had one, care to post a link?

Rowland
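
An added example, not part of either message: a small Python parser that separates the Kerberos and NTLMSSP log entries quoted above, so you can see which users are arriving over NTLM. It assumes smbd writes the entry header and source location on one line (the quotes above are mail-wrapped); the sample log, including its filler entry, is constructed.

```python
import re

# "[timestamp,  level] source.c:line(function)" as smbd writes an entry header.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+):\d+\((?P<func>\w+)\)\s*$")
# The two functions seen in the quoted logs, mapped to the mechanism they imply.
MECHANISM = {"kerberos_decode_pac": "kerberos", "ntlmssp_server_preauth": "ntlmssp"}
KRB_USER = re.compile(r"Found account name from PAC: (\S+)")
NTLM_USER = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\] workstation=\[([^\]]*)\]")

# Constructed sample: the two quoted entries, unwrapped, plus one filler entry.
SAMPLE = """\
[2019/06/11 13:09:35.088714,  3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: pgoetz [Goetz, Patrick G]
[2019/06/11 13:10:00.000000,  3] placeholder.c:1(unrelated_function)
  constructed filler entry, not real smbd output
[2019/06/11 13:58:47.535611,  3] ../auth/ntlmssp/ntlmssp_server.c:454(ntlmssp_server_preauth)
  Got user=[pgoetz] domain=[austin] workstation=[CNS-VM-PGOETZ1]
  len1=24 len2=332
"""

def parse_entries(text):
    """Yield (header_fields, message) per entry, joining continuation lines."""
    current, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current is not None:
                yield current, " ".join(body)
            current, body = m.groupdict(), []
        elif current is not None and line.strip():
            body.append(line.strip())
    if current is not None:
        yield current, " ".join(body)

def auth_events(text):
    """Return one dict per entry that reveals the authentication mechanism."""
    events = []
    for hdr, msg in parse_entries(text):
        mech = MECHANISM.get(hdr["func"])
        if mech == "kerberos" and (m := KRB_USER.search(msg)):
            events.append({"ts": hdr["ts"], "mech": mech, "user": m.group(1)})
        elif mech == "ntlmssp" and (m := NTLM_USER.search(msg)):
            events.append({"ts": hdr["ts"], "mech": mech, "user": m.group(1),
                           "domain": m.group(2), "workstation": m.group(3)})
    return events

def ntlm_users(text):
    return sorted({e["user"] for e in auth_events(text) if e["mech"] == "ntlmssp"})
```
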




