[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication

Rowland penny rpenny at samba.org
Tue Jun 18 14:06:20 UTC 2019


On 18/06/2019 14:35, Edouard Guigné via samba wrote:
> Hello,
>
> On my system, nsswitch is like this :
> passwd:     files sss
> shadow:     files sss
> group:      files sss
>
> So I assumed that it works with SSSD, I do not notice any issue with 
> Samba.
> My share is accessible, permissions acls are working.
> The only thing I noticed is maybe NTLMv2 is always used by default 
> with Samba.
> [2019/06/18 09:51:44.542476,  3] 
> ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [SMB2,(null)] user [MYDOMAIN]\[usertest] at [mar., 18 juin 
> 2019 09:51:44.542436 -03] with [NTLMv2] status [NT_STATUS_OK] 
> workstation [WORKSTATIONTEST] remote host [ipv4:x.x.x.x:53352] became 
> [MYDOMAIN]\[usertest] [S-1-5-21-88155730-3905377117-2757874379-2078]. 
> local host [ipv4:x.x.x.x:445]
>
> I changed to :
>
> passwd:     files winbind
> shadow:     files
> group:      files winbind
>
> N.B. : According to 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> "/Do not add the //|winbind|//entry to the NSS //|shadow|//database. 
> This can cause the //|wbinfo|//utility fail./"
> Is that still true ?
>
> But now, I cannot connect to the share at all with winbind instead of 
> sss in nsswitch.conf
>
> In the log, I get :
> [2019/06/18 09:51:44.511561,  1] 
> ../source3/lib/util.c:1699(name_to_fqdn)
>   getaddrinfo: temporary failure in name resolution
>
> However, I did join my linux station to MYDOMAIN with the "realm join" 
> command
>
> and
>
> # realm list
> mydomain.local
>   type: kerberos
>   realm-name: MYDOMAIN.LOCAL
>   domain-name: mydomain.local
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: winbind
>   required-package: oddjob-mkhomedir
>   required-package: oddjob
>   required-package: samba-winbind-clients
>   required-package: samba-winbind
>   required-package: samba-common-tools
>   login-formats: MYDOMAIN\%U
>   login-policy: allow-any-login
> mydomain.local
>   type: kerberos
>   realm-name: MYDOMAIN.LOCAL
>   domain-name: mydomain.local
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   required-package: adcli
>   required-package: samba-common-tools
>   login-formats: %U
>   login-policy: allow-realm-logins
>
> I checked /etc/resolv.conf, for me everything is correct ; the DNS IPs 
> are the IPs of the domain controllers on where DNS services are running.
>
> I do not want to annoy you anymore with my problem of a mixed 
> configuration SSSD / Winbindd ; but I would like to understand why 
> this is working only with SSSD and not with winbindd.
> Maybe because I first joined my linux station to the domain with SSSD ? 
> And then rejoined it to the domain with winbindd ?
>
When you changed 'sss' to 'winbind', did you also reconfigure smb.conf ?

Is winbind installed ?

Rowland
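The two nsswitch.conf layouts quoted above (sss-only, then winbind without winbind in shadow) are the kind of thing that is easy to check mechanically. The following is an added example, not code from the thread or from Samba: it parses an nsswitch.conf text and reports whether passwd/group resolve through winbind, whether sss and winbind are mixed on the same database, and whether winbind is listed under shadow, which the Samba wiki says to avoid. The sample configs are constructed from the thread.

```python
"""Audit an nsswitch.conf for a Samba domain member that uses winbind."""

# Constructed samples: the two layouts quoted in the thread.
SSS_CONF = """passwd:     files sss
shadow:     files sss
group:      files sss
"""
WINBIND_CONF = """passwd:     files winbind
shadow:     files
group:      files winbind
"""


def parse_nsswitch(text):
    """Return {database: [backend, ...]}, ignoring comments and blank lines."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, rest = line.partition(":")
        # Drop action specs such as [NOTFOUND=return]; keep module names only.
        db[name.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return db


def audit_nsswitch(text):
    """Return a list of findings (empty list means the layout matches the wiki)."""
    db = parse_nsswitch(text)
    findings = []
    for name in ("passwd", "group"):
        mods = db.get(name, [])
        if "winbind" not in mods:
            findings.append(f"{name}: winbind missing (domain users will not resolve via winbind)")
        elif "sss" in mods:
            findings.append(f"{name}: both sss and winbind listed (mixed SSSD/winbind setup)")
    if "winbind" in db.get("shadow", []):
        findings.append("shadow: winbind listed (Samba wiki: can make wbinfo fail)")
    return findings


if __name__ == "__main__":
    for label, conf in (("sss", SSS_CONF), ("winbind", WINBIND_CONF)):
        print(label, audit_nsswitch(conf) or "OK")
```

On a real host, pass the contents of /etc/nsswitch.conf to audit_nsswitch() and confirm name lookups with getent passwd and wbinfo -u once the findings are clear.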
