[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
Edouard Guigné
eguigne at pasteur-cayenne.fr
Tue Jun 18 14:25:02 UTC 2019
Winbind is installed and started:
# yum list samba-winbind samba-winbind-clients pam_krb5
pam_krb5.x86_64 2.4.8-6.el7 @base
samba-winbind.x86_64 4.8.3-4.el7 @base
samba-winbind-clients.x86_64 4.8.3-4.el7 @base
# systemctl status winbind -l
● winbind.service - Samba Winbind Daemon
Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
Active: active (running) since mar. 2019-06-18 09:50:43 -03; 1h 29min ago
Docs: man:winbindd(8)
man:samba(7)
man:smb.conf(5)
Main PID: 5430 (winbindd)
Status: "winbindd: ready to serve connections..."
CGroup: /system.slice/winbind.service
├─5430 /usr/sbin/winbindd --foreground --no-process-group
├─5478 /usr/sbin/winbindd --foreground --no-process-group
├─5535 /usr/sbin/winbindd --foreground --no-process-group
├─5538 /usr/sbin/winbindd --foreground --no-process-group
└─5540 /usr/sbin/winbindd --foreground --no-process-group
juin 18 09:50:43 myserver systemd[1]: Starting Samba Winbind Daemon...
juin 18 09:50:43 myserver winbindd[5430]: [2019/06/18 09:50:43.238610, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
juin 18 09:50:43 myserver winbindd[5430]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
juin 18 09:50:43 myserver systemd[1]: Started Samba Winbind Daemon.
juin 18 09:50:43 myserver winbindd[5430]: [2019/06/18 09:50:43.255256, 0] ../lib/util/become_daemon.c:138(daemon_ready)
juin 18 09:50:43 myserver winbindd[5430]: daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
I did not change smb.conf:
[global]
security = ads
realm = MYDOMAIN.LOCAL
workgroup = MYDOMAIN
kerberos method = secrets and keytab
server signing = mandatory
client signing = mandatory
hosts allow = 127. 10.X.X.
hosts deny = 10.X.X.
log level = 1 auth_audit:3
local master = no
domain master = no
preferred master = no
use sendfile = true
load printers = no
cups options = raw
printcap name = /dev/null
disable spoolss = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
idmap config * : backend = tdb
idmap config * : range = 15000-99999
winbind nss info = rfc2307
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-14999
idmap config MYDOMAIN : unix_nss_info = yes
idmap config MYDOMAIN : unix_primary_group = yes
client min protocol = SMB2
username map = /etc/samba/user.map
[groups]
comment = mycomment
path = /var/datashared
public = no
writable = yes
valid users = @"utilisateurs du domaine at MYDOMAIN.LOCAL"
vfs objects = acl_xattr streams_xattr
[homes]
comment = Home Directories
read only = No
create mask = 0700
directory mask = 0700
valid users = @"utilisateurs du domaine at MYDOMAIN.LOCAL"
path = /home
hide files = /~*.tmp/profile/desktop.ini/~$*/
browseable = no
public = no
guest ok = no
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
create mask = 0664
directory mask = 0775
On 18/06/2019 at 11:06, Rowland penny via samba wrote:
> On 18/06/2019 14:35, Edouard Guigné via samba wrote:
>> Hello,
>>
>> On my system, nsswitch is like this:
>> passwd: files sss
>> shadow: files sss
>> group: files sss
>>
>> So I assumed that it works with SSSD; I do not notice any issue with
>> Samba.
>> My share is accessible, permissions and ACLs are working.
>> The only thing I noticed is that maybe NTLMv2 is always used by default
>> with Samba.
>> [2019/06/18 09:51:44.542476, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>> Auth: [SMB2,(null)] user [MYDOMAIN]\[usertest] at [mar., 18 juin 2019 09:51:44.542436 -03] with [NTLMv2] status [NT_STATUS_OK] workstation [WORKSTATIONTEST] remote host [ipv4:x.x.x.x:53352] became [MYDOMAIN]\[usertest] [S-1-5-21-88155730-3905377117-2757874379-2078]. local host [ipv4:x.x.x.x:445]
>>
>> I changed to :
>>
>> passwd: files winbind
>> shadow: files
>> group: files winbind
>>
>> N.B.: According to
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>> "Do not add the winbind entry to the NSS shadow database.
>> This can cause the wbinfo utility to fail."
>> Is that still true?
>>
>> But now, I cannot connect to the share at all with winbind instead of
>> sss in nsswitch.conf
>>
>> In the log, I get:
>> [2019/06/18 09:51:44.511561, 1] ../source3/lib/util.c:1699(name_to_fqdn)
>> getaddrinfo: temporary failure in name resolution
>>
>> However, I did join my Linux station to MYDOMAIN with the "realm join"
>> command
>>
>> and
>>
>> # realm list
>> mydomain.local
>> type: kerberos
>> realm-name: MYDOMAIN.LOCAL
>> domain-name: mydomain.local
>> configured: kerberos-member
>> server-software: active-directory
>> client-software: winbind
>> required-package: oddjob-mkhomedir
>> required-package: oddjob
>> required-package: samba-winbind-clients
>> required-package: samba-winbind
>> required-package: samba-common-tools
>> login-formats: MYDOMAIN\%U
>> login-policy: allow-any-login
>> mydomain.local
>> type: kerberos
>> realm-name: MYDOMAIN.LOCAL
>> domain-name: mydomain.local
>> configured: kerberos-member
>> server-software: active-directory
>> client-software: sssd
>> required-package: oddjob
>> required-package: oddjob-mkhomedir
>> required-package: sssd
>> required-package: adcli
>> required-package: samba-common-tools
>> login-formats: %U
>> login-policy: allow-realm-logins
>>
>> I checked /etc/resolv.conf; for me everything is correct: the DNS
>> IPs are the IPs of the domain controllers where the DNS services are
>> running.
>>
>> I do not want to be a nuisance any more with my problem of a mixed
>> SSSD / Winbindd configuration, but I would like to understand why
>> this works only with SSSD and not with winbindd.
>> Maybe because I first joined my Linux station to the domain with SSSD,
>> and then rejoined it to the domain with winbindd?
>>
> When you changed 'sss' to 'winbind', did you also reconfigure smb.conf?
>
> Is winbind installed?
>
> Rowland
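Added example, not from the thread or from the Samba project: a small parser for the "Auth:" lines that "log level = 1 auth_audit:3" produces (the format quoted above), tallying logons per mechanism and status so the question "is NTLMv2 always used?" can be answered from the log rather than by eye. The Kerberos logon and the failed logon in the sample are constructed, and the "with [Kerberos]" mechanism label is an assumption.

```python
import re
from collections import Counter

# Matches the human-readable line Samba writes at "log level = 1 auth_audit:3"
# (auth_log.c); the bracketed field layout of the thread's line is assumed stable.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]*),(?P<description>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] with \[(?P<mechanism>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
)

def parse_auth_line(line):
    """Return the fields of one 'Auth:' line as a dict, or None for any other line."""
    m = AUTH_RE.search(line)
    return m.groupdict() if m else None

def summarise(lines):
    """Tally logons per (mechanism, status), list NTLM clients as DOMAIN\\user@workstation, collect failures."""
    by_mech = Counter()
    ntlm_clients = set()
    failures = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:          # file/line prefix lines and unrelated log output
            continue
        by_mech[(rec["mechanism"], rec["status"])] += 1
        if rec["mechanism"].startswith("NTLM"):
            ntlm_clients.add(f'{rec["domain"]}\\{rec["user"]}@{rec["workstation"]}')
        if rec["status"] != "NT_STATUS_OK":
            failures.append(rec)
    return by_mech, ntlm_clients, failures

# Constructed sample: lines 1-2 are the thread's own (IPs anonymised there as x.x.x.x);
# the Kerberos logon and the failed NTLMv2 logon are made up in the same layout.
SAMPLE_LOG = [
    "[2019/06/18 09:51:44.542476, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)",
    "  Auth: [SMB2,(null)] user [MYDOMAIN]\\[usertest] at [mar., 18 juin 2019 09:51:44.542436 -03] "
    "with [NTLMv2] status [NT_STATUS_OK] workstation [WORKSTATIONTEST] remote host [ipv4:x.x.x.x:53352] "
    "became [MYDOMAIN]\\[usertest] [S-1-5-21-88155730-3905377117-2757874379-2078]. local host [ipv4:x.x.x.x:445]",
    "  Auth: [SMB2,(null)] user [MYDOMAIN]\\[usertest] at [mar., 18 juin 2019 09:52:01.000000 -03] "
    "with [Kerberos] status [NT_STATUS_OK] workstation [WORKSTATIONTEST] remote host [ipv4:x.x.x.x:53360] "
    "became [MYDOMAIN]\\[usertest] [S-1-5-21-88155730-3905377117-2757874379-2078]. local host [ipv4:x.x.x.x:445]",
    "  Auth: [SMB2,(null)] user [MYDOMAIN]\\[other] at [mar., 18 juin 2019 09:53:10.000000 -03] "
    "with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [LAPTOP1] remote host [ipv4:x.x.x.x:53371] "
    "became [(null)]\\[(null)] [(null)]. local host [ipv4:x.x.x.x:445]",
]
```

Run `summarise(open("/var/log/samba/log.smbd").readlines())` against a real log to see which workstations still fall back to NTLMv2 instead of Kerberos.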