[Samba] Samba + SSSD: confirmed working for Samba versions 4.7.6 and 4.8.3
Goetz, Patrick G
pgoetz at math.utexas.edu
Wed Jun 19 12:26:27 UTC 2019
I thought I sent this, but didn't see it hit the list. Since this
presented a considerable amount of frustration (requiring a netbios name
seems illogical in an AD-only world), I'm sending it again. Apologies
if this is a repost.
-------- Forwarded Message --------
Subject: Samba + SSSD: confirmed working for Samba versions 4.7.6 and 4.8.3
Date: Tue, 18 Jun 2019 17:15:47 -0500
From: Patrick Goetz <pgoetz at math.utexas.edu>
To: samba at lists.samba.org
A couple of days ago I posted about not being able to authenticate AD
domain users when trying to mount SMB shares. Turns out my problem was
that I hadn't set a netbios name in /etc/samba/smb.conf, even though I
have netbios turned off! Understood that this isn't supported, but for
the benefit of others searching this forum (and posts come up a lot in
searches), here is the smb.conf configuration that works with sssd on
Ubuntu 18.04:
[global]
netbios name = cns-bio-krak1
workgroup = AUSTIN
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = AUSTIN.UTEXAS.EDU
security = ads
allow trusted domains = yes
disable netbios = yes
log level = 1
guest account = nobody
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
server role = auto
obey pam restrictions = yes
load printers = no
cups options = raw
Everything else is pretty much left at the defaults. Printing is turned
off because we don't configure printers on these servers, and no
idmap'ing is necessary. The nmbd service is off and masked, winbind
isn't installed, and the only open port is 445. Share services are now
mountable on SMB domain clients. Still need to find out if there is a
way to allow a few non-domain machines to mount shares.
The only thing not working properly with Samba 4.7.6 (this was working
with 4.8.3, then we somehow broke it) is using some critical net commands:
root at kraken:/etc/samba# net rpc rights list -U cns-pgoetz
Enter cns-pgoetz's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_NO_LOGON_SERVERS
This is making it difficult to assign administrative rights from the
Windows side (as per Rowland's suggestion). We were able to get this
working with sssd and Samba 4.8.3, no luck yet with 4.7.6.
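As an added example (not from the post above or from the Samba project): a small Python check that parses an smb.conf [global] section with the standard-library configparser and flags the trap the post describes, a missing netbios name in an AD-member configuration that has netbios disabled. The embedded sample is the post's own [global] section; the key names it checks are the ones the post uses.

```python
import configparser

# Keys an AD-member (security = ads) smb.conf needs in [global]; "netbios name" is the
# one the post found mandatory even with "disable netbios = yes".
REQUIRED_GLOBAL = ("netbios name", "workgroup", "realm", "security", "kerberos method")

# The relevant part of the post's [global] section (works with sssd on Ubuntu 18.04, per the author).
SMB_CONF_POST = """
[global]
netbios name = cns-bio-krak1
workgroup = AUSTIN
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = AUSTIN.UTEXAS.EDU
security = ads
allow trusted domains = yes
disable netbios = yes
"""

def parse_smb_conf(text: str) -> dict:
    """Parse smb.conf text into {section: {key: value}}; keys lower-cased, indentation ignored."""
    flat = "\n".join(line.strip() for line in text.splitlines())   # indented keys are common
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = lambda k: " ".join(k.lower().split())         # "Netbios  Name" -> "netbios name"
    cp.read_string(flat)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_ad_member_config(text: str) -> list:
    """Return findings for an sssd-backed AD-member smb.conf; an empty list means it looks right."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    for key in REQUIRED_GLOBAL:
        if not g.get(key, "").strip():
            findings.append(f"[global] lacks '{key}'")
    if not g.get("netbios name", "").strip() and g.get("disable netbios", "no").lower() == "yes":
        findings.append("disable netbios = yes does not remove the need for a netbios name; "
                        "without one, AD users fail to authenticate to shares (the post's root cause)")
    if g.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' to authenticate AD domain users")
    if "keytab" not in g.get("kerberos method", "").lower():
        findings.append("kerberos method should include the keytab (the post uses 'secrets and keytab')")
    return findings

if __name__ == "__main__":
    # Re-run against the post's config with the netbios name removed to see the findings.
    for finding in check_ad_member_config(SMB_CONF_POST) or ["OK: no findings"]:
        print(finding)
```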