[Samba] Samba + SSSD: confirmed working for Samba versions 4.7.6 and 4.8.3

Goetz, Patrick G pgoetz at math.utexas.edu
Wed Jun 19 12:26:27 UTC 2019


I thought I sent this, but didn't see it hit the list.  Since this 
presented a considerable amount of frustration (requiring a netbios name 
seems illogical in an AD-only world), I'm sending it again.  Apologies 
if this is a repost.


-------- Forwarded Message --------
Subject: Samba + SSSD: confirmed working for Samba versions 4.7.6 and 4.8.3
Date: Tue, 18 Jun 2019 17:15:47 -0500
From: Patrick Goetz <pgoetz at math.utexas.edu>
To: samba at lists.samba.org

A couple of days ago I posted about not being able to authenticate AD 
domain users when trying to mount SMB shares.  Turns out my problem was 
that I hadn't set a netbios name in /etc/samba/smb.conf, even though I 
have netbios turned off!  Understood that this isn't supported, but for 
the benefit of others searching this forum (and posts come up a lot in 
searches), here is the smb.conf configuration that works with sssd on 
Ubuntu 18.04:


[global]

   netbios name = cns-bio-krak1
   workgroup = AUSTIN
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   realm = AUSTIN.UTEXAS.EDU
   security = ads
   allow trusted domains = yes
   disable netbios = yes

   log level = 1
   guest account = nobody

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes

   server role = auto
   obey pam restrictions = yes

   load printers = no
   cups options = raw


Everything else is pretty much left at the defaults.  Printing is turned 
off because we don't configure printers on these servers, and no 
idmap'ing is necessary.  The nmbd service is off and masked, winbind 
isn't installed, and the only open port is 445.  Share services are now 
mountable on SMB domain clients.  Still need to find out if there is a 
way to allow a few non-domain machines to mount shares.
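As an added illustration (not part of the original post, and not a Samba tool), the following POSIX shell script checks an smb.conf for the pitfall described above: "security = ads" with no "netbios name" set, which the post reports as the cause of domain users failing to authenticate even though NetBIOS itself is disabled. It also flags a missing realm and warns when "disable netbios" or "client signing" differ from the working configuration. The function names (smb_param, check_smb_conf) and the file paths are assumptions; the sample configuration in the usage note is constructed from the one above.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an smb.conf for an
# AD-only, SSSD-backed member server. Parses the [global] section only.
# Function names and paths are hypothetical.

# Lower-case a string (smb.conf keys and boolean values are case-insensitive).
lc() { printf %s "$1" | tr 'A-Z' 'a-z'; }

# Print the value of a [global] parameter from FILE. Usage: smb_param FILE PARAM
smb_param() {
    awk -v want="$2" '
        # Track which section we are in; only [global] is examined.
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && /^[ \t]*[#;]/ { next }          # skip comments
        insec && index($0, "=") {
            key = $0; sub(/=.*/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", key)      # trim the key
            if (tolower(key) == tolower(want)) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val)
                sub(/[ \t]+$/, "", val)           # trim the value
                print val; exit
            }
        }' "$1"
}

# Check FILE. Prints one line per finding; returns 0 only when no FAIL was found.
check_smb_conf() {
    file="$1"; rc=0
    sec=$(lc "$(smb_param "$file" "security")")
    nb=$(smb_param "$file" "netbios name")
    realm=$(smb_param "$file" "realm")
    dn=$(lc "$(smb_param "$file" "disable netbios")")
    cs=$(lc "$(smb_param "$file" "client signing")")

    if [ "$sec" != "ads" ]; then
        echo "FAIL: security = '$sec' (expected 'ads' for an AD member server)"; rc=1
    fi
    # The pitfall from the post: a netbios name is required even when NetBIOS
    # transport is disabled.
    if [ -z "$nb" ]; then
        echo "FAIL: 'netbios name' not set (required even with 'disable netbios = yes')"; rc=1
    fi
    if [ -z "$realm" ]; then
        echo "FAIL: 'realm' not set (Kerberos realm of the AD domain)"; rc=1
    fi
    if [ "$dn" != "yes" ]; then
        echo "WARN: 'disable netbios' is not 'yes'; NetBIOS ports 137-139 may still be in use"
    fi
    case "$cs" in
        yes|mandatory|required) ;;
        *) echo "WARN: 'client signing' is '$cs'; the working config uses 'yes'" ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK: $file"
    fi
    return "$rc"
}

# Stand-alone use: sh check_smb.sh /etc/samba/smb.conf [more files...]
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do check_smb_conf "$f" || status=1; done
    exit "$status"
fi
```

This only inspects the text of the file; run Samba's own testparm -s first to catch syntax errors and unknown parameters, then this check for the netbios-name pitfall. Whether the host really exposes only port 445 is a separate runtime check (for example, listing listening sockets with ss -ltn).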

The only thing not working properly with Samba 4.7.6 (this was working 
with 4.8.3, then we somehow broke it) is using some critical net commands:

   root at kraken:/etc/samba# net rpc rights list -U cns-pgoetz
   Enter cns-pgoetz's password:
   Could not connect to server 127.0.0.1
   Connection failed: NT_STATUS_NO_LOGON_SERVERS

This is making it difficult to assign administrative rights from the 
Windows side (as per Rowland's suggestion).  We were able to get this 
working with sssd and Samba 4.8.3, no luck yet with 4.7.6.
