[Samba] Samba + SSSD: confirmed working for Samba versions 4.7.6 and 4.8.3

L.P.H. van Belle belle at bazuin.nl
Wed Jun 19 13:02:05 UTC 2019


Keep your naming conventions as they should be. 

wrong    netbios name = cns-bio-krak1 
right    netbios name = CNS-BIO-KRAK1

If your resolving setup is correct, 
then you can use: disable netbios = yes  and dns proxy = yes 
Then your netbios name should be resolved over DNS. 
But you still need to set it as shown above. 

> Still need to find out if there is a
> way to allow a few non-domain machines to mount shares.

Add the needed REALM in /etc/krb5.conf 
Add the computer name to the DNS (A+PTR), create a user that keeps the needed SPN/UPN for the computer, the non-joined computer.
Add CIFS/spn to it, something like that; I'm just too busy to have a good look at it. (Optionally add root/spn.) 
But now you should be able to do cifs mounts with Kerberos without joining the domain. 
Or just use user= pass= domain= for the mount settings. 
mount -t cifs -o credentials=/path/to/secret-info-file //host.FQDN/share /mnt/folder



> net rpc rights list -U cns-pgoetz
>    Enter cns-pgoetz's password:
>    Could not connect to server 127.0.0.1
>    Connection failed: NT_STATUS_NO_LOGON_SERVERS

That's most probably due to an incorrect resolving setup. 

You're on Ubuntu? 
Get this and run it / anonymize it. 
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

I'm very busy atm, so when I can spare a few min I'll have a look, but you have 4 people in front of you. 
So if needed anonymize it, and ask the list to have a look at it if you're in a hurry. 


Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Goetz, Patrick G via samba
> Sent: Wednesday 19 June 2019 14:26
> To: samba at lists.samba.org
> Subject: [Samba] Samba + SSSD: confirmed working for Samba 
> versions 4.7.6 and 4.8.3
> 
> I thought I sent this, but didn't see it hit the list.  Since this 
> presented a considerable amount of frustration (requiring a netbios name 
> seems illogical in an AD-only world), I'm sending it again.  Apologies 
> if this is a repost.
> 
> 
> -------- Forwarded Message --------
> Subject: Samba + SSSD: confirmed working for Samba versions 
> 4.7.6 and 4.8.3
> Date: Tue, 18 Jun 2019 17:15:47 -0500
> From: Patrick Goetz <pgoetz at math.utexas.edu>
> To: samba at lists.samba.org
> 
> A couple of days ago I posted about not being able to authenticate AD 
> domain users when trying to mount SMB shares.  Turns out my problem was 
> that I hadn't set a netbios name in /etc/samba/smb.conf, even though I 
> have netbios turned off!  Understood that this isn't supported, but for 
> the benefit of others searching this forum (and posts come up a lot in 
> searches), here is the smb.conf configuration that works with sssd on 
> Ubuntu 18.04:
> 
> 
> [global]
> 
>    netbios name = cns-bio-krak1
>    workgroup = AUSTIN
>    client signing = yes
>    client use spnego = yes
>    kerberos method = secrets and keytab
>    realm = AUSTIN.UTEXAS.EDU
>    security = ads
>    allow trusted domains = yes
>    disable netbios = yes
> 
>    log level = 1
>    guest account = nobody
> 
>    vfs objects = acl_xattr
>    map acl inherit = yes
>    store dos attributes = yes
> 
>    server role = auto
>    obey pam restrictions = yes
> 
>    load printers = no
>    cups options = raw
> 
> 
> Everything else is pretty much left at the defaults.  Printing is turned 
> off because we don't configure printers on these servers, and no 
> idmap'ing is necessary.  The nmbd service is off and masked, winbind 
> isn't installed, and the only open port is 445.  Share services are now 
> mountable on SMB domain clients.  Still need to find out if there is a 
> way to allow a few non-domain machines to mount shares.
> 
> The only thing not working properly with Samba 4.7.6 (this was working 
> with 4.8.3, then we somehow broke it) is using some critical 
> net commands:
> 
>    root at kraken:/etc/samba# net rpc rights list -U cns-pgoetz
>    Enter cns-pgoetz's password:
>    Could not connect to server 127.0.0.1
>    Connection failed: NT_STATUS_NO_LOGON_SERVERS
> 
> This is making it difficult to assign administrative rights from the 
> Windows side (as per Rowland's suggestion).  We were able to get this 
> working with sssd and Samba 4.8.3, no luck yet with 4.7.6.
> 
> 
> 




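A defender-side lint for the two things this thread turns on: an explicitly set, uppercase `netbios name` next to `disable netbios = yes` (Patrick's finding and Louis's correction), and keeping the cifs credentials out of the mount command line and in an owner-only file (Louis's `credentials=` suggestion). This is an added example for this archive page, not code from the Samba project or from either poster. The `[global]` block is a constructed sample modelled on the one quoted above, the credentials file contents are constructed, and the function names (`parse_smb_conf`, `lint_global`, `check_mount_options`, `check_credentials_file`, `demo_credentials_check`) are my own.

```python
"""Lint the smb.conf pattern from the thread (Samba + SSSD, NetBIOS disabled)
and the cifs credentials file used with mount -t cifs.
Added example, not part of the mailing-list post."""
import os
import re
import stat
import tempfile

# Constructed sample, modelled on the [global] section posted in the thread
# (lowercase netbios name left in on purpose so the lint has something to flag).
SAMPLE_SMB_CONF = """\
[global]
   netbios name = cns-bio-krak1
   workgroup = AUSTIN
   realm = AUSTIN.UTEXAS.EDU
   security = ads
   disable netbios = yes
   kerberos method = secrets and keytab

[share]
   path = /srv/share
"""


def parse_smb_conf(text):
    """Parse smb.conf-style INI text into {section: {key: value}}.
    Samba treats keys case-insensitively and ignores internal whitespace,
    so keys are normalised to lowercase with single spaces."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or '=' not in line:
            continue
        key, value = line.split('=', 1)
        sections[current][' '.join(key.lower().split())] = value.strip()
    return sections


def is_yes(value):
    return value.strip().lower() in ('yes', 'true', '1')


def lint_global(conf):
    """Return a list of findings for the [global] section (empty = clean)."""
    g = conf.get('global', {})
    findings = []
    name = g.get('netbios name')
    if name is None:
        findings.append('netbios name is not set; the thread reports it is '
                        'needed even with disable netbios = yes')
    else:
        if name != name.upper():
            findings.append(f'netbios name "{name}" is not uppercase; use "{name.upper()}"')
        if len(name) > 15:  # NetBIOS names are limited to 15 characters
            findings.append(f'netbios name "{name}" exceeds the 15-character limit')
    # Louis's advice: with NetBIOS disabled the name must resolve via DNS.
    dns_proxy = g.get('dns proxy')
    if is_yes(g.get('disable netbios', 'no')) and dns_proxy is not None and not is_yes(dns_proxy):
        findings.append('disable netbios = yes but dns proxy is explicitly off; '
                        'name resolution then depends entirely on DNS records')
    if g.get('security', '').lower() == 'ads' and not g.get('realm'):
        findings.append('security = ads requires realm to be set')
    return findings


def check_mount_options(options):
    """Flag a password passed as a mount option: it shows up in the process
    list and shell history, whereas credentials= keeps it in a file."""
    keys = {o.split('=', 1)[0].strip().lower() for o in options.split(',')}
    if keys & {'pass', 'password'}:
        return ['password given on the command line; use credentials=<file> or sec=krb5']
    return []


def check_credentials_file(path):
    """A cifs credentials file holds a cleartext password, so it must not be
    group- or world-accessible (chmod 600) and must carry username/password."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f'{path} is group/world accessible (mode {mode:04o}); chmod 600 it')
    with open(path) as f:
        keys = {l.split('=', 1)[0].strip().lower() for l in f if '=' in l}
    for required in ('username', 'password'):
        if required not in keys:
            findings.append(f'{path} lacks a {required}= line')
    return findings


def demo_credentials_check():
    """Write a constructed credentials file, check it world-readable and
    then after chmod 600; returns (findings_before, findings_after)."""
    fd, path = tempfile.mkstemp(prefix='smbcred-')
    try:
        with os.fdopen(fd, 'w') as f:
            f.write('username=cns-pgoetz\npassword=constructed-sample\ndomain=AUSTIN\n')
        os.chmod(path, 0o644)
        loose = check_credentials_file(path)
        os.chmod(path, 0o600)
        tight = check_credentials_file(path)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == '__main__':
    for finding in lint_global(parse_smb_conf(SAMPLE_SMB_CONF)):
        print('smb.conf:', finding)
    for finding in check_mount_options('user=cns-pgoetz,pass=secret,domain=AUSTIN'):
        print('mount:', finding)
    before, after = demo_credentials_check()
    print('credentials file before chmod 600:', before)
    print('credentials file after chmod 600:', after)
```

Run it against a real `/etc/samba/smb.conf` by reading the file into `parse_smb_conf`; the sample above reproduces the lowercase-name finding from the thread, and the same text with `CNS-BIO-KRAK1` lints clean.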