[Samba] Samba + SSSD: confirmed working for Samba versions 4.7.6 and 4, 8.3
L.P.H. van Belle
belle at bazuin.nl
Wed Jun 19 13:02:05 UTC 2019
Keep your naming conventions as they should be.
wrong netbios name = cns-bio-krak1
right netbios name = CNS-BIO-KRAK1
If your resolving setup is correct,
then you can use: disable netbios = yes and dns proxy = yes
Then your netbios name should be resolved over dns.
But you still need to set it as shown above.
> Still need to find out if there is a
> way to allow a few non-domain machines to mount shares.
Add the needed REALM in /etc/krb5.conf
Add the computername to the DNS (A+PTR), create a user that keeps the needed SPN/UPN for the computer, the non-joined computer.
Add CIFS/spn to it. Something like that, I'm just too busy to have a good look at it. (Optional: add root/spn.)
But now you should be able to do CIFS mounts with Kerberos without joining the domain.
Or just user= pass= domain= for the mount settings.
mount -t cifs -o credentials=/path/to/secret-info-file //host.FQDN/share /mnt/folder
> net rpc rights list -U cns-pgoetz
> Enter cns-pgoetz's password:
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_NO_LOGON_SERVERS
That's most probably due to an incorrect resolving setup.
You're on Ubuntu?
Get this and run it/anonymize it.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
I'm very busy atm, so when I can spare a few min I'll have a look, but you have 4 people in front of you.
So if needed anonymize it, and ask the list to have a look at it if you're in a hurry.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Goetz, Patrick G via samba
> Sent: Wednesday 19 June 2019 14:26
> To: samba at lists.samba.org
> Subject: [Samba] Samba + SSSD: confirmed working for Samba
> versions 4.7.6 and 4, 8.3
>
> I thought I sent this, but didn't see it hit the list. Since this
> presented a considerable amount of frustration (requiring a netbios name
> seems illogical in an AD-only world), I'm sending it again. Apologies
> if this is a repost.
>
>
> -------- Forwarded Message --------
> Subject: Samba + SSSD: confirmed working for Samba versions
> 4.7.6 and 4,8.3
> Date: Tue, 18 Jun 2019 17:15:47 -0500
> From: Patrick Goetz <pgoetz at math.utexas.edu>
> To: samba at lists.samba.org
>
> A couple of days ago I posted about not being able to authenticate AD
> domain users when trying to mount SMB shares. Turns out my problem was
> that I hadn't set a netbios name in /etc/samba/smb.conf, even though I
> have netbios turned off! Understood that this isn't supported, but for
> the benefit of others searching this forum (and posts come up a lot in
> searches), here is the smb.conf configuration that works with sssd on
> Ubuntu 18.04:
>
>
> [global]
>
> netbios name = cns-bio-krak1
> workgroup = AUSTIN
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> realm = AUSTIN.UTEXAS.EDU
> security = ads
> allow trusted domains = yes
> disable netbios = yes
>
> log level = 1
> guest account = nobody
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> server role = auto
> obey pam restrictions = yes
>
> load printers = no
> cups options = raw
>
>
> Everything else is pretty much left at the defaults. Printing is turned
> off because we don't configure printers on these servers, and no
> idmap'ing is necessary. The nmbd service is off and masked, winbind
> isn't installed, and the only open port is 445. Share services are now
> mountable on SMB domain clients. Still need to find out if there is a
> way to allow a few non-domain machines to mount shares.
>
> The only thing not working properly with Samba 4.7.6 (this was working
> with 4.8.3, then we somehow broke it) is using some critical
> net commands:
>
> root at kraken:/etc/samba# net rpc rights list -U cns-pgoetz
> Enter cns-pgoetz's password:
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>
> This is making it difficult to assign administrative rights from the
> Windows side (as per Rowland's suggestion). We were able to get this
> working with sssd and Samba 4.8.3, no luck yet with 4.7.6.
>
>
>
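An added example, not part of the original thread: the reply above suggests mounting with credentials=/path/to/secret-info-file, and that file holds a cleartext password, so it is worth vetting before handing it to mount. The helper name check_cifs_credentials and the sample account values are assumptions made up for illustration; stat -c is the GNU coreutils form found on Ubuntu.

```shell
#!/bin/sh
# Vet a mount.cifs credentials file before using it with -o credentials=...
# check_cifs_credentials is a hypothetical helper, not a Samba or cifs-utils tool.

check_cifs_credentials() {
    f=$1
    # Must be a regular file and not a symlink that could point elsewhere.
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "not a regular file: $f" >&2
        return 1
    fi
    # No group/other access: the file contains a cleartext password.
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        600|400) ;;
        *) echo "mode $mode too permissive, want 600: $f" >&2; return 1 ;;
    esac
    # The file is key=value lines; username and password are required here,
    # domain is optional.
    for key in username password; do
        if ! grep -q "^${key}=" "$f"; then
            echo "missing ${key}= line: $f" >&2
            return 1
        fi
    done
    return 0
}

# Constructed demo input (account name, password and domain are made up).
demo_dir=$(mktemp -d)
demo=$demo_dir/cifs-cred
printf 'username=svc-mount\npassword=constructed-example\ndomain=EXAMPLE\n' > "$demo"

chmod 644 "$demo"
check_cifs_credentials "$demo" || echo "rejected while world-readable"

chmod 600 "$demo"
check_cifs_credentials "$demo" && echo "ok: mount -t cifs -o credentials=$demo ..."

rm -rf "$demo_dir"
```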