[Samba] Using SSSD + AD with Samba seems to require Winbind be running

Christian Kuntz c.kuntz at opendrives.com
Wed Aug 12 02:46:09 UTC 2020


Hi all,

Configuration information right off the bat:
      Debian Buster 10.5 and Samba 2:4.9.5+dfsg-5+deb10u1.

Testparm is at the bottom


I'm running into some interesting behavior on a server I've configured to
use SSSD to bind to the AD domain. I've successfully bound using "net ads"
and can get tickets and so on, and have samba configured to use kerberos
through sssd. nsswitch has been configured to use sssd and not winbind as
well.
The tricky thing is, though local users work fine, winbind has to be running
in order for AD authentication to work, even though I believe I have
configured samba to not use winbind at all. If winbind is not running, a
"NT_STATUS_NO_LOGON_SERVER" error is generated when it fails to connect to
winbind's local socket. This is only resolved by starting winbind, in which
case auth moves along without issue. I was under the impression that my
current configuration obviates the need for winbind, but I could very well
be wrong.

For any AD usage, is it required for winbind to be running even if the
configuration doesn't use it? If not, what in my configuration needs to be
changed so that winbind is no longer required?

As always, thanks for your time and consideration,

Christian

Testparm output:
[global]
client signing = if_required
disable spoolss = Yes
dns proxy = No
kerberos method = secrets and keytab
load printers = No
local master = No
log file = /var/log/samba/clients/%m.log
logging = syslog@0 file
max log size = 100
max stat cache size = 65536
max xmit = 1048676
name resolve order = host wins bcast
ntlm auth = ntlmv1-permitted
printcap name = /dev/null
realm = FOOBAR.COM
security = ADS
template homedir = /home/%U
workgroup = FOOBAR
idmap config foolab:range = 10000-9999999999
idmap config foolab:schema_mode = rfc2307
idmap config foolab:backend = ad
idmap config * : range = 3000-7999
idmap config * : backend = tdb
include = /etc/samba/smb-shares.conf
printing = bsd

-- 
 <http://opendrives.com>
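
Added example, not part of the original post or of Samba: a small audit of testparm output like the one quoted above. It flags the settings that tie smbd to winbindd (Samba's 4.8 release notes state that "security = ads" and "security = domain" setups require a running winbindd) and the two weak-authentication settings in the listing. The sample is a constructed subset of the posted output; the function names and finding texts are hypothetical.

```python
import re

# Constructed sample: a subset of the testparm output quoted in the post.
SAMPLE = """\
[global]
client signing = if_required
ntlm auth = ntlmv1-permitted
realm = FOOBAR.COM
security = ADS
idmap config foolab:backend = ad
idmap config * : backend = tdb
"""

def parse_global(text):
    """Return the [global] parameters of testparm output as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse runs of spaces.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit(params):
    """Return (parameter, note) findings for a domain-member configuration."""
    findings = []
    if params.get("security", "").lower() in ("ads", "domain"):
        findings.append(("security", "domain member: smbd needs winbindd (4.8+)"))
    for key in params:
        if key.startswith("idmap config") and key.endswith("backend"):
            findings.append((key, "idmap backends are used by winbindd"))
    if params.get("ntlm auth", "").lower() in ("yes", "ntlmv1-permitted"):
        findings.append(("ntlm auth", "NTLMv1 accepted; consider ntlmv2-only"))
    if params.get("client signing", "").lower() == "if_required":
        findings.append(("client signing", "signing not enforced by this client"))
    return findings

if __name__ == "__main__":
    for name, note in audit(parse_global(SAMPLE)):
        print(f"{name}: {note}")
```
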