[Samba] Using SSSD + AD with Samba seems to require Winbind be running

Rowland penny rpenny at samba.org
Wed Aug 12 07:12:46 UTC 2020


On 12/08/2020 03:46, Christian Kuntz via samba wrote:
> Hi all,
>
> Configuration information right off the bat:
>        Debian Buster 10.5 and Samba 2:4.9.5+dfsg-5+deb10u1.
>
> Testparm is at the bottom
>
>
> I'm running into some interesting behavior on a server I've configured to
> use SSSD to bind to the AD domain. I've successfully bound using "net ads"
> and can get tickets and so on, and have samba configured to use kerberos
> through sssd. nsswitch has been configured to use sssd and not winbind as
> well.
> The tricky thing is, though local users work fine, winbind has to be running
> in order for AD authentication to work, even though I believe I have
> configured samba to not use winbind at all. If winbind is not running, a
> "NT_STATUS_NO_LOGON_SERVER" error is generated when it fails to connect to
> winbind's local socket. This is only resolved by starting winbind, in which
> case auth moves along without issue. I was under the impression that my
> current configuration obviates the need for winbind, but I could very well
> be wrong.
>
> For any AD usage, is it required for winbind to be running even if the
> configuration doesn't use it? If not, what in my configuration needs to be
> changed so that winbind is no longer required?
>
> As always, thanks for your time and consideration,
>
> Christian
>
> Testparm output:
> [global]
> client signing = if_required
> disable spoolss = Yes
> dns proxy = No
> kerberos method = secrets and keytab
> load printers = No
> local master = No
> log file = /var/log/samba/clients/%m.log
> logging = syslog@0 file
> max log size = 100
> max stat cache size = 65536
> max xmit = 1048676
> name resolve order = host wins bcast
> ntlm auth = ntlmv1-permitted
> printcap name = /dev/null
> realm = FOOBAR.COM
> security = ADS
> template homedir = /home/%U
> workgroup = FOOBAR
> idmap config foolab:range = 10000-9999999999
> idmap config foolab:schema_mode = rfc2307
> idmap config foolab:backend = ad
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> include = /etc/samba/smb-shares.conf
> printing = bsd
>
You do not say which OS you are running, but the fix for your problem is 
something like 'yum remove sssd' or 'apt purge sssd'.

If you are running Samba with 'security = ADS' you must run winbind and 
if you run winbind, you cannot run sssd. They both do the same thing and 
both use versions of the winbind libs.

Rowland
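
The rule stated in the reply above can be checked mechanically. This is an added example, not part of the original thread or of Samba itself: the function names are hypothetical, the nsswitch lines are constructed, and the set of running services is assumed to be gathered separately (for example with `systemctl is-active`).

```python
import re

def parse_testparm(text):
    """Parse testparm/smb.conf text into {section: {param: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and whitespace
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def nss_sources(nsswitch_text, database):
    """Return the lookup sources listed for one nsswitch.conf database."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            # Drop action items such as [NOTFOUND=return]
            return [t for t in line.split(":", 1)[1].split() if not t.startswith("[")]
    return []

def check_member_config(testparm_text, nsswitch_text, running):
    """Flag what the reply rules out: ADS without winbind, or ADS with sssd."""
    glob = parse_testparm(testparm_text).get("global", {})
    if glob.get("security", "").lower() != "ads":
        return []
    findings = []
    if "winbind" not in running:
        findings.append("security = ADS but winbind is not running")
    sss_in_nss = [db for db in ("passwd", "group") if "sss" in nss_sources(nsswitch_text, db)]
    if "sssd" in running or sss_in_nss:
        where = ", ".join(sss_in_nss) or "none"
        findings.append("sssd in use alongside security = ADS (nsswitch: %s)" % where)
    return findings

# Constructed sample: the security line is from the post; nsswitch and services are assumed.
SAMPLE_TESTPARM = "[global]\nsecurity = ADS\n"
SAMPLE_NSSWITCH = "passwd: files systemd sss\ngroup:  files systemd sss\n"

if __name__ == "__main__":
    for finding in check_member_config(SAMPLE_TESTPARM, SAMPLE_NSSWITCH, {"smbd", "sssd"}):
        print(finding)
```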