[Samba] Using SSSD + AD with Samba seems to require Winbind be running

Rowland penny rpenny at samba.org
Wed Aug 12 10:40:38 UTC 2020

On 12/08/2020 10:35, Christian Naumer wrote:
> On 12.08.2020 at 09:18, Rowland penny via samba <samba at lists.samba.org> wrote:
>> On 12/08/2020 03:46, Christian Kuntz via samba wrote:
>>> Hi all,
>>> Configuration information right off the bat:
>>>        Debian Buster 10.5 and Samba 2:4.9.5+dfsg-5+deb10u1.
>>> Testparm is at the bottom
>>> I'm running into some interesting behavior on a server I've configured to
>>> use SSSD to bind to the AD domain. I've successfully bound using "net ads"
>>> and can get tickets and so on, and have samba configured to use kerberos
>>> through sssd. nsswitch has been configured to use sssd and not winbind as
>>> well.
>>> The tricky thing is, though local users work fine winbind has to be running
>>> in order for AD authentication to work, even though I believe I have
>>> configured samba to not use winbind at all. If winbind is not running, a
>>> "NT_STATUS_NO_LOGON_SERVER" error is generated when it fails to connect to
>>> winbind's local socket. This is only resolved by starting winbind, in which
>>> case auth moves along without issue. I was under the impression that my
>>> current configuration obviates the need for winbind, but I could very well
>>> be wrong.
>>> For any AD usage, is it required for winbind to be running even if the
>>> configuration doesn't use it? If not, what in my configuration needs to be
>>> changed so that winbind is no longer required?
>>> As always, thanks for your time and consideration,
>>> Christian
>>> Testparm output:
>>> [global]
>>> client signing = if_required
>>> disable spoolss = Yes
>>> dns proxy = No
>>> kerberos method = secrets and keytab
>>> load printers = No
>>> local master = No
>>> log file = /var/log/samba/clients/%m.log
>>> logging = syslog at 0 file
>>> max log size = 100
>>> max stat cache size = 65536
>>> max xmit = 1048676
>>> name resolve order = host wins bcast
>>> ntlm auth = ntlmv1-permitted
>>> printcap name = /dev/null
>>> realm = FOOBAR.COM
>>> security = ADS
>>> template homedir = /home/%U
>>> workgroup = FOOBAR
>>> idmap config foolab:range = 10000-9999999999
>>> idmap config foolab:schema_mode = rfc2307
>>> idmap config foolab:backend = ad
>>> idmap config * : range = 3000-7999
>>> idmap config * : backend = tdb
>>> include = /etc/samba/smb-shares.conf
>>> printing = bsd
>> You do not say which OS you are running, but the fix for your problem is something like 'yum remove sssd' or 'apt purge sssd'.
> That depends on the OS. With Centos 7 you can remove sssd. With Centos 8 pam_krb5 is not available and you then need sssd and winbind. This works well. But coming back to the original question, winbind needs to run.
> Regards
> Christian
This is just my opinion: it seems that RHEL does not want you to use Samba.

If you use 'security = ADS' with Samba >= 4.8.0, then you must run 
winbind. Up until 4.8.0, the smbd daemon could contact AD directly; 
this was removed, and smbd now has to contact winbind to contact AD.

RHEL has a workaround using the 'sss' backend, but this only seems to 
work for authentication, so no shares.

So, (again in my opinion) if you want to use Samba as a fileserver, do 
not use RHEL/Centos 8.

I can confirm that there is nothing stopping you from compiling pam_krb5 
from Centos 7 on Centos 8.


Any opinions stated above are just my opinion and have nothing to do 
with anyone else's opinion.
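An added example, not part of this thread or of Samba itself: a POSIX shell script that applies the rule stated in the reply (security = ADS with Samba 4.8.0 or later means winbindd must be running) and, when the Samba tools are installed, pings winbindd over its local socket, which is the connection a logon fails on when winbind is down. It assumes the "Version 4.9.5-Debian" format that smbd --version prints and uses the standard testparm -s and wbinfo -p commands.

```shell
#!/bin/sh
# Added example (not from the thread): does this Samba setup need winbindd?

# Return 0 when the smbd version string and the "security" value imply
# winbindd is required (security = ADS and Samba >= 4.8.0), else 1.
requires_winbind() {
    version="$1"   # e.g. "Version 4.9.5-Debian" as printed by smbd --version
    security="$2"  # value of "security" from testparm -s, e.g. "ADS"
    case "$security" in
        [Aa][Dd][Ss]) ;;          # only ADS mode is affected
        *) return 1 ;;
    esac
    # Pull "major minor" out of the version string, ignoring any suffix.
    ver=$(printf '%s\n' "$version" |
          sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1     # unparseable version: cannot conclude
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 8 ]; }; then
        return 0
    fi
    return 1
}

# Live check, run only when the Samba tools exist on this host.
check_host() {
    command -v smbd >/dev/null 2>&1 && command -v testparm >/dev/null 2>&1 || {
        echo "smbd/testparm not installed; skipping live check"; return 0; }
    v=$(smbd --version)
    s=$(testparm -s 2>/dev/null | sed -n 's/^[[:space:]]*security = //p')
    if requires_winbind "$v" "$s"; then
        # wbinfo -p pings winbindd on its local socket; if this fails, AD
        # logons through smbd fail too (NT_STATUS_NO_LOGON_SERVER in the thread).
        if wbinfo -p >/dev/null 2>&1; then
            echo "$v, security = $s: winbindd is required and is running"
        else
            echo "$v, security = $s: winbindd is required but not reachable"
            return 2
        fi
    else
        echo "$v, security = $s: winbindd not required by this rule"
    fi
}

if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it with --check on the file server to get the live verdict; the requires_winbind function can also be sourced and called with a version string and security mode for offline review of a testparm dump.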
