[Samba] Using SSSD + AD with Samba seems to require Winbind be running
Robert Marcano
robert at marcanoonline.com
Wed Aug 12 12:24:53 UTC 2020
On 8/11/20 10:46 PM, Christian Kuntz via samba wrote:
> Hi all,
>
> Configuration information right off the bat:
> Debian Buster 10.5 and Samba 2:4.9.5+dfsg-5+deb10u1.
>
> Testparm is at the bottom
>
>
> I'm running into some interesting behavior on a server I've configured to
> use SSSD to bind to the AD domain. I've successfully bound using "net ads"
> and can get tickets and so on, and have samba configured to use kerberos
> through sssd. nsswitch has been configured to use sssd and not winbind as
> well.
> The tricky thing is, though local users work fine winbind has to be running
> in order for AD authentication to work, even though I believe I have
> configured samba to not use winbind at all. If winbind is not running, a
> "NT_STATUS_NO_LOGON_SERVER" error is generated when it fails to connect to
> winbind's local socket. This is only resolved by starting winbind, in which
> case auth moves along without issue. I was under the impression that my
> current configuration obviates the need for winbind, but I could very well
> be wrong.
>
> For any AD usage, is it required for winbind to be running even if the
> configuration doesn't use it? If not, what in my confguration needs to be
> changed so that winbind is no longer required?
>
> As always, thanks for your time and consideration,
If you are runnning a Samba server as a member of a domain, you need to
start winbind. The following is a not a Samba issue since Samba and SSSD
interactions are not part of Samba.
You can still run SSSD/realmd/adcli as your domain membership toolkit,
but you need to start winbind if a Samba server is started on the same
machine. Running winbind doesn't means you have to use winbind nsswitch
module, you can still use SSSD module there and let it provide the list
of users and groups to the system. In order to make SSSD and winbind
users match accordingly, you have to use something like:
idmap config MYDOMAIN : range = 278000000-278999999
idmap config MYDOMAIN : backend = rid
with a range that matches the range SSSD assigns to the domain users and
groups.
Use realmd to join the server and everything should work, Be careful
that SSSD properly updates the machine account password, and Samba could
be doing that too, but it doesn't with some combinations of the setting
"kerberos method". I use
kerberos method = secrets and keytab
Whe that setting is set, Samba doesn't try the machine password
periodically. but as SSSD will try to do it, the Samba server stores
password and the SSSD one are different and your Samba server start to
have authentication problems.
You can disable SSSD machine account password renewal
(ad_maximum_machine_account_password_age = 0) or run a cron job with
something like:
adcli update --add-samba-data -v --computer-password-lifetime=0 -D
<your domain>
The --add-samba-data is a new option that exists on adcli (at least on
RHEL/CentOS 8) but the SSSD configuration parameter
(ad_update_samba_machine_account_password) is upstream but not yet on
the distro version
See: https://pagure.io/SSSD/sssd/issue/3920
Hope this helps, but remember any problems with this configuration
should be tried without using SSSD in order to know if it is a Samba
issue of SSSD one.
>
> Christian
>
> Testparm output:
> [global]
> client signing = if_required
> disable spoolss = Yes
> dns proxy = No
> kerberos method = secrets and keytab
> load printers = No
> local master = No
> log file = /var/log/samba/clients/%m.log
> logging = syslog at 0 file
> max log size = 100
> max stat cache size = 65536
> max xmit = 1048676
> name resolve order = host wins bcast
> ntlm auth = ntlmv1-permitted
> printcap name = /dev/null
> realm = FOOBAR.COM
> security = ADS
> template homedir = /home/%U
> workgroup = FOOBAR
> idmap config foolab:range = 10000-9999999999
> idmap config foolab:schema_mode = rfc2307
> idmap config foolab:backend = ad
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> include = /etc/samba/smb-shares.conf
> printing = bsd
>
More information about the samba
mailing list