[Samba] Using SSSD + AD with Samba seems to require Winbind be running

Robert Marcano robert at marcanoonline.com
Wed Aug 12 12:24:53 UTC 2020 

On 8/11/20 10:46 PM, Christian Kuntz via samba wrote:
> Hi all,
> 
> Configuration information right off the bat:
>        Debian Buster 10.5 and Samba 2:4.9.5+dfsg-5+deb10u1.
> 
> Testparm is at the bottom
> 
> 
> I'm running into some interesting behavior on a server I've configured to
> use SSSD to bind to the AD domain. I've successfully bound using "net ads"
> and can get tickets and so on, and have samba configured to use kerberos
> through sssd. nsswitch has been configured to use sssd and not winbind as
> well.
> The tricky thing is, though local users work fine winbind has to be running
> in order for AD authentication to work, even though I believe I have
> configured samba to not use winbind at all. If winbind is not running, a
> "NT_STATUS_NO_LOGON_SERVER" error is generated when it fails to connect to
> winbind's local socket. This is only resolved by starting winbind, in which
> case auth moves along without issue. I was under the impression that my
> current configuration obviates the need for winbind, but I could very well
> be wrong.
> 
> For any AD usage, is it required for winbind to be running even if the
> configuration doesn't use it? If not, what in my confguration needs to be
> changed so that winbind is no longer required?
> 
> As always, thanks for your time and consideration,

If you are runnning a Samba server as a member of a domain, you need to 
start winbind. The following is a not a Samba issue since Samba and SSSD 
interactions are not part of Samba.

You can still run SSSD/realmd/adcli as your domain membership toolkit, 
but you need to start winbind if a Samba server is started on the same 
machine. Running winbind doesn't means you have to use winbind nsswitch 
module, you can still use SSSD module there and let it provide the list 
of users and groups to the system. In order to make SSSD and winbind 
users match accordingly, you have to use something like:

idmap config MYDOMAIN : range = 278000000-278999999
idmap config MYDOMAIN : backend = rid

with a range that matches the range SSSD assigns to the domain users and 
groups.

Use realmd to join the server and everything should work, Be careful 
that SSSD properly updates the machine account password, and Samba could 
be doing that too, but it doesn't with some combinations of the setting 
"kerberos method". I use

   kerberos method = secrets and keytab

Whe that setting is set, Samba doesn't try the machine password 
periodically. but as SSSD will try to do it, the Samba server stores 
password and the SSSD one are different and your Samba server start to 
have authentication problems.

You can disable SSSD machine account password renewal 
(ad_maximum_machine_account_password_age = 0) or run a cron job with 
something like:

   adcli update --add-samba-data -v --computer-password-lifetime=0 -D 
<your domain>

The --add-samba-data is a new option that exists on adcli (at least on 
RHEL/CentOS 8) but the SSSD configuration parameter 
(ad_update_samba_machine_account_password) is upstream but not yet on 
the distro version

See: https://pagure.io/SSSD/sssd/issue/3920

Hope this helps, but remember any problems with this configuration 
should be tried without using SSSD in order to know if it is a Samba 
issue of SSSD one.

> 
> Christian
> 
> Testparm output:
> [global]
> client signing = if_required
> disable spoolss = Yes
> dns proxy = No
> kerberos method = secrets and keytab
> load printers = No
> local master = No
> log file = /var/log/samba/clients/%m.log
> logging = syslog at 0 file
> max log size = 100
> max stat cache size = 65536
> max xmit = 1048676
> name resolve order = host wins bcast
> ntlm auth = ntlmv1-permitted
> printcap name = /dev/null
> realm = FOOBAR.COM
> security = ADS
> template homedir = /home/%U
> workgroup = FOOBAR
> idmap config foolab:range = 10000-9999999999
> idmap config foolab:schema_mode = rfc2307
> idmap config foolab:backend = ad
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> include = /etc/samba/smb-shares.conf
> printing = bsd
>

More information about the samba mailing list