[Samba] Using SSSD + AD with Samba seems to require Winbind be running

L.P.H. van Belle belle at bazuin.nl
Wed Aug 12 13:11:17 UTC 2020


What I don't get/understand..

Why? Why such a setup.
Can TP explain this?

Just trying to understand your idea of why a setup like this..
There must be a reason?


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 12 August 2020 14:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Using SSSD + AD with Samba seems to
> require Winbind be running
> 
> On 12/08/2020 13:24, Robert Marcano via samba wrote:
> > If you are running a Samba server as a member of a domain, you need
> > to start winbind. The following is not a Samba issue since Samba and
> > SSSD interactions are not part of Samba.
> >
> > You can still run SSSD/realmd/adcli as your domain membership toolkit,
> > but you need to start winbind if a Samba server is started on the same
> > machine. Running winbind doesn't mean you have to use the winbind
> > nsswitch module; you can still use the SSSD module there and let it
> > provide the list of users and groups to the system. In order to make
> > SSSD and winbind users match accordingly, you have to use something like:
> >
> > idmap config MYDOMAIN : range = 278000000-278999999
> > idmap config MYDOMAIN : backend = rid
> There is no reason to match the sssd IDs on a Samba domain member; also
> you shouldn't have sssd and winbind installed on the same machine, they
> both use different versions of the winbind libs.
> >
> > Use realmd to join the server and everything should work,
> Just use 'net ads join', no need for realmd.
> > Be careful that SSSD properly updates the machine account password,
> > and Samba could be doing that too, but it doesn't with some
> > combinations of the setting "kerberos method". I use
> >
> >   kerberos method = secrets and keytab
> The kerberos method has nothing to do with updating the machine
> passwords, it just tells Samba how to verify tickets, using secrets.tdb
> and the system keytab (the one in memory) in this case.
> >
> > When that setting is set, Samba doesn't try the machine password
> > periodically, but as SSSD will try to do it, the Samba server's stored
> > password and the SSSD one are different and your Samba server starts to
> > have authentication problems.
> If that is the case, one of them is broken and it isn't Samba ;-)
> >
> > You can disable SSSD machine account password renewal
> > (ad_maximum_machine_account_password_age = 0) or run a cron job with
> > something like:
> >
> >   adcli update --add-samba-data -v --computer-password-lifetime=0 -D
> > <your domain>
> >
> > The --add-samba-data is a new option that exists on adcli (at least on
> > RHEL/CentOS 8) but the SSSD configuration parameter
> > (ad_update_samba_machine_account_password) is upstream but not yet in
> > the distro version.
> I do not understand why the Red Hat tools are used on a Samba server,
> what is wrong with the Samba tools?
> > Hope this helps, but remember any problems with this configuration
> > should be tried without using SSSD in order to know if it is a Samba
> > issue or an SSSD one.
>
> Any sssd problems should be reported to sssd, we do not produce it, so
> we cannot fix it ;-)
>
> Rowland
> 
> 
> 

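The "idmap config MYDOMAIN : backend = rid" lines quoted above are the crux of Robert's "make SSSD and winbind users match" advice, and of Rowland's objection that matching is unnecessary on a domain member. The following is an added example, written for this page and not code from Samba, SSSD or either poster: it parses an smb.conf fragment, computes the Unix ID that winbind's rid backend would hand out for a given SID (idmap_rid(8) documents it as ID = RID + LOW_RANGE_ID, rejected if it leaves the range), and compares that with IDs observed through another NSS source such as sssd_nss. The domain SID, the account SIDs, the "observed" SSSD IDs and the function names are all constructed assumptions; only the MYDOMAIN range is taken from the thread.

```python
"""
Added example (not Samba's or SSSD's code): what winbind's
'idmap config <DOM> : backend = rid' does with a SID, so that IDs
coming from another NSS source on the same host can be checked
against it.  idmap_rid(8): ID = RID + LOW_RANGE_ID, and lookups
fail when the result falls outside the configured range.
"""
import re

# Constructed domain SID for this example only.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed smb.conf fragment; the MYDOMAIN range is the one from the thread.
SMB_CONF_FRAGMENT = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOMAIN : backend = rid
   idmap config MYDOMAIN : range = 278000000-278999999
"""

# Matches lines such as "idmap config MYDOMAIN : range = 278000000-278999999".
_IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)


def parse_idmap_config(text):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for line in text.splitlines():
        m = _IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return cfg


def rid_of(sid, domain_sid=DOMAIN_SID):
    """Extract the RID (last sub-authority) from a SID of the expected domain."""
    if not sid.startswith(domain_sid + "-"):
        raise ValueError("SID %s is not from domain %s" % (sid, domain_sid))
    return int(sid.rsplit("-", 1)[1])


def rid_backend_id(sid, domain, cfg, domain_sid=DOMAIN_SID):
    """Unix ID the rid backend would return for sid, or None if it cannot map it."""
    entry = cfg.get(domain)
    if not entry or entry.get("backend") != "rid" or "range" not in entry:
        return None
    low, high = entry["range"]
    unix_id = low + rid_of(sid, domain_sid)
    # Outside the range the backend refuses the mapping rather than wrapping.
    return unix_id if low <= unix_id <= high else None


def check_against_sssd(observed_ids, domain, cfg):
    """Compare IDs observed via another NSS source (e.g. getent through sssd_nss)
    with what winbind's rid backend computes.  Returns (sid, observed, winbind)
    for every account where the two disagree."""
    mismatches = []
    for sid, observed in observed_ids.items():
        winbind_id = rid_backend_id(sid, domain, cfg)
        if winbind_id != observed:
            mismatches.append((sid, observed, winbind_id))
    return mismatches


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF_FRAGMENT)
    # Constructed "observed" IDs: the first agrees with the rid backend, the
    # second is what a differently configured ID-mapping scheme might produce.
    observed = {
        DOMAIN_SID + "-1105": 278001105,
        DOMAIN_SID + "-1106": 1410401106,
    }
    for sid, seen, wb in check_against_sssd(observed, "MYDOMAIN", cfg):
        print("mismatch: %s observed=%s winbind=%s" % (sid, seen, wb))
```

The point the check makes concrete: with the rid backend the Unix ID is a pure function of the RID and the low end of the range, so two hosts (or two NSS sources on one host) only agree if they use the same algorithm and the same range; anything that maps by a different rule, or a RID beyond the range width, shows up as a mismatch rather than a silently different owner on the filesystem.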