[Samba] Authentication with trusted credentials
Rowland penny
rpenny at samba.org
Thu Jul 16 15:30:08 UTC 2020
On 16/07/2020 16:11, L.P.H. van Belle via samba wrote:
> First of all, why does the DOMAIN contain/show a dot in it?
> (I think it's a wrong setting in sssd, but I don't know sssd.)
> I know this is one of your REALMs and not the domain.
>
>
> Now your lines:
> Works Yes: Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\test01
> Works Not: Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from 10.0.0.1 port 62970
> And I noticed this:
> OK: sshd[2048]: pam_sss(sshd:auth)
> Wrong: sshd[2157]: pam_unix(sshd:auth)
>
>
> ## Mapped ids from the domain SAMDOM and (*) the range may not overlap !
> idmap config ${VAR_SMB_WORKGROUP} : backend = ad
> idmap config ${VAR_SMB_WORKGROUP} : schema_mode = rfc2307
> idmap config ${VAR_SMB_WORKGROUP} : range = 10000-3999999
There is a big problem with all that: the only way to use sssd with
Samba >= 4.8.0 is to use:
idmap config ${VAR_SMB_WORKGROUP} : backend = sss
and not run winbind. You also do not get to use shares; it is
authentication only. It also will not work correctly on a Samba AD DC,
because you cannot change the backend and you cannot stop winbind from
running. I would advise dumping sssd if the OP is using it.
Rowland
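As an added example (not from the thread or from Samba/sssd), a small Python log triage script that applies the pam_sss-versus-pam_unix check pointed out above: it groups sshd auth lines by pid, splits the DOMAIN\user name, and flags domain-qualified logins that never reached pam_sss. The sample lines are constructed from the ones quoted in the thread; the third pam_unix line is an assumed companion message.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the lines quoted in the thread (hosts/names not real).
SAMPLE_LOG = """\
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\\test01
Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\\\jake from 10.0.0.1 port 62970
Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: pam_unix(sshd:auth): check pass; user unknown
"""

PAM_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\((?P<svc>[^:)]+):(?P<kind>\w+)\): (?P<msg>.*)")
INVALID_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) from (?P<rhost>\S+)")
USER_RE = re.compile(r"\buser=(?P<user>\S+)")  # \b keeps this from matching 'ruser='

def split_domain(user):
    """Split 'DOMAIN\\user' (sshd may double the backslash) into (domain, user)."""
    parts = re.split(r"\\+", user, maxsplit=1)
    return (parts[0], parts[1]) if len(parts) == 2 else (None, user)

def analyse(log_text):
    """Group sshd auth lines by pid and report which PAM module handled each login.
    A domain-qualified name that is rejected as invalid or only ever reaches pam_unix
    means the name service (sssd/winbind) did not resolve it."""
    sessions = defaultdict(lambda: {"modules": set(), "user": None, "domain": None, "invalid": False})
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if m:
            s = sessions[m["pid"]]
            s["modules"].add(m["module"])
            u = USER_RE.search(m["msg"])
            if u:
                s["domain"], s["user"] = split_domain(u["user"])
            continue
        m = INVALID_RE.search(line)
        if m:
            s = sessions[m["pid"]]
            s["invalid"] = True
            s["domain"], s["user"] = split_domain(m["user"])
    for s in sessions.values():
        if "pam_sss" in s["modules"] and not s["invalid"]:
            s["verdict"] = "resolved by sssd"
        elif s["domain"] and (s["invalid"] or s["modules"] == {"pam_unix"}):
            s["verdict"] = "domain user not resolved; fell through to pam_unix"
        else:
            s["verdict"] = "local account"
    return dict(sessions)

if __name__ == "__main__":
    for pid, s in analyse(SAMPLE_LOG).items():
        print(pid, s["domain"], s["user"], sorted(s["modules"]), s["verdict"])
```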