[Samba] Authentication with trusted credentials

Rowland penny rpenny at samba.org
Thu Jul 16 15:30:08 UTC 2020

On 16/07/2020 16:11, L.P.H. van Belle via samba wrote:
> First of all, why does the DOMAIN contains/shows a dot in it.
> ( i think its a wrong setting in sssd, but i dont know sssd )
> I know this is one of your REALMs and not the domain.
> Now your lines :
> Works Yes: Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=SVITLA5.ROOM\test01
> Works Not: Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from port 62970
> And i noticed this :
> OK:    sshd[2048]: pam_sss(sshd:auth)
> Wrong: sshd[2157]: pam_unix(sshd:auth)
>      ## Mapped ids from the domain SAMDOM and (*) the range may not overlap !
>      idmap config ${VAR_SMB_WORKGROUP} : backend = ad
>      idmap config ${VAR_SMB_WORKGROUP} : schema_mode = rfc2307
>      idmap config ${VAR_SMB_WORKGROUP} : range = 10000-3999999

There is a big problem with all that, the only way to use sssd with 
Samba >= 4.8.0 is to use:

   idmap config ${VAR_SMB_WORKGROUP} : backend = sss

and not run winbind, you also do not get to use shares, it is 
authentication only. It also will not work correctly on a Samba AD DC, 
because you cannot change the backend and you cannot stop winbind from 
running. I would advise dumping sssd if the OP is using it.


More information about the samba mailing list