[Samba] Samba SSSD authentication via userPrincipalName does not work because samba claims that the username does not exist.

Rowland penny rpenny at samba.org
Wed Oct 14 14:19:59 UTC 2020


On 14/10/2020 15:07, Markus Jansen via samba wrote:
> Am 14.10.20 um 08:31 schrieb Nico Kadel-Garcia via samba:
>> On Tue, Oct 13, 2020 at 10:30 AM Rowland penny via samba
>> <samba at lists.samba.org> wrote:
>>> On 13/10/2020 15:01, Markus Jansen via samba wrote:
>>>> Thank you very much for your hints.
>>>>
>>>> I got rid of SSSD and managed to get a successful kerberos
>>>> authentication via wbinfo -K and the UPN.
>>>>
>>>> But accessing via SMB (using MAC OS' smbutil or Finder) still fails with
>>>> "FAILED with error NT_STATUS_NO_SUCH_USER".
>>>>
>>>> As I'm using CentOS 8, I used authselect to configure winbind
>>>> integration to PAM (do I really need this for SMB?) and enabled
>>>> "with-krb5" and "with-pamaccess" - features to let /etc/pam.d/-files be
>>>> configured automatically.
>>>>
>>>> I'm really confused. What's missing?
>>>>
>>> Probably libpam-krb5 that Red-Hat has removed from RHEL8 and hence
>>> Centos8, I had to compile the Centos7 package and install it before I
>>> could get Centos8 to work correctly.
>>>
>>> BIG NOTE: this is just my opinion.
>>>
>>> I really do not think that red-hat wants you to use Samba with RHEL8, I
>>> think they really want you to use sssd with freeipa instead. They have
>>> removed openldap, smbldap-tools and libpam-krb5 that I am aware of,
>>> there may be others.
> Good hint. I switched to Debian Buster - same issue:
>
> Interestingly, "id tim-upn" (the userPrincipalName) works and refers to
> the sAMAccountName.
>
> "uid=3000(tim-sam) gid=3000(domain users) groups=3000(domain
> users),3001(storage-users),1000001(BUILTIN\users).
>
> "login tim-upn" works, "ssh tim-upn at localhost", too.  Also: "smbclient
> -L //localhost -W ADTEST -U tim-sam%Qwertz12345" works, but "smbclient
> -L //localhost -W ADTEST -U tim-upn%Qwertz12345" doesn't.
>
> Still confused.
>
So am I, '3000' for Domain Users and '1000001' for BUILTIN\users. Might 
help if you post the smb.conf you are using.

Rowland
