Greetings
I am struggling to get Samba to authenticate against AD.
I have tried the config above, but without success.
My host is already on AD and authenticating, and is configured exactly as many others.
It is only Samba that I cannot get authenticating against AD.
I set my smb.conf up as above.
My sssd.conf and krb.conf are as shown below.
What could I be doing wrong/how can I debug this?
I have the book "Implementing Samba 4" , but it doesn't go into these types of nuts and bolts.
I have the O'Reilly "Using Samba", and it goes into great detail, but it's last updated 2007 and as far as I can tell, is one or more gyrations out of date. It is talking about Winbind and OpenLDAP and as far as I can tell that is old-skool, in RHEL land, replaced by SSSD, is that right? I mean, I have sssd in my nsswitch.conf, but would want to have winbind in there if I was using winbind, is that correct? So because I'm doing SSSD I do -not- want to run winbind, correct? But still I have not had success getting Samba to authenticate against my AD DC. All I can get is
session setup failed: NT_STATUS_LOGON_FAILURE
and
[2017/05/10 14:03:03.550796, 1] ../source3/param/loadparm.c:2377(lp_idmap_range)
idmap range not specified for domain '*'
The instructions above say to say "net ads join" even though a "realm join" has already been done, at least, in my case. Do I still want to do the net ads join? Here is what "realm list" showed before I said "net ads join":
[root@dwsftp10 etc]# realm list
westmarine.net
type: kerberos
realm-name: WESTMARINE.NET
domain-name: westmarine.net
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins
Then I said "net join" as per kvashishta, in the thread, above. Now when I say "realm list" I get:
[root@dwsftp10 samba]# realm list
westmarine.net
type: kerberos
realm-name: WESTMARINE.NET
domain-name: westmarine.net
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: oddjob-mkhomedir
required-package: oddjob
required-package: samba-winbind-clients
required-package: samba-winbind
required-package: samba-common-tools
login-formats: WESTMARINE\%U
login-policy: allow-any-login
westmarine.net
type: kerberos
realm-name: WESTMARINE.NET
domain-name: westmarine.net
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins
..I am now in there twice! The first listing for WESTMARINE.NET now shows winbind all over it. Why? That's not what I want, right? Also, now, it takes forever to SSH into this machine - it's like it goes away for a while while trying to authenticate.
Help!
Thanks very much in advance!!
-----------------------------------------------------------------------------
/etc/krb5.conf:
[root@dwsftp10 etc]# cat krb5.conf
# Pulls in the realm/KDC snippets that sssd writes for the joined domain.
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = WESTMARINE.NET
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
WESTMARINE.NET = {
# A single DC is pinned by IP here while dns_lookup_kdc is also on above.
kdc = 10.7.34.177
master_kdc = 10.7.34.177
# NOTE(review): these restrict ticket negotiation to RC4 and single-DES only — no AES.
# Single-DES is broken and disabled by default in current MIT Kerberos, and RC4 is
# deprecated; a 2008R2+ DC supports AES, so dropping these two lines (or listing the
# aes256/aes128 types) is the safer choice. MIT documents them under [libdefaults];
# inside a [realms] stanza they may simply be ignored — confirm with a klist -e.
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
admin_server = 10.7.34.177
default_domain = westmarine.net
# NOTE(review): an /etc/ipa CA path looks like a leftover from a FreeIPA client setup
# rather than the AD join — confirm the file exists or remove the line.
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.westmarine.net = WESTMARINE.NET
westmarine.net = WESTMARINE.NET
# NOTE(review): [dbmodules] is KDC-side (server) configuration; on an AD member it is
# inert, and ipadb.so again points at FreeIPA, not AD — presumably stale, verify.
[dbmodules]
WESTMARINE.NET = {
db_library = ipadb.so
}
----------------------------------------------------------------------------
[root@dwsftp10 etc]# cat sssd/sssd.conf
[sssd]
config_file_version = 2
domains = westmarine.net
services = nss, pam
[domain/westmarine.net]
ad_domain = westmarine.net
krb5_realm = WESTMARINE.NET
# Records which tool realmd used for the join (samba, i.e. net ads join, rather than adcli);
# presumably related to the extra winbind entry now shown by 'realm list' — confirm.
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
# OVERRIDES
# NOTE(review): the block below repeats keys already set above, some with different values:
# use_fully_qualified_names True -> False, fallback_homedir /home/%u@%d -> /home/%u, and
# access_provider / ldap_id_mapping / cache_credentials given twice. Which copy sssd keeps
# depends on its parser, so keep exactly one of each to make the effective config unambiguous.
auth_provider = ad
chpass_provider = ad
access_provider = ad
# defines user/group schema type
ldap_schema = ad
#
ldap_id_mapping = true
use_fully_qualified_names = False
# override_shell forces the shell for every user, which makes default_shell above moot.
override_shell = /bin/bash
fallback_homedir = /home/%u
# caching credentials
cache_credentials = true
# access controls
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
# performance
ldap_referrals = false
--------------------------------------------------------------
[root@dwsftp10 samba]# cat smb.conf
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
# server string is the equivalent of the NT Description field
# netbios name can be used to specify a server name not tied to the hostname
workgroup = WESTMARINE
realm = WESTMARINE.NET
netbios name = dwsftp10
# '*' lets Samba locate DCs itself; pinning a specific DC is left commented below.
password server = *
#password server = pwsdc03.westmarine.net
server string = Samba Server Version %v
security = ads
# NOTE(review): with sssd maintaining /etc/krb5.keytab, 'kerberos method = secrets and keytab'
# is the usual companion of security = ads — presumably why it was tried; worth re-enabling
# and confirming in the log.
#kerberos method = secrets and keytab
#kerberos method = dedicated keytab
#dedicated keytab file = /etc/krb5.keytab
#encrypt passwords = yes
#idmap uid = 10000-20000
#idmap gid = 10000-20000
# max 50KB per log file, then rotate
# NOTE(review): 'max log size' is in KB, so 50000 is ~50 MB, not the 50 KB the comment says.
max log size = 50000
log file = /var/log/samba/%m.log
log level = 3
# (the parameter is spelled 'passdb backend'; harmless while commented out)
#password backend = tdbsam
#idmap config WESTMARINE.NET: backend = rid
#idmap config WESTMARINE.NET: range = 10000-20000
#wins server = pwsdc03.westmarine.net
# NOTE(review): the default domain has a backend but no range — this is exactly what
# "idmap range not specified for domain '*'" in the log refers to. A companion line such as
#   idmap config * : range = 10000-20000   (constructed; must not overlap any per-domain range)
# is required for this backend to be usable.
idmap config *: backend = tdb
local master = no
domain master = no
preferred master = no
wins support = no
wins proxy = no
dns proxy = yes
# WINS is consulted first although 'wins support = no' and no 'wins server' is set (commented
# above); each lookup presumably waits on WINS before falling through to 'host' — putting
# host first avoids that.
name resolve order = wins bcast host lmhosts
#client signing = yes
#client use spnego = yes
load printers = no
printcap name = /dev/null
disable spoolss = yes
#winbind use default domain = yes
[Moderator: split from original topic viewtopic.php?f=48&t=52872 which is too old]
SSSD and Samba
Re: SSSD and Samba
Did you manage to fix it?
I had working servers using SSSD / Samba and suddenly all couldn't authenticate AD members... I saw your post Googling around.
I finally debugged it and now it's working as before.
Essentially, I found the solution almost by accident! I had 2 servers that were almost identical: CentOS 7 with Samba / SSSD.
1st server wouldn't allow AD users to access its shares.
2nd server was ok.
Originally, I followed a guide like this one:
https://outsideit.net/realmd-sssd-ad-authentication/
Versions:
I check the faulting server:
1) id administrator (lookup AD administrator account) returned:
3) put in /var/samba/smb.conf
4) Checking realm:
6) Checking domain account "administrator":
8) my finally valid /var/samba/smb.conf:
NOTE: Added sections that are mentioned, added the non-indented lines too
I can't say what part of what I added made it work; I didn't have the time to deepen my understanding of SSSD vs SAMBA. All I know is that the last updates I installed this week just killed the AD user checking vs SAMBA.
Hope this helps somebody!!!
Guy Boisvert
Senior Network Engineer / Sysadmin
IngTegration inc.
http://www.ingtegration.com
I had working servers using SSSD / Samba and suddenly all couldn't authenticate AD members... I saw your post Googling around.
I finally debugged it and now it's working as before.
Essentially, I found the solution almost by accident! I had 2 servers that were almost identical: CentOS 7 with Samba / SSSD.
1st server wouldn't allow AD users to access its shares.
2nd server was ok.
Originally, I followed a guide like this one:
https://outsideit.net/realmd-sssd-ad-authentication/
Versions:
server1# uname -a
Linux server1.ntdomain.com 3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4 15:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
server1# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
server1# rpm -qa |grep sssd
sssd-ad-1.14.0-43.el7_3.18.x86_64
python-sssdconfig-1.14.0-43.el7_3.18.noarch
sssd-krb5-common-1.14.0-43.el7_3.18.x86_64
sssd-common-pac-1.14.0-43.el7_3.18.x86_64
sssd-common-1.14.0-43.el7_3.18.x86_64
sssd-1.14.0-43.el7_3.18.x86_64
sssd-client-1.14.0-43.el7_3.18.x86_64
sssd-ldap-1.14.0-43.el7_3.18.x86_64
sssd-krb5-1.14.0-43.el7_3.18.x86_64
sssd-ipa-1.14.0-43.el7_3.18.x86_64
sssd-proxy-1.14.0-43.el7_3.18.x86_64
server1# rpm -qa |grep samba
samba-libs-4.4.4-14.el7_3.x86_64
samba-common-libs-4.4.4-14.el7_3.x86_64
samba-client-4.4.4-14.el7_3.x86_64
samba-common-4.4.4-14.el7_3.noarch
samba-4.4.4-14.el7_3.x86_64
samba-common-tools-4.4.4-14.el7_3.x86_64
samba-client-libs-4.4.4-14.el7_3.x86_64
I check the faulting server:
1) id administrator (lookup AD administrator account) returned:
2) ssh administrator@ntdomain.com@server1 (server1 is the non-working CentOS 7.3 server) worked.
server1# id administrator
uid=684800500(administrator@ntdomain.com) gid=684800513(domain users@ntdomain.com) groups=684800513(domain users@ntdomain.com),684800520(group policy creator owners@ntdomain.com),684803109(organization management@ntdomain.com),684800519(enterprise admins@ntdomain.com),684800512(domain admins@ntdomain.com),684800518(schema admins@ntdomain.com),684801119(it@ntdomain.com),684800572(groupe de réplication dont le mot de passe rodc est refusé@ntdomain.com),684803131(certsvc_dcom_access@ntdomain.com)
3) put in /var/samba/smb.conf
# One log per client: %m expands to the client's name (the thread shows log.10.0.2.131).
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50
# Level 3 is what produced the auth.c / check_sam_security trace quoted later in the thread.
log level =3
5) Checking domain info with adcli:
server1# realm list
ntdomain.com
type: kerberos
realm-name: NTDOMAIN.COM
domain-name: ntdomain.com
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: oddjob-mkhomedir
required-package: oddjob
required-package: samba-winbind-clients
required-package: samba-winbind
required-package: samba-common-tools
login-formats: NTDOMAIN#%U
login-policy: allow-any-login
ntdomain.com
type: kerberos
realm-name: NTDOMAIN.COM
domain-name: ntdomain.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@ntdomain.com
login-policy: allow-realm-logins
DC1 is the name of the 1st Active Directory Domain Controller (we run Winblows 2008R2)
server1# adcli info ntdomain.com
[domain]
domain-name = ntdomain.com
domain-short = NTDOMAIN
domain-forest = ntdomain.com
domain-controller = DC1.ntdomain.com
domain-controller-site = Default-First-Site-Name
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret ads-web
domain-controller-usable = yes
domain-controllers = DC1.ntdomain.com
[computer]
computer-site = Default-First-Site-Name
6) Checking domain account "administrator":
7) Inspecting log.10.0.2.131 (log of the Windows 7 test workstation, named KRYPTON) showed:
server1# getent passwd administrator
administrator@ntdomain.com:*:684800500:684800513:Administrator:/home/administrator@ntdomain.com:/bin/bash
[2017/09/08 14:44:18.832829, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [NTDOMAIN]\[administrator]@[KRYPTON] with the new passwo
rd interface
[2017/09/08 14:44:18.832866, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [SERVER1]\[administrator]@[KRYPTON]
[2017/09/08 14:44:18.832923, 3] ../source3/auth/check_samsec.c:400(check_sam_security)
check_sam_security: Couldn't find user 'administrator' in passdb.
[2017/09/08 14:44:18.832945, 3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
check_winbind_security: Not using winbind, requested domain [SERVER1] was for this SAM.
[2017/09/08 14:44:18.832958, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/09/08 14:44:18.832988, 2] ../auth/gensec/spnego.c:719(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2017/09/08 14:44:18.833034, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2017/09/08 14:44:18.833465, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
8) my finally valid /var/samba/smb.conf:
NOTE: Added sections that are mentioned, added the non-indented lines too
#======================= Global Settings =====================================
[global]
# max protocol = SMB2
socket options = TCP_NODELAY
# ----------------------- Other Options -------------------------
workgroup = NTDOMAIN
server string = Samba Server Version %v
# Only loopback and 10/8 may connect; this is the only network-level restriction in the file.
hosts allow = 127. 10.
# NOTE(review): the '*' (default) and NTDOMAIN idmap ranges are identical. Samba requires the
# ranges of different idmap domains not to overlap; give '*' its own range (e.g. a constructed
# 3000-7999) and keep NTDOMAIN on 10000-49999 — check the winbind log for range complaints.
idmap config * : backend = tdb
idmap config *:range = 10000-49999
idmap config NTDOMAIN : backend = rid
idmap config NTDOMAIN : range = 10000-49999
winbind separator = #
# Enumeration walks the whole domain on every getent passwd/group; rarely needed and slow on
# large domains.
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
; max protocol = SMB2
# --------------------------- Logging Options -----------------------------
#
# log file = specify where log files are written to and how they are split.
#
# max log size = specify the maximum size log files are allowed to reach. Log
# files are rotated when they reach the size specified with "max log size".
#
# log files split per-machine:
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50
log level =3
# ----------------------- Domain Members Options ------------------------
#
# security = must be set to domain or ads.
#
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = NTDOMAIN.COM
# Unknown users are mapped to guest instead of being rejected; see the [data] share below
# before keeping this.
map to guest = Bad User
# NOTE(review): the documented token is 'host' (the other smb.conf in this thread uses it);
# 'hosts' is likely not recognised, leaving broadcast as the only resolver — check the log
# for an unknown name-switch warning.
name resolve order = bcast hosts
# ----------------------- Browser Control Options ----------------------------
#
# local master = when set to no, Samba does not become the master browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local browser election at
# start up (and gives itself a slightly higher chance of winning the election).
#
local master = no
os level = 33
preferred master = no
dns proxy = yes
# --------------------------- File System Options ---------------------------
;
; ---> I ADDED ALL LINES BELOW UP TO "Share Definitions" section
# NOTE(review): these scripts are run as root by smbd and are only consulted when Samba itself
# has to create or remove local accounts; with security = ads and sssd/winbind supplying users
# they are presumably never invoked — confirm before relying on them. Also, userdel(8) takes a
# single login name, so 'userdel "%u" "%g"' would not remove a user from a group as the
# parameter name suggests.
add user script = /usr/sbin/useradd "%u" -n -g users
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
delete user script = /usr/sbin/userdel "%u"
delete user from group script = /usr/sbin/userdel "%u" "%g"
delete group script = /usr/sbin/groupdel "%g"
# 'template homedir' is a winbind setting; it only matters if winbind, not sssd, is the NSS
# source for these users — confirm which one nsswitch.conf uses.
template homedir = /home/data/NTDOMAIN.COM/%U
# NOTE(review): a parameter given twice keeps the last value, so only 'recycle' is loaded and
# extd_audit never takes effect. To stack both modules: vfs objects = extd_audit recycle
vfs objects = extd_audit
vfs objects = recycle
recycle:repository = .deletc/%U
recycle:keeptree = Yes
recycle:touch = Yes
recycle:maxsize = 0
recycle:exclude = *.tmp
recycle:exclude_dir = /tmp
recycle:noversions = *.doc
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
[data]
comment = 24TB data share
# NOTE(review): 'public' is a synonym of 'guest ok', so guest access is enabled twice here.
# Combined with 'map to guest = Bad User' above, a failed logon becomes a guest session; whether
# 'valid users' then denies it depends on the guest account not matching that list — verify,
# and drop both guest lines if anonymous access to a 24TB share is not intended.
public = yes
writable = yes
guest ok = yes
# These names must match what the name service returns; the id/getent output earlier in the
# thread shows 'domain users@ntdomain.com', not '@NTDOMAIN' — confirm this spelling resolves.
valid users = @"domain users@NTDOMAIN", "administrator@NTDOMAIN"
Hope this helps somebody!!!
Guy Boisvert
Senior Network Engineer / Sysadmin
IngTegration inc.
http://www.ingtegration.com