SSSD and Samba

Issues related to applications and software problems
douglaslwm
Posts: 1
Joined: 2017/05/10 20:32:55

SSSD and Samba

Post by douglaslwm » 2017/05/10 21:03:59

Greetings

I am struggling to get Samba to authenticate against AD.
I have tried the config above, but without success.
My host is already on AD and authenticating, and is configured exactly as many others.
It is only Samba that I cannot get authenticating against AD.
I set my smb.conf up as above.
My sssd.conf and krb.conf are as shown below.
What could I be doing wrong/how can I debug this?

I have the book "Implementing Samba 4", but it doesn't go into these types of nuts and bolts.
I have the O'Reilly "Using Samba", and it goes into great detail, but it was last updated in 2007 and, as far as I can tell, is one or more gyrations out of date. It talks about Winbind and OpenLDAP, and as far as I can tell that is old-school; in RHEL land it has been replaced by SSSD, is that right? I mean, I have sssd in my nsswitch.conf, but I would want to have winbind in there if I was using winbind, is that correct? So because I'm doing SSSD I do -not- want to run winbind, correct? But still I have not had success getting Samba to authenticate against my AD DC. All I can get is

session setup failed: NT_STATUS_LOGON_FAILURE

and

[2017/05/10 14:03:03.550796, 1] ../source3/param/loadparm.c:2377(lp_idmap_range)
idmap range not specified for domain '*'


The instructions above say to run "net ads join" even though a "realm join" has already been done, at least in my case. Do I still want to do the net ads join? Here is what "realm list" showed before I ran "net ads join":

[root@dwsftp10 etc]# realm list
westmarine.net
type: kerberos
realm-name: WESTMARINE.NET
domain-name: westmarine.net
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins

Then I ran "net join" as per kvashishta in the thread above. Now when I run "realm list" I get:
[root@dwsftp10 samba]# realm list
westmarine.net
type: kerberos
realm-name: WESTMARINE.NET
domain-name: westmarine.net
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: oddjob-mkhomedir
required-package: oddjob
required-package: samba-winbind-clients
required-package: samba-winbind
required-package: samba-common-tools
login-formats: WESTMARINE\%U
login-policy: allow-any-login
westmarine.net
type: kerberos
realm-name: WESTMARINE.NET
domain-name: westmarine.net
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins


...I am now in there twice! The first listing for WESTMARINE.NET now shows winbind all over it. Why? That's not what I want, right? Also, now it takes forever to SSH into this machine; it's like it goes away for a while while trying to authenticate.


Help! :-)
Thanks very much in advance!!


-----------------------------------------------------------------------------
/etc/krb5.conf:
[root@dwsftp10 etc]# cat krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = WESTMARINE.NET
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
WESTMARINE.NET = {
kdc = 10.7.34.177
master_kdc = 10.7.34.177
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
admin_server = 10.7.34.177
default_domain = westmarine.net
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.westmarine.net = WESTMARINE.NET
westmarine.net = WESTMARINE.NET

[dbmodules]
WESTMARINE.NET = {
db_library = ipadb.so
}
----------------------------------------------------------------------------
[root@dwsftp10 etc]# cat sssd/sssd.conf
[sssd]
config_file_version = 2
domains = westmarine.net
services = nss, pam


[domain/westmarine.net]
ad_domain = westmarine.net
krb5_realm = WESTMARINE.NET
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
# OVERRIDES
auth_provider = ad
chpass_provider = ad
access_provider = ad

# defines user/group schema type
ldap_schema = ad

#
ldap_id_mapping = true
use_fully_qualified_names = False

override_shell = /bin/bash
fallback_homedir = /home/%u

# caching credentials
cache_credentials = true

# access controls
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

# performance
ldap_referrals = false
--------------------------------------------------------------

[root@dwsftp10 samba]# cat smb.conf

[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
# server string is the equivalent of the NT Description field
# netbios name can be used to specify a server name not tied to the hostname

workgroup = WESTMARINE
realm = WESTMARINE.NET
netbios name = dwsftp10
password server = *
#password server = pwsdc03.westmarine.net
server string = Samba Server Version %v
security = ads

#kerberos method = secrets and keytab
#kerberos method = dedicated keytab
#dedicated keytab file = /etc/krb5.keytab

#encrypt passwords = yes

#idmap uid = 10000-20000
#idmap gid = 10000-20000

# max 50KB per log file, then rotate
max log size = 50000
log file = /var/log/samba/%m.log
log level = 3

#password backend = tdbsam

#idmap config WESTMARINE.NET: backend = rid
#idmap config WESTMARINE.NET: range = 10000-20000

#wins server = pwsdc03.westmarine.net

idmap config *: backend = tdb

local master = no
domain master = no
preferred master = no

wins support = no
wins proxy = no
dns proxy = yes
name resolve order = wins bcast host lmhosts

#client signing = yes
#client use spnego = yes

load printers = no
printcap name = /dev/null
disable spoolss = yes


#winbind use default domain = yes

[Moderator: split from original topic viewtopic.php?f=48&t=52872 which is too old]
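Added example (not from either post): a small Python linter for the three client configs quoted in the post above. It reproduces two things smbd and the Kerberos library would complain about, and one thing neither of them reports. First, with `security = ads`, an `idmap config * : backend = tdb` line without a matching `idmap config * : range` is exactly what produces the `idmap range not specified for domain '*'` message in the post, and a domain with no `idmap config <WORKGROUP>` entry of its own falls back to that `*` allocator, whose IDs are handed out per host (note that the idmap domain name is the NetBIOS name from `workgroup`, WESTMARINE, not the DNS realm WESTMARINE.NET used in the commented-out line). Second, the posted krb5.conf pins `default_tgs_enctypes` and `default_tkt_enctypes` to RC4 and single DES; a stock MIT client with `allow_weak_crypto = false` (the default) drops the DES entries, so the list effectively forces RC4 and rules out AES. Third, the posted sssd.conf sets `use_fully_qualified_names` and `fallback_homedir` twice with different values, so the file does not say which behaviour is intended; the checker reports such conflicts instead of guessing which value the parser keeps. The sample inputs are constructed excerpts of the posted files.

```python
"""Static checks for the smb.conf / sssd.conf / krb5.conf quoted above.
Added example; not code from the original post."""
import re

# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "rc4-hmac",
}
ENCTYPE_PARAMS = ("default_tgs_enctypes", "default_tkt_enctypes",
                  "permitted_enctypes")


def _norm_key(key):
    """Samba ignores case and whitespace in parameter names, so
    'idmap config * : range' and 'idmap config *:range' are one key."""
    key = " ".join(key.lower().split())
    return re.sub(r"\s*:\s*", ":", key)


def parse_conf(text):
    """Parse INI-style text into {section: [(key, value), ...]}.
    Duplicate keys are kept in file order so they can be reported."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((_norm_key(key), value.strip()))
    return sections


def conflicting_duplicates(text):
    """(section, key, earlier, later) for keys set twice with different
    values; which one wins is parser-dependent, so the file is ambiguous."""
    out = []
    for sec, items in parse_conf(text).items():
        seen = {}
        for key, value in items:
            if key in seen and seen[key].lower() != value.lower():
                out.append((sec, key, seen[key], value))
            seen[key] = value
    return out


def check_smb_idmap(text):
    """The idmap checks that matter for a 'security = ads' domain member."""
    g = {}
    for key, value in parse_conf(text).get("global", []):
        g[key] = value  # Samba itself applies last-one-wins here
    findings = []
    if g.get("security", "").lower() != "ads":
        return findings
    if "idmap config *:backend" in g and "idmap config *:range" not in g:
        findings.append("idmap config * : range missing "
                        "(smbd: idmap range not specified for domain '*')")
    wg = g.get("workgroup", "").lower()
    if wg and f"idmap config {wg}:backend" not in g:
        findings.append(f"no idmap config for {wg.upper()}: its SIDs are "
                        "allocated from the '*' tdb, which differs per host")
    return findings


def weak_enctypes(krb5_text):
    """(parameter, enctype) for every weak enctype pinned in krb5.conf."""
    hits = []
    for raw in krb5_text.splitlines():
        m = re.match(r"(\w+)\s*=\s*(.+)$", raw.split("#", 1)[0].strip())
        if m and m.group(1) in ENCTYPE_PARAMS:
            hits.extend((m.group(1), e) for e in m.group(2).split()
                        if e.lower() in WEAK_ENCTYPES)
    return hits


# Constructed excerpts of the three files in the post above.
SMB_CONF = """
[global]
workgroup = WESTMARINE
realm = WESTMARINE.NET
security = ads
idmap config *: backend = tdb
#idmap config WESTMARINE.NET: backend = rid
"""
SSSD_CONF = """
[domain/westmarine.net]
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
access_provider = ad
use_fully_qualified_names = False
fallback_homedir = /home/%u
"""
KRB5_CONF = """
[realms]
WESTMARINE.NET = {
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
}
"""

if __name__ == "__main__":
    for f in check_smb_idmap(SMB_CONF):
        print("smb.conf:", f)
    for sec, key, old, new in conflicting_duplicates(SSSD_CONF):
        print(f"sssd.conf [{sec}] {key}: {old!r} then {new!r}")
    for param, et in weak_enctypes(KRB5_CONF):
        print(f"krb5.conf {param}: weak enctype {et}")
```

The same-value repeat of `access_provider` is deliberately not reported; only conflicting repeats are. Appending `idmap config * : range = 10000-49999` and `idmap config WESTMARINE : backend = rid` to the sample clears both smb.conf findings, which is the shape of the fix the second post ends up with.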

guyboisvert
Posts: 3
Joined: 2015/06/11 14:29:46
Location: Chateauguay, Qc, CANADA

Re: SSSD and Samba

Post by guyboisvert » 2017/09/08 20:13:11

Did you manage to fix it?

I had working servers using SSSD / Samba and suddenly none of them could authenticate AD members... I saw your post while Googling around.

I finally debugged it and now it's working as before.

Essentially, I found the solution almost by accident! I had 2 servers that were almost identical: CentOS 7 with Samba / SSSD.

The 1st server wouldn't allow AD users to access its shares.
The 2nd server was OK.

Originally, I followed a guide like this one:

https://outsideit.net/realmd-sssd-ad-authentication/

Versions:

server1# uname -a
Linux server1.ntdomain.com 3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4 15:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

server1# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

server1# rpm -qa |grep sssd
sssd-ad-1.14.0-43.el7_3.18.x86_64
python-sssdconfig-1.14.0-43.el7_3.18.noarch
sssd-krb5-common-1.14.0-43.el7_3.18.x86_64
sssd-common-pac-1.14.0-43.el7_3.18.x86_64
sssd-common-1.14.0-43.el7_3.18.x86_64
sssd-1.14.0-43.el7_3.18.x86_64
sssd-client-1.14.0-43.el7_3.18.x86_64
sssd-ldap-1.14.0-43.el7_3.18.x86_64
sssd-krb5-1.14.0-43.el7_3.18.x86_64
sssd-ipa-1.14.0-43.el7_3.18.x86_64
sssd-proxy-1.14.0-43.el7_3.18.x86_64

server1# rpm -qa |grep samba
samba-libs-4.4.4-14.el7_3.x86_64
samba-common-libs-4.4.4-14.el7_3.x86_64
samba-client-4.4.4-14.el7_3.x86_64
samba-common-4.4.4-14.el7_3.noarch
samba-4.4.4-14.el7_3.x86_64
samba-common-tools-4.4.4-14.el7_3.x86_64
samba-client-libs-4.4.4-14.el7_3.x86_64


I checked the failing server:

1) id administrator (look up the AD administrator account) returned:
server1# id administrator
uid=684800500(administrator@ntdomain.com) gid=684800513(domain users@ntdomain.com) groups=684800513(domain users@ntdomain.com),684800520(group policy creator owners@ntdomain.com),684803109(organization management@ntdomain.com),684800519(enterprise admins@ntdomain.com),684800512(domain admins@ntdomain.com),684800518(schema admins@ntdomain.com),684801119(it@ntdomain.com),684800572(groupe de réplication dont le mot de passe rodc est refusé@ntdomain.com),684803131(certsvc_dcom_access@ntdomain.com)
2) ssh administrator@ntdomain.com@server1 (server1 is the non-working CentOS 7.3 server) worked.

3) Put in /var/samba/smb.conf:

       log file = /var/log/samba/log.%m
        # maximum size of 50KB per log file, then rotate:
        max log size = 50
        log level =3
4) Checking realm:
server1# realm list
ntdomain.com
type: kerberos
realm-name: NTDOMAIN.COM
domain-name: ntdomain.com
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: oddjob-mkhomedir
required-package: oddjob
required-package: samba-winbind-clients
required-package: samba-winbind
required-package: samba-common-tools
login-formats: NTDOMAIN#%U
login-policy: allow-any-login
ntdomain.com
type: kerberos
realm-name: NTDOMAIN.COM
domain-name: ntdomain.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@ntdomain.com
login-policy: allow-realm-logins
5) Checking domain info with adcli:
server1# adcli info ntdomain.com
[domain]
domain-name = ntdomain.com
domain-short = NTDOMAIN
domain-forest = ntdomain.com
domain-controller = DC1.ntdomain.com
domain-controller-site = Default-First-Site-Name
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret ads-web
domain-controller-usable = yes
domain-controllers = DC1.ntdomain.com
[computer]
computer-site = Default-First-Site-Name
DC1 is the name of the 1st Active Directory Domain Controller (we run Winblows 2008R2)


6) Checking domain account "administrator":
server1# getent passwd administrator
administrator@ntdomain.com:*:684800500:684800513:Administrator:/home/administrator@ntdomain.com:/bin/bash
7) Inspecting log.10.0.2.131 (log of the Windows 7 test workstation, named KRYPTON) showed:

[2017/09/08 14:44:18.832829,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [NTDOMAIN]\[administrator]@[KRYPTON] with the new password interface
[2017/09/08 14:44:18.832866,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [SERVER1]\[administrator]@[KRYPTON]
[2017/09/08 14:44:18.832923,  3] ../source3/auth/check_samsec.c:400(check_sam_security)
  check_sam_security: Couldn't find user 'administrator' in passdb.
[2017/09/08 14:44:18.832945,  3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [SERVER1] was for this SAM.
[2017/09/08 14:44:18.832958,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/09/08 14:44:18.832988,  2] ../auth/gensec/spnego.c:719(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2017/09/08 14:44:18.833034,  3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2017/09/08 14:44:18.833465,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

8) My finally valid /var/samba/smb.conf:
NOTE: I added the sections that are mentioned; the non-indented lines are ones I added too.

#======================= Global Settings =====================================
[global]
#       max protocol = SMB2
        socket options = TCP_NODELAY

# ----------------------- Other Options -------------------------
        workgroup = NTDOMAIN
        server string = Samba Server Version %v
        hosts allow = 127. 10.
        idmap config * : backend = tdb
idmap config *:range = 10000-49999
idmap config NTDOMAIN : backend = rid
idmap config NTDOMAIN : range = 10000-49999

winbind separator = #
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no



;       max protocol = SMB2

# --------------------------- Logging Options -----------------------------
#
# log file = specify where log files are written to and how they are split.
#
# max log size = specify the maximum size log files are allowed to reach. Log
# files are rotated when they reach the size specified with "max log size".
#

        # log files split per-machine:
        log file = /var/log/samba/log.%m
        # maximum size of 50KB per log file, then rotate:
        max log size = 50
        log level =3


# ----------------------- Domain Members Options ------------------------
#
# security = must be set to domain or ads.
#
        security = ads
        encrypt passwords = yes
        passdb backend = tdbsam
        realm = NTDOMAIN.COM

map to guest = Bad User
name resolve order = bcast hosts

# ----------------------- Browser Control Options ----------------------------
#
# local master = when set to no, Samba does not become the master browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local browser election at
# start up (and gives itself a slightly higher chance of winning the election).
#
        local master = no
        os level = 33
        preferred master = no
dns proxy = yes


# --------------------------- File System Options ---------------------------
;
; ---> I ADDED ALL LINES BELOW UP TO "Share Definitions" section


add user script = /usr/sbin/useradd "%u" -n -g users
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
delete user script = /usr/sbin/userdel "%u"
delete user from group script = /usr/sbin/userdel "%u" "%g"
delete group script = /usr/sbin/groupdel "%g"

template homedir = /home/data/NTDOMAIN.COM/%U
vfs objects = extd_audit

vfs objects = recycle
        recycle:repository = .deletc/%U
        recycle:keeptree = Yes
        recycle:touch = Yes
        recycle:maxsize  = 0
        recycle:exclude = *.tmp
        recycle:exclude_dir = /tmp
        recycle:noversions = *.doc


#============================ Share Definitions ==============================
[homes]
        comment = Home Directories
        browseable = no
        writable = yes

[data]
	comment = 24TB data share
	path = /home/data
	public = yes
	writable = yes
	guest ok = yes
	valid users = @"domain users@NTDOMAIN", "administrator@NTDOMAIN"

I can't say what part of what I added made it work; I didn't have the time to deepen my understanding of SSSD vs Samba. All I know is that the last updates I installed this week just killed the AD user checking against Samba.

Hope this helps somebody!!!


Guy Boisvert
Senior Network Engineer / Sysadmin
IngTegration inc.
http://www.ingtegration.com
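Added example, not code from the post: a Python triage of the smbd trace quoted in step 7 above. Two things in that trace are worth automating. The client is told NT_STATUS_LOGON_FAILURE (the smb2_server.c line), but the real reason, NT_STATUS_NO_SUCH_USER, appears only in the server-side auth.c line at log level 2, so a client-side error such as the first post's `session setup failed: NT_STATUS_LOGON_FAILURE` cannot be diagnosed without `log level = 2` or higher on the server. And the sequence `unmapped user [NTDOMAIN]\[administrator]`, then `mapped user is: [SERVER1]\[administrator]`, then `Couldn't find user ... in passdb`, then `Not using winbind, requested domain [SERVER1] was for this SAM` shows the AD domain being treated as the server's own local SAM: the local passdb is searched and winbind, the only route to the DC for a `security = ads` member, is never asked. The parser assumes the smbd log layout shown in the post (a `[date time, level] file:line(function)` header followed by indented message lines); the sample is the posted trace, re-joined where the forum wrapped it.

```python
"""Triage of an smbd authentication trace. Added example; not code from
the original post."""
import re

# smbd record header: [YYYY/MM/DD hh:mm:ss.usec, level] file:line(function)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+(\S+)$")
# [DOMAIN]\[user]@[workstation] as printed by check_ntlm_password
USER_REF = r"\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]"
UNMAPPED = re.compile(r"unmapped user " + USER_REF)
MAPPED = re.compile(r"mapped user is: " + USER_REF)
NT_STATUS = re.compile(r"NT_STATUS_[A-Z_]+")


def parse_smbd_log(text):
    """Return [(level, function, message)]; indented lines that follow a
    header are continuation lines of that record's message."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            where = m.group(3)
            func = where[where.rfind("(") + 1:].rstrip(")") if "(" in where else where
            records.append([int(m.group(2)), func, ""])
        elif records and raw.strip():
            records[-1][2] = (records[-1][2] + " " + raw.strip()).strip()
    return [tuple(r) for r in records]


def triage_logon(records):
    """Reconstruct one failed session setup from its auth trace."""
    r = {"requested_domain": None, "mapped_domain": None, "user": None,
         "client": None, "passdb_miss": False, "winbind_consulted": True,
         "auth_status": None, "client_status": None, "diagnosis": ""}
    for _level, func, msg in records:
        m = UNMAPPED.search(msg)
        if m:
            r["requested_domain"], r["user"], r["client"] = m.groups()
        m = MAPPED.search(msg)
        if m:
            r["mapped_domain"] = m.group(1)
        if func == "check_sam_security" and "Couldn't find user" in msg:
            r["passdb_miss"] = True
        if func == "check_winbind_security" and "Not using winbind" in msg:
            r["winbind_consulted"] = False
        if func == "auth_check_ntlm_password" and "FAILED" in msg:
            r["auth_status"] = NT_STATUS.search(msg).group(0)
        if func == "smbd_smb2_request_error_ex":
            m = re.search(r"status\[(NT_STATUS_[A-Z_]+)\]", msg)
            if m:
                r["client_status"] = m.group(1)  # what the client sees
    # Tell-tale pattern: the client's domain was rewritten to the server's
    # own name, the user was looked up in the local passdb, and winbind
    # (the only route to the DC for an ADS member) was never consulted.
    if (r["requested_domain"] and r["mapped_domain"]
            and r["requested_domain"] != r["mapped_domain"]
            and r["passdb_miss"] and not r["winbind_consulted"]):
        r["diagnosis"] = (f"domain {r['requested_domain']} handled as local "
                          f"SAM {r['mapped_domain']}; AD lookups are not "
                          "going through winbind")
    return r


# The trace posted in step 7 above, re-joined where the forum wrapped it.
SAMPLE_LOG = r"""
[2017/09/08 14:44:18.832829,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [NTDOMAIN]\[administrator]@[KRYPTON] with the new password interface
[2017/09/08 14:44:18.832866,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [SERVER1]\[administrator]@[KRYPTON]
[2017/09/08 14:44:18.832923,  3] ../source3/auth/check_samsec.c:400(check_sam_security)
  check_sam_security: Couldn't find user 'administrator' in passdb.
[2017/09/08 14:44:18.832945,  3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [SERVER1] was for this SAM.
[2017/09/08 14:44:18.832958,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/09/08 14:44:18.832988,  2] ../auth/gensec/spnego.c:719(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2017/09/08 14:44:18.833034,  3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2017/09/08 14:44:18.833465,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
"""

if __name__ == "__main__":
    for key, value in triage_logon(parse_smbd_log(SAMPLE_LOG)).items():
        print(f"{key:>17}: {value}")
```

Run against `/var/log/samba/log.<client>` the script prints the server-side status beside the client-visible one, so the gap between NT_STATUS_NO_SUCH_USER and NT_STATUS_LOGON_FAILURE is explicit, and the diagnosis line fires only when all three symptoms (domain rewritten, passdb miss, winbind skipped) occur in the same trace.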
