----- Forwarded message from Alexander Fieroch alexander.fieroch@mpi-dortmund.mpg.de -----
Date: Mon, 20 May 2019 15:52:30 +0200
From: Alexander Fieroch alexander.fieroch@mpi-dortmund.mpg.de
To: sssd-users-owner@lists.fedorahosted.org
Subject: SSSD + samba shares
Hi,
I'm using SSSD for my AD integration and samba shares. Since my last upgrade (ubuntu 18.10 -> 19.04) to samba 4.10.0 and sssd 1.16.3 samba shares are not working anymore and I got the error message in /var/log/samba/log.smbd:
[2019/05/20 12:09:23.022488, 0] ../../source3/auth/auth_util.c:1386(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_NO_MEMORY
[2019/05/20 12:09:23.022542, 0] ../../source3/smbd/server.c:2041(main)
  ERROR: failed to setup guest info.
Newer samba versions require a running winbindd but I use SSSD instead of winbindd which was working before. The samba team says SSSD is not supported by samba and I should use winbindd. But I want to stay with SSSD. So what is the recommended SSSD and samba configuration to get samba shares working while using SSSD? Or is it not possible anymore to use only SSSD with samba shares without winbind?
Thanks! Best regards
/etc/samba/smb.conf:

[global]
   disable netbios = Yes
   dns proxy = No
   domain master = No
   kerberos method = system keytab
   local master = No
   log file = /var/log/samba/log.%m
   map to guest = Bad User
   max log size = 1000
   obey pam restrictions = Yes
   pam password change = Yes
   panic action = /usr/share/samba/panic-action %d
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   passwd program = /usr/bin/passwd %u
   realm = DOMAIN
   security = ADS
   server role = member server
   server string = %h %a
   syslog = 0
   unix password sync = Yes
   usershare allow guests = Yes
   workgroup = DOMAIN
----- End forwarded message -----
On Mon, May 20, 2019 at 04:37:34PM +0200, Sumit Bose wrote:
Hi,
the recommendation is to use both.
Recent versions of Samba require winbind to run on domain members. The reason is that legacy code was removed from the smbd process which older versions used as a fallback to communicate with an AD DC. Now smbd needs winbind to be able to communicate with AD.
But you still can use SSSD for all other system services, winbind will be used exclusively by smbd.
The following changes are needed (I'm sorry but I'm not too familiar with the SSSD packages in Ubuntu, so I hope I'm right about the package names).
First, I assume you have the libwbclient-sssd package installed to redirect requests for winbind to SSSD. Please remove this package and make sure libwbclient0 is installed.
To make sure the winbind and SSSD use the same id-mapping please add something like the following to smb.conf:
idmap config <AD-DOMAIN-SHORTNAME> : backend = sss
idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647
idmap config * : backend = tdb
idmap config * : range = 100000-199999
this tells winbind to ask SSSD which POSIX IDs to use for Windows users and groups.
On the SSSD side please disable the automatic host key renewal by setting
ad_maximum_machine_account_password_age = 0
in the [domain/...] section of sssd.conf.
Depending on how you joined the AD domain and if SSSD already renewed the machine account password, it might be necessary to re-join the domain with the 'net ads join ...' command or even easier with 'realm join --membership-software=samba ....' to set all the needed data winbind needs for operation. You can check by trying to start winbind. If it starts without errors all should be fine, otherwise please try to rejoin.
HTH
bye, Sumit
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
On 20.05.19 at 17:22, Sumit Bose wrote:
Hi,
Hi!
the recommendation is to use both.
Recent versions of Samba require winbind to run on domain members. The reason is that legacy code was removed from the smbd process which older versions used as a fallback to communicate with an AD DC. Now smbd needs winbind to be able to communicate with AD.
But you still can use SSSD for all other system services, winbind will be used exclusively by smbd.
The following changes are needed (I'm sorry but I'm not too familiar with the SSSD packages in Ubuntu, so I hope I'm right about the package names).
First, I assume you have the libwbclient-sssd package installed to redirect requests for winbind to SSSD. Please remove this package and make sure libwbclient0 is installed.
To make sure the winbind and SSSD use the same id-mapping please add something like the following to smb.conf:
idmap config <AD-DOMAIN-SHORTNAME> : backend = sss
idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647
idmap config * : backend = tdb
idmap config * : range = 100000-199999
this tells winbind to ask SSSD which POSIX IDs to use for Windows users and groups.
Thank you very much!
How do I have to adapt the range to our AD? I'm not sure about these values. Our AD users have an ID between 10000 and 23000, our groups have IDs between 31000 and 33000. We only have one domain.
So is it safe to set 10000 as minimum range value and 33000 as maximum?

idmap config * : backend = tdb
idmap config * : range = 1000-5000
idmap config DOMAIN : backend = sss
idmap config DOMAIN : range = 10000-33000
On the SSSD side please disable the automatic host key renewal by setting
ad_maximum_machine_account_password_age = 0
in the [domain/...] section of sssd.conf.
Does sssd renew the machine account password automatically?
Depending on how you joined the AD domain and if SSSD already renewed the machine account password, it might be necessary to re-join the domain with the 'net ads join ...' command or even easier with 'realm join --membership-software=samba ....' to set all the needed data winbind needs for operation. You can check by trying to start winbind. If it starts without errors all should be fine, otherwise please try to rejoin.
I did some tests with the new configuration above... Previously I joined my clients to AD with realm and not "net ads join". An additional "realm join --membership-software=samba ..." fails with
realm: Already joined to this domain
So I have to remove clients first with "realm leave --remove". Now it is working for me (including winbind) and samba sharing on ubuntu 19.04. I used
$ realm join --user-principal=host/hostname@DOMAIN --automatic-id-mapping=no --client-software=sssd --membership-software=samba
The command "realm list" lists two domains. Is this normal behavior?
# realm list
DOMAIN
  type: kerberos
  realm-name: DOMAIN
  domain-name: DOMAIN
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: winbind
  required-package: libpam-winbind
  required-package: samba-common-bin
  login-formats: DOMAIN%U
  login-policy: allow-any-login
DOMAIN
  type: kerberos
  realm-name: DOMAIN
  domain-name: DOMAIN
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins

CentOS
======
Unfortunately I do not get samba shares working on a centos 7 test-vm. I use the same configuration as with ubuntu where it is working. "getent passwd" and "wbinfo -u" are both working and show me the AD users list. But network shares are not accessible/working.

$ smbclient -U centos7/admin -L //centos7
do_connect: Connection to centos7 failed (Error NT_STATUS_HOST_UNREACHABLE)

# yum list installed | grep winbind
samba-winbind.x86_64            4.8.3-4.el7   @base
samba-winbind-clients.x86_64    4.8.3-4.el7   @base
samba-winbind-modules.x86_64    4.8.3-4.el7   @base
Something has to be different on CentOS/RedHat with samba 4.8.
/var/log/samba/log.winbindd:
[2019/05/24 12:55:50.100437, 0] ../source3/winbindd/winbindd.c:239(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)
[2019/05/24 12:55:50.203135, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/05/24 12:55:50.206805, 0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
[2019/05/24 12:58:15.204925, 0] ../source3/winbindd/winbindd.c:239(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)
[2019/05/24 12:58:15.256253, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/05/24 12:58:15.259906, 0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Any hints which configuration I have to change or which additional packages I need?
Thanks!
Best regards, Alexander
On Fri, May 24, 2019 at 01:13:38PM +0200, Alexander Fieroch wrote:
Thank you very much!
How do I have to adapt the range to our AD? I'm not sure about these values. Our AD users have an ID between 10000 and 23000, our groups have IDs between 31000 and 33000. We only have one domain.
So is it safe to set 10000 as minimum range value and 33000 as maximum?

idmap config * : backend = tdb
idmap config * : range = 1000-5000
idmap config DOMAIN : backend = sss
idmap config DOMAIN : range = 10000-33000
Hi,
that's ok, just keep in mind that you have to increase the upper limit in case your GIDs become larger than 33000.
On the SSSD side please disable the automatic host key renewal by setting
ad_maximum_machine_account_password_age = 0
in the [domain/...] section of sssd.conf.
Does sssd renew the machine account password automatically?
Yes, recent versions do this automatically if adcli is installed.
Depending on how you joined the AD domain and if SSSD already renewed the machine account password, it might be necessary to re-join the domain with the 'net ads join ...' command or even easier with 'realm join --membership-software=samba ....' to set all the needed data winbind needs for operation. You can check by trying to start winbind. If it starts without errors all should be fine, otherwise please try to rejoin.
I did some tests with the new configuration above... Previously I joined my clients to AD with realm and not "net ads join". An additional "realm join --membership-software=samba ..." fails with
realm: Already joined to this domain
So I have to remove clients first with "realm leave --remove". Now it is working for me (including winbind) and samba sharing on ubuntu 19.04. I used
$ realm join --user-principal=host/hostname@DOMAIN --automatic-id-mapping=no --client-software=sssd --membership-software=samba
The command "realm list" lists two domains. Is this normal behavior?
Yes, that's expected. realmd does not store a state somewhere, it looks at existing configurations and in your case both are available.
# realm list
DOMAIN
  type: kerberos
  realm-name: DOMAIN
  domain-name: DOMAIN
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: winbind
  required-package: libpam-winbind
  required-package: samba-common-bin
  login-formats: DOMAIN%U
  login-policy: allow-any-login
DOMAIN
  type: kerberos
  realm-name: DOMAIN
  domain-name: DOMAIN
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins
CentOS
Unfortunately I do not get samba shares working on a centos 7 test-vm. I use the same configuration as with ubuntu where it is working. "getent passwd" and "wbinfo -u" are both working and show me the AD users list. But network shares are not accessible/working.

$ smbclient -U centos7/admin -L //centos7
do_connect: Connection to centos7 failed (Error NT_STATUS_HOST_UNREACHABLE)
Can you send the full debug output of the call
$ smbclient -U centos7/admin -L //centos7 -d 10
bye, Sumit
--
Dipl.-Inf. Alexander Fieroch
Max-Planck-Institut für molekulare Physiologie
Zentrale Einrichtung EDV
Otto-Hahn-Str. 11
D-44227 Dortmund
Tel.: +49 (231) 133-2680
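An added example (not from this thread and not code from the Samba or SSSD projects) that turns Sumit's two points on id-mapping into a check you can run before restarting winbind: the suggested `idmap config` layout with a `tdb` default block and an `sss` block for the domain, and his caveat that the sss range has to be raised if the domain's GIDs grow past its upper limit. The smb.conf text and the uid/gid lists below are constructed for the example (they use the values Alexander posted, plus one group id that has outgrown the range); in practice you would feed it the real file and the ids that `getent passwd` / `getent group` return for domain accounts.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the [global] idmap lines from the thread for a single
# domain whose short name is DOMAIN.
SAMPLE_SMB_CONF = """
[global]
   security = ADS
   realm = DOMAIN
   workgroup = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 1000-5000
   idmap config DOMAIN : backend = sss
   idmap config DOMAIN : range = 10000-33000
"""

# Constructed sample of ids as SSSD hands them out: users 10000-23000, groups
# 31000-33000, plus one group (34010) that has grown past the configured range.
SAMPLE_UIDS = [10000, 15234, 23000]
SAMPLE_GIDS = [31000, 32500, 33000, 34010]

# Matches 'idmap config <domain> : backend|range = <value>' with any spacing.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Collect the idmap config lines into {domain: {"backend": ..., "range": ...}}."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            out.setdefault(m.group("dom"), {})[m.group("key").lower()] = m.group("val")
    return out


def parse_range(text: str) -> Tuple[int, int]:
    """Turn 'lo-hi' into (lo, hi); reject an inverted range."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"bad range {text!r}")
    return lo, hi


def check_idmap(conf_text: str, uids: List[int], gids: List[int]) -> List[str]:
    """Return a list of problems found; an empty list means the layout is consistent."""
    problems: List[str] = []
    cfg = parse_idmap(conf_text)
    if "*" not in cfg:
        problems.append("no 'idmap config * : ...' default block; winbind needs one for non-domain SIDs")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, keys in cfg.items():
        if "range" not in keys:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            ranges[dom] = parse_range(keys["range"])
        except ValueError as e:
            problems.append(f"{dom}: {e}")
    # Every pair of ranges must be disjoint, otherwise two backends claim the same ids.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges for {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    # The sss-backed domain range must cover every id SSSD actually hands out.
    for dom, keys in cfg.items():
        if keys.get("backend", "").lower() != "sss" or dom not in ranges:
            continue
        lo, hi = ranges[dom]
        for label, ids in (("uid", uids), ("gid", gids)):
            bad = [i for i in ids if not lo <= i <= hi]
            if bad:
                problems.append(f"{dom}: {label}s {bad} outside sss range {lo}-{hi}; raise the upper limit")
    return problems


if __name__ == "__main__":
    for line in check_idmap(SAMPLE_SMB_CONF, SAMPLE_UIDS, SAMPLE_GIDS) or ["idmap config looks consistent"]:
        print(line)
```

Run against the sample it reports only the group id 34010 as outside the `10000-33000` sss range; with the groups kept inside the range it reports nothing, and an `*` range that is widened into the domain range is reported as an overlap.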
On 24.05.19 at 20:47, Sumit Bose wrote:
On Fri, May 24, 2019 at 01:13:38PM +0200, Alexander Fieroch wrote:
CentOS
Unfortunately I do not get samba shares working on a centos 7 test-vm. I use the same configuration as with ubuntu where it is working. "getent passwd" and "wbinfo -u" are both working and show me the AD users list. But network shares are not accessible/working.

$ smbclient -U centos7/admin -L //centos7
do_connect: Connection to centos7 failed (Error NT_STATUS_HOST_UNREACHABLE)
Can you send the full debug output of the call
$ smbclient -U centos7/admin -L //centos7 -d 10
Hi!
CentOS delivers a firewall that blocked my smb sharing connections by default. After adding "firewall-cmd --add-service=samba --permanent" it is working.
Thanks again!
Best
On Fri, May 31, 2019 at 10:57:51AM +0200, Alexander Fieroch wrote:
Hi,
thanks for the feedback, glad it is working for you now.
bye, Sumit
Hi,
Is it possible to make the domain section match the domain used by the user to authenticate using the re_expression = (?P<name>[^@]+)@?(?P<domain>[^@]*$)
So the domain section would look like
[domain/$domain]
...
Thank you.
On Fri, May 31, 2019 at 10:10:12AM -0400, Nerigal wrote:
I don't think so, why do you need this? The domains need to be hardcoded anyway.
Hi,
I need this because users use a SSH Gateway to authenticate to Linux machines across more than 20 domains and so it's a bit of a pain maintaining all the domains configuration in the sssd.conf
So having a domain section that just matches the domain the user authenticates with would make it much easier and more portable as well as easy automated config deployment
At this point you just need to make sure your LDAP search path has the same structure across all domains as well as the binding users... and static config etc...
Beside that, you can dynamically define the ldap server if you have a decent DNS Forwarder setup and use the regex matches to craft the ldap base path
example: ldaps://domain.internal will resolve the AD servers dynamically from the DNSFW so you don't even need to know the AD servers name and this means you don't have to edit / maintain the sssd config every time an AD is added somewhere or decommissioned but you still have to repeat the domain section in the config file for all domains which makes the config file a bit dirty when you have multiple domains.
So i think it would be very interesting if we could use the matches from the regex re_expression as internal variables in the config file.
I thought that this was possible already.
Thank you
Nerigal