I'm running samba 4.4.4 on el7. I'm attempting to provide a share with auth by Kerberos, or, for non-Kerberos hosts, auth by password, from Linux or Windows (7) clients.
We have uid/gid/group memberships in AD and typically configure Linux hosts with a kerberos/sssd/ldap configuration which uses attributes from AD, but are not joined to domain.
I need to be able to automate the domain join with salt stack, so I'm stuck using adcli to join the machine as it has a plain-text password option, I then push sssd.conf, /etc/krb5.conf, and /etc/samba/smb.conf to the samba host.
Thus far I've been able to browse shares from Linux, which authenticates with Kerberos OK. File/directory perms are respected, new files are created with proper uid, etc. No complaints on this side.
When I attempt to connect from a domain joined Windows client I get prompted for credentials, and domain credentials do not work. It seems like the id of the user isn't passed through or looked up correctly after Kerberos auth, and the user is labelled as a guest user. Guest users are mapped to bad user in samba config. Here's a bit of logging when the Windows client tries to access a share: https://pastebin.com/pbEqj9ZR
Configs: smb.conf: https://pastebin.com/XfeVTCDE sssd.conf: https://pastebin.com/Z57rRwBw krb5.conf: https://pastebin.com/JigdxgJ6
Some other interesting tidbits: DNS is served by el6/bind, not by AD, but the AD SRV records exist and work properly for auto-discovery and binding. The samba server does not have a PTR record, although this seems to be a requirement for KDCs, not members. The domain is ad.localdomain.com, but hosts (including the samba server) have FQDNs assigned by DHCP as <hostname>.dhcp.localdomain.com.
Any help is appreciated; usually it's the Linux client that ends up being a pain, this is the first time for me that a Windows client is having issues authing.
Thanks, Steve
On Sat, May 27, 2017 at 09:45:29PM -0700, Steve Dainard wrote:
> I'm running samba 4.4.4 on el7. I'm attempting to provide a share with auth by Kerberos, or, for non-Kerberos hosts, auth by password, from Linux or Windows (7) clients.
SSSD cannot handle NTLM ('auth by password'), so you have to run winbind to make this possible. Adding the needed configuration manually is not that easy, so I would recommend re-considering Samba's net utility to join.
What is the specific feature you need from adcli? If it is 'preset-computer' I think you can just use the one-time password with net as well.
If you want to keep SSSD running to look up users and groups, you can use SSSD's idmap plugin to make sure winbind uses the same UIDs and GIDs; see man idmap_sss for details.
HTH
bye, Sumit
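As an added example (not code from this thread, nor Samba's or SSSD's own), the following POSIX shell sketch puts Sumit's three points together: Samba joined with net ads instead of adcli, winbind running so NTLM works for non-Kerberos clients, and the idmap_sss backend so winbind hands out the same UIDs/GIDs SSSD already resolves from AD. Assumptions: the realm AD.LOCALDOMAIN.COM from the thread, a NetBIOS domain name of AD (verify with net ads info), the idmap ranges laid out as in man idmap_sss (the sss range must cover whatever UIDs/GIDs are actually stored in AD), the el7 package name sssd-winbind-idmap for the plugin, and a join credential passed as user%password so a configuration-management tool can supply it non-interactively. The example also sets map to guest = Never, so a failed domain logon is refused instead of silently becoming a guest session as in the original config.

```shell
#!/bin/sh
# Added example for the reply above; not Samba's, SSSD's or the poster's config.
# Emits the [global] section of an smb.conf that runs Samba with winbind and the
# idmap_sss backend (man idmap_sss), then joins the domain with 'net ads join'.
# Assumptions: realm AD.LOCALDOMAIN.COM (from the thread), NetBIOS name "AD",
# ID ranges as in man idmap_sss, plugin package sssd-winbind-idmap on el7.

REALM="${REALM:-AD.LOCALDOMAIN.COM}"
WORKGROUP="${WORKGROUP:-AD}"

smb_global() {
    cat <<EOF
[global]
   workgroup = $WORKGROUP
   realm = $REALM
   security = ads
   # 'net ads join' stores the machine keys in the keytab; Samba needs them to
   # validate the cifs/ service tickets that Windows clients present
   kerberos method = secrets and keytab
   # do not quietly downgrade a failed domain logon to a guest session
   map to guest = Never
   # local and BUILTIN SIDs get IDs allocated from a private tdb
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999
   # domain users/groups are resolved through SSSD (package sssd-winbind-idmap),
   # so winbind and NSS agree on every UID/GID
   idmap config $WORKGROUP : backend = sss
   idmap config $WORKGROUP : range = 200000-2147483647
EOF
}

# winbind refuses to start when idmap ranges overlap. Args: lo1 hi1 lo2 hi2.
# Returns 0 when the two ranges are disjoint.
ranges_disjoint() {
    [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]
}

# Join with 'net ads' instead of adcli. -U accepts "user%password", so Salt
# (or any other tool) can pass the credential without a prompt.
# Args: join credential ("user%password"), a domain user to cross-check IDs.
join_and_verify() {
    net ads join -U "$1" || return 1
    net ads testjoin || return 1
    systemctl restart winbind smb || return 1
    # both lookups must show the same uid; a mismatch means the ranges above
    # do not match what SSSD serves
    wbinfo -i "$2" && getent passwd "$2"
}

# When run directly with two arguments, write the config and join, e.g.
#   REALM=AD.LOCALDOMAIN.COM WORKGROUP=AD sh join.sh 'svc-join%secret' 'jdoe'
# Share definitions are appended to the generated file separately.
if [ "$#" -eq 2 ]; then
    smb_global > /etc/samba/smb.conf
    join_and_verify "$1" "$2"
fi
```

After the join, net ads keytab list shows the cifs/ principals Samba will accept; if a Windows client requests a ticket for a name that is not in that list (for example a DHCP-assigned FQDN in a different DNS zone than the registered one), Kerberos cannot be used for that connection and the client falls back to NTLM, which is exactly the path that needs winbind.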
_______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org