Hi There,
I was wondering if anyone has experience with using sssd for samba authentication. I’ve gotten sssd working for getent tools but when a user tries to access a share that they have permissions to via a group they get a permissions denied error. If I add the user directly to the ACL it works fine.
I can post more info but was just wondering if this is a known problem or just something strange with me.
------------------------------- Dav Banks
On Thu, May 30, 2019 at 02:33:28PM -0400, Dav Banks wrote:
> Hi There,
> I was wondering if anyone has experience with using sssd for samba authentication. I’ve gotten sssd working for getent tools but when a user tries to access a share that they have permissions to via a group they get a permissions denied error. If I add the user directly to the ACL it works fine.
> I can post more info but was just wondering if this is a known problem or just something strange with me.
Hi,
recent version of Samba requires that winbind must be running as well to allow Samba to communicate with AD for purposes not handled by SSSD. Older versions of Samba's smbd had some fallback code so that winbind was not strictly needed but this code was removed mainly for security reasons.
Please check the list archive for config examples. The main idea is to add idmap_sss to the Samba configuration to make sure winbind and SSSD use the same id-mapping, see man idmap_sss for details as well.
HTH
bye, Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Thanks!
------------------------------- Dav Banks
On May 31, 2019, at 6:46 AM, Sumit Bose sbose@redhat.com wrote:
> Hi,
> recent version of Samba requires that winbind must be running as well to allow Samba to communicate with AD for purposes not handled by SSSD. Older versions of Samba's smbd had some fallback code so that winbind was not strictly needed but this code was removed mainly for security reasons.
> Please check the list archive for config examples. The main idea is to add idmap_sss to the Samba configuration to make sure winbind and SSSD use the same id-mapping, see man idmap_sss for details as well.
> HTH
> bye, Sumit
Dav Banks wrote:
> Thanks!
> Dav Banks
Please find the below working Configuration

1. Join the system to Windows using realm with --membership-software=samba

    realm join -v EXAMPLE.TEST --membership-software=samba

2. Edit /etc/samba/smb.conf and configure as shown below:

    [global]
    security = ads
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    kerberos method = system keytab
    client use spnego = yes
    netbios name = fileserver
    log file = /var/log/samba/log.%m
    max log size = 500
    log level = 10
    idmap config EXAMPLE : backend = sss
    idmap config EXAMPLE : range = 200000-2147483647
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999

    [share1]
    path = /mnt/samba/share1
    comment = test share1
    writable = yes
    printable = no

3. Start sssd, winbind and smb services

Note:
A. wbinfo -u, wbinfo -g commands should be able to resolve AD users and groups.
B. kinit AD username and verify the below command works:
    smbclient -k -L //fileserver/share1
C. Mount share using mount.cifs
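
Added example, not part of the thread: a static check that an smb.conf maps the AD domain through idmap_sss, as Sumit advises, and that no two idmap ranges overlap. The function names check_idmap and sample_conf are made up for this sketch; it only reads the file and does not confirm that winbind or sssd are running.

```shell
#!/bin/sh
# Added example (not from the thread): static lint of smb.conf idmap settings.
# Usage: check_idmap DOMAIN < smb.conf
# Returns 0 when DOMAIN uses the sss backend and no two idmap ranges overlap.
check_idmap() {
    awk -v dom="$1" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Matches e.g. "idmap config EXAMPLE : range = 200000-2147483647"
    tolower($0) ~ /^[ \t]*idmap config .*:.*=/ {
        s = substr(trim($0), length("idmap config ") + 1)
        c = index(s, ":"); e = index(s, "=")
        name = trim(substr(s, 1, c - 1))
        key  = tolower(trim(substr(s, c + 1, e - c - 1)))
        val  = trim(substr(s, e + 1))
        if (key == "backend") backend[name] = val
        if (key == "range") { split(val, r, "-"); lo[name] = r[1] + 0; hi[name] = r[2] + 0 }
    }
    END {
        rc = 0
        if (backend[dom] != "sss") {
            print "FAIL: " dom " backend is \"" backend[dom] "\", expected sss"; rc = 1
        }
        # Two ranges overlap when each one starts before the other ends.
        for (a in lo) for (b in lo)
            if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a]) {
                print "FAIL: idmap ranges of " a " and " b " overlap"; rc = 1
            }
        if (rc == 0) print "OK: " dom " uses idmap_sss and idmap ranges are disjoint"
        exit rc
    }'
}

# The idmap lines from the configuration in the post above.
sample_conf() {
    cat <<'EOF'
[global]
security = ads
workgroup = EXAMPLE
realm = EXAMPLE.TEST
idmap config EXAMPLE : backend = sss
idmap config EXAMPLE : range = 200000-2147483647
idmap config * : backend = tdb
idmap config * : range = 100000-199999
EOF
}

sample_conf | check_idmap EXAMPLE
# Constructed failure case: widen the default range so it collides with EXAMPLE.
sample_conf | sed 's/100000-199999/100000-250000/' | check_idmap EXAMPLE || echo "lint failed as expected"
```

On a real host, run it as `check_idmap EXAMPLE < /etc/samba/smb.conf` before starting the services in step 3.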