On Fri, 03 Jun 2016, lejeczek wrote:
hi users,

I have a samba and sssd trying AD, it's 7.2 Linux.

That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good except...

smbclient @samba, in other words - to itself - fails

session setup failed: NT_STATUS_LOGON_FAILURE
Do you run winbindd? samba in RHEL 7.2 as of now has a regression that
if you don't run winbindd, current code forbids establishing anonymous
secure channel connections to AD DCs as part of Badlock fixes. The
regression is fixed upstream and RHEL 7.2 packages are currently being
tested by Red Hat QE team.

If you start winbindd, this should not affect you -- if the machine is
enrolled into Active Directory domain. However, the Kerberos error below
makes me think you have some problems on AD side as well.


and with smbclient -k

gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private....@private.dom not found in Kerberos database]
The statement above says your KDC for PRIVATE.DOM does not know anything
about cifs/swir.private.dom principal. Fix that problem and Kerberos
authentication will be working.


SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

here is a snippet from smb.conf which I thought has relevance, I set it up following samba sssd wiki.

 security = ads
 realm = CCNR.DOM
 workgroup = CCNR

 kerberos method = secrets and keytab
 dedicated keytab file = /etc/krb5.swir.ccnr.keytab
 client signing = auto
 client use spnego = yes
 encrypt passwords = yes
 password server = ccnr-winsrv1.ccnr.dom
 netbios name = SWIR

 template shell = /bin/bash
 template homedir = /home/%D/%U

 preferred master = no
 dns proxy = no
 wins server = ccnr-winsrv1.ccnr.dom
 wins proxy = no

 inherit acls = Yes
 map acl inherit = Yes
 acl group control = yes


and in samba log:

 domain_client_validate: Domain password server not available.

I've tried samba user list, dead silence.

many thanks,

L.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy
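
A check for the "not found in Kerberos database" error discussed in this thread, as an added example that is not part of the original messages: it pulls the service principal out of the GSS error line and looks for it in `klist -k` output for the dedicated keytab. The function names and the sample keytab listing are constructed for illustration; the principal is the one named in the reply above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the service principal named in a GSS
# "Server <spn> not found in Kerberos database" error; print nothing if absent.
spn_from_gss_error() {
    printf '%s\n' "$1" |
        sed -n 's/.*Server \([^ ]*\) not found in Kerberos database.*/\1/p'
}

# Read plain `klist -k` output on stdin (columns: KVNO, principal).
# Exit 0 if principal $1 is listed. Principals compare case-sensitively.
keytab_has_spn() {
    awk -v spn="$1" '$1 ~ /^[0-9]+$/ && $2 == spn { found = 1 }
                     END { exit !found }'
}

# $1 = error line, stdin = `klist -k` output. Prints one verdict line.
diagnose() {
    spn=$(spn_from_gss_error "$1")
    if [ -z "$spn" ]; then
        echo "no-spn-in-error"
        return 2
    fi
    if keytab_has_spn "$spn"; then
        # The keytab holds a key, but the KDC still rejected the name:
        # the SPN is not registered on the account in the directory.
        echo "in-keytab $spn"
    else
        # Neither the KDC nor the local keytab knows this service name.
        echo "not-in-keytab $spn"
    fi
}

# Constructed sample of `klist -k` output: host/ is present, cifs/ is not.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/swir.private.dom@PRIVATE.DOM
   2 SWIR$@PRIVATE.DOM'

# Real use (needs a Kerberos client and a valid ticket from kinit):
#   klist -k /etc/krb5.swir.ccnr.keytab | diagnose "$error_line"
#   kvno cifs/swir.private.dom    # asks the KDC itself for a service ticket
```

The keytab check only covers the local side; `kvno` is what confirms whether the KDC will issue a ticket for the name.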
