On 03/06/16 17:00, Alexander Bokovoy wrote:
On Fri, 03 Jun 2016, lejeczek wrote:


On 03/06/16 15:22, Alexander Bokovoy wrote:
On Fri, 03 Jun 2016, lejeczek wrote:
hi users,

I have a samba and sssd trying AD, it's 7.2 Linux.

That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good except...

smbclient @samba, in other words - to itself - fails

session setup failed: NT_STATUS_LOGON_FAILURE
Do you run winbindd? Samba in RHEL 7.2 as of now has a regression that if you don't run winbindd, current code forbids establishing anonymous secure channel connections to AD DCs as part of Badlock fixes. The regression is fixed upstream and RHEL 7.2 packages are currently being tested by Red Hat QE team.

If you start winbindd, this should not affect you -- if the machine is enrolled into Active Directory domain. However, the Kerberos error below makes me think you have some problems on AD side as well.
no winbind, I hope to completely rely on sssd.
You cannot -- at least for now. Samba needs translation between SIDs and POSIX IDs. This translation cannot be done by SSSD alone right now because there is no separate mechanism to supply that translation into Samba from the system level.

SSSD can be used to imitate SID translation interface of winbindd by providing a libwbclient replacement but this would mean a lot of other functionality winbindd provides will be missing as SSSD does not implement it.
Finally, you can run winbindd in parallel to SSSD. You just need to ensure they both have the same understanding of how to map usernames and group names to POSIX ID and back. And you don't need to add winbindd to /etc/nsswitch.conf or PAM configuration.

I should mention that I'm fiddling with my sssd so it engages two providers, AD and IPA - and it seems to work, like I tried to describe, only that samba smbclient to itself is not working.
thanks!
SMB services with Kerberos require use of cifs/<hostname> service principal. Your keytab only has host/<hostname> keys, and your AD machine account for the <hostname> does not have 'cifs/<hostname>' SPN defined. The latter is what causes smbclient -k to fail -- AD DC doesn't know about 'cifs/<hostname>' and refuses to issue a service ticket even before smbclient contacts Samba server.
Alexander, thanks!
yes, cifs needs to be in keytab file, smbclient to itself (on smb server locally) works now with -k. I wonder - should it also work with only passwords? It does not, for me. Users mapping concept (which I do not grasp completely yet) - when an AD client (win10) now gets to samba shares okay it is done with AD user credentials, win client sees share like: u...@my.dom which user is not IPA's user (there are no trusts, no syncing). Now, when you say mapping - this would be winbind/smb translating/mapping AD's SIDs to match IPA's UIDs - which is/would be different from syncing users from AD => IPA, correct? Another thing, not having winbind in nsswitch (or not having it at all), but still having sssd using AD - should I be able to access linux+sssd=>AD box with means like ssh? eg. ssh m...@my.dom@swir.private.my.dom (I think I had it working with winbind in nsswitch)

L.


and with smbclient -k

gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private....@private.dom not found in Kerberos database]
The statement above says your KDC for PRIVATE.DOM does not know anything about cifs/swir.private.dom principal. Fix that problem and Kerberos authentication will be working.


SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

here is a snippet from smb.conf which I thought has relevance, I set it up following the Samba/SSSD wiki.

 security = ads
realm = CCNR.DOM
workgroup = CCNR

kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.swir.ccnr.keytab
client signing = auto
client use spnego = yes
encrypt passwords = yes
password server = ccnr-winsrv1.ccnr.dom
netbios name = SWIR

template shell = /bin/bash
template homedir = /home/%D/%U

preferred master = no
dns proxy = no
wins server = ccnr-winsrv1.ccnr.dom
wins proxy = no

inherit acls = Yes
map acl inherit = Yes
acl group control = yes


and in samba log:

domain_client_validate: Domain password server not available.

I've tried samba user list, dead silence.

many thanks,

L.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
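The diagnosis in the thread comes down to one check: Kerberos SMB needs a cifs/<fqdn>@REALM key in the host keytab and a matching cifs/<fqdn> SPN on the AD machine account, and smbclient -k fails at the KDC before Samba is ever contacted when either is missing. The script below is an added example, not code from the thread, from Samba or from SSSD. It parses `klist -k` style output and an SPN listing and reports which side lacks the cifs/ principal; the two listings are constructed sample output modelled on the hostname and realm in the thread, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or SSSD): verify that the
# cifs/<fqdn>@REALM principal Kerberos SMB requires is present both in the
# host keytab and on the AD machine account's SPN list.
# All listings below are constructed sample output for offline use; in
# production, feed in the real `klist -k` output and the SPN list from AD.

# Constructed `klist -k` output reproducing the thread's state: host/ keys only.
KLIST_HOST_ONLY='Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/swir.private.my.dom@PRIVATE.DOM
   3 host/SWIR@PRIVATE.DOM
   3 SWIR$@PRIVATE.DOM'

# Same keytab after a cifs/ key has been added.
KLIST_WITH_CIFS="$KLIST_HOST_ONLY
   3 cifs/swir.private.my.dom@PRIVATE.DOM"

# Constructed SPN listing in the style of `setspn -L SWIR` on the AD side.
SPN_HOST_ONLY='Registered ServicePrincipalNames for CN=SWIR,CN=Computers,DC=private,DC=my,DC=dom:
        HOST/swir.private.my.dom
        HOST/SWIR'

SPN_WITH_CIFS="$SPN_HOST_ONLY
        cifs/swir.private.my.dom"

# keytab_has_principal PRINCIPAL LISTING
# Returns 0 if LISTING (klist -k format: "KVNO Principal" rows) has an entry
# whose principal equals PRINCIPAL. MIT Kerberos principal names are
# case-sensitive, so the comparison is exact.
keytab_has_principal() {
    printf '%s\n' "$2" | awk -v p="$1" \
        'NF >= 2 && $2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# ad_has_spn SPN LISTING
# Returns 0 if the machine account's SPN list contains SPN. AD matches SPNs
# case-insensitively, so both sides are lower-cased before comparing.
ad_has_spn() {
    printf '%s\n' "$2" | awk -v s="$1" \
        'NF == 1 && tolower($1) == tolower(s) { found = 1 } END { exit found ? 0 : 1 }'
}

# diagnose FQDN REALM KLIST_OUTPUT SPN_OUTPUT
# Exit status: 0 = both present, 1 = keytab lacks the cifs/ key,
#              2 = AD lacks the cifs/ SPN, 3 = both missing
#              (the thread's case: the KDC refuses the ticket, so smbclient -k
#              fails before it ever reaches Samba).
diagnose() {
    fqdn=$1; realm=$2; klist_out=$3; spn_out=$4
    rc=0
    if ! keytab_has_principal "cifs/$fqdn@$realm" "$klist_out"; then
        echo "keytab: missing cifs/$fqdn@$realm" >&2
        rc=$((rc + 1))
    fi
    if ! ad_has_spn "cifs/$fqdn" "$spn_out"; then
        echo "AD machine account: missing SPN cifs/$fqdn" >&2
        rc=$((rc + 2))
    fi
    return $rc
}

# Stand-alone run: the thread's state (both missing -> 3), then the fixed state (0).
rc=0; diagnose swir.private.my.dom PRIVATE.DOM "$KLIST_HOST_ONLY" "$SPN_HOST_ONLY" || rc=$?
echo "before fix: status $rc"
rc=0; diagnose swir.private.my.dom PRIVATE.DOM "$KLIST_WITH_CIFS" "$SPN_WITH_CIFS" || rc=$?
echo "after fix: status $rc"

# Remediation on the Samba host is `net ads keytab add cifs` (documented in
# net(8)); whether that call also registers the SPN on the AD machine account
# depends on the Samba version, so re-run the check on both sides afterwards.
```

Status 1 and 2 are worth telling apart: with 1 the KDC issues a ticket but Samba cannot decrypt it, with 2 the client never gets a ticket at all, which is the "Server cifs/... not found in Kerberos database" message quoted above.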