On 06/06/16 12:42, Alexander Bokovoy wrote:
On Mon, 06 Jun 2016, lejeczek wrote:
SMB services with Kerberos require use of cifs/<hostname> service principal. Your keytab only has host/<hostname> keys, and your AD machine account for the <hostname> does not have 'cifs/<hostname>' SPN defined. The latter is what causes smbclient -k to fail -- AD DC doesn't know about 'cifs/<hostname>' and refuses to issue a service
ticket even before smbclient contacts Samba server.
Alexander, thanks!
yes, cifs needs to be in keytab file, smbclient to itself(on smb server locally) works now with -k. I wonder - should it also work with only passwords? It does not, for me. Users mapping concept (which I do not grasp completely yet) - when an AD client (win10) now gets to samba shares okey it is done with AD user credentials, win client sees share like: u...@my.dom which user is not IPA's user (there are no trusts no syncing).
I don't know details of what you have configured. For IPA with trusts both Kerberos and passwords should work when Samba is running on IPA master. For IPA client, we have procedure defined for SSSD+Samba. For
anything else only Kerberos would work.
I emailed (this thread) most of the configs, if not all, ~two emails ago, last Friday.

Now, when you say mapping - this would be winbind/smb translating/mapping AD's SIDs to match IPA's UIDs - which is/would be different from syncying users from AD => IPA ,correct?
SIDs to UID/GID on the system. You seem to confuse a lot in your emails -- you are claiming that there is no IPA trust or sync in place yet you expect somehow things to magically work, I simply don't understand your
situation to comment on it.
not magically, no, it's the same one box, IPA server and at the same time samba(non-IPA, might be why smbclient without kerberos does Not work) + sssd to an AD. And now after fixing keytabs all seems to work ok, and no winbind yet - thus my only question now is more about concepts, which - yes - I don't grasp fully. Yes I confuse, the way I understand is: my linux box now has two separate user db backends, two different users catalogs, first one is IPA's and the second is AD's via sssd(which samba being an AD's client also uses) with no winbind at this point. Last thing I wonder is that SIDs/UIDs mapping - one: do I want/need it? and if one then two: how to achieve it running setup like mine?

Another thing, not having winbind in nsswitch (or not having it at all), but still having sssd using AD - should I be able to access
linux+sssd=>AD box with means like ssh? eg. ssh
m...@my.dom@swir.private.my.dom (I think I had it worked with windbind in
SSSD client as IPA client will work with passwords in AD but only if
trust is established between IPA and AD.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to