On Mon, Aug 27, 2018 at 05:18:01PM -0600, Erinn Looney-Triggs wrote:
> I have a system that is joined to an AD domain via SSSD, it was happily
> running samba and serving shares using either kerberos or password
> authentication, with the update to Samba 4.7.1 in the RHEL 7.5 release,
> all of that stopped working.
>
> samba config file:
>
> [global]
> log level = 5
>
> password server = *
> realm = AD.EXAMPLE.COM
> encrypt passwords = yes
> kerberos method = system keytab
> workgroup = AD
> server string = %h samba
> security = ADS
> map to guest = Bad User
> interfaces = <valid IP>
> hosts allow = <valid IP blocks>
> load printers = no
> passdb backend = tdbsam
> dns proxy = no
> max log size = 5000
> bind interfaces only = no
>
> restrict anonymous = 2
>
> #============================ Share Definitions
> ==============================
> [images]
> comment = example images
> path = /var/eng/
> guest ok = no
> printable = no
> write list =
> create mask = 0664
> directory mask = 0775
> read only = no
> valid users = +valid-example-group
> force group =
> browseable = yes
>
> Now samba will not even start without either libwbclient or
> sssd-libwbclient installed with the above configuration. After
> installing sssd-libwbclient and modifying valid users to:
>
> valid users = AD\valid-example-group
>
> kerberos based connections will work just fine. However password based
> connections for windows systems that are not AD joined, or smbclient
> without kerberos, does not work. I believe this is falling back to NTLM
> and NTLM is simply not supported by SSSD correct?
>
> Oddly, what used to work, with basically a call to getgrnam() no longer
> works in 4.7.1 release of samba and there seems to be no mention that I
> can find as to why. Any thoughts?
>
> It looks an awful lot like, if we need to support both krb and password
> based connections we will need to use winbind, correct? Or is there
> another way to make this thing work? If I have to use winbind it looks
> like I need to use 'net ads join' or 'realm join
> --client-software=winbind' but it then seems to me that the system will
> be joined to the AD twice, once to use SSSD, and once for winbind is
> this correct? Is there a way to make winbind and SSSD work together?
>
> Further it looks like, according to this:
> https://bugzilla.redhat.com/show_bug.cgi?id=1558560 that RHEL 7.6 with
> Samba 4.8.1 will require winbind to be running period. I believe that
> statement to be a bit of an oversimplification because sssd-libwbclient
> should still work, or am I misunderstanding?
>
> Any guidance here would be great, this seems to be a fairly murky area,
> or my google fu is weak.
Yes, if you want to use password authentication (NTLM) you have to run
winbind with recent versions of Samba. The reason is that some old
fallback code was removed from the smbd binary mainly for security
reasons and to simplify the code in general.
If you only need Kerberos authentication sssd-libwbclient can still be
used.
For all other cases where winbind must be running install Samba's
libwbclient and I would recommend to use SSSD's idmap plugin for
Samba/Winbind, see man idmap_sss for details.
Since idmap_sss is read-only from the winbind perspective it is
recommend to have a read-write plugin as well so that the actual imap
config for smb.conf might look like:
idmap config * : backend", "tdb"
idmap config * : range", "10000-99999"
idmap config MYDOMAIN : backend = sss
idmap config MYDOMAIN : range = 200000-2147483647
If you have a forest with multiple domains you should add a
configuration for each domain with suitable ranges.
This way both SSSD and Winbind will talk to AD with the same credentials
but SSSD still does all system authentication (no need to add
pam_winbind to the PAM configuration) and user group lookup. Winbind
will only serve the needs of smbd and other direct users of libwbclient
but gets all information about idmapping from SSSD so that both Winbind
and SSSD will always use the same UIDs and GIDs for the same AD object.
HTH
bye,
Sumit
>
> -Erinn
>
>
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
