On Mon, May 20, 2019 at 04:37:34PM +0200, Sumit Bose wrote:
> ----- Forwarded message from Alexander Fieroch <[email protected]> -----
> 
> Date: Mon, 20 May 2019 15:52:30 +0200
> From: Alexander Fieroch <[email protected]>
> To: [email protected]
> Subject: SSSD + samba shares
> 
> Hi,
> 
> I'm using SSSD for my AD integration and samba shares.
> Since my last upgrade (ubuntu 18.10 -> 19.04) to samba 4.10.0 and sssd 1.16.3
> samba shares are not working anymore and I got the error message in
> /var/log/samba/log.smbd:
> 
> 
> [2019/05/20 12:09:23.022488,  0]
> ../../source3/auth/auth_util.c:1386(make_new_session_info_guest)
>   create_local_token failed: NT_STATUS_NO_MEMORY
> [2019/05/20 12:09:23.022542,  0] ../../source3/smbd/server.c:2041(main)
>   ERROR: failed to setup guest info.
> 
> 
> Newer samba versions require a running winbindd but I use SSSD instead of
> winbindd which was working before. The samba team says SSSD is not supported
> by samba and I should use winbindd. But I want to stay with SSSD.
> So what is the recommended SSSD and samba configuration to get samba shares
> working while using SSSD?

Hi,

the recommendation is to use both.

Recent versions of Samba require winbind to run on domain members. The
reason is that legacy code was removed from the smbd process which older
versions used as a fallback to communicate with an AD DC. Now smbd needs
winbind to be able to communicate with AD.

But you still can use SSSD for all other system services, winbind will
be used exclusively by smbd.

The following changes are needed (I'm sorry but I'm not too familiar with
the SSSD packages in Ubuntu, so I hope I'm right about the package
names).

First, I assume you have the libwbclient-sssd package installed to
redirect requests for winbind to SSSD. Please remove this package and
make sure libwbclient0 is installed.

To make sure the winbind and SSSD use the same id-mapping please add
something like the following to smb.conf:

   idmap config <AD-DOMAIN-SHORTNAME> : backend        = sss
   idmap config <AD-DOMAIN-SHORTNAME> : range          = 200000-2147483647

   idmap config * : backend        = tdb
   idmap config * : range          = 100000-199999

this tells winbind to ask SSSD which POSIX IDs to use for Windows users
and groups.

On the SSSD side please disable the automatic host key renewal by
setting

    ad_maximum_machine_account_password_age = 0

in the [domain/...] section of sssd.conf.

Depending on how you joined the AD domain and if SSSD already renewed
the machine account password, it might be necessary to re-join the domain
with the 'net ads join ...' command or even easier with 'realm join
--membership-software=samba ....' to set all the needed data winbind
needs for operation. You can check by trying to start winbind. If it
starts without errors all should be fine, otherwise please try to
rejoin.

HTH

bye,
Sumit

> Or is it not possible anymore to use only SSSD with samba shares without
> winbind?
> 
> 
> Thanks!
> Best regards
> 
> 
> /etc/samba/smb.conf:
> [global]
>         disable netbios = Yes
>         dns proxy = No
>         domain master = No
>         kerberos method = system keytab
>         local master = No
>         log file = /var/log/samba/log.%m
>         map to guest = Bad User
>         max log size = 1000
>         obey pam restrictions = Yes
>         pam password change = Yes
>         panic action = /usr/share/samba/panic-action %d
>         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>         passwd program = /usr/bin/passwd %u
>         realm = DOMAIN
>         security = ADS
>         server role = member server
>         server string = %h %a
>         syslog = 0
>         unix password sync = Yes
>         usershare allow guests = Yes
>         workgroup = DOMAIN
> 
> 
> 
> 
> ----- End forwarded message -----
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
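A pre-flight check for the configuration Sumit describes above, added to this archived thread as an example (it is not code from the thread, from Samba or from SSSD). It reads an smb.conf and an sssd.conf passed as arguments and verifies the points he lists: `security = ADS`, an `idmap config <SHORTNAME> : backend = sss` entry, a separate default idmap backend whose range does not overlap the domain range, and `ad_maximum_machine_account_password_age = 0` in the `[domain/...]` section. The AD short name, the sssd.conf section name and the sample configs used to exercise it are constructed for the example; the Debian package names `libwbclient-sssd` and `libwbclient0` are the ones named in the reply.

```shell
#!/bin/sh
# Added example, not code from the list thread, Samba or SSSD: a pre-flight
# check for the smb.conf / sssd.conf changes described above. It only reads
# the two files given as arguments, so it can be run against copies.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
# Samba treats parameter names case-insensitively and ignores their
# whitespace, so both sides are lowercased with all spaces removed.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        BEGIN { want_sec = tolower(want_sec)
                gsub(/[ \t]/, "", want_key); want_key = tolower(want_key) }
        /^[ \t]*[#;]/ { next }                 # comment line
        /^[ \t]*\[/ {                          # [section] header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            in_sec = (tolower(s) == want_sec); next
        }
        in_sec && index($0, "=") {
            p = index($0, "="); k = substr($0, 1, p - 1); v = substr($0, p + 1)
            gsub(/[ \t]/, "", k); k = tolower(k)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (k == want_key) { print v; exit }
        }' "$1"
}

# ranges_overlap "LOW1-HIGH1" "LOW2-HIGH2": true (0) if the ranges share an ID.
ranges_overlap() {
    r1=$(printf '%s' "$1" | tr -d ' '); r2=$(printf '%s' "$2" | tr -d ' ')
    [ "${r1%-*}" -le "${r2#*-}" ] && [ "${r2%-*}" -le "${r1#*-}" ]
}

# check_member_config SMBCONF SSSDCONF AD-SHORTNAME SSSD-DOMAIN-SECTION
# Prints one line per finding; returns 0 only when every check passes.
check_member_config() {
    smb=$1; sssd=$2; dom=$3; sec=$4; rc=0

    mode=$(ini_get "$smb" global security | tr 'A-Z' 'a-z')
    [ "$mode" = "ads" ] || { echo "FAIL: security should be ADS (got '$mode')"; rc=1; }

    dom_backend=$(ini_get "$smb" global "idmap config $dom : backend")
    [ "$dom_backend" = "sss" ] || { echo "FAIL: idmap config $dom : backend should be sss (got '$dom_backend')"; rc=1; }

    def_backend=$(ini_get "$smb" global "idmap config * : backend")
    [ -n "$def_backend" ] || { echo "FAIL: idmap config * : backend is not set"; rc=1; }

    dom_range=$(ini_get "$smb" global "idmap config $dom : range")
    def_range=$(ini_get "$smb" global "idmap config * : range")
    if [ -z "$dom_range" ] || [ -z "$def_range" ]; then
        echo "FAIL: both idmap ranges must be set (domain='$dom_range', default='$def_range')"; rc=1
    elif ranges_overlap "$dom_range" "$def_range"; then
        echo "FAIL: idmap ranges overlap ($dom_range vs $def_range)"; rc=1
    fi

    age=$(ini_get "$sssd" "$sec" ad_maximum_machine_account_password_age)
    [ "$age" = "0" ] || { echo "FAIL: [$sec] ad_maximum_machine_account_password_age should be 0 (got '$age')"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: smb.conf and sssd.conf are consistent for smbd+winbind alongside SSSD"
    return "$rc"
}

# check_wbclient_packages: on Debian/Ubuntu, libwbclient-sssd (which redirects
# winbind client calls to SSSD) must be gone and libwbclient0 present.
# Skipped where dpkg-query is unavailable.
check_wbclient_packages() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "SKIP: dpkg-query not found"; return 0; }
    if dpkg-query -W -f='${Status}\n' libwbclient-sssd 2>/dev/null | grep -q '^install ok installed$'; then
        echo "FAIL: libwbclient-sssd is installed; remove it"; return 1
    fi
    dpkg-query -W -f='${Status}\n' libwbclient0 2>/dev/null | grep -q '^install ok installed$' \
        || { echo "FAIL: libwbclient0 is not installed"; return 1; }
    echo "OK: wbclient packages"
}

# Usage: sh check-member.sh /etc/samba/smb.conf /etc/sssd/sssd.conf DOMAIN domain/example.com
if [ "$#" -eq 4 ]; then
    check_member_config "$@" && check_wbclient_packages
fi
```

The script only confirms that the two files say what the reply asks for; whether the join data winbind needs is present is still shown by what Sumit suggests, starting winbind and watching for errors, and `testparm -s` remains the authoritative parser for smb.conf itself.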