On 20.05.19 at 17:22, Sumit Bose wrote:
Hi,
Hi!
the recommendation is to use both.
Recent versions of Samba require winbind to run on domain members. The
reason is that legacy code was removed from the smbd process which older
versions used as a fallback to communicate with an AD DC. Now smbd needs
winbind to be able to communicate with AD.
But you still can use SSSD for all other system services, winbind will
be used exclusively by smbd.
The following changes are needed (I'm sorry but I'm not too familiar with
the SSSD packages in Ubuntu, so I hope I'm right about the package
names).
First, I assume you have the libwbclient-sssd package installed to
redirect requests for winbind to SSSD. Please remove this package and
make sure libwbclient0 is installed.
To make sure that winbind and SSSD use the same id-mapping please add
something like the following to smb.conf:
idmap config <AD-DOMAIN-SHORTNAME> : backend = sss
idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647
idmap config * : backend = tdb
idmap config * : range = 100000-199999
this tells winbind to ask SSSD which POSIX IDs to use for Windows users
and groups.
Thank you very much! How do I have to adapt the range to our AD? I'm not sure about these values. Our AD users have an ID between 10000 and 23000, our groups have IDs between 31000 and 33000. We only have one domain.
So is it safe to set 10000 as minimum range value and 33000 as maximum?
idmap config * : backend = tdb
idmap config * : range = 1000-5000
idmap config DOMAIN : backend = sss
idmap config DOMAIN : range = 10000-33000
On the SSSD side please disable the automatic host key renewal by
setting
ad_maximum_machine_account_password_age = 0
in the [domain/...] section of sssd.conf.
Does sssd renew the machine account password automatically?
Depending on how you joined the AD domain and if SSSD already renewed the machine account password, it might be necessary to re-join the domain with the 'net ads join ...' command or even easier with 'realm join --membership-software=samba ....' to set all the needed data winbind needs for operation. You can check by trying to start winbind. If it starts without errors all should be fine, otherwise please try to rejoin.
I did some tests with the new configuration above... Previously I joined my clients to AD with realm and not "net ads join". An additional "realm join --membership-software=samba ..." fails with

realm: Already joined to this domain

So I have to remove clients first with "realm leave --remove". Now it is working for me (including winbind) and samba sharing on ubuntu 19.04. I used
$ realm join --user-principal=host/hostname@DOMAIN --automatic-id-mapping=no --client-software=sssd --membership-software=samba
The command "realm list" lists two domains. Is this normal behavior?

# realm list
DOMAIN
  type: kerberos
  realm-name: DOMAIN
  domain-name: DOMAIN
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: winbind
  required-package: libpam-winbind
  required-package: samba-common-bin
  login-formats: DOMAIN\%U
  login-policy: allow-any-login
DOMAIN
  type: kerberos
  realm-name: DOMAIN
  domain-name: DOMAIN
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins

CentOS
======

Unfortunately I do not get samba shares working on a centos 7 test-vm. I use the same configuration as with ubuntu where it is working. "getent passwd" and "wbinfo -u" are both working and show me the AD users list.
But network shares are not accessible/working.

$ smbclient -U centos7/admin -L //centos7
do_connect: Connection to centos7 failed (Error NT_STATUS_HOST_UNREACHABLE)

# yum list installed | grep winbind
samba-winbind.x86_64           4.8.3-4.el7   @base
samba-winbind-clients.x86_64   4.8.3-4.el7   @base
samba-winbind-modules.x86_64   4.8.3-4.el7   @base

Something has to be different on CentOS/RedHat with samba 4.8.

/var/log/samba/log.winbindd:
[2019/05/24 12:55:50.100437, 0] ../source3/winbindd/winbindd.c:239(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)
[2019/05/24 12:55:50.203135, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/05/24 12:55:50.206805, 0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
[2019/05/24 12:58:15.204925, 0] ../source3/winbindd/winbindd.c:239(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)
[2019/05/24 12:58:15.256253, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/05/24 12:58:15.259906, 0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Any hints which configuration I have to change or which additional packages I need?
Thanks! Best regards, Alexander
HTH

bye,
Sumit

Or is it not possible anymore to use only SSSD with samba shares without winbind?

Thanks!
Best regards

/etc/samba/smb.conf:
[global]
  disable netbios = Yes
  dns proxy = No
  domain master = No
  kerberos method = system keytab
  local master = No
  log file = /var/log/samba/log.%m
  map to guest = Bad User
  max log size = 1000
  obey pam restrictions = Yes
  pam password change = Yes
  panic action = /usr/share/samba/panic-action %d
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  passwd program = /usr/bin/passwd %u
  realm = DOMAIN
  security = ADS
  server role = member server
  server string = %h %a
  syslog = 0
  unix password sync = Yes
  usershare allow guests = Yes
  workgroup = DOMAIN

----- End forwarded message -----
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
-- Dipl.-Inf. Alexander Fieroch Max-Planck-Institut für molekulare Physiologie Zentrale Einrichtung EDV Otto-Hahn-Str. 11 D-44227 Dortmund Tel.: +49 (231) 133-2680
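The thread's open question is how to size the idmap ranges. Two things are worth checking before restarting winbind: Samba requires the ranges of all `idmap config` blocks (including the `*` default) to be mutually disjoint, and the `sss` backend will only return IDs that fall inside the range configured for that domain, so the range must cover every UID/GID SSSD already hands out. The following script is an added example, not code from the thread or from Samba/SSSD; it parses the `idmap config` lines of an smb.conf text and reports those two classes of problem. The smb.conf fragments and the observed ID ranges (users 10000-23000, groups 31000-33000, as reported above) are constructed from the thread; the regex-based parsing is a simplification of Samba's own configuration parser (no `include`, no continuation lines).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap fragment proposed in the thread for a single
# domain (default tdb range 1000-5000, DOMAIN resolved through SSSD).
SMB_CONF_THREAD = """
[global]
   security = ADS
   workgroup = DOMAIN
   realm = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 1000-5000
   idmap config DOMAIN : backend = sss
   idmap config DOMAIN : range = 10000-33000
"""

# Constructed counter-example: the default range overlaps the domain range,
# and the domain range does not cover the IDs SSSD already assigns.
SMB_CONF_BROKEN = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999
   idmap config DOMAIN : backend = sss
   idmap config DOMAIN : range = 150000-2147483647
"""

# ID ranges observed on the SSSD side (taken from the thread, assumed here).
OBSERVED_IDS = {"users": (10000, 23000), "groups": (31000, 33000)}

# Matches "idmap config <domain> : <key> = <value>"; Samba parameter names
# are case-insensitive, and whitespace around ':' and '=' is optional.
_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect the idmap config settings per domain (domain names upper-cased)."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = _IDMAP_RE.match(line)
        if m:
            out.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return out


def parse_range(text: str) -> Tuple[int, int]:
    """Turn 'low-high' into a tuple, rejecting an inverted range."""
    lo, hi = (int(x.strip()) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"inverted range {text}")
    return lo, hi


def check_idmap(conf: str, observed=OBSERVED_IDS) -> List[str]:
    """Return a list of findings; an empty list means the idmap layout is sane."""
    findings: List[str] = []
    domains = parse_idmap(conf)
    if "*" not in domains:
        findings.append("missing default 'idmap config *' block")

    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, kv in domains.items():
        if "backend" not in kv or "range" not in kv:
            findings.append(f"{dom}: backend and range must both be set")
            continue
        try:
            ranges[dom] = parse_range(kv["range"])
        except ValueError as e:
            findings.append(f"{dom}: {e}")

    # Samba requires all idmap ranges (including '*') to be disjoint.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"{a} range {alo}-{ahi} overlaps {b} range {blo}-{bhi}")

    # winbind drops IDs outside the backend's range, so an sss-backed domain
    # must cover everything SSSD already hands out.
    for dom, kv in domains.items():
        if kv.get("backend", "").lower() == "sss" and dom in ranges:
            lo, hi = ranges[dom]
            for kind, (olo, ohi) in observed.items():
                if olo < lo or ohi > hi:
                    findings.append(f"{dom}: observed {kind} {olo}-{ohi} outside range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for name, conf in (("thread", SMB_CONF_THREAD), ("broken", SMB_CONF_BROKEN)):
        print(name, check_idmap(conf) or "OK")
```

Run it against the real file with `check_idmap(open("/etc/samba/smb.conf").read())` and, if the result is empty, confirm the mapping end to end with `wbinfo -i <user>` and `getent passwd <user>` returning the same UID.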
