Dav Banks wrote:
> Thanks!
>
> -------------------------------
> Dav Banks
>
> > On May 31, 2019, at 6:46 AM, Sumit Bose <[email protected]> wrote:
> >
> > On Thu, May 30, 2019 at 02:33:28PM -0400, Dav Banks wrote:
> >> Hi There,
> >>
> >> I was wondering if anyone has experience with using sssd for samba
> >> authentication. I’ve gotten sssd working for getent tools but when a user
> >> tries to access a share that they have permissions to via a group they get
> >> a permissions denied error. If I add the user directly to the ACL it works
> >> fine.
> >>
> >> I can post more info but was just wondering if this is a known problem or
> >> just something strange with me.
> >
> > Hi,
> >
> > recent versions of Samba require that winbind must be running as well to
> > allow Samba to communicate with AD for purposes not handled by SSSD.
> > Older versions of Samba's smbd had some fallback code so that winbind
> > was not strictly needed but this code was removed mainly for security
> > reasons.
> >
> > Please check the list archive for config examples. The main idea is to
> > add idmap_sss to the Samba configuration to make sure winbind and SSSD
> > use the same id-mapping, see man idmap_sss for details as well.
> >
> > HTH
> >
> > bye,
> > Sumit

Please find the below working configuration:

1. Join the system to Windows using realm with --membership-software=samba

   realm join -v EXAMPLE.TEST --membership-software=samba

2. Edit /etc/samba/smb.conf and configure as shown below:

   [global]
   security = ads
   workgroup = EXAMPLE
   realm = EXAMPLE.TEST
   kerberos method = system keytab
   client use spnego = yes
   netbios name = fileserver
   log file = /var/log/samba/log.%m
   max log size = 500
   log level = 10
   idmap config EXAMPLE : backend = sss
   idmap config EXAMPLE : range = 200000-2147483647
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999

   [share1]
   path = /mnt/samba/share1
   comment = test share1
   writable = yes
   printable = no

3. Start sssd, winbind and smb services

Note:
A. wbinfo -u, wbinfo -g commands should be able to resolve AD users and groups.
B. kinit AD username and verify the below command works:

   smbclient -k -L //fileserver/share1

C. Mount share using mount.cifs

> >>
> >> -------------------------------
> >> Dav Banks
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
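
Added example (not part of the original thread, and not Samba or SSSD code): a small checker for the idmap layout described in the replies above. It confirms that the AD domain uses the sss backend, that a default "*" domain exists, and that no two ID ranges overlap. The function names parse_idmap and check_idmap and the embedded sample are assumptions made for illustration.

```python
import re

# Constructed sample: the idmap-related lines of the smb.conf posted above.
SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE
idmap config EXAMPLE : backend = sss
idmap config EXAMPLE : range = 200000-2147483647
idmap config * : backend = tdb
idmap config * : range = 100000-199999
"""

# Matches "idmap config <DOMAIN> : backend|range = <value>"; comment lines never match.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == "range":
            entry["range"] = tuple(int(p) for p in value.split("-", 1))
        else:
            entry["backend"] = value.lower()
    return domains

def check_idmap(text, ad_domain):
    """Return a list of problems; an empty list means the layout is consistent."""
    domains = parse_idmap(text)
    problems = []
    ad = domains.get(ad_domain.upper(), {})
    if ad.get("backend") != "sss":  # winbind must take its IDs from SSSD
        problems.append(f"{ad_domain}: backend is {ad.get('backend')!r}, expected 'sss'")
    if "*" not in domains:
        problems.append("no default 'idmap config *' domain")
    for name, entry in domains.items():
        if "range" not in entry:
            problems.append(f"{name}: no range configured")
    # Sort by lower bound; neighbouring ranges must not overlap (bounds are inclusive).
    ranged = sorted((e["range"], n) for n, e in domains.items() if "range" in e)
    for ((_, hi1), n1), ((lo2, _), n2) in zip(ranged, ranged[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges of {n1} and {n2} overlap")
    return problems

if __name__ == "__main__":
    print(check_idmap(SAMPLE_SMB_CONF, "EXAMPLE") or "idmap layout OK")
```

To check a real host, pass the contents of /etc/samba/smb.conf and the workgroup name to check_idmap.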
