[Freeipa-users] a bit off topic- samba + sssd => AD
lejeczek
peljasz at yahoo.co.uk
Fri Jun 3 15:49:45 UTC 2016
On 03/06/16 15:22, Alexander Bokovoy wrote:
> On Fri, 03 Jun 2016, lejeczek wrote:
>> hi users,
>>
>> I have a samba and sssd trying AD, it's 7.2 Linux.
>>
>> That linux box is via sssd and samba talking to AD DC and
>> win10 clients get to samba shares, getent pass sees AD
>> users, samba can get to DC's shares and win10's clients
>> shares, all good except...
>>
>> smbclient @samba, in other words - to itself - fails
>>
>> session setup failed: NT_STATUS_LOGON_FAILURE
> Do you run winbindd? samba in RHEL 7.2 as of now has a regression that
> if you don't run winbindd, current code forbids establishing anonymous
> secure channel connections to AD DCs as part of Badlock fixes. The
> regression is fixed upstream and RHEL 7.2 packages are currently being
> tested by Red Hat QE team.
>
> If you start winbindd, this should not affect you -- if the machine is
> enrolled into Active Directory domain. However, the Kerberos error below
> makes me think you have some problems on AD side as well.
no winbind, I hope to completely rely on sssd.
I should mention that I'm fiddling with my sssd so it
engages two providers, AD and IPA - and it seems to work,
like I tried to describe, only that samba smbclient to
itself is not working.
thanks!
>
>>
>> and with smbclient -k
>>
>> gss_init_sec_context failed with [Unspecified GSS
>> failure. Minor code may provide more information: Server
>> cifs/swir.private.dom at PRIVATE.DOM not found in Kerberos
>> database]
> The statement above says your KDC for PRIVATE.DOM does not know anything
> about cifs/swir.private.dom principal. Fix that problem and Kerberos
> authentication will be working.
>
>>
>> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed:
>> NT_STATUS_INTERNAL_ERROR
>> Failed to setup SPNEGO negTokenInit request:
>> NT_STATUS_INTERNAL_ERROR
>> session setup failed: NT_STATUS_INTERNAL_ERROR
>>
>> here is a snippet from smb.conf which I thought has
>> relevance, I set it up following samba sssd wiki.
>>
>> security = ads
>> realm = CCNR.DOM
>> workgroup = CCNR
>>
>> kerberos method = secrets and keytab
>> dedicated keytab file = /etc/krb5.swir.ccnr.keytab
>> client signing = auto
>> client use spnego = yes
>> encrypt passwords = yes
>> password server = ccnr-winsrv1.ccnr.dom
>> netbios name = SWIR
>>
>> template shell = /bin/bash
>> template homedir = /home/%D/%U
>>
>> preferred master = no
>> dns proxy = no
>> wins server = ccnr-winsrv1.ccnr.dom
>> wins proxy = no
>>
>> inherit acls = Yes
>> map acl inherit = Yes
>> acl group control = yes
>>
>>
>> and in samba log:
>>
>> domain_client_validate: Domain password server not
>> available.
>>
>> I've tried samba user list, dead silence.
>>
>> many thanks,
>>
>> L.
>
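An added example, not part of the thread and not Samba's own tooling: a local sanity check for the smb.conf quoted above. It flags a `dedicated keytab file` that Samba will not read (smb.conf(5) ties that parameter to `kerberos method = dedicated keytab`) and a keytab that has no `cifs/` entry for the server. The `klist -k` sample is constructed and the FQDN is assumed to be `<netbios name>.<realm>`; the KDC-side lookup failure discussed in the thread is a separate fix on the AD side.

```python
import re

# smb.conf values quoted in the thread; the [global] header is added here.
SMB_CONF = """\
[global]
realm = CCNR.DOM
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.swir.ccnr.keytab
netbios name = SWIR
"""

# Constructed sample of `klist -k` output (not from the thread).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 host/swir.ccnr.dom@CCNR.DOM
   2 SWIR$@CCNR.DOM
"""

def parse_global(text):
    """Return [global] parameters as a dict; keys lower-cased, spaces collapsed."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def keytab_principals(klist_text):
    """Principal names from `klist -k` lines of the form '<kvno> <principal>'."""
    return {m.group(1).lower()
            for m in re.finditer(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_text, re.M)}

def check(conf_text, klist_text):
    """Return a list of findings; an empty list means both checks passed."""
    p, findings = parse_global(conf_text), []
    realm = p.get("realm", "").upper()
    # Assumption: the server's FQDN is <netbios name>.<realm>, as in the thread.
    spn = f"cifs/{p.get('netbios name', '').lower()}.{realm.lower()}@{realm}"
    method = p.get("kerberos method", "").lower()
    if "dedicated keytab file" in p and method != "dedicated keytab":
        findings.append(f"dedicated keytab file is ignored with kerberos method = {method}")
    if spn.lower() not in keytab_principals(klist_text):
        findings.append(f"no keytab entry for {spn}")
    return findings
```

Feed it the real `klist -k <keytab>` output for the keytab Samba actually uses; an empty list from `check()` means both local checks passed.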