[Freeipa-users] a bit off topic- samba + sssd => AD

lejeczek peljasz at yahoo.co.uk
Fri Jun 3 15:49:45 UTC 2016



On 03/06/16 15:22, Alexander Bokovoy wrote:
> On Fri, 03 Jun 2016, lejeczek wrote:
>> hi users,
>>
>> I have a samba and sssd trying AD, it's 7.2 Linux.
>>
>> That linux box is via sssd and samba talking to AD DC and 
>> win10 clients get to samba shares, getent pass sees AD 
>> users, samba can get to DC's shares and win10's clients 
>> shares, all good except...
>>
>> smbclient @samba, in other words - to itself - fails
>>
>> session setup failed: NT_STATUS_LOGON_FAILURE
> Do you run winbindd? samba in RHEL 7.2 as of now has a regression that if you don't run winbindd, current code forbids establishing anonymous secure channel connections to AD DCs as part of the Badlock fixes. The regression is fixed upstream and RHEL 7.2 packages are currently being tested by the Red Hat QE team.
>
> If you start winbindd, this should not affect you -- if the machine is enrolled into an Active Directory domain. However, the Kerberos error below makes me think you have some problems on the AD side as well.
no winbind, I hope to completely rely on sssd.
I should mention that I'm fiddling with my sssd so it engages two providers, AD and IPA - and it seems to work, as I tried to describe, only that samba smbclient to itself is not working.
thanks!
>
>>
>> and with smbclient -k
>>
>> gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private.dom at PRIVATE.DOM not found in Kerberos database]
> The statement above says your KDC for PRIVATE.DOM does not know anything about the cifs/swir.private.dom principal. Fix that problem and Kerberos authentication will be working.
>
>>
>> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: 
>> NT_STATUS_INTERNAL_ERROR
>> Failed to setup SPNEGO negTokenInit request: 
>> NT_STATUS_INTERNAL_ERROR
>> session setup failed: NT_STATUS_INTERNAL_ERROR
>>
>> here is a snippet from smb.conf which I thought was relevant; I set it up following the samba sssd wiki.
>>
>>   security = ads
>>   realm = CCNR.DOM
>>   workgroup = CCNR
>>
>>   kerberos method = secrets and keytab
>>   dedicated keytab file = /etc/krb5.swir.ccnr.keytab
>>   client signing = auto
>>   client use spnego = yes
>>   encrypt passwords = yes
>>   password server = ccnr-winsrv1.ccnr.dom
>>   netbios name = SWIR
>>
>>   template shell = /bin/bash
>>   template homedir = /home/%D/%U
>>
>>   preferred master = no
>>   dns proxy = no
>>   wins server = ccnr-winsrv1.ccnr.dom
>>   wins proxy = no
>>
>>   inherit acls = Yes
>>   map acl inherit = Yes
>>   acl group control = yes
>>
>>
>> and in samba log:
>>
>>   domain_client_validate: Domain password server not available.
>>
>> I've tried samba user list, dead silence.
>>
>> many thanks,
>>
>> L.
>>
>
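The GSS error quoted in this thread ("Server cifs/swir.private.dom ... not found in Kerberos database") is the KDC saying it has no cifs/ service principal for the host. A companion check on the Samba box is whether the keytab named by `dedicated keytab file` holds that cifs/<fqdn>@REALM entry at all; when the SPN was never registered at join time, the keytab usually lacks it too. The script below is an added example, not code from the thread or from Samba: it parses MIT Kerberos `klist -k` output (the sample listing is constructed), and the hostname swir.ccnr.dom, realm CCNR.DOM and keytab path are taken from the quoted smb.conf as assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the keytab smb.conf points
# at ("dedicated keytab file") holds the cifs/<fqdn>@REALM service principal
# that smbclient -k asks the KDC for. Parsing assumes the MIT Kerberos
# `klist -k` output format:
#
#   Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
#   KVNO Principal
#   ---- ---------------------------------------------------------
#      2 host/swir.ccnr.dom@CCNR.DOM
#
# Hostname, realm and keytab path are taken from the post and are assumptions.

# keytab_principals < klist-output
# Print each distinct principal in the listing, one per line. Entry lines are
# recognised by a numeric KVNO in the first column, so header lines are skipped.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# keytab_has_spn SPN < klist-output
# Exit 0 if the exact principal name appears in the listing, 1 otherwise.
# The match is exact, realm and case included: cifs/swir.ccnr.dom@CCNR.DOM and
# cifs/SWIR@CCNR.DOM are different principals with different keys.
keytab_has_spn() {
    want="$1"
    awk -v want="$want" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                         END { if (found) exit 0; exit 1 }'
}

# check_samba_keytab KEYTAB FQDN REALM
# Run klist against a real keytab and report whether cifs/FQDN@REALM is in it.
# Requires the MIT Kerberos client tools (klist) to be installed.
check_samba_keytab() {
    keytab="$1" fqdn="$2" realm="$3"
    spn="cifs/${fqdn}@${realm}"
    if klist -k "$keytab" | keytab_has_spn "$spn"; then
        echo "OK: $spn present in $keytab"
        return 0
    fi
    echo "MISSING: $spn not in $keytab; principals found:" >&2
    klist -k "$keytab" | keytab_principals >&2
    return 1
}

# Constructed sample of `klist -k` output for a host joined with only host/
# keys and the machine account: the typical state when the cifs/ SPN was never
# registered, in which case the AD KDC does not know it either.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/swir.ccnr.dom@CCNR.DOM
   2 host/SWIR@CCNR.DOM
   2 SWIR$@CCNR.DOM'

# Stand-alone usage:
#   sh keytab-check.sh /etc/krb5.swir.ccnr.keytab swir.ccnr.dom CCNR.DOM
if [ "$#" -eq 3 ]; then
    check_samba_keytab "$1" "$2" "$3"
fi
```

The local check only tells you what Samba can decrypt; the error in the thread comes from the KDC, so the authoritative fix is on the AD side: the SPN must exist on the computer object (on a DC, `setspn -L SWIR$` lists the registered SPNs and `setspn -S cifs/swir.ccnr.dom SWIR$` adds one, with the names here being the post's), and the key for it must then be added to the keytab Samba reads.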