[Freeipa-users] a bit off topic- samba + sssd => AD

Alexander Bokovoy abokovoy at redhat.com
Fri Jun 3 16:00:52 UTC 2016


On Fri, 03 Jun 2016, lejeczek wrote:
>
>
>On 03/06/16 15:22, Alexander Bokovoy wrote:
>>On Fri, 03 Jun 2016, lejeczek wrote:
>>>hi users,
>>>
>>>I have a samba and sssd trying AD, it's 7.2 Linux.
>>>
>>>That linux box is via sssd and samba talking to AD DC and win10 
>>>clients get to samba shares, getent pass sees AD users, samba can 
>>>get to DC's shares and win10's clients shares, all good except...
>>>
>>>smbclient @samba, in other words - to itself - fails
>>>
>>>session setup failed: NT_STATUS_LOGON_FAILURE
>>Do you run winbindd? samba in RHEL 7.2 as of now has a regression that
>>if you don't run winbindd, current code forbids establishing anonymous
>>secure channel connections to AD DCs as part of Badlock fixes. The
>>regression is fixed upstream and RHEL 7.2 packages are currently being
>>tested by Red Hat QE team.
>>
>>If you start winbindd, this should not affect you -- if the machine is
>>enrolled into Active Directory domain. However, the Kerberos error below
>>makes me think you have some problems on AD side as well.
>no winbind, I hope to completely rely on sssd.
You cannot -- at least for now. Samba needs translation between SIDs and
POSIX IDs. This translation cannot be done by SSSD alone right now
because there is no separate mechanism to supply that translation into
Samba from the system level.

SSSD can be used to imitate the SID translation interface of winbindd by
providing a libwbclient replacement, but this would mean a lot of other
functionality winbindd provides will be missing, as SSSD does not
implement it.

Finally, you can run winbindd in parallel to SSSD. You just need to
ensure they both have the same understanding how to map usernames and
group names to POSIX ID and back. And you don't need to add winbindd to
/etc/nsswitch.conf or PAM configuration.

>I should mention that I'm fiddling with my sssd so it engages two
>providers, AD and IPA - and it seems to work, like I tried to
>describe, only that samba smbclient to itself is not working.
>thanks!
SMB services with Kerberos require use of cifs/<hostname> service
principal. Your keytab only has host/<hostname> keys, and your AD
machine account for the <hostname> does not have 'cifs/<hostname>' SPN
defined. The latter is what causes smbclient -k to fail -- AD DC doesn't
know about 'cifs/<hostname>' and refuses to issue a service ticket even
before smbclient contacts Samba server.

>>>and with smbclient -k
>>>
>>>gss_init_sec_context failed with [Unspecified GSS failure. Minor
>>>code may provide more information: Server
>>>cifs/swir.private.dom@PRIVATE.DOM not found in Kerberos database]
>>The statement above says your KDC for PRIVATE.DOM does not know anything
>>about cifs/swir.private.dom principal. Fix that problem and Kerberos
>>authentication will be working.
>>
>>>
>>>SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: 
>>>NT_STATUS_INTERNAL_ERROR
>>>Failed to setup SPNEGO negTokenInit request: 
>>>NT_STATUS_INTERNAL_ERROR
>>>session setup failed: NT_STATUS_INTERNAL_ERROR
>>>
>>>here is a snippet from smb.conf which I thought has relevance, I 
>>>set it up following samba sssd wiki.
>>>
>>>    security = ads
>>>    realm = CCNR.DOM
>>>    workgroup = CCNR
>>>
>>>    kerberos method = secrets and keytab
>>>    dedicated keytab file = /etc/krb5.swir.ccnr.keytab
>>>    client signing = auto
>>>    client use spnego = yes
>>>    encrypt passwords = yes
>>>    password server = ccnr-winsrv1.ccnr.dom
>>>    netbios name = SWIR
>>>
>>>    template shell = /bin/bash
>>>    template homedir = /home/%D/%U
>>>
>>>    preferred master = no
>>>    dns proxy = no
>>>    wins server = ccnr-winsrv1.ccnr.dom
>>>    wins proxy = no
>>>
>>>    inherit acls = Yes
>>>    map acl inherit = Yes
>>>    acl group control = yes
>>>
>>>
>>>and in samba log:
>>>
>>> domain_client_validate: Domain password server not available.
>>>
>>>I've tried samba user list, dead silence.
>>>
>>>many thanks,
>>>
>>>L.

-- 
/ Alexander Bokovoy
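An added check (not code from the thread or from Samba/SSSD) for the keytab point made above: Samba's Kerberos SMB service needs a cifs/<hostname> key alongside the host/<hostname> keys, so this script parses `klist -k` output and reports which of the two SPNs is absent. It assumes the hostname swir.private.dom and realm PRIVATE.DOM from the error output, and embeds a constructed listing that contains only host/ keys so it runs offline.

```shell
#!/bin/sh
# Added example: report Samba-relevant SPNs missing from a keytab listing.
# Input is the text printed by `klist -k <keytab>`; the sample below is
# constructed to mirror the thread's situation (host/ keys only, no cifs/).
# Hostname and realm are assumptions taken from the quoted error message.

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/swir.private.dom@PRIVATE.DOM
   2 host/SWIR@PRIVATE.DOM
   2 SWIR$@PRIVATE.DOM'

# list_spns KLIST_TEXT -> distinct service/instance parts (realm stripped),
# taken from the key lines only (those starting with a numeric KVNO).
list_spns() {
    printf '%s\n' "$1" \
        | awk '$1 ~ /^[0-9]+$/ && NF >= 2 { sub(/@.*/, "", $2); print $2 }' \
        | sort -u
}

# has_spn KLIST_TEXT SERVICE HOSTNAME -> exit 0 if SERVICE/HOSTNAME has a key.
has_spn() {
    list_spns "$1" | grep -qxF "$2/$3"
}

# missing_smb_spns KLIST_TEXT HOSTNAME -> prints each SPN that Samba needs
# for Kerberos SMB authentication but that has no key in the keytab.
missing_smb_spns() {
    for svc in host cifs; do
        has_spn "$1" "$svc" "$2" || printf '%s/%s\n' "$svc" "$2"
    done
}

# Stand-alone run against the constructed sample: prints cifs/swir.private.dom,
# i.e. the SPN the AD machine account and keytab in the thread both lack.
missing_smb_spns "$SAMPLE_KLIST" swir.private.dom
```

To run it against a real keytab, replace the sample with `$(klist -k /path/to/keytab)`; an SPN reported here must also be registered on the AD machine account, or the DC will still refuse to issue the cifs/ ticket as described above.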