[Freeipa-users] a bit off topic- samba + sssd => AD

lejeczek peljasz at yahoo.co.uk
Mon Jun 6 09:53:27 UTC 2016



On 03/06/16 17:00, Alexander Bokovoy wrote:
> On Fri, 03 Jun 2016, lejeczek wrote:
>>
>>
>> On 03/06/16 15:22, Alexander Bokovoy wrote:
>>> On Fri, 03 Jun 2016, lejeczek wrote:
>>>> hi users,
>>>>
>>>> I have a samba and sssd trying AD, it's 7.2 Linux.
>>>>
>>>> That linux box is via sssd and samba talking to AD DC 
>>>> and win10 clients get to samba shares, getent pass sees 
>>>> AD users, samba can get to DC's shares and win10's 
>>>> clients shares, all good except...
>>>>
>>>> smbclient @samba, in other words - to itself - fails
>>>>
>>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>> Do you run winbindd? samba in RHEL 7.2 as of now has a 
>>> regression that
>>> if you don't run winbindd, current code forbids 
>>> establishing anonymous
>>> secure channel connections to AD DCs as part of Badlock 
>>> fixes. The
>>> regression is fixed upstream and RHEL 7.2 packages are 
>>> currently being
>>> tested by Red Hat QE team.
>>>
>>> If you start winbindd, this should not affect you -- if 
>>> the machine is
>>> enrolled into Active Directory domain. However, the 
>>> Kerberos error below
>>> makes me think you have some problems on AD side as
>>> well.
>> no winbind, I hope to completely rely on sssd.
> You cannot -- at least for now. Samba needs translation 
> between SIDs and
> POSIX IDs. This translation cannot be done by SSSD alone 
> right now
> because there is no separate mechanism to supply that 
> translation into
> Samba from the system level.
>
> SSSD can be used to imitate SID translation interface
> of winbindd by
> providing a libwbclient replacement but this would mean a 
> lot of other
> functionality winbindd provides will be missing as SSSD 
> does not
> implement it.
> Finally, you can run winbindd in parallel to SSSD. You 
> just need to
> ensure they both have the same understanding how to map 
> usernames and
> group names to POSIX ID and back. And you don't need to 
> add winbindd to
> /etc/nsswitch.conf or PAM configuration.
>
>> I should mention that I'm fiddling with my sssd so it
>> engages two providers, AD and IPA - and it seems to work,
>> like I tried to describe, only that samba smbclient to
>> itself is not working.
>> thanks!
> SMB services with Kerberos require use of cifs/<hostname> 
> service
> principal. Your keytab only has host/<hostname> keys, and 
> your AD
> machine account for the <hostname> does not have 
> 'cifs/<hostname>' SPN
> defined. The latter is what causes smbclient -k to fail -- 
> AD DC doesn't
> know about 'cifs/<hostname>' and refuses to issue a 
> service ticket even
> before smbclient contacts Samba server.
Alexander, thanks!
yes, cifs needs to be in keytab file, smbclient to itself (on
smb server locally) works now with -k.
I wonder - should it also work with only passwords? It does
not, for me.
Users mapping concept (which I do not grasp completely yet)
- when an AD client (win10) now gets to samba shares okay it
is done with AD user credentials, win client sees share
like: user@my.dom which user is not IPA's user (there are no
trusts, no syncing).
Now, when you say mapping - this would be winbind/smb
translating/mapping AD's SIDs to match IPA's UIDs - which
is/would be different from syncing users from AD => IPA,
correct?
Another thing, not having winbind in nsswitch (or not having
it at all), but still having sssd using AD - should I be
able to access linux+sssd=>AD box with means like ssh? eg.
ssh me@my.dom@swir.private.my.dom (I think I had it working
with winbind in nsswitch)

L.

>
>>>> and with smbclient -k
>>>>
>>>> gss_init_sec_context failed with [Unspecified GSS 
>>>> failure. Minor code may provide more information: 
>>>> Server cifs/swir.private.dom@PRIVATE.DOM not found in
>>>> Kerberos database]
>>> The statement above says your KDC for PRIVATE.DOM does 
>>> not know anything
>>> about cifs/swir.private.dom principal. Fix that problem 
>>> and Kerberos
>>> authentication will be working.
>>>
>>>>
>>>> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: 
>>>> NT_STATUS_INTERNAL_ERROR
>>>> Failed to setup SPNEGO negTokenInit request: 
>>>> NT_STATUS_INTERNAL_ERROR
>>>> session setup failed: NT_STATUS_INTERNAL_ERROR
>>>>
>>>> here is a snippet from smb.conf which I thought has 
>>>> relevance, I set it up following samba sssd wiki.
>>>>
>>>> security = ads
>>>> realm = CCNR.DOM
>>>> workgroup = CCNR
>>>>
>>>> kerberos method = secrets and keytab
>>>> dedicated keytab file = /etc/krb5.swir.ccnr.keytab
>>>> client signing = auto
>>>> client use spnego = yes
>>>> encrypt passwords = yes
>>>> password server = ccnr-winsrv1.ccnr.dom
>>>> netbios name = SWIR
>>>>
>>>> template shell = /bin/bash
>>>> template homedir = /home/%D/%U
>>>>
>>>> preferred master = no
>>>> dns proxy = no
>>>> wins server = ccnr-winsrv1.ccnr.dom
>>>> wins proxy = no
>>>>
>>>> inherit acls = Yes
>>>> map acl inherit = Yes
>>>> acl group control = yes
>>>>
>>>>
>>>> and in samba log:
>>>>
>>>> domain_client_validate: Domain password server not 
>>>> available.
>>>>
>>>> I've tried samba user list, dead silence.
>>>>
>>>> many thanks,
>>>>
>>>> L.
>>>>
>>>
>>
>
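Added example, written for this thread and not taken from the mail or from the Samba/SSSD projects: a small Python check that parses `klist -kt` output together with the posted smb.conf keys and reports which service principals Samba's Kerberos path needs but the keytab lacks (the `cifs/<fqdn>@REALM` key Alexander points to). The keytab listing is constructed, and the box's FQDN is assumed to be swir.ccnr.dom.

```python
import re

# Constructed sample of `klist -kt` output for the keytab path from the thread;
# it carries the host/ and machine-account keys AD enrolment provides, but no cifs/ key.
SAMPLE_KLIST_MISSING_CIFS = """Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------
   2 06/03/2016 10:00:00 SWIR$@CCNR.DOM
   2 06/03/2016 10:00:00 host/swir.ccnr.dom@CCNR.DOM
   2 06/03/2016 10:00:00 host/SWIR@CCNR.DOM
"""

# Same listing after a cifs/ key has been added to the keytab (also constructed).
SAMPLE_KLIST_OK = SAMPLE_KLIST_MISSING_CIFS + "   2 06/03/2016 10:00:00 cifs/swir.ccnr.dom@CCNR.DOM\n"

# The smb.conf keys from the thread that this check relies on.
SAMPLE_SMB_CONF = """security = ads
realm = CCNR.DOM
workgroup = CCNR
dedicated keytab file = /etc/krb5.swir.ccnr.keytab
netbios name = SWIR
"""

def parse_keytab_listing(text):
    """Return the set of principals found in `klist -k` / `klist -kt` output."""
    principals = set()
    for line in text.splitlines():
        parts = line.split()
        # Entry lines start with a numeric KVNO and end with name@REALM.
        if len(parts) >= 2 and parts[0].isdigit() and "@" in parts[-1]:
            principals.add(parts[-1])
    return principals

def parse_smb_conf(text):
    """Minimal key = value parser for the [global] keys; keys are lowercased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf

def missing_smb_principals(klist_text, smb_conf_text, fqdn):
    """Principals Samba needs for `smbclient -k` that the keytab does not contain.

    The realm comes from smb.conf's `realm`; cifs/<fqdn> is the SPN the AD DC must
    know to issue a service ticket, host/<fqdn> is what enrolment normally provides.
    """
    realm = parse_smb_conf(smb_conf_text)["realm"]
    required = {f"cifs/{fqdn}@{realm}", f"host/{fqdn}@{realm}"}
    return sorted(required - parse_keytab_listing(klist_text))

if __name__ == "__main__":
    print(missing_smb_principals(SAMPLE_KLIST_MISSING_CIFS, SAMPLE_SMB_CONF, "swir.ccnr.dom"))
```

On a real box, feed it the output of `klist -kt /etc/krb5.swir.ccnr.keytab` and the live smb.conf; an empty result means the keytab side is complete, while the matching SPN on the AD machine account still has to be checked separately.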