[Freeipa-users] a bit off topic- samba + sssd => AD

Alexander Bokovoy abokovoy at redhat.com
Mon Jun 6 11:42:12 UTC 2016


On Mon, 06 Jun 2016, lejeczek wrote:
>>SMB services with Kerberos require use of cifs/<hostname> service
>>principal. Your keytab only has host/<hostname> keys, and your AD
>>machine account for the <hostname> does not have 'cifs/<hostname>' SPN
>>defined. The latter is what causes smbclient -k to fail -- AD DC
>>doesn't know about 'cifs/<hostname>' and refuses to issue a service
>>ticket even before smbclient contacts Samba server.
>Alexander, thanks!
>yes, cifs needs to be in the keytab file; smbclient to itself (on the smb 
>server locally) works now with -k.
>I wonder - should it also work with only passwords? It does not, for 
>me.
>User mapping concept (which I do not grasp completely yet) - when an 
>AD client (win10) now gets to samba shares okay it is done with AD 
>user credentials, win client sees share like: user at my.dom which user 
>is not IPA's user (there are no trusts, no syncing).
I don't know details of what you have configured. For IPA with trusts
both Kerberos and passwords should work when Samba is running on IPA
master. For IPA client, we have procedure defined for SSSD+Samba. For
anything else only Kerberos would work.

>Now, when you say mapping - this would be winbind/smb 
>translating/mapping AD's SIDs to match IPA's UIDs - which is/would be 
>different from syncing users from AD => IPA, correct?
SIDs to UID/GID on the system. You seem to confuse a lot in your emails
-- you are claiming that there is no IPA trust or sync in place yet you
expect somehow things to magically work, I simply don't understand your
situation to comment on it.

>Another thing, not having winbind in nsswitch (or not having it at 
>all), but still having sssd using AD - should I be able to access the
>linux+sssd=>AD box with means like ssh? e.g. ssh
>me at my.dom@swir.private.my.dom (I think I had it working with winbind in
>nsswitch)
SSSD client as IPA client will work with passwords in AD but only if
trust is established between IPA and AD.

-- 
/ Alexander Bokovoy
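The first point in the reply above (the keytab holds only host/<hostname> keys, so a Kerberos SMB client has no cifs/<hostname> service to ask a ticket for) is easy to check before touching Samba. The script below is an added example, not part of the original thread or of Samba/FreeIPA: it parses `klist -k` style output and reports whether the cifs/<fqdn> principal is present. The keytab listings and the hostname swir.private.my.dom / realm MY.DOM are constructed sample data; on a real box you would feed it `klist -k /etc/krb5.keytab` instead.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): check a keytab listing
# for the cifs/<fqdn> principal that Kerberos SMB (smbclient -k) requires.

# Constructed sample: the situation described in the thread. Only host/ keys
# and the machine account, no cifs/ entry. Hostname and realm are assumptions.
SAMPLE_KLIST_NO_CIFS='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/swir.private.my.dom@MY.DOM
   2 host/swir.private.my.dom@MY.DOM
   2 SWIR$@MY.DOM'

# Constructed sample: the same keytab after a cifs/ key has been added.
SAMPLE_KLIST_WITH_CIFS='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/swir.private.my.dom@MY.DOM
   2 cifs/swir.private.my.dom@MY.DOM
   2 SWIR$@MY.DOM'

# has_spn LISTING SERVICE FQDN
# Exit 0 if some keytab entry's principal field starts with "SERVICE/FQDN@",
# 1 otherwise. The principal is the second whitespace-separated field of
# each entry line ("<kvno> <principal>"); header lines never match because
# their second field ("name:", "Principal", "----...") has no "SERVICE/FQDN@".
has_spn() {
    printf '%s\n' "$1" | awk -v want="$2/$3@" '
        index($2, want) == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_cifs_spn LISTING FQDN
# Prints "ok" when cifs/FQDN is keyed, otherwise "missing cifs/FQDN".
check_cifs_spn() {
    if has_spn "$1" cifs "$2"; then
        echo "ok"
    else
        echo "missing cifs/$2"
    fi
}

# Stand-alone run over the two constructed listings.
echo "before: $(check_cifs_spn "$SAMPLE_KLIST_NO_CIFS" swir.private.my.dom)"
echo "after:  $(check_cifs_spn "$SAMPLE_KLIST_WITH_CIFS" swir.private.my.dom)"
```

The keytab is only half of the check: the reply also says the AD machine account must carry the cifs/<hostname> SPN, otherwise the DC refuses the service ticket before Samba is ever contacted. On the AD side `setspn -L <computer>` lists the SPNs on the account; on an AD-joined Samba host `net ads keytab add cifs` registers the SPN and writes the matching key, and on an IPA-enrolled host the equivalent is creating the cifs/<fqdn> service in IPA and fetching its key with ipa-getkeytab. Run the keytab check again after either step.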
