[Samba] Samba not working with sssd on CentOS 6.5
Andrei Vida-Raţiu
2014-09-24 21:10:04 UTC
Hello everyone.
I joined this list because I cannot find an answer to my problem. The
setup is this:
I installed CentOS release 6.5 (Final) minimal version
Updated all packages
Added the server to the Active Directory domain as a member server
using the method described here (using adcli, kerberos and sssd):
http://jhrozek.livejournal.com/3581.html

It worked, I tested by trying to connect through ssh with domain user
credentials and by doing "su domain_user" from root ssh console. Both
worked.

After that, I installed Samba (Version 3.6.9-169.el6_5). Created a
minimal config file like this:

[global]
workgroup = mydomain
server string = Samba Server Version %v
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = mydomain.ro

# No printers needed
load printers = no
cups options = raw
printcap name = /dev/null

# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
log level = 10

# ############ THE SHARES ############ #

[homes]
comment = Home Directories
browseable = no
writable = yes

It doesn't work. I get this error in /var/log/messages:

Sep 24 23:40:54 fs01 smbd[1406]: connect_to_domain_password_server:
unable to open the domain client session to machine DC.MYDOMAIN.RO.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.406665, 0]
rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
Sep 24 23:40:54 fs01 smbd[1406]: get_schannel_session_key: could not
fetch trust account password for domain 'MYDOMAIN'
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408207, 0]
rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
Sep 24 23:40:54 fs01 smbd[1406]: cli_rpc_pipe_open_schannel: failed
to get schannel session key from server DC.MYDOMAIN.RO for domain
MYDOMAIN.
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408499, 0]
auth/auth_domain.c:193(connect_to_domain_password_server)

However, if I add this:

kerberos method = secrets and keytab

to the smb.conf file it works. But it creates another strange problem.
It works only when I connect using \\server. If I try that by IP, like
\\192.168.1.5 the error above appears again in /var/log/messages.

I really need the "access by IP" option. Are there any solutions?

Also, it seems that, in this configuration, samba doesn't use sssd? I
increased the debug level in sssd but the logs are empty!

_______

AndreiV
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2014-09-24 21:30:02 UTC
Post by Andrei Vida-Raţiu
Hello everyone.
I joined this list because I cannot find an answer to my problem. The
I installed CentOS release 6.5 (Final) minimal version
Updated all packages
Added the server to the Active Directory domain as a member server
http://jhrozek.livejournal.com/3581.html
It worked, I tested by trying to connect through ssh with domain user
credentials and by doing "su domain_user" from root ssh console. Both
worked.
After that, I installed Samba (Version 3.6.9-169.el6_5). Created a
[global]
workgroup = mydomain
server string = Samba Server Version %v
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = mydomain.ro
# No printers needed
load printers = no
cups options = raw
printcap name = /dev/null
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
log level = 10
# ############ THE SHARES ############ #
[homes]
comment = Home Directories
browseable = no
writable = yes
unable to open the domain client session to machine DC.MYDOMAIN.RO.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.406665, 0]
rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
Sep 24 23:40:54 fs01 smbd[1406]: get_schannel_session_key: could not
fetch trust account password for domain 'MYDOMAIN'
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408207, 0]
rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
Sep 24 23:40:54 fs01 smbd[1406]: cli_rpc_pipe_open_schannel: failed
to get schannel session key from server DC.MYDOMAIN.RO for domain
MYDOMAIN.
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408499, 0]
auth/auth_domain.c:193(connect_to_domain_password_server)
kerberos method = secrets and keytab
to the smb.conf file it works. But it creates another strange problem.
It works only when I connect using \\server. If I try that by IP, like
\\192.168.1.5 the error above appears again in /var/log/messages.
I really need the "access by IP" option. Are there any solutions?
Also, it seems that, in this configuration, samba doesn't use sssd? I
increased the debug level in sssd but the logs are empty!
_______
AndreiV
Hi, I think you will find this is because you are trying to set
everything (except samba) to connect to AD and then want to use samba, why?
I am fairly sure if you join the samba machine to AD everything will
work ok, or to put it another way, you do not need adcli if you use
samba. If you setup centos and samba correctly, sssd will then work as
expected.

Rowland
Karel Lang AFD
2014-09-24 22:40:01 UTC
Hi,
I suggest that the subject 'Samba not working with sssd on CentOS 6.5'
is not quite correct.
You need to understand, that SSSD is responsible for posix level
authentication which has nothing to do with Samba.

From what you write, it is apparent that posix level authentication
works all right, meaning, that your /etc/sssd/sssd.conf is setup right,
because you can log onto your linux box with domain users via eg. ssh etc.

What is not working is your Samba connection to the existing domain - so
the smb.conf has to be tuned up properly.

Your 'passdb backend' can not be tdbsam (it is just a local samba file
where samba stores info about users locally, in the 'passdb.tdb' file) and
thus Samba can not be aware of any domain users.

You need to specify in your 'passdb backend' option in smb.conf your PDC
backend (usually an ldap service etc.) ..

eg. like:
passdb backend = ldapsam:ldaps://ipaddress (in case of an ldap server
backend)..

cheers,

Karel
Rowland Penny
2014-09-25 07:00:01 UTC
Post by Karel Lang AFD
Hi,
I suggest that the subject 'Samba not working with sssd on CentOS 6.5'
is not quite correct.
You need to understand, that SSSD is responsible for posix level
authentication which has nothing to do with Samba.
From what you write, it is apparent that posix level authentication
works all right, meaning, that your /etc/sssd/sssd.conf is setup
right, because you can log onto your linux box with domain users via
eg. ssh etc.
What is not working is your Samba connection to the existing domain -
so the smb.conf has to be tuned up properly.
Your 'passdb backend' can not be tdbsam (it is just a local samba file
where samba stores info about users locally, in the 'passdb.tdb' file) and
thus Samba can not be aware of any domain users.
You need to specify in your 'passdb backend' option in smb.conf your
PDC backend (usually an ldap service etc.) ..
passdb backend = ldapsam:ldaps://ipaddress (in case of an ldap server
backend)..
Oh dear, somebody else who has never read the smb.conf manpage ;-)

If you set 'security = ADS', you do not need to set the 'passdb backend';
it will use the default, which is:

passdb backend = tdbsam

Rowland
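The smb.conf points this exchange settles (security = ads is what matters, passdb backend can stay at its tdbsam default, an adcli-created keytab is only consulted when 'kerberos method' names a keytab, and 'log level = 10' is a debug setting rather than a production one) can be checked mechanically. The following is an added example, not code from the thread or from the Samba project: the two configurations inside it are constructed from the one posted at the top of the thread, the option names and values it tests are real smb.conf parameters, and the severity labels and wording are my own.

```python
"""Lint a minimal smb.conf for an AD member server (added example, not Samba code).

Encodes what the thread settles: 'security = ads' is required, 'passdb backend'
can be left at its default (tdbsam), a keytab written by adcli is only read when
'kerberos method' names a keytab, and 'log level = 10' is a debugging setting
(very large logs that record request details), not a production one.
"""
import configparser

# Constructed sample: the smb.conf posted at the start of the thread, trimmed.
POSTED_SMB_CONF = """
[global]
workgroup = mydomain
server string = Samba Server Version %v
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = mydomain.ro
# logs split per machine
log file = /var/log/samba/log.%m
max log size = 50
log level = 10

[homes]
comment = Home Directories
browseable = no
writable = yes
"""

# Constructed sample: the same file with the thread's findings applied.
REVISED_SMB_CONF = """
[global]
workgroup = mydomain
security = ads
realm = mydomain.ro
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
max log size = 50
log level = 1

[homes]
comment = Home Directories
browseable = no
writable = yes
"""

# 'kerberos method' values that make smbd consult a keytab (default reads secrets.tdb only).
KEYTAB_METHODS = ("system keytab", "dedicated keytab", "secrets and keytab")


def parse_smb_conf(text):
    """Return {section: {option: value}}, normalising option names the way smbd does
    (case-insensitive, internal whitespace collapsed). smb.conf is INI-like enough
    for configparser; interpolation is off so %v / %m substitutions are left alone."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.optionxform = lambda name: " ".join(name.lower().split())
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def lint_member_server(conf):
    """Return a list of (severity, option, message) for the [global] section."""
    g = conf.get("global", {})
    findings = []

    security = g.get("security", "user").strip().lower()
    if security != "ads":
        findings.append(("error", "security",
                         "security = %s; an AD member server needs security = ads" % security))

    if "passdb backend" in g:
        findings.append(("info", "passdb backend",
                         "set explicitly; with security = ads the default (tdbsam) is sufficient"))

    method = g.get("kerberos method", "default").strip().lower()
    if method not in KEYTAB_METHODS:
        findings.append(("warn", "kerberos method",
                         "kerberos method = %s reads only secrets.tdb; a keytab created by "
                         "adcli is used only with e.g. 'secrets and keytab'" % method))

    # 'log level' may be '10' or '1 auth:10'; the first token is the global level.
    try:
        level = int(g.get("log level", "0").split()[0])
    except (ValueError, IndexError):
        level = 0
    if level >= 10:
        findings.append(("warn", "log level",
                         "log level = %d is a debug setting; it records request details and "
                         "grows logs quickly, keep it low in production" % level))
    return findings


def lint_text(text):
    """Convenience wrapper: lint smb.conf text and return the options flagged, sorted."""
    return sorted(option for _severity, option, _msg in lint_member_server(parse_smb_conf(text)))


if __name__ == "__main__":
    for label, text in (("posted", POSTED_SMB_CONF), ("revised", REVISED_SMB_CONF)):
        print(label)
        for severity, option, message in lint_member_server(parse_smb_conf(text)):
            print("  [%s] %s: %s" % (severity, option, message))
```

This is a pre-check for the specific points raised here, not a replacement for Samba's own `testparm`, which validates the whole file against the real parser; run the two together.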
Karel Lang AFD
2014-09-25 08:00:04 UTC
Hi all,
Rowland, thank you for correcting me, and Andrei, sorry for the inexact
explanation / information.
I have no experience of my own with joining linux to windows AD
(I never had the pleasure to manage a windows server environment) :].
So that option SECURITY = ADS wasn't familiar to me.

Nevertheless, still it is about samba and not sssd configuration - or?
Rowland - is there a way for Samba to benefit from the SSSD daemon authentication
process? I don't know of an option in samba to 'tell' it so. (but again
I'm the samba apprentice here) :]

I think, Andrei - try to google for:
' Red Hat Enterprise Linux 7 Windows Integration Guide'
it's pdf, not even long to read and i think it has the answers :]

nice day folks

Karel
Rowland Penny
2014-09-25 08:20:02 UTC
Post by Karel Lang AFD
Hi all,
Rowland, thank you for correcting me, and Andrei, sorry for the inexact
explanation / information.
I have no experience of my own with joining linux to windows
AD (I never had the pleasure to manage a windows server environment) :].
I have never managed a windows server either, though whether it's a
pleasure is debatable ;-)
Post by Karel Lang AFD
So that option SECURITY = ADS wasn't familiar to me.
Nevertheless, still it is about samba and not sssd configuration - or?
Rowland - is there a way for Samba to benefit from the SSSD daemon
authentication process? I don't know of an option in samba to 'tell' it
so. (but again I'm the samba apprentice here) :]
What you have to understand is that samba and sssd are complementary;
you can use one without the other. If you use samba & sssd on a client,
you do not need the winbind lines in smb.conf, but the samba devs say
that you should use winbind.

The latest version of sssd can now use its own version of winbind, so
you only need to run the smbd & nmbd daemons along with a correctly
setup sssd. If you do not want to use sssd when you connect to AD, you
need to run the winbind daemon and setup smb.conf to use it.

Rowland
AndreiV
2014-09-25 08:40:01 UTC
I am sorry for the inaccurate information or questions. I am trying to learn
more about Samba and I am doing that while setting up some servers.

It is true that I should have read the manual first, but I am a little bit under
pressure. :D
But with the comments I got from everyone I think I finally started to
understand how things work.

I was just digging through the samba wiki page and doing some tests when I
saw the e-mail from Rowland explaining exactly what I just understood. Here
is how I see things now, please correct me if I am wrong.

There is no direct connection between sssd and samba. As Rowland said, they
are different things. But why then setting up sssd makes Samba work
(perfectly on CentOS 7 and mostly on CentOS 6.5)?
The sssd setup process involves first joining the server to an AD domain
(using adcli), which in turn creates the keytab.
The next step is configuring the kerberos client to use the same AD
(/etc/krb5.conf)
The next config step is achieved with this command: authconfig --enablesssd
--enablesssdauth --update that sets nsswitch and pam.
And the last step is to configure the sssd service (/etc/sssd/sssd.conf).

The connection with samba is getting the keytab and setting up the kerberos
client. Samba, when set to security = ads seems to use the kerberos client
on the system to authenticate clients. This happens on both CentOS 6.5 and
7. Without any winbind! I don't know why, but this works.

With one problem though on CentOS 6.5. My original issue: the server can be
accessed only through \\sambaserver and not through \\sambaserver_IP. On
CentOS 7 both access methods work.

Does anyone have any idea why?



--
View this message in context: http://samba.2283325.n4.nabble.com/Samba-not-working-with-sssd-on-CentOS-6-5-tp4673186p4673209.html
Sent from the Samba - General mailing list archive at Nabble.com.
Rowland Penny
2014-09-25 10:10:02 UTC
Post by AndreiV
I am sorry for the inaccurate information or questions. I am trying to learn
more about Samba and I am doing that while setting up some servers.
It is true that I should have read the manual first, but I am a little bit under
pressure. :D
But with the comments I got from everyone I think I finally started to
understand how things work.
I was just digging through the samba wiki page and doing some tests when I
saw the e-mail from Rowland explaining exactly what I just understood. Here
is how I see things now, please correct me if I am wrong.
There is no direct connection between sssd and samba. As Rowland said, they
are different things. But why then setting up sssd makes Samba work
(perfectly on CentOS 7 and mostly on CentOS 6.5)?
sssd is used for authentication and until recently this was all it could
do for AD, winbind on the other hand does authentication and a lot more.
So if you do not run the winbind daemon, samba can get the
authentication from sssd.
Post by AndreiV
The sssd setup process involves first joining the server to an AD domain
(using adcli), which in turn creates the keytab.
The next step is configuring the kerberos client to use the same AD
(/etc/krb5.conf)
The next config step is achieved with this command: authconfig --enablesssd
--enablesssdauth --update that sets nsswitch and pam.
And the last step is to configure the sssd service (/etc/sssd/sssd.conf).
There must be some difference between how samba does the join and how
adcli does it.
Post by AndreiV
The connection with samba is getting the keytab and setting up the kerberos
client. Samba, when set to security = ads seems to use the kerberos client
on the system to authenticate clients. This happens on both CentOS 6.5 and
7. Without any winbind! I don't know why, but this works.
Yes it works because instead of getting authentication from winbind, it
gets it from sssd.
Post by AndreiV
With one problem though on CentOS 6.5. My original issue: the server can be
accessed only through \\sambaserver and not through \\sambaserver_IP. On
CentOS 7 both access methods work.
This is most probably a dns problem, try comparing the network files
between the two versions, though the problem is usually the opposite way
round.

Rowland
AndreiV
2014-09-25 10:40:02 UTC
Post by Rowland Penny
This is most probably a dns problem, try comparing the network files
between the two versions, though the problem is usually the opposite way
round.
I thought so too but the network config is identical on both servers (except
for the IP, of course). I did some samba debugging and I found something
interesting. On the CentOS 6.5 server:

Accessing with \\sambaserver works, the kerberos keytab is used to
authenticate the user.

When accessing with \\sambaserver_IP, samba never uses kerberos for
authentication, it tries to contact the domain server directly through LDAP
and it fails, because it has no way of accessing it.

On CentOS 7 however, when accessing by ip, it seems to use NTLM
authentication by default and that works. So it looks like that samba
version is the problem. Samba 4 handles access by IP differently by default.



--
View this message in context: http://samba.2283325.n4.nabble.com/Samba-not-working-with-sssd-on-CentOS-6-5-tp4673186p4673214.html
AndreiV
2014-09-25 10:50:01 UTC
Correction:
On CentOS 7, Samba also tries to contact the server directly, when accessed
by \\IP, but it doesn't go for LDAP as samba on CentOS 6.5 does, it uses
NTLM. Here is the relevant log section:

Connecting to 192.168.1.2 at port 445
[2014/09/25 13:04:26.021723, 3]
../source3/auth/auth.c:237(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [domuser] succeeded
[2014/09/25 13:04:26.021902, 2]
../source3/auth/auth.c:290(auth_check_ntlm_password)
check_ntlm_password: authentication for user [domuser] -> [domuser] ->
[domuser] succeeded
[2014/09/25 13:04:26.021984, 3]
../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)

192.168.1.2 - is the AD Domain controller




--
View this message in context: http://samba.2283325.n4.nabble.com/Samba-not-working-with-sssd-on-CentOS-6-5-tp4673186p4673215.html
AndreiV
2014-09-25 11:10:03 UTC
I checked the logs on both servers more carefully. Both try several protocols
to authenticate the user when connecting through \\IP.
The only difference is that samba on CentOS 6.5 fails all attempts, while
samba on CentOS 7 succeeds with this:

check_ntlm_password: winbind authentication for user [domuser] succeeded

This line does not appear in the samba on CentOS 6.5 log. It also tries the
check_ntlm_password but without success:

Connecting to 192.168.1.2 at port 445
[2014/09/25 13:23:32.008519, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[LOCALDOMAIN]\[domuser]@[WS] with the new password interface
[2014/09/25 13:23:32.008640, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: mapped user is: [LOCALDOMAIN]\[domuser]@[WS]

and from here it tries with another protocol...

And no, winbind doesn't run on either of the 2 servers.



--
View this message in context: http://samba.2283325.n4.nabble.com/Samba-not-working-with-sssd-on-CentOS-6-5-tp4673186p4673217.html
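The two log shapes compared above (syslog-prefixed /var/log/messages lines from the CentOS 6.5 server, raw level-3 smbd lines from the CentOS 7 server) can be triaged automatically, which is useful when the same symptom recurs on a fleet. The following is an added example, not code from the thread or from the Samba project: the sample lines are constructed from the excerpts posted in this thread, the regular expressions match only message text visible in those excerpts, and the verdict strings are my own summary of what the thread concluded.

```python
"""Triage smbd log lines for the AD-member failure discussed in the thread.

Added example, not code from the thread or the Samba project. Sample lines are
constructed from the posted excerpts: CentOS 6.5 failing to read the trust
account password, CentOS 7 succeeding through winbind.
"""
import re

# Constructed from the /var/log/messages excerpt in the first post (CentOS 6.5).
CENTOS65_LINES = [
    "Sep 24 23:40:54 fs01 smbd[1406]: connect_to_domain_password_server: unable to open "
    "the domain client session to machine DC.MYDOMAIN.RO. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.",
    "Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.406665, 0] "
    "rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)",
    "Sep 24 23:40:54 fs01 smbd[1406]: get_schannel_session_key: could not fetch trust "
    "account password for domain 'MYDOMAIN'",
    "Sep 24 23:40:54 fs01 smbd[1406]: cli_rpc_pipe_open_schannel: failed to get schannel "
    "session key from server DC.MYDOMAIN.RO for domain MYDOMAIN.",
]

# Constructed from the level-3 excerpt posted for CentOS 7 (winbind path succeeds).
CENTOS7_LINES = [
    "Connecting to 192.168.1.2 at port 445",
    "[2014/09/25 13:04:26.021723, 3] ../source3/auth/auth.c:237(auth_check_ntlm_password)",
    "check_ntlm_password: winbind authentication for user [domuser] succeeded",
    "[2014/09/25 13:04:26.021902, 2] ../source3/auth/auth.c:290(auth_check_ntlm_password)",
    "check_ntlm_password: authentication for user [domuser] -> [domuser] -> [domuser] succeeded",
]

SYSLOG_PREFIX_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+smbd\[\d+\]:\s*")
NT_STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z0-9_]+)")
TRUST_RE = re.compile(r"could not fetch trust account password for domain '([^']+)'")
WINBIND_OK_RE = re.compile(r"winbind authentication for user \[([^\]]+)\] succeeded")
CONNECT_RE = re.compile(r"Connecting to (\S+) at port (\d+)")
DC_RE = re.compile(r"schannel session key from server (\S+?) for domain")


def triage(lines):
    """Classify a run of smbd log lines.

    Returns the NT status codes seen, the domain whose trust account password could
    not be read (if any), the users winbind authenticated, the servers contacted,
    and a one-line verdict."""
    result = {"statuses": [], "trust_domain": None, "winbind_users": [],
              "contacted": [], "verdict": ""}
    for line in lines:
        body = SYSLOG_PREFIX_RE.sub("", line)  # drop "Mon DD HH:MM:SS host smbd[pid]: "
        for status in NT_STATUS_RE.findall(body):
            if status not in result["statuses"]:
                result["statuses"].append(status)
        m = TRUST_RE.search(body)
        if m:
            result["trust_domain"] = m.group(1)
        for user in WINBIND_OK_RE.findall(body):
            if user not in result["winbind_users"]:
                result["winbind_users"].append(user)
        for host, port in CONNECT_RE.findall(body):
            result["contacted"].append("%s:%s" % (host, port))
        m = DC_RE.search(body)
        if m:
            result["contacted"].append(m.group(1))

    if result["winbind_users"]:
        result["verdict"] = "ok: winbind authenticated %s" % ", ".join(result["winbind_users"])
    elif result["trust_domain"]:
        # The thread's resolution: the machine password smbd wants lives in secrets.tdb,
        # which 'net ads join' writes; winbindd then serves the NTLM (IP-based) path.
        result["verdict"] = ("no machine account password for %s in secrets.tdb: join with "
                             "'net ads join' and start winbindd" % result["trust_domain"])
    elif "NT_STATUS_CANT_ACCESS_DOMAIN_INFO" in result["statuses"]:
        result["verdict"] = "could not reach domain info on the DC; check DNS and the domain join"
    else:
        result["verdict"] = "no NTLM-via-winbind result seen; check that winbindd is running"
    return result


if __name__ == "__main__":
    for label, lines in (("CentOS 6.5", CENTOS65_LINES), ("CentOS 7", CENTOS7_LINES)):
        r = triage(lines)
        print("%s: %s (statuses=%s, contacted=%s)" % (label, r["verdict"],
                                                      r["statuses"], r["contacted"]))
```

Feed it `sudo grep smbd /var/log/messages` or the per-client `/var/log/samba/log.<machine>` file; the syslog prefix is stripped when present and ignored otherwise, so both sources work unchanged.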
AndreiV
2014-09-25 13:10:01 UTC
As an interesting observation, even though there is no explicit samba-winbind
package installed on the CentOS 7 samba server, it seems to use winbind to
authenticate and, more interestingly, it uses the domain join info from adcli.
On the CentOS 6.5 server I had to "re-join" the server to the AD with the
command above. But it did not affect in any way the adcli join process that
I used earlier.



--
View this message in context: http://samba.2283325.n4.nabble.com/Samba-not-working-with-sssd-on-CentOS-6-5-tp4673186p4673219.html
AndreiV
2014-09-25 13:10:01 UTC
I found a solution to my problem. Without changing anything in the config
files, I did this:
net ads join
chkconfig winbind on
service winbind start

and that's it. Now I can access the CentOS 6.5 Samba server through \\IP.

Thanks everyone for your help.



--
View this message in context: http://samba.2283325.n4.nabble.com/Samba-not-working-with-sssd-on-CentOS-6-5-tp4673186p4673218.html
Karel Lang AFD
2014-09-25 13:50:01 UTC
Most interesting discussion!

Not long ago I've been moving our users (about 400) from an openLDAP server
to 389 Directory Server and replaced the openLDAP clients on our Linux
servers and workstations with SSSD.
I didn't think/know about the possibility of authentication of Samba through
SSSD.
Our samba PDC runs on CentOS 6.5 and there is no winbind, so ..
anyway
thank you
Post by Rowland Penny
Post by AndreiV
I am sorry for the inaccurate information or questions. I am trying to learn
more about Samba and I am doing that while setting up some servers.
It is true that I should have red the manual first, but I a little bit under
pressure. :D
But with the comments I got from everyone I think I finally started to
understand how things work.
I was just digging through the samba wiki page and doing some tests when I
saw the e-mail from Rowland explaining exactly what I just understood. Here
is how I see things now, please correct me if I am wrong.
There is no direct connection between sssd and samba. As Rowland said, they
are different things. But why then setting up sssd makes Samba work
(perfectly on CentOS 7 and mostly on CentOS 6.5)?
sssd is used for authentication and until recently this was all it could
do for AD, winbind on the other hand does authentication and a lot more.
So if you do not run the winbind daemon, samba can get the
authentication from sssd.
Post by AndreiV
The sssd setup process involves first joining the server to an AD domain
(using adcli), which in turn creates the keytab.
The next step is configuring the kerberos client to use the same AD
(/etc/krb5.conf)
The next config step is achieved with this command: authconfig --enablesssd
--enablesssdauth --update that sets nsswitch and pam.
And the last step is to configure the sssd service (/etc/sssd/sssd.conf).
there must be some difference between how samba does the join and how
adcli does it.
Post by AndreiV
The connection with samba is getting the keytab and setting up the kerberos
client. Samba, when set to security = ads seems to use the kerberos client
on the system to authenticate clients. This happens on both CentOS 6.5 and
7. Without any winbind! I don't know why, but this works.
Yes it works because instead of getting authentication from winbind, it
gets it from sssd.
Post by AndreiV
With one problem though on CentOS 6.5. My original issue: the server can be
accessed only through \\sambaserver and not through \\sambaserver_IP. On
CentOS 7 both access methods work.
This is most probably a dns problem, try comparing the network files
between the two versions, though the problem is usually the opposite way
round.
Rowland
Post by AndreiV
Does anyone have any idea why?
AndreiV
2014-09-25 14:00:03 UTC
Permalink
"I didn't think/know about possibility of authentication of Samba through
SSSd."

Well, this is still a mystery. It looks like there is a tendency to replace
winbind with sssd but it is still work in progress. It works ok on centos 7
and almost works on centos 6.5.
But I guess on 6.5 won't go any further :D



steve
2014-09-25 20:10:02 UTC
Permalink
Post by Rowland Penny
sssd is used for authentication and until recently this was all it could
do for AD, winbind on the other hand does authentication and a lot more.
So if you do not run the winbind daemon, samba can get the
authentication from sssd.
Hi
FWIW, we have 1.12.1 with no winbind at all on either the DCs or on the
clients. Recommended:)
Steve
AndreiV
2014-09-25 05:10:01 UTC
Permalink
Well, it looks like I misunderstood how authentication in Samba works. I
thought that Samba uses the system level authentication system to
authenticate users.

It must be the fault of my CentOS 7 setup (I also have a CentOS 7 server set
up almost the same way) that works.

I installed a CentOS 7 minimal, joined it to the AD using realmd, installed
Samba, used exactly the same config file that I used for CentOS 6.5 (but
without the "kerberos method = secrets and keytab" setting) and this server
works correctly. I can access it with \\server or \\ip without any issues.

CentOS 6.5 doesn't have realmd in the repositories but I used the tools
"behind" realmd, created the same setup as on the CentOS 7 server, but it
doesn't work.

I think I am going to use the old setup on CentOS 6.5, the one relying on
winbind. Can winbind and sssd coexist?



steve
2014-09-25 06:30:01 UTC
Permalink
Post by AndreiV
Well, it looks like I misunderstood how authentication in Samba works. I
thought that Samba uses the system level authentication system to
authenticate users.
It must be the fault of my CentOS 7 setup (I also have a CentOS 7 server set
up almost the same way) that works.
I installed a CentOS 7 minimal, joined it to the AD using realmd, installed
Samba, used exactly the same config file that I used for CentOS 6.5 (but
without the "kerberos method = secrets and keytab" setting) and this server
works correctly. I can access it with \\server or \\ip without any issues.
CentOS 6.5 doesn't have realmd in the repositories but I used the tools
"behind" realmd, created the same setup as on the CentOS 7 server, but it
doesn't work.
I think I am going to use the old setup on CentOS 6.5, the one relying on
winbind. Can winbind and sssd coexist?
With old versions of sssd it is best to leave winbind running but not
configured. Why not forget realmd, set kerberos method in smb.conf and
use good old net to join the domain? Nothing is modern enough on centos
to have many other options.
HTH
Steve