Discussion:
[Samba] AD authentication on samba server using sssd
shridhar shetty
2016-06-15 17:24:13 UTC
I am trying to run samba with sssd service and AD authentication.
I have joined the linux server to the AD domain using realmd and using sssd
to authenticate to the AD. I am able to get user list from AD using "getent
passwd <username>".
The samba server starts but I am unable to get the authentication working.

I referred to the samba docs for centos7 and also installed sssd-libwbclient.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html

Any pointers would be appreciated. Thanks :)


OS: Centos: 7.2.1511 (Core)
Samba version: 4.2.10
sssd version: 1.13.0


Below are the files
sssd.conf
------------------
[sssd]
services = nss, pam, pac
config_file_version = 2
domains = xx.xxx.com

[nss]
allowed_shells = /bin/bash, /bin/hgcsh
shell_fallback = /bin/bash
default_shell = /bin/bash

[domain/corp.endurance.com]
ad_domain = xx.xxx.com
krb5_realm = XX.XXX.COM
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
krb5_store_password_if_offline = True
override_homedir = /home/%u




smb.conf
------------------

[global]
security = ads
workgroup = XXX
realm = XXX.XXX.COM
kerberos method = system keytab

log file = /var/log/samba/log.%m
log level = 10
max log size = 50
load printers = no
cups options = raw
printcap name = /dev/null

[myshare]
comment = My shared folder
path = /var/myshare
public = no
writable = yes
guest ok = no
valid users = @"***@xx.xx.com"


"realmd list" output
--------------------
xx.xxx.com
type: kerberos
realm-name: XXX.XXX.COM
domain-name: xx.xx.com
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: oddjob-mkhomedir
required-package: oddjob
required-package: samba-winbind-clients
required-package: samba-winbind
required-package: samba-common
login-formats: XXX\%U
login-policy: allow-any-login
xx.xxx.com
type: kerberos
realm-name: XXX.XXX.COM
domain-name: xx.xx.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U
login-policy: allow-realm-logins
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
shridhar shetty
2016-06-16 05:00:43 UTC
Well thanks.
Will post it on the sssd list.
Post by shridhar shetty
I am trying to run samba with sssd service and AD authentication.
I have joined the linux server to the AD domain using realmd and using sssd
to authenticate to the AD. I am able to get user list from AD using "getent
passwd <username>".
The samba server starts but I am unable to get the authentication working.
I referred to the samba docs for centos7 and also installed sssd-libwbclient.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html
Any pointers would be appreciated. Thanks :)
Yes, try asking on the sssd mailing list, they should be able to give you
better help than here, sssd has nothing to do with Samba.
If you want to use winbind instead, then this is the place to ask.
Rowland
shridhar shetty
2016-06-16 16:15:10 UTC
I got samba to work with sssd finally. :)
Wanted to share so that it could help someone with debugging.

I was trying to access the fileserver using the IP address, which was failing.
It worked when using the hostname to connect to the fileserver.

Short explanation
* When accessing the samba fileserver using the hostname, Kerberos authentication
kicks in, which works fine as expected.
* But when accessing the samba fileserver using the IP address, Kerberos
authentication fails and falls back to NTLM. (NTLM is not supported in SSSD
yet)

Thanks


Data Control Systems - Mike Elkevizth
2016-06-16 18:35:52 UTC
Have you checked to see if the server has a reverse zone entry in the AD
DNS? I think kerberos relies on it and I'm not sure Samba creates one
automatically. My experience has been that I have to create the reverse
zones manually.

Mike E.
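The two findings in this thread (an IP-literal target falls back to NTLM, and the reverse DNS record Mike suggests checking) can be tested before connecting. The script below is an added example, not code from any poster or from the Samba or SSSD projects; the function names, the `example.test` hostnames and the `192.0.2.x` addresses are constructed, and it assumes you pass the server's FQDN and that SMB service tickets use the `cifs/` service class.

```shell
#!/bin/sh
# Added example, not from the thread. Hosts/IPs below are constructed
# (192.0.2.0/24 documentation range, example.test names).

# Resolvers wrap getent so they can be replaced with stubs for offline use.
resolve_fwd() { getent hosts "$1" | awk 'NR==1 {print $1}'; }
resolve_rev() { getent hosts "$1" | awk 'NR==1 {print $2}'; }

# Succeeds when the target is an IPv4/IPv6 literal rather than a hostname.
is_ip_literal() {
    case $1 in
        *:*)            return 0 ;;  # IPv6 literal
        ""|*[!0-9.]*)   return 1 ;;  # empty, or has non digit/dot chars: a name
        *.*.*.*.*)      return 1 ;;  # too many dots for a dotted quad
        *.*.*.*)        return 0 ;;  # dotted quad
        *)              return 1 ;;
    esac
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Prints one verdict line. Return codes: 0 Kerberos-capable, 1 IP literal,
# 2 no forward record, 3 reverse record missing or mismatched.
check_target() {
    _t=$(lower "$1")
    if is_ip_literal "$_t"; then
        echo "NTLM-FALLBACK: $_t is an IP literal, no cifs/ SPN to request"
        return 1
    fi
    _ip=$(resolve_fwd "$_t")
    if [ -z "$_ip" ]; then
        echo "NO-FORWARD-DNS: $_t"
        return 2
    fi
    _ptr=$(resolve_rev "$_ip")
    _ptr=$(lower "${_ptr%.}")        # ignore case and a trailing dot
    if [ "$_ptr" != "$_t" ]; then
        echo "REVERSE-MISMATCH: $_t -> $_ip -> ${_ptr:-no PTR}"
        return 3
    fi
    echo "KERBEROS-OK: SPN cifs/$_t"
    return 0
}

# Demo on a constructed IP literal; needs no DNS.
check_target 192.0.2.10 || true
```

Because `getent hosts` follows `nsswitch.conf`, an `/etc/hosts` entry on the checking machine can mask what AD DNS actually returns.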