Hi,
Is it possible to have Samba (version 4.8.3) with sssd? I've seen some posts that
suggest that this might be possible, although officially it isn't supported (though
https://access.redhat.com/articles/4355391 suggest that it might be). We've tuned sssd
heavily for our environment and so switching to winbind would be a bit of an unknown, so I
would like to see if I could get sssd working so that we don't need to remove sssd
from nsswitch and pam (is it possible to have both sssd and winbind in pam and nss and not
break things?)
# Global parameters
[global]
kerberos method = system keytab
load printers = No
log file = /var/log/samba/log.%m
ntlm auth = ntlmv1-permitted
realm =
AD.DOMAIN.COM
security = ADS
server string = Samba Server Version %v
template shell = /bin/bash
workgroup = DOMAIN
idmap config domain : schema_mode = rfc2307
idmap config domain : backend = sssd
idmap config domain : range = 2000-100000
idmap config * : range = 200000-999999
idmap config * : backend = tdb
force create mode = 0777
force directory mode = 0777
[user_data]
comment = user_data
path = /user_data
read only = No
I've joined my test samba server to the domain using 'realm join
--membership-software=samba --client-software=winbind', but then disabled winbind and
restored sssd to pam and nsswitch. It connects ok, but there's some kind of auth issue
with Windows 10 clients whereby file writes to the share are very slow due to continual
calls to kerberos libs (4 minutes to copy 20MB/1900 files). This doesn't affect Win 7
clients or Linux clients to the same server, which can do the same copy in 14 seconds.
Single file copies that are fine (3.2GB file from the Win 10 client takes 40 secs). There
are thousands of 'Get_Pwnam_internals didn't find user',
'NT_STATUS_ACCESS_DENIED', 'NT_STATUS_MORE_PROCESSING_REQUIRED' and
'Starting GENSEC submechanism gse_krb5' errors reported when I trun debug logging
on, which is not reported when using Linux or Win 7 as the client. It does finish the copy
however, with the correct permissions, it just takes a very long time. I suspect it is the
config that is the p
roblem here.
Thanks for any help.
Cam