Dav Banks wrote:
Thanks!
-------------------------------
Dav Banks
> On May 31, 2019, at 6:46 AM, Sumit Bose <sbose(a)redhat.com> wrote:
>
> On Thu, May 30, 2019 at 02:33:28PM -0400, Dav Banks wrote:
>> Hi There,
>>
>> I was wondering if anyone has experience with using sssd for samba
>> authentication. I’ve gotten sssd working for getent tools but when a user tries to access
>> a share that they have permissions to via a group they get a permissions denied error. If
>> I add the user directly to the ACL it works fine.
>>
>> I can post more info but was just wondering if this is a known problem or just
>> something strange with me.
>
> Hi,
>
> Recent versions of Samba require that winbind be running as well to
> allow Samba to communicate with AD for purposes not handled by SSSD.
> Older versions of Samba's smbd had some fallback code so that winbind
> was not strictly needed but this code was removed mainly for security
> reasons.
>
> Please check the list archive for config examples. The main idea is to
> add idmap_sss to the Samba configuration to make sure winbind and SSSD
> use the same id-mapping, see man idmap_sss for details as well.
>
> HTH
>
> bye,
> Sumit
Please find the below working configuration.

1. Join the system to Windows using realm with --membership-software=samba

    realm join -v EXAMPLE.TEST --membership-software=samba

2. Edit /etc/samba/smb.conf and configure as shown below:

    [global]
    security = ads
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    kerberos method = system keytab
    client use spnego = yes
    netbios name = fileserver
    log file = /var/log/samba/log.%m
    max log size = 500
    log level = 10
    idmap config EXAMPLE : backend = sss
    idmap config EXAMPLE : range = 200000-2147483647
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999

    [share1]
    path = /mnt/samba/share1
    comment = test share1
    writable = yes
    printable = no

3. Start sssd, winbind and smb services

Note:
A. wbinfo -u, wbinfo -g commands should be able to resolve AD users and groups.
B. kinit AD username and verify the below command works:

    smbclient -k -L //fileserver/share1

C. Mount share using mount.cifs
>
>>
>> -------------------------------
>> Dav Banks
>>
>
>> _______________________________________________
>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
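
Added example, not part of the original thread: a shell check for the idmap lines of an smb.conf like the one posted above, flagging a missing or inverted range, ranges that overlap between domains, and the absence of any domain using the sss backend. The function name `check_idmap` and the finding labels are hypothetical; the only input it needs is the path to the configuration file.

```shell
#!/bin/sh
# Added example (not from the thread): lint the idmap lines of an smb.conf.
# Findings are printed one per line; exit status is 1 if there are any.
check_idmap() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report(m) { print m; found++ }
    /^[ \t]*[#;]/ { next }                                   # comment lines
    /^[ \t]*\[/   { section = tolower(trim($0)); next }      # section header
    section == "[global]" && tolower($0) ~ /^[ \t]*idmap config / {
        eq = index($0, "="); if (!eq) next
        key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
        if (split(key, kp, ":") != 2) next
        dom = trim(substr(trim(kp[1]), 14))                  # after "idmap config "
        opt = tolower(trim(kp[2]))
        if (!(dom in seen)) { seen[dom] = 1; order[++nd] = dom }
        if (opt == "backend") backend[dom] = tolower(val)
        if (opt == "range") { split(val, r, "-"); lo[dom] = r[1] + 0; hi[dom] = r[2] + 0 }
    }
    END {
        for (i = 1; i <= nd; i++) {
            d = order[i]
            if (!(d in lo)) report("MISSING_RANGE " d)
            else if (lo[d] > hi[d]) report("BAD_RANGE " d)
            for (j = i + 1; j <= nd; j++) {                  # pairwise overlap test
                e = order[j]
                if ((d in lo) && (e in lo) && lo[d] <= hi[e] && lo[e] <= hi[d])
                    report("OVERLAP " d " " e)
            }
            if (d != "*" && backend[d] == "sss") sss++
        }
        if (!sss) report("NO_SSS_BACKEND")                   # no domain mapped via idmap_sss
        exit (found > 0 ? 1 : 0)
    }' "$1"
}

# Constructed sample: the idmap lines from the configuration posted above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
idmap config EXAMPLE : backend = sss
idmap config EXAMPLE : range = 200000-2147483647
idmap config * : backend = tdb
idmap config * : range = 100000-199999
EOF
check_idmap "$sample" && echo "idmap configuration OK"
rm -f "$sample"
```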