I have a system that is joined to an AD domain via SSSD, it was
happily
running samba and serving shares using either kerberos or password
authentication, with the update to Samba 4.7.1 in the RHEL 7.5 release,
all of that stopped working.
samba config file:
[global]
log level = 5
password server = *
realm =
AD.EXAMPLE.COM
encrypt passwords = yes
kerberos method = system keytab
workgroup = AD
server string = %h samba
security = ADS
map to guest = Bad User
interfaces = <valid IP>
hosts allow = <valid IP blocks>
load printers = no
passdb backend = tdbsam
dns proxy = no
max log size = 5000
bind interfaces only = no
restrict anonymous = 2
#============================ Share Definitions
==============================
[images]
comment = example images
path = /var/eng/
guest ok = no
printable = no
write list =
create mask = 0664
directory mask = 0775
read only = no
valid users = +valid-example-group
force group =
browseable = yes
Now samba will not even start without either libwbclient or
sssd-libwbclient installed with the above configuration. After
installing sssd-libwbclient and modifying valid users to:
valid users = AD\valid-example-group
kerberos based connections will work just fine. However password based
connections for windows systems that are not AD joined, or smbclient
without kerberos, does not work. I believe this is falling back to NTLM
and NTLM is simply not supported by SSSD correct?
Oddly, what used to work, with basically a call to getgrnam() no longer
works in 4.7.1 release of samba and there seems to be no mention that I
can find as to why. Any thoughts?
It looks an awful lot like, if we need to support both krb and password
based connections we will need to use winbind, correct? Or is there
another way to make this thing work? If I have to use winbind it looks
like I need to use 'net ads join' or 'realm join
--client-software=winbind' but it then seems to me that the system will
be joined to the AD twice, once to use SSSD, and once for winbind is
this correct? Is there a way to make winbind and SSSD work together?
Further it looks like, according to this:
https://bugzilla.redhat.com/show_bug.cgi?id=1558560 that RHEL 7.6 with
Samba 4.8.1 will require winbind to be running period. I believe that
statement to be a bit of an oversimplification because sssd-libwbclient
should still work, or am I misunderstanding?
Any guidance here would be great, this seems to be a fairly murky area,
or my google fu is weak.
Yes, if you want to use password authentication (NTLM) you have to run
winbind with recent versions of Samba. The reason is that some old
fallback code was removed from the smbd binary mainly for security
reasons and to simplify the code in general.
If you only need Kerberos authentication sssd-libwbclient can still be
used.
For all other cases where winbind must be running install Samba's
libwbclient and I would recommend to use SSSD's idmap plugin for
Samba/Winbind, see man idmap_sss for details.
Since idmap_sss is read-only from the winbind perspective it is
recommend to have a read-write plugin as well so that the actual imap
config for smb.conf might look like:
idmap config * : backend", "tdb"
idmap config * : range", "10000-99999"
idmap config MYDOMAIN : backend = sss
idmap config MYDOMAIN : range = 200000-2147483647
If you have a forest with multiple domains you should add a
configuration for each domain with suitable ranges.
This way both SSSD and Winbind will talk to AD with the same credentials
but SSSD still does all system authentication (no need to add
pam_winbind to the PAM configuration) and user group lookup. Winbind
will only serve the needs of smbd and other direct users of libwbclient
but gets all information about idmapping from SSSD so that both Winbind
and SSSD will always use the same UIDs and GIDs for the same AD object.
HTH
bye,
Sumit
>
> -Erinn
>
>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: