samba - Jun 2019 - Samba + sssd deployment: success and failure

So, we have Samba file sharing working on CentOS 7.6 with sssd:

   [root at cns-srv-lnode2 samba]# cat /etc/redhat-release
   CentOS Linux release 7.6.1810 (Core)
   [root at cns-srv-lnode2 samba]# smbd --version
   Version 4.8.3

Some smb.conf configuration details:

  - security = user
  - an idmap entry is unnecessary
  - disable netbios = yes
    works fine
  - pretty sure nmbd is unnecessary as well.

Unfortunately the same smb.conf/sssd.conf configuration does not work on 
Ubuntu 18.04:

   root at kraken:/var/log/samba# cat /etc/lsb-release
   DISTRIB_ID=Ubuntu
   DISTRIB_RELEASE=18.04
   DISTRIB_CODENAME=bionic
   DISTRIB_DESCRIPTION="Ubuntu 18.04.2 LTS"
   root at kraken:/var/log/samba# smbd --version
   Version 4.7.6-Ubuntu

It appears there were some major changes between Samba 4.7.6 and Samba 
4.8.3 ?  On the functional CentOS system, when I try to map a share I 
see something like this in the log files:

[2019/06/11 13:09:35.088714,  3] 
../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
   Found account name from PAC: pgoetz [Goetz, Patrick G]


On the Ubuntu system I see

[2019/06/11 13:58:47.535611,  3] 
../auth/ntlmssp/ntlmssp_server.c:454(ntlmssp_server_preauth)
   Got user=[pgoetz] domain=[austin] workstation=[CNS-VM-PGOETZ1] 
len1=24 len2=332

What then happens is it looks for user pgoetz in a non-existent passdb 
file, maps the username to guest, which is mapped to nobody, and then 
the authentication fails.

Just want to confirm that the problem is with the Samba version before 
upgrading from a PPA.

Aside:  Looks like the Samba team had a PPA for daily releases which was 
abandoned about a year ago: what happened with that?

On 11/06/2019 20:38, Goetz, Patrick G via samba wrote:
> So, we have Samba file sharing working on CentOS 7.6 with sssd:
>
>     [root at cns-srv-lnode2 samba]# cat /etc/redhat-release
>     CentOS Linux release 7.6.1810 (Core)
>     [root at cns-srv-lnode2 samba]# smbd --version
>     Version 4.8.3
>
> Some smb.conf configuration details:
>
>    - security = user
>    - an idmap entry is unnecessary
>    - disable netbios = yes
>      works fine
>    - pretty sure nmbd is unnecessary as well.
How are you actually running samba ?

As a standalone server or as a Unix domain member ?

If it is a Unix domain member, then you need to run winbind from Samba 4.8.0
>
> Unfortunately the same smb.conf/sssd.conf configuration does not work on
> Ubuntu 18.04:
>
>     root at kraken:/var/log/samba# cat /etc/lsb-release
>     DISTRIB_ID=Ubuntu
>     DISTRIB_RELEASE=18.04
>     DISTRIB_CODENAME=bionic
>     DISTRIB_DESCRIPTION="Ubuntu 18.04.2 LTS"
>     root at kraken:/var/log/samba# smbd --version
>     Version 4.7.6-Ubuntu
>
> It appears there were some major changes between Samba 4.7.6 and Samba
> 4.8.3 ?  On the functional CentOS system, when I try to map a share I
> see something like this in the log files:
>
> [2019/06/11 13:09:35.088714,  3]
> ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
>     Found account name from PAC: pgoetz [Goetz, Patrick G]
>
>
> On the Ubuntu system I see
>
> [2019/06/11 13:58:47.535611,  3]
> ../auth/ntlmssp/ntlmssp_server.c:454(ntlmssp_server_preauth)
>     Got user=[pgoetz] domain=[austin] workstation=[CNS-VM-PGOETZ1]
> len1=24 len2=332
>
> What then happens is it looks for user pgoetz in a non-existent passdb
> file, maps the username to guest, which is mapped to nobody, and then
> the authentication fails.
>
> Just want to confirm that the problem is with the Samba version before
> upgrading from a PPA.
Looks to me like the problem is with sssd that doesn't use
ntlm.
>
> Aside:  Looks like the Samba team had a PPA for daily releases which was
> abandoned about a year ago: what happened with that?
>
Didn't know we had one, care to post a link ?

Rowland