samba - Aug 2014 - I want a Fedora 20 system to be a member server and offer a share in a Windows 2008R2 Active Directory domain

I'm close to making this work.  The goal is to make this Fedora 20 system
pretend to be a Windows member server in my Windows 2008R2 Active Directory
domain and then I'll use it as a backup target.  When I run ADUC from my
domain controller, I see my F20 system named nfsa.  But from Windows, when I do
Start...\\nfsa, I get an Access Denied error and it prompts for credentials. 
When I do Start...\\nfsa\backups, it just fails with an Access Denied error.

I will paste in the output from testparms below, which has everything in my
smb.conf.  This should all be OK.  I've gotta be missing the piece that sets
up my F20 system to trust A/D for authentication for F20 can advertise this
share.   The guidance on how to do that is contradictory and thin and I'm
hopelessly confused.  I'm supposed to do some editing to some pam .conf
files and nsswitch.conf, but everyone has different guidance.  And the edits
look elaborate and prone to mistakes.

So Red Hat includes a tool named authconfig that claims to handle this for me. 
It is supposed to set up all the .conf files to make this work.  Pass authconfig
the correct parameters and it all just happens.  In fact, it's all
documented right here in the RHEL 7 Windows Integration Guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/winbind-auth.html

The example in section 4.3.2, step 4 uses a parameter named --enablewinbindkrb5
that doesn't exist. And a couple of the parameters in the example need equal
signs (parameter=value instead of parameter [space] value).  In fairness, that
book above is part of RHEL 7 and I'm doing this from Fedora 20 so maybe they
are different. Working around that and based on the example, I put this little
script together:

[root at nfsa gregs]# more test.sh
#!/bin/sh

authconfig \
      --enablewinbind \
      --enablewins \
      --enablewinbindauth \
      --smbsecurity=ads \
      --smbworkgroup=EHAC \
      --smbrealm=EHAC.LOCAL \
      --smbservers=ehcserver1.ehac.local \
      --krb5realm=EHAC.LOCAL \
      --enablewinbindoffline \
      --enablekrb5 \
      --winbindtemplateshell=/bin/sh \
      --winbindjoin=administrator \
      --update \
      --enablelocauthorize \
      --savebackup=/home/gregs/backups
[root at nfsa gregs]#

When I run it, it makes copies of a bunch of config files and saves them in my
/home/gregs/backups directory.  But it never updates any of the real .conf files
- just one big no-op.

So how do I do this?  Surely there's nice, clean, easily reproducible way to
make a Linux system offer a share as a member server in a modern A/D domain.

F20 can reach into the domain, but the domain cannot reach out to F20.

wbinfo -g and wbinfo -u show me the groups and users I expect to see.   And
getent passwd domain\\user returns what I expect after I finally learned I need
to escape that "\" character.  So F20 can reach into the domain, but
the domain can't reach back to F20.  That's my problem.

[root at nfsa gregs]#  getent passwd ehac\\gregs
gregs at ehac.local:*:762201118:762200513:Greg
Scott:/home/ehac.local/gregs:/bin/bash

Finally, here is a copy of my smb.conf and krb5.conf.

[root at nfsa gregs]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[backups]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = EHAC
        realm = ehac.local
        server string = Samba Server nfsa Version %v
        security = ADS
        log file = /var/log/samba/log.%m
        max log size = 50
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        idmap config SAMDOM:range = 500-40000
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:backend = ad
        idmap config *:range = 70001-80000
        idmap config * : backend = tdb
        cups options = raw

[backups]
        comment = backups
        path = /data/nfsa
        read only = No
        guest ok = Yes
[root at nfsa gregs]#
[root at nfsa gregs]#
[root at nfsa gregs]# more /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
default_realm = EHAC.LOCAL
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

EHAC.LOCAL = {
  kdc = ehcserver1.ehac.local
  admin_server = ehcserver1.ehac.local
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

.ehac.local = EHAC.LOCAL
ehac.local = EHAC.LOCAL
[root at nfsa gregs]#

Oh yes - I have no idea if this is relevant or not but I see these errors about
printers in /var/log/messages when I restart smb.  I don't care about
printing here and would be fine with just turning off all printing if
there's a way to do it.  But maybe these printer errors contribute to my
real problem.

[root at nfsa gregs]# tail /var/log/messages
Aug 30 13:42:36 nfsa smbd[7353]: [2014/08/30 13:42:36.137682,  0]
../source3/printing/print_cups.c:151(cups_connect)
Aug 30 13:42:36 nfsa smbd[7353]: Unable to connect to CUPS server localhost:631
- Bad file descriptor
Aug 30 13:42:36 nfsa smbd[7010]: [2014/08/30 13:42:36.137938,  0]
../source3/printing/print_cups.c:528(cups_async_callback)
Aug 30 13:42:36 nfsa smbd[7010]: failed to retrieve printer list:
NT_STATUS_UNSUCCESSFUL
Aug 30 13:50:01 nfsa systemd: Starting Session 271 of user root.
Aug 30 13:50:02 nfsa systemd: Started Session 271 of user root.
Aug 30 13:55:36 nfsa smbd[7380]: [2014/08/30 13:55:36.883693,  0]
../source3/printing/print_cups.c:151(cups_connect)
Aug 30 13:55:36 nfsa smbd[7380]: Unable to connect to CUPS server localhost:631
- Bad file descriptor
Aug 30 13:55:36 nfsa smbd[7010]: [2014/08/30 13:55:36.883950,  0]
../source3/printing/print_cups.c:528(cups_async_callback)
Aug 30 13:55:36 nfsa smbd[7010]: failed to retrieve printer list:
NT_STATUS_UNSUCCESSFUL
[root at nfsa gregs]#

I've installed winbind and winbind and smb are running.  SElinux is set to
permissive.  I don't think I need nmb anymore but I can try turning it on.

[root at nfsa gregs]# systemctl list-unit-files | grep smb
smb.service                                 enabled
[root at nfsa gregs]# systemctl list-unit-files | grep nmb
nmb.service                                 disabled
[root at nfsa gregs]# systemctl list-unit-files | grep winbind
winbind.service                             enabled
[root at nfsa gregs]#

Oh - versions - everything came from Red Hat binaries a few days ago:

[root at nfsa gregs]# more /etc/issue
Fedora release 20 (Heisenbug)
Kernel \r on an \m (\l)

 [root at nfsa gregs]# rpm -qa | grep samba
samba-winbind-modules-4.1.9-4.fc20.x86_64
samba-common-4.1.9-4.fc20.x86_64
samba-4.1.9-4.fc20.x86_64
samba-winbind-4.1.9-4.fc20.x86_64
samba-libs-4.1.9-4.fc20.x86_64
samba-winbind-clients-4.1.9-4.fc20.x86_64
[root at nfsa gregs]#
[root at nfsa gregs]# rpm -qa | grep krb5
pam_krb5-2.4.8-1.fc20.x86_64
sssd-krb5-common-1.11.6-1.fc20.x86_64
sssd-krb5-1.11.6-1.fc20.x86_64
krb5-workstation-1.11.5-11.fc20.x86_64
krb5-libs-1.11.5-11.fc20.x86_64
[root at nfsa gregs]#

Thanks

- Greg Scott

On 30/08/14 20:14, Greg Scott wrote:
> I'm close to making this work.  The goal is to make this Fedora 20
system pretend to be a Windows member server in my Windows 2008R2 Active
Directory domain and then I'll use it as a backup target.  When I run ADUC
from my domain controller, I see my F20 system named nfsa.  But from Windows,
when I do Start...\\nfsa, I get an Access Denied error and it prompts for
credentials.  When I do Start...\\nfsa\backups, it just fails with an Access
Denied error.
>
> I will paste in the output from testparms below, which has everything in my
smb.conf.  This should all be OK.  I've gotta be missing the piece that sets
up my F20 system to trust A/D for authentication for F20 can advertise this
share.   The guidance on how to do that is contradictory and thin and I'm
hopelessly confused.  I'm supposed to do some editing to some pam .conf
files and nsswitch.conf, but everyone has different guidance.  And the edits
look elaborate and prone to mistakes.
>
> So Red Hat includes a tool named authconfig that claims to handle this for
me.  It is supposed to set up all the .conf files to make this work.  Pass
authconfig the correct parameters and it all just happens.  In fact, it's
all documented right here in the RHEL 7 Windows Integration Guide:
>
>
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/winbind-auth.html
>
> The example in section 4.3.2, step 4 uses a parameter named
--enablewinbindkrb5 that doesn't exist. And a couple of the parameters in
the example need equal signs (parameter=value instead of parameter [space]
value).  In fairness, that book above is part of RHEL 7 and I'm doing this
from Fedora 20 so maybe they are different. Working around that and based on the
example, I put this little script together:
>
> [root at nfsa gregs]# more test.sh
> #!/bin/sh
>
> authconfig \
>        --enablewinbind \
>        --enablewins \
>        --enablewinbindauth \
>        --smbsecurity=ads \
>        --smbworkgroup=EHAC \
>        --smbrealm=EHAC.LOCAL \
>        --smbservers=ehcserver1.ehac.local \
>        --krb5realm=EHAC.LOCAL \
>        --enablewinbindoffline \
>        --enablekrb5 \
>        --winbindtemplateshell=/bin/sh \
>        --winbindjoin=administrator \
>        --update \
>        --enablelocauthorize \
>        --savebackup=/home/gregs/backups
> [root at nfsa gregs]#
Have you tried typing the above in a terminal and running it, if you do, 
it may print an error message.

Rowland
> When I run it, it makes copies of a bunch of config files and saves them in
my /home/gregs/backups directory.  But it never updates any of the real .conf
files - just one big no-op.
>
> So how do I do this?  Surely there's nice, clean, easily reproducible
way to make a Linux system offer a share as a member server in a modern A/D
domain.
>
> F20 can reach into the domain, but the domain cannot reach out to F20.
>
> wbinfo -g and wbinfo -u show me the groups and users I expect to see.   And
getent passwd domain\\user returns what I expect after I finally learned I need
to escape that "\" character.  So F20 can reach into the domain, but
the domain can't reach back to F20.  That's my problem.
>
> [root at nfsa gregs]#  getent passwd ehac\\gregs
> gregs at ehac.local:*:762201118:762200513:Greg
Scott:/home/ehac.local/gregs:/bin/bash
>
> Finally, here is a copy of my smb.conf and krb5.conf.
>
> [root at nfsa gregs]# testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[backups]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
>          workgroup = EHAC
>          realm = ehac.local
>          server string = Samba Server nfsa Version %v
>          security = ADS
>          log file = /var/log/samba/log.%m
>          max log size = 50
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          winbind nss info = rfc2307
>          idmap config SAMDOM:range = 500-40000
>          idmap config SAMDOM:schema_mode = rfc2307
>          idmap config SAMDOM:backend = ad
>          idmap config *:range = 70001-80000
>          idmap config * : backend = tdb
>          cups options = raw
>
> [backups]
>          comment = backups
>          path = /data/nfsa
>          read only = No
>          guest ok = Yes
> [root at nfsa gregs]#
> [root at nfsa gregs]#
> [root at nfsa gregs]# more /etc/krb5.conf
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>   dns_lookup_realm = false
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
>   forwardable = true
>   rdns = false
> # default_realm = EXAMPLE.COM
> default_realm = EHAC.LOCAL
>   default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> # EXAMPLE.COM = {
> #  kdc = kerberos.example.com
> #  admin_server = kerberos.example.com
> # }
>
> EHAC.LOCAL = {
>    kdc = ehcserver1.ehac.local
>    admin_server = ehcserver1.ehac.local
>   }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
>
> .ehac.local = EHAC.LOCAL
> ehac.local = EHAC.LOCAL
> [root at nfsa gregs]#
>
> Oh yes - I have no idea if this is relevant or not but I see these errors
about printers in /var/log/messages when I restart smb.  I don't care about
printing here and would be fine with just turning off all printing if
there's a way to do it.  But maybe these printer errors contribute to my
real problem.
>
> [root at nfsa gregs]# tail /var/log/messages
> Aug 30 13:42:36 nfsa smbd[7353]: [2014/08/30 13:42:36.137682,  0]
../source3/printing/print_cups.c:151(cups_connect)
> Aug 30 13:42:36 nfsa smbd[7353]: Unable to connect to CUPS server
localhost:631 - Bad file descriptor
> Aug 30 13:42:36 nfsa smbd[7010]: [2014/08/30 13:42:36.137938,  0]
../source3/printing/print_cups.c:528(cups_async_callback)
> Aug 30 13:42:36 nfsa smbd[7010]: failed to retrieve printer list:
NT_STATUS_UNSUCCESSFUL
> Aug 30 13:50:01 nfsa systemd: Starting Session 271 of user root.
> Aug 30 13:50:02 nfsa systemd: Started Session 271 of user root.
> Aug 30 13:55:36 nfsa smbd[7380]: [2014/08/30 13:55:36.883693,  0]
../source3/printing/print_cups.c:151(cups_connect)
> Aug 30 13:55:36 nfsa smbd[7380]: Unable to connect to CUPS server
localhost:631 - Bad file descriptor
> Aug 30 13:55:36 nfsa smbd[7010]: [2014/08/30 13:55:36.883950,  0]
../source3/printing/print_cups.c:528(cups_async_callback)
> Aug 30 13:55:36 nfsa smbd[7010]: failed to retrieve printer list:
NT_STATUS_UNSUCCESSFUL
> [root at nfsa gregs]#
>
> I've installed winbind and winbind and smb are running.  SElinux is set
to permissive.  I don't think I need nmb anymore but I can try turning it
on.
>
> [root at nfsa gregs]# systemctl list-unit-files | grep smb
> smb.service                                 enabled
> [root at nfsa gregs]# systemctl list-unit-files | grep nmb
> nmb.service                                 disabled
> [root at nfsa gregs]# systemctl list-unit-files | grep winbind
> winbind.service                             enabled
> [root at nfsa gregs]#
>
> Oh - versions - everything came from Red Hat binaries a few days ago:
>
> [root at nfsa gregs]# more /etc/issue
> Fedora release 20 (Heisenbug)
> Kernel \r on an \m (\l)
>
>   [root at nfsa gregs]# rpm -qa | grep samba
> samba-winbind-modules-4.1.9-4.fc20.x86_64
> samba-common-4.1.9-4.fc20.x86_64
> samba-4.1.9-4.fc20.x86_64
> samba-winbind-4.1.9-4.fc20.x86_64
> samba-libs-4.1.9-4.fc20.x86_64
> samba-winbind-clients-4.1.9-4.fc20.x86_64
> [root at nfsa gregs]#
> [root at nfsa gregs]# rpm -qa | grep krb5
> pam_krb5-2.4.8-1.fc20.x86_64
> sssd-krb5-common-1.11.6-1.fc20.x86_64
> sssd-krb5-1.11.6-1.fc20.x86_64
> krb5-workstation-1.11.5-11.fc20.x86_64
> krb5-libs-1.11.5-11.fc20.x86_64
> [root at nfsa gregs]#
>
> Thanks
>
> - Greg Scott

On Sat, 2014-08-30 at 19:14 +0000, Greg Scott wrote:
> I'm close to making this work. 
What does your keytab look like?
klist -k

If that returns at least a host/ key then direct samba to use it:
kerberos method = system keytab

HTH
Steve

** Skickat fr?n mobilusken! **

Den 30 aug 2014 21:20 skrev "Greg Scott" <GregScott at
infrasupport.com>:
>
> I'm close to making this work.  The goal is to make this Fedora 20
system
pretend to be a Windows member server in my Windows 2008R2 Active Directory
domain and then I'll use it as a backup target.  When I run ADUC from my
domain controller, I see my F20 system named nfsa.  But from Windows, when
I do Start...\\nfsa, I get an Access Denied error and it prompts for
credentials.  When I do Start...\\nfsa\backups, it just fails with an
Access Denied error.
>
> I will paste in the output from testparms below, which has everything in
my smb.conf.  This should all be OK.  I've gotta be missing the piece that
sets up my F20 system to trust A/D for authentication for F20 can advertise
this share.   The guidance on how to do that is contradictory and thin and
I'm hopelessly confused.  I'm supposed to do some editing to some pam
.conf
files and nsswitch.conf, but everyone has different guidance.  And the
edits look elaborate and prone to mistakes.
>
> So Red Hat includes a tool named authconfig that claims to handle this
for me.  It is supposed to set up all the .conf files to make this work.
Pass authconfig the correct parameters and it all just happens.  In fact,
it's all documented right here in the RHEL 7 Windows Integration
Guide:
>
>
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/winbind-auth.html
>
> The example in section 4.3.2, step 4 uses a parameter named
--enablewinbindkrb5 that doesn't exist. And a couple of the parameters in
the example need equal signs (parameter=value instead of parameter [space]
value).  In fairness, that book above is part of RHEL 7 and I'm doing this
from Fedora 20 so maybe they are different. Working around that and based
on the example, I put this little script together:
>
> [root at nfsa gregs]# more test.sh
> #!/bin/sh
>
> authconfig \
>       --enablewinbind \
>       --enablewins \
>       --enablewinbindauth \
>       --smbsecurity=ads \
>       --smbworkgroup=EHAC \
>       --smbrealm=EHAC.LOCAL \
>       --smbservers=ehcserver1.ehac.local \
>       --krb5realm=EHAC.LOCAL \
>       --enablewinbindoffline \
>       --enablekrb5 \
>       --winbindtemplateshell=/bin/sh \
>       --winbindjoin=administrator \
>       --update \
>       --enablelocauthorize \
>       --savebackup=/home/gregs/backups
> [root at nfsa gregs]#
>
> When I run it, it makes copies of a bunch of config files and saves them
in my /home/gregs/backups directory.  But it never updates any of the real
.conf files - just one big no-op.
>
> So how do I do this?  Surely there's nice, clean, easily reproducible
way
to make a Linux system offer a share as a member server in a modern A/D
domain.
>
> F20 can reach into the domain, but the domain cannot reach out to F20.
>
> wbinfo -g and wbinfo -u show me the groups and users I expect to see.
 And getent passwd domain\\user returns what I expect after I finally
learned I need to escape that "\" character.  So F20 can reach into
the
domain, but the domain can't reach back to F20.  That's my
problem.
>
> [root at nfsa gregs]#  getent passwd ehac\\gregs
> gregs at ehac.local:*:762201118:762200513:Greg
Scott:/home/ehac.local/gregs:/bin/bash
>
> Finally, here is a copy of my smb.conf and krb5.conf.
>
> [root at nfsa gregs]# testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[backups]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
>         workgroup = EHAC
>         realm = ehac.local
>         server string = Samba Server nfsa Version %v
>         security = ADS
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>         winbind nss info = rfc2307
>         idmap config SAMDOM:range = 500-40000
>         idmap config SAMDOM:schema_mode = rfc2307
>         idmap config SAMDOM:backend = ad
SAMDOM -> EHAC? Is the defined orange correct?

Regards
Davor
>         idmap config *:range = 70001-80000
>         idmap config * : backend = tdb
>         cups options = raw
>
> [backups]
>         comment = backups
>         path = /data/nfsa
>         read only = No
>         guest ok = Yes
> [root at nfsa gregs]#
> [root at nfsa gregs]#
> [root at nfsa gregs]# more /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  dns_lookup_realm = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>  rdns = false
> # default_realm = EXAMPLE.COM
> default_realm = EHAC.LOCAL
>  default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> # EXAMPLE.COM = {
> #  kdc = kerberos.example.com
> #  admin_server = kerberos.example.com
> # }
>
> EHAC.LOCAL = {
>   kdc = ehcserver1.ehac.local
>   admin_server = ehcserver1.ehac.local
>  }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
>
> .ehac.local = EHAC.LOCAL
> ehac.local = EHAC.LOCAL
> [root at nfsa gregs]#
>
> Oh yes - I have no idea if this is relevant or not but I see these errors
about printers in /var/log/messages when I restart smb.  I don't care about
printing here and would be fine with just turning off all printing if
there's a way to do it.  But maybe these printer errors contribute to my
real problem.
>
> [root at nfsa gregs]# tail /var/log/messages
> Aug 30 13:42:36 nfsa smbd[7353]: [2014/08/30 13:42:36.137682,  0]
../source3/printing/print_cups.c:151(cups_connect)
> Aug 30 13:42:36 nfsa smbd[7353]: Unable to connect to CUPS server
localhost:631 - Bad file descriptor
> Aug 30 13:42:36 nfsa smbd[7010]: [2014/08/30 13:42:36.137938,  0]
../source3/printing/print_cups.c:528(cups_async_callback)
> Aug 30 13:42:36 nfsa smbd[7010]: failed to retrieve printer list:
NT_STATUS_UNSUCCESSFUL
> Aug 30 13:50:01 nfsa systemd: Starting Session 271 of user root.
> Aug 30 13:50:02 nfsa systemd: Started Session 271 of user root.
> Aug 30 13:55:36 nfsa smbd[7380]: [2014/08/30 13:55:36.883693,  0]
../source3/printing/print_cups.c:151(cups_connect)
> Aug 30 13:55:36 nfsa smbd[7380]: Unable to connect to CUPS server
localhost:631 - Bad file descriptor
> Aug 30 13:55:36 nfsa smbd[7010]: [2014/08/30 13:55:36.883950,  0]
../source3/printing/print_cups.c:528(cups_async_callback)
> Aug 30 13:55:36 nfsa smbd[7010]: failed to retrieve printer list:
NT_STATUS_UNSUCCESSFUL
> [root at nfsa gregs]#
>
> I've installed winbind and winbind and smb are running.  SElinux is set
to permissive.  I don't think I need nmb anymore but I can try turning it
on.
>
> [root at nfsa gregs]# systemctl list-unit-files | grep smb
> smb.service                                 enabled
> [root at nfsa gregs]# systemctl list-unit-files | grep nmb
> nmb.service                                 disabled
> [root at nfsa gregs]# systemctl list-unit-files | grep winbind
> winbind.service                             enabled
> [root at nfsa gregs]#
>
> Oh - versions - everything came from Red Hat binaries a few days ago:
>
> [root at nfsa gregs]# more /etc/issue
> Fedora release 20 (Heisenbug)
> Kernel \r on an \m (\l)
>
>  [root at nfsa gregs]# rpm -qa | grep samba
> samba-winbind-modules-4.1.9-4.fc20.x86_64
> samba-common-4.1.9-4.fc20.x86_64
> samba-4.1.9-4.fc20.x86_64
> samba-winbind-4.1.9-4.fc20.x86_64
> samba-libs-4.1.9-4.fc20.x86_64
> samba-winbind-clients-4.1.9-4.fc20.x86_64
> [root at nfsa gregs]#
> [root at nfsa gregs]# rpm -qa | grep krb5
> pam_krb5-2.4.8-1.fc20.x86_64
> sssd-krb5-common-1.11.6-1.fc20.x86_64
> sssd-krb5-1.11.6-1.fc20.x86_64
> krb5-workstation-1.11.5-11.fc20.x86_64
> krb5-libs-1.11.5-11.fc20.x86_64
> [root at nfsa gregs]#
>
> Thanks
>
> - Greg Scott
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

I got it working a few hours ago.  Forget authconfig for now.  If anyone from
Red Hat follows this list, authconfig on Fedora 20 seems broken - see the
original email I posted on this topic yesterday.

In my case, this was the key.  I did the edit by hand - it wasn't a big
deal.

[root at nfsa etc]# diff nsswitch.conf nsswitch.conf-20140830
33c33
< passwd:     files sss winbind
---
> passwd:     files sss
35c35
< group:      files sss winbind
---
> group:      files sss
[root at nfsa etc]#

- Greg