Andrei Vida-Rațiu
2014-Sep-24 21:05 UTC
[Samba] Samba not working with sssd on CentOS 6.5
Hello everyone.
I joined this list because I cannot find an answer to my problem. The
setup is this:
I installed CentOS release 6.5 (Final) minimal version
Updated all packages
Added the server to the Active Directory domain as a member server
using the method described here (using adcli, kerberos and sssd):
http://jhrozek.livejournal.com/3581.html
It worked, I tested by trying to connect through ssh with domain user
credentials and by doing "su domain_user" from root ssh console. Both
worked.
After that, I installed Samba (Version 3.6.9-169.el6_5). Created a
minimal config file like this:
[global]
workgroup = mydomain
server string = Samba Server Version %v
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = mydomain.ro
# No printers needed
load printers = no
cups options = raw
printcap name = /dev/null
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
log level = 10
# ############ THE SHARES ############ #
[homes]
comment = Home Directories
browseable = no
writable = yes
It doesn't work. I get this error in /var/log/messages:
Sep 24 23:40:54 fs01 smbd[1406]: connect_to_domain_password_server:
unable to open the domain client session to machine DC.MYDOMAIN.RO.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.406665, 0]
rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
Sep 24 23:40:54 fs01 smbd[1406]: get_schannel_session_key: could not
fetch trust account password for domain 'MYDOMAIN'
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408207, 0]
rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
Sep 24 23:40:54 fs01 smbd[1406]: cli_rpc_pipe_open_schannel: failed
to get schannel session key from server DC.MYDOMAIN.RO for domain
MYDOMAIN.
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408499, 0]
auth/auth_domain.c:193(connect_to_domain_password_server)
However, if I add this:
kerberos method = secrets and keytab
to the smb.conf file it works. But it creates another strange problem.
It works only when I connect using \\server. If I try that by IP, like
\\192.168.1.5 the error above appears again in /var/log/messages.
I really need the "access by IP" option. Are there any solutions?
Also, it seems that, in this configuration, samba doesn't use sssd? I
increased the debug level in sssd but the logs are empty!
_______
AndreiV
On 24/09/14 22:05, Andrei Vida-Rațiu wrote:
> [...]

Hi,

I think you will find this is because you are trying to set everything (except Samba) to connect to AD and then want to use Samba, why? I am fairly sure if you join the Samba machine to AD everything will work OK, or to put it another way, you do not need adcli if you use Samba. If you set up CentOS and Samba correctly, sssd will then work as expected.

Rowland
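The \\server versus \\192.168.1.5 difference comes down to which logon path the client takes, and this added example (the editor's, not anything posted in the thread) encodes that decision. With "kerberos method = secrets and keytab" smbd can validate a Kerberos ticket straight from /etc/krb5.keytab, which adcli did write. A 2014-era Windows client handed an IP literal has no cifs/<host> service principal name to ask the KDC for, so it falls back to NTLM, and NTLM pass-through makes smbd open a netlogon schannel to the DC with the machine account password from secrets.tdb, which adcli does not write; that is the "could not fetch trust account password" line in the log. The host name fs01, the realm MYDOMAIN.RO and the IP are taken from the post; the klist -k listing, including its cifs/ entries, is constructed and is an assumption; the live checks at the end run only when RUN_LIVE_CHECKS=1 is set.

```shell
#!/bin/bash
# Editor's added example, not code from the thread. Given a UNC target and a
# `klist -k` listing, decide whether a client can do Kerberos to this member
# server (smbd then needs only the keytab) or must fall back to NTLM (smbd
# then needs the machine password in secrets.tdb, which adcli never writes).
set -eu

# Constructed sample of `klist -k /etc/krb5.keytab` for fs01 in MYDOMAIN.RO.
# Assumption: the join also registered cifs/ principals; adcli's defaults may
# differ, so compare with the real listing on the box.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 FS01$@MYDOMAIN.RO
   2 host/fs01.mydomain.ro@MYDOMAIN.RO
   2 host/FS01@MYDOMAIN.RO
   2 cifs/fs01.mydomain.ro@MYDOMAIN.RO
   2 cifs/FS01@MYDOMAIN.RO'

bs='\'

# \\fs01\homes -> fs01 : strip the leading \\ and anything from the next \.
unc_host() {
  local h=${1#"$bs$bs"}
  printf '%s\n' "${h%%"$bs"*}"
}

# 0 if the argument is a dotted-quad IPv4 literal, 1 otherwise.
is_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  local IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# 0 if the listing holds an entry for the given SPN (host part compared
# case-insensitively, as AD does), 1 otherwise.
keytab_has_spn() {
  local spn=$1 listing=$2
  printf '%s\n' "$listing" | grep -qi "^ *[0-9][0-9]* $spn@"
}

# Print "kerberos" or "ntlm" for the path a client will take to the target.
# An IP literal cannot be turned into a cifs/<host> SPN by a 2014-era Windows
# client, so the KDC is never asked and the client uses NTLM. A name with no
# matching keytab entry is reported as ntlm too: the server has no key it
# could accept a ticket for that name with.
expected_auth() {
  local unc=$1 listing=$2 host
  host=$(unc_host "$unc")
  if is_ipv4 "$host"; then
    echo ntlm
  elif keytab_has_spn "cifs/$host" "$listing" || keytab_has_spn "host/$host" "$listing"; then
    echo kerberos
  else
    echo ntlm
  fi
}

for target in '\\fs01' '\\fs01.mydomain.ro\homes' '\\192.168.1.5'; do
  printf '%-26s -> %s\n' "$target" "$(expected_auth "$target" "$SAMPLE_KLIST")"
done

# Live checks, opt-in only. `net ads testjoin` exercises the secrets.tdb
# machine password exactly as the NTLM path does, so on an adcli-only join it
# is expected to fail; joining with Samba's own `net ads join -k` (reusing an
# admin Kerberos ticket) writes secrets.tdb and makes the NTLM path work.
if [ "${RUN_LIVE_CHECKS:-0}" = 1 ]; then
  klist -k /etc/krb5.keytab
  net ads testjoin || echo "secrets.tdb has no usable machine account; by-IP (NTLM) logons will fail"
fi
```

Run it on the member server with RUN_LIVE_CHECKS=1 after replacing SAMPLE_KLIST with the real listing; a name that prints kerberos but still fails usually means the client never got a ticket (wrong DNS name, clock skew) rather than a keytab problem, while every ntlm result depends on secrets.tdb being populated.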
Hi,

I suggest that the subject 'Samba not working with sssd on CentOS 6.5' is not quite correct. You need to understand that SSSD is responsible for POSIX-level authentication, which has nothing to do with Samba. From what you write, it is apparent that POSIX-level authentication works all right, meaning that your /etc/sssd/sssd.conf is set up right, because you can log onto your Linux box with domain users via e.g. ssh etc.

What is not working is your Samba connection to the existing domain, so the smb.conf has to be tuned up properly. Your 'passdb backend' cannot be tdbsam (it is just a local Samba file where Samba stores info about users locally, the 'passdb.tdb' file, and thus Samba cannot be aware of any domain users). You need to specify in your 'passdb backend' option in smb.conf your PDC backend (usually an LDAP service etc.), e.g. like:

passdb backend = ldapsam:ldaps://ipaddress

(in the case of an LDAP server backend).

Cheers,
Karel

On 09/24/2014 11:05 PM, Andrei Vida-Rațiu wrote:
> [...]
Well, it looks like I misunderstood how authentication in Samba works. I thought that Samba uses the system-level authentication system to authenticate users. It must be the fault of my CentOS 7 setup (I also have a CentOS 7 server set up almost the same way) that works.

I installed a CentOS 7 minimal, joined it to the AD using realmd, installed Samba, used exactly the same config file that I used for CentOS 6.5 (but without the "kerberos method = secrets and keytab" setting) and this server works correctly. I can access it with \\server or \\ip without any issues.

CentOS 6.5 doesn't have realmd in the repositories but I used the tools "behind" realmd, created the same setup as on the CentOS 7 server, but it doesn't work.

I think I am going to use the old setup on CentOS 6.5, the one relying on winbind. Can winbind and sssd coexist?