Andrei Vida-Raţiu
2014-Sep-24 21:05 UTC
[Samba] Samba not working with sssd on CentOS 6.5
Hello everyone.
I joined this list because I cannot find an answer to my problem. The setup is this:
I installed CentOS release 6.5 (Final) minimal version
Updated all packages
Added the server to the Active Directory domain as a member server using the method described here (using adcli, kerberos and sssd):
http://jhrozek.livejournal.com/3581.html

It worked, I tested by trying to connect through ssh with domain user credentials and by doing "su domain_user" from root ssh console. Both worked.

After that, I installed Samba (Version 3.6.9-169.el6_5). Created a minimal config file like this:

[global]
workgroup = mydomain
server string = Samba Server Version %v
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = mydomain.ro

# No printers needed
load printers = no
cups options = raw
printcap name = /dev/null

# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
log level = 10

# ############ THE SHARES ############ #

[homes]
comment = Home Directories
browseable = no
writable = yes

It doesn't work. I get this error in /var/log/messages:

Sep 24 23:40:54 fs01 smbd[1406]: connect_to_domain_password_server: unable to open the domain client session to machine DC.MYDOMAIN.RO. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.406665, 0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
Sep 24 23:40:54 fs01 smbd[1406]: get_schannel_session_key: could not fetch trust account password for domain 'MYDOMAIN'
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408207, 0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
Sep 24 23:40:54 fs01 smbd[1406]: cli_rpc_pipe_open_schannel: failed to get schannel session key from server DC.MYDOMAIN.RO for domain MYDOMAIN.
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408499, 0] auth/auth_domain.c:193(connect_to_domain_password_server)

However, if I add this:

kerberos method = secrets and keytab

to the smb.conf file it works. But it creates another strange problem. It works only when I connect using \\server. If I try that by IP, like \\192.168.1.5 the error above appears again in /var/log/messages.

I really need the "access by IP" option. Are there any solutions?

Also, it seems that, in this configuration, samba doesn't use sssd? I increased the debug level in sssd but the logs are empty!

_______

AndreiV
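Added example (not part of the original post and not Samba project code): a small Python triage script that pairs each smbd debug header in the log quoted above with the message that follows it, and pulls out the failing steps, including the case where the paste cuts a header or a message off. The function names and the signature table are hypothetical; the log lines are the ones from the post.

```python
import re

# Log lines copied from the post above (as written to /var/log/messages).
SAMPLE = """\
Sep 24 23:40:54 fs01 smbd[1406]: connect_to_domain_password_server: unable to open the domain client session to machine DC.MYDOMAIN.RO. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.406665, 0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
Sep 24 23:40:54 fs01 smbd[1406]: get_schannel_session_key: could not fetch trust account password for domain 'MYDOMAIN'
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408207, 0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
Sep 24 23:40:54 fs01 smbd[1406]: cli_rpc_pipe_open_schannel: failed to get schannel session key from server DC.MYDOMAIN.RO for domain MYDOMAIN.
Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408499, 0] auth/auth_domain.c:193(connect_to_domain_password_server)
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ smbd\[\d+\]:\s*(?P<body>.*)$")
HEADER = re.compile(r"^\[[\d/]+ [\d:.]+,\s*\d+\]\s+(?P<src>\S+?:\d+)\((?P<func>\w+)\)$")
SIGNATURES = {  # hypothetical names for the three failures visible in the post
    "dc_session_failed": re.compile(r"Error was : (?P<status>NT_STATUS_\w+)"),
    "trust_secret_missing": re.compile(r"could not fetch trust account password for domain '(?P<domain>[^']+)'"),
    "schannel_failed": re.compile(r"failed to get schannel session key from server (?P<dc>\S+) for domain"),
}

def parse_events(text):
    """Pair each Samba debug header with the message lines that follow it."""
    events, current = [], None
    for raw in text.splitlines():
        m = SYSLOG.match(raw)
        if not m:
            continue  # not an smbd syslog line
        body = m["body"].strip()
        h = HEADER.match(body)
        if h:
            current = {"func": h["func"], "src": h["src"], "msg": []}
            events.append(current)
            continue
        if current is None:  # message whose header was cut off by the paste
            current = {"func": None, "src": None, "msg": []}
            events.append(current)
        current["msg"].append(body)
    return events

def diagnose(events):
    """Return the first hit per failure signature, with its source location."""
    findings = {}
    for ev in events:
        for name, rx in SIGNATURES.items():
            m = rx.search(" ".join(ev["msg"]))
            if m and name not in findings:
                findings[name] = {**m.groupdict(), "src": ev["src"]}
    return findings

if __name__ == "__main__":
    for name, info in diagnose(parse_events(SAMPLE)).items():
        print(name, info)
```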
On 24/09/14 22:05, Andrei Vida-Raţiu wrote:
> Hello everyone.
> I joined this list because I cannot find an answer to my problem. The
> setup is this:
> I installed CentOS release 6.5 (Final) minimal version
> Updated all packages
> Added the server to the Active Directory domain as a member server
> using the method described here (using adcli, kerberos and sssd):
> http://jhrozek.livejournal.com/3581.html
>
> It worked, I tested by trying to connect through ssh with domain user
> credentials and by doing "su domain_user" from root ssh console. Both
> worked.
>
> After that, I installed Samba (Version 3.6.9-169.el6_5). Created a
> minimal config file like this:
>
> [global]
> workgroup = mydomain
> server string = Samba Server Version %v
> security = ads
> encrypt passwords = yes
> passdb backend = tdbsam
> realm = mydomain.ro
>
> # No printers needed
> load printers = no
> cups options = raw
> printcap name = /dev/null
>
> # logs split per machine
> log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
> max log size = 50
> log level = 10
>
> # ############ THE SHARES ############ #
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
>
> It doesn't work. I get this error in /var/log/messages:
>
> Sep 24 23:40:54 fs01 smbd[1406]: connect_to_domain_password_server:
> unable to open the domain client session to machine DC.MYDOMAIN.RO.
> Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.406665, 0]
> rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
> Sep 24 23:40:54 fs01 smbd[1406]: get_schannel_session_key: could not
> fetch trust account password for domain 'MYDOMAIN'
> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408207, 0]
> rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
> Sep 24 23:40:54 fs01 smbd[1406]: cli_rpc_pipe_open_schannel: failed
> to get schannel session key from server DC.MYDOMAIN.RO for domain
> MYDOMAIN.
> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408499, 0]
> auth/auth_domain.c:193(connect_to_domain_password_server)
>
> However, if I add this:
>
> kerberos method = secrets and keytab
>
> to the smb.conf file it works. But it creates another strange problem.
> It works only when I connect using \\server. If I try that by IP, like
> \\192.168.1.5 the error above appears again in /var/log/messages.
>
> I really need the "access by IP" option. Are there any solutions?
>
> Also, it seems that, in this configuration, samba doesn't use sssd? I
> increased the debug level in sssd but the logs are empty!
>
> _______
>
> AndreiV

Hi, I think you will find this is because you are trying to set everything (except samba) to connect to AD and then want to use samba, why?

I am fairly sure if you join the samba machine to AD everything will work ok, or to put it another way, you do not need adcli if you use samba.

If you set up CentOS and samba correctly, sssd will then work as expected.

Rowland
Hi,

I suggest that the subject 'Samba not working with sssd on CentOS 6.5' is not quite correct. You need to understand that SSSD is responsible for POSIX level authentication, which has nothing to do with Samba. From what you write, it is apparent that POSIX level authentication works all right, meaning that your /etc/sssd/sssd.conf is set up right, because you can log onto your Linux box with domain users via e.g. ssh etc.

What is not working is your Samba connection to the existing domain - so the smb.conf has to be tuned up properly.

Your 'passdb backend' can not be tdbsam (it is just a local samba file where samba stores info about users locally, the 'passdb.tdb' file, and thus Samba can not be aware of any domain users). You need to specify in the 'passdb backend' option in smb.conf your PDC backend (usually ldap service etc), e.g. like:

passdb backend = ldapsam:ldaps://ipaddress

(in case of ldap server backend).

cheers,
Karel

On 09/24/2014 11:05 PM, Andrei Vida-Raţiu wrote:
> Hello everyone.
> I joined this list because I cannot find an answer to my problem. The
> setup is this:
> I installed CentOS release 6.5 (Final) minimal version
> Updated all packages
> Added the server to the Active Directory domain as a member server
> using the method described here (using adcli, kerberos and sssd):
> http://jhrozek.livejournal.com/3581.html
>
> It worked, I tested by trying to connect through ssh with domain user
> credentials and by doing "su domain_user" from root ssh console. Both
> worked.
>
> After that, I installed Samba (Version 3.6.9-169.el6_5). Created a
> minimal config file like this:
>
> [global]
> workgroup = mydomain
> server string = Samba Server Version %v
> security = ads
> encrypt passwords = yes
> passdb backend = tdbsam
> realm = mydomain.ro
>
> # No printers needed
> load printers = no
> cups options = raw
> printcap name = /dev/null
>
> # logs split per machine
> log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
> max log size = 50
> log level = 10
>
> # ############ THE SHARES ############ #
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
>
> It doesn't work. I get this error in /var/log/messages:
>
> Sep 24 23:40:54 fs01 smbd[1406]: connect_to_domain_password_server:
> unable to open the domain client session to machine DC.MYDOMAIN.RO.
> Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.406665, 0]
> rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
> Sep 24 23:40:54 fs01 smbd[1406]: get_schannel_session_key: could not
> fetch trust account password for domain 'MYDOMAIN'
> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408207, 0]
> rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
> Sep 24 23:40:54 fs01 smbd[1406]: cli_rpc_pipe_open_schannel: failed
> to get schannel session key from server DC.MYDOMAIN.RO for domain
> MYDOMAIN.
> Sep 24 23:40:54 fs01 smbd[1406]: [2014/09/24 23:40:54.408499, 0]
> auth/auth_domain.c:193(connect_to_domain_password_server)
>
> However, if I add this:
>
> kerberos method = secrets and keytab
>
> to the smb.conf file it works. But it creates another strange problem.
> It works only when I connect using \\server. If I try that by IP, like
> \\192.168.1.5 the error above appears again in /var/log/messages.
>
> I really need the "access by IP" option. Are there any solutions?
>
> Also, it seems that, in this configuration, samba doesn't use sssd? I
> increased the debug level in sssd but the logs are empty!
>
> _______
>
> AndreiV
Well, it looks like I misunderstood how authentication in Samba works. I thought that Samba uses the system level authentication system to authenticate users. It must be the fault of my CentOS 7 setup (I also have a CentOS 7 server set up almost the same way) that works.

I installed a CentOS 7 minimal, joined it to the AD using realmd, installed Samba, used exactly the same config file that I used for CentOS 6.5 (but without the "kerberos method = secrets and keytab" setting) and this server works correctly. I can access it with \\server or \\ip without any issues.

CentOS 6.5 doesn't have realmd in the repositories but I used the tools "behind" realmd, created the same setup as on the CentOS 7 server, but it doesn't work.

I think I am going to use the old setup on CentOS 6.5, the one relying on winbind. Can winbind and sssd coexist?

--
View this message in context: http://samba.2283325.n4.nabble.com/Samba-not-working-with-sssd-on-CentOS-6-5-tp4673186p4673201.html
Sent from the Samba - General mailing list archive at Nabble.com.