Alexander Fieroch
2018-Apr-19 08:52 UTC
[Samba] recommended smb.conf configuration for AD with realm+sssd
Hello,

Our Linux clients are integrated into AD by the tool "realm" (no "net ads join") and use "sssd" for authenticating AD users. What is the recommended configuration for smb.conf to authenticate AD users for directory shares?

First, it looks like the configuration for "security" should be "ADS" and "server role" should be "member server" because these Linux clients are domain members, but the manpage for smb.conf says "ADS" and "member server" are for clients joined by the "net" utility, which is not done here.

So what is the recommended configuration in smb.conf for Linux clients joined to AD by realm that use sssd for authentication?

security = ?
server role = ?
kerberos method = system keytab

Additionally, I have to manually add a cifs/ SPN on the Windows DC with setspn for that machine account to get access to its Samba shares. Can I add the cifs/ SPN entry with any Linux RPC tool?

Thanks!

Best regards,
Alexander Fieroch
Rowland Penny
2018-Apr-19 09:16 UTC
[Samba] recommended smb.conf configuration for AD with realm+sssd
On Thu, 19 Apr 2018 10:52:51 +0200
Alexander Fieroch via samba <samba at lists.samba.org> wrote:

> Hello,
>
> Our linux clients are integrated to AD by the tool "realm" (no "net
> ads join") and use "sssd" for authenticating AD users. What is the
> recommended configuration for smb.conf to authenticate AD users for
> directory shares?

Well, if this is a Debian based OS, it would be 'apt-get purge sssd' ;-)

You do not need sssd; it isn't a Samba tool and isn't supported by Samba. 'winbind' will do virtually everything that sssd can.

> First, it looks like the configuration for "security" should be "ADS"
> and "server role" should be "member server" because these linux
> clients are domain members, but manpage for smb.conf says "ADS" and
> "member server" is for clients joined by the "net" utility which is
> not done here.
>
> So what is the recommended configuration in smb.conf for linux
> clients joined to AD by realm and use sssd for authentication?
>
> security = ?
> server role = ?
> kerberos method = system keytab

It doesn't matter how you join the domain; those settings are the same.

> Additionally I have to add manually a cifs/ SPN on the Windows DC
> with setspn for that machine account to get access on its samba
> shares. Can I add the cifs/ SPN entry with any linux rpc-tool?
>

Not that I am aware of (cue lots of people saying use this or that). You will probably have to use LDAP and add the attribute; just take care you don't wipe out any existing SPNs.

Rowland
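The reply's warning about not wiping out existing SPNs comes down to one LDAP detail: an LDIF `replace: servicePrincipalName` overwrites every value on the computer object (the `HOST/` and `RestrictedKrbHost/` entries the join created), whereas `add:` appends. The script below is an added example, not code from the thread or from the Samba project. It builds the conventional `cifs/SHORTNAME` and `cifs/fqdn` SPNs for a host, filters out any the object already carries (AD matches SPNs case-insensitively, and an LDAP add of a value that is already present fails with `attributeOrValueExists`), and emits a non-destructive `modify`/`add` LDIF. The hostname, DN and existing SPN list are constructed sample data; in practice the existing values come from an `ldapsearch` against the computer object.

```python
"""
Added example (not from the thread): generate an LDIF that appends cifs/ SPNs
to an AD computer object without replacing the servicePrincipalName attribute.
All hostnames, DNs and attribute values below are constructed sample data.
"""
from typing import Iterable, List


def cifs_spns(fqdn: str) -> List[str]:
    """SPN forms conventionally registered for the CIFS service:
    cifs/SHORTNAME (NetBIOS-style, upper case) and cifs/fqdn (lower case)."""
    fqdn = fqdn.strip().rstrip(".").lower()
    short = fqdn.split(".")[0].upper()
    return [f"cifs/{short}", f"cifs/{fqdn}"]


def missing_spns(wanted: Iterable[str], existing: Iterable[str]) -> List[str]:
    """Drop SPNs the object already has. AD compares SPNs case-insensitively,
    and an LDAP 'add' of an existing value fails with attributeOrValueExists
    (result code 20), so the comparison is case-folded."""
    have = {s.casefold() for s in existing}
    return [s for s in wanted if s.casefold() not in have]


def spn_add_ldif(computer_dn: str, spns: Iterable[str]) -> str:
    """LDIF changeset using 'add:', which appends values. A 'replace:' here
    would overwrite every existing servicePrincipalName, which is exactly
    the mistake the reply warns about. Returns "" when nothing is needed."""
    spns = list(spns)
    if not spns:
        return ""
    lines = [
        f"dn: {computer_dn}",
        "changetype: modify",
        "add: servicePrincipalName",
    ]
    lines += [f"servicePrincipalName: {s}" for s in spns]
    lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed sample: what a freshly realm-joined host's computer object
# typically carries before any cifs/ SPN is added.
EXISTING_SPNS = [
    "HOST/client01.example.com",
    "HOST/CLIENT01",
    "RestrictedKrbHost/client01.example.com",
    "RestrictedKrbHost/CLIENT01",
]
COMPUTER_DN = "CN=CLIENT01,OU=Linux,DC=example,DC=com"  # constructed

if __name__ == "__main__":
    needed = missing_spns(cifs_spns("client01.example.com"), EXISTING_SPNS)
    # Prints the LDIF to feed to ldapmodify; empty output means nothing to do.
    print(spn_add_ldif(COMPUTER_DN, needed), end="")
```

Feed the output to `ldapmodify` over a Kerberos-authenticated connection (for example `kinit Administrator` followed by `ldapmodify -Y GSSAPI -H ldap://dc.example.com -f cifs-spn.ldif`), then re-read `servicePrincipalName` with `ldapsearch` to confirm the old values are still there alongside the new ones. Note that the SPN alone does not put a `cifs/` key into the system keytab that `kerberos method = system keytab` points smbd at; to the best of my knowledge adcli's `--service-name=cifs` option on join/update takes care of both the SPN and the keytab entry, but check `man adcli` for your version.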