Rowland,
Thank you, I'll try to implement your suggestions.
But it definitely worked without winbind.

On Wed, Mar 20, 2019 at 1:26 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 20 Mar 2019 13:11:47 +0200
> "linux.il" <linux.il at gmail.com> wrote:
>
> > >> - There have been no configuration changes to the system
> > >> (especially/notably smb.conf) in 3+ weeks
> > >If this has just started happening, something must have changed.
> > I guess, Kerberos key automatic renew (krb5.keytab).
>
> That would be my guess as well.
>
> > >Is winbind running ?
> > No
>
> Then start it, you need it, from 4.8.0, Samba must have winbind running
> when 'security' is set to 'ads'.
>
> > >Please post your smb.conf
> > This is my 'global' section:
> >
> > workgroup = EXAMPLE
> > security = ads
> > encrypt passwords = yes
> > realm = EXAMPLE.COM
> > passdb backend = tdbsam
> >
>
> Is that it ?
>
> If we remove the default settings, it just becomes:
>
> workgroup = EXAMPLE
> security = ads
> realm = EXAMPLE.COM
>
> You need more and you do not need sssd
>
> I would start by adding 'winbind refresh tickets = yes'
> I wouldn't stop there.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2019-Mar-20 15:40 UTC
[Samba] AD authentication issue in Samba (kerberos errors)
On Wed, 20 Mar 2019 17:22:36 +0200
"linux.il via samba" <samba at lists.samba.org> wrote:

> Rowland,
> Thank you, I'll try to implement your suggestions.
> But it definitely worked without winbind.
>

Then your 'Samba' problem isn't a Samba problem :-)

As far as Samba is concerned, you have always needed to run winbind on a Unix ads domain member. It became mandatory from 4.8.0

It is possible that you have a problem with sssd, I suggest you ask on the sssd-users mailing list.

Rowland
Paul R. Ganci
2019-Mar-21 01:56 UTC
[Samba] AD authentication issue in Samba (kerberos errors)
On 3/20/19 9:40 AM, Rowland Penny via samba wrote:
> On Wed, 20 Mar 2019 17:22:36 +0200
> "linux.il via samba" <samba at lists.samba.org> wrote:
>> Rowland,
>> Thank you, I'll try to implement your suggestions.
>> But it definitely worked without winbind.
>>
>> Then your 'Samba' problem isn't a Samba problem :-)
>>
>> AS far as Samba is concerned, you have always needed to run winbind on a
>> Unix ads domain member. It became mandatory from 4.8.0

I will also second that winbind is not necessary on a member server. I have 4 Centos 7 member servers and none of them have winbind running on them. Each of these uses SSSD and has absolutely no problems. These systems have been operating without winbind for years. When I updated to 4.8 and 4.9 on the Samba AD, which does use winbind, the member servers were never updated to use winbind. So I don't know under what circumstances it is deemed that winbind is necessary on a domain member. I can just confirm, like the OP, that it is not necessary on any of the domain members I am running. Having said that, I explicitly run:

> cat /etc/centos-release
CentOS Linux release 7.6.1810 (Core)

This version of Centos runs on every linux box I have.

On the AD I run the Sernet packages for Centos:

> rpm -qa | grep sernet
sernet-samba-client-4.9.5-14.el7.x86_64
sernet-samba-common-4.9.5-14.el7.x86_64
sernet-samba-4.9.5-14.el7.x86_64
sernet-samba-libs-4.9.5-14.el7.x86_64
sernet-samba-ad-4.9.5-14.el7.x86_64
sernet-samba-winbind-4.9.5-14.el7.x86_64
sernet-samba-libsmbclient0-4.9.5-14.el7.x86_64

On each member server I have these RPMs from the Centos repository installed:

> rpm -qa | grep samba
samba-libs-4.8.3-4.el7.x86_64
samba-common-libs-4.8.3-4.el7.x86_64
samba-common-4.8.3-4.el7.noarch
samba-client-libs-4.8.3-4.el7.x86_64
samba-4.8.3-4.el7.x86_64
samba-common-tools-4.8.3-4.el7.x86_64
samba-client-4.8.3-4.el7.x86_64

None of these samba packages contain winbind:

> rpm -ql `rpm -qa | grep samba` | grep winbind
/var/run/winbindd

The /var/run/winbindd directory is only where the process ID would end up if I were running winbind. The actual Centos RPM containing winbind is the package samba-winbind which, as you can see, is not listed in the member server samba package list. Here is the result of a ps on one of my member servers:

> ps auxww | grep win
prg-118+ 21497 0.0 0.0 112708 972 pts/2 S+ 19:38 0:00 grep --color=auto win

Note there is no winbindd running. Moreover, here is the result of a getent passwd user (I sanitized the user) on a member server not running winbindd:

> getent passwd user
user:*:10000:10513:User Name:/home/user:/bin/bash

Here is the samba config /etc/smb.conf from the same member server:

[global]
security = ads
realm = MYHOME.EXAMPLE.COM
workgroup = MYHOME
log file = /var/log/samba/%m.log
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 30000-100000
idmap config MYHOME:backend = ad
idmap config MYHOME:schema_mode = rfc2307
idmap config MYHOME:range = 10000-29999

Note that the user ID falls in the domain MYHOME range, so it is indeed an AD user.

So maybe someday I will have problems, but using SSSD with a proper setup allows me to use a Samba AD without having to run winbind on the member server. I will continue to operate like that until the day I have an issue, so I will keep this message handy in a notebook just in case. But I firmly believe that a proper SSSD setup precludes the need for winbind at this point in time.

--
Paul (ganci at nurdog.com)
Cell: (303)257-5208
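The two [global] sections quoted in this thread (linux.il's five-line one that Rowland trimmed to its non-default settings, and Paul's member-server one with idmap ranges) make a good input for a small config checker. This is an added example, not code from the thread or from Samba: it drops settings equal to Samba's defaults, as Rowland did by hand, and reports the idmap and 'winbind refresh tickets' settings the replies discuss. Both configs are embedded as constructed, abridged input; the check list is the thread's, not an exhaustive Samba requirement.

```python
import configparser
import io
import re

# Samba defaults: spelling them out changes nothing, so they are dropped from
# the "effective" view (what Rowland did by hand for linux.il's five lines).
SAMBA_DEFAULTS = {"encrypt passwords": "yes", "passdb backend": "tdbsam"}

# Constructed inputs, abridged from the two [global] sections in the thread.
MINIMAL_CONF = ("[global]\nworkgroup = EXAMPLE\nsecurity = ads\nrealm = EXAMPLE.COM\n"
                "encrypt passwords = yes\npassdb backend = tdbsam\n")
MEMBER_CONF = """[global]
security = ads
realm = MYHOME.EXAMPLE.COM
workgroup = MYHOME
idmap config *:backend = tdb
idmap config *:range = 30000-100000
idmap config MYHOME:backend = ad
idmap config MYHOME:range = 10000-29999
"""

def parse_global(text):
    """Return [global] as a dict with lowercased keys (smb.conf is INI-like)."""
    # Only '=' may split key and value: ':' belongs to keys like 'idmap config X:range'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_file(io.StringIO(text))
    return dict(cp["global"]) if cp.has_section("global") else {}

def check_member_config(text):
    """Return (effective_settings, findings) for a 'security = ads' member."""
    g = parse_global(text)
    effective = {k: v for k, v in g.items() if SAMBA_DEFAULTS.get(k) != v}
    if g.get("security", "user").lower() != "ads":
        return effective, ["security is not 'ads': not an AD member config"]
    findings = [f"missing '{k}'" for k in ("realm", "workgroup") if k not in g]
    ranges = {}
    # An ads member needs an idmap backend and range for '*' and its workgroup.
    for dom in ("*", g.get("workgroup", "?").lower()):
        for part in ("backend", "range"):
            if f"idmap config {dom}:{part}" not in g:
                findings.append(f"missing 'idmap config {dom}:{part}'")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", g.get(f"idmap config {dom}:range", ""))
        if m:
            ranges[dom] = (int(m.group(1)), int(m.group(2)))
    if len(ranges) == 2:  # overlapping ranges make UID/GID mapping ambiguous
        (lo1, hi1), (lo2, hi2) = ranges.values()
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append("idmap ranges for '*' and the workgroup overlap")
    if g.get("winbind refresh tickets", "no").lower() != "yes":
        findings.append("'winbind refresh tickets = yes' not set")
    return effective, findings
```

Run against a real /etc/samba/smb.conf by passing its contents to check_member_config; the first tuple element is the config with defaults stripped, the second the list of findings.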