On Fri, 22 Mar 2019 09:00:28 -0400
Nico Kadel-Garcia <nkadel at gmail.com> wrote:
> On Tue, Mar 19, 2019 at 8:54 AM Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> >
> > On Tue, 19 Mar 2019 08:04:45 -0400
> > Tyrus Shivers via samba <samba at lists.samba.org> wrote:
> >
> > > I made the correction to the krb5.conf to remove the duplicate
> > > entry and add the DC IPs and it still does not work. No such
> > > user.
> > >
> > > Any other ideas? Any other configs that should be in place?
> >
> > Hi Tyrus, I just do not understand why it doesn't work for you, it
> > should :-(
> >
> > I will set up a new CentOS (I do not have access to RHEL, but
> > CentOS is RHEL) 7 VM and install a Samba Unix domain member using
> > the 'rid' backend. Let's see if it fails for myself ;-)
> >
> > Rowland
>
> The CentOS configurations are.... interestingly nasty. These days,
> CentOS works reasonably well using "realmd", which configures "sssd"
> and a set of sub-daemons, to run LDAP and Kerberos based connections.

This is, in my opinion, Red Hat's attempt to lock you into their tools,
you do not need 'realmd', 'sssd' etc.

> If you can set up a *brand new* box, can you use the "realm" command
> to join the domain?

No idea, never used it, but it probably would work, but what is wrong
with 'net ads join'?

> And can you verify that SELinux is not generating
> warnings for anything you've set up?

Again, I know little about SELinux, but surely the native tools will
help here?

>
> The CentOS config tools such as authconfig and the "realm" command do
> not handle krb5.conf nor sssd.conf well because they really don't
> handle the broad variety of available configuration options well, and
> require fragile manual editing for even the simplest options. They do
> allow very simple, basic setups.

The problem is that to get a fully working AD DC, you need to use
Heimdal and this isn't Red Hat's default, so I can sort of understand
krb5.conf being handled correctly, but sssd is their product, so if
this isn't being handled correctly, then, well, words fail me ;-)

I repeat, just in case anybody missed it, you do not need sssd on a
Samba machine, the Samba tools will do virtually anything it can do and
what they cannot do is easily done by other methods, e.g. use sudo-ldap.

Rowland