Goetz, Patrick G
2019-Jun-19 12:26 UTC
[Samba] Samba + SSSD: confirmed working for Samba versions 4.7.6 and 4, 8.3
I thought I sent this, but didn't see it hit the list. Since this presented a considerable amount of frustration (requiring a netbios name seems illogical in an AD-only world), I'm sending it again. Apologies if this is a repost.

-------- Forwarded Message --------
Subject: Samba + SSSD: confirmed working for Samba versions 4.7.6 and 4,8.3
Date: Tue, 18 Jun 2019 17:15:47 -0500
From: Patrick Goetz <pgoetz at math.utexas.edu>
To: samba at lists.samba.org

A couple of days ago I posted about not being able to authenticate AD domain users when trying to mount SMB shares. Turns out my problem was that I hadn't set a netbios name in /etc/samba/smb.conf, even though I have netbios turned off! Understood that this isn't supported, but for the benefit of others searching this forum (and posts come up a lot in searches), here is the smb.conf configuration that works with sssd on Ubuntu 18.04:

    [global]

    netbios name = cns-bio-krak1
    workgroup = AUSTIN
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    realm = AUSTIN.UTEXAS.EDU
    security = ads
    allow trusted domains = yes
    disable netbios = yes

    log level = 1
    guest account = nobody

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    server role = auto
    obey pam restrictions = yes

    load printers = no
    cups options = raw

Everything else is pretty much left at the defaults. Printing is turned off because we don't configure printers on these servers, and no idmap'ing is necessary. The nmbd service is off and masked, winbind isn't installed, and the only open port is 445. Share services are now mountable on SMB domain clients. Still need to find out if there is a way to allow a few non-domain machines to mount shares.
The only thing not working properly with Samba 4.7.6 (this was working with 4.8.3, then we somehow broke it) is using some critical net commands:

    root at kraken:/etc/samba# net rpc rights list -U cns-pgoetz
    Enter cns-pgoetz's password:
    Could not connect to server 127.0.0.1
    Connection failed: NT_STATUS_NO_LOGON_SERVERS

This is making it difficult to assign administrative rights from the Windows side (as per Rowland's suggestion). We were able to get this working with sssd and Samba 4.8.3, no luck yet with 4.7.6.
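Added example, not part of the original post and not Samba project code: the Python below parses an smb.conf `[global]` section using smb.conf's name rules (case and whitespace in names are ignored, `#` and `;` start comments, a trailing backslash continues a line) and flags the state the post describes, `security = ads` with no explicit `netbios name`. The two sample configs are constructed from the post's settings, and `parse_global` and `check` are hypothetical helper names.

```python
import re

# Constructed sample: part of the post's [global] section with "netbios name"
# commented out, i.e. the state the author says broke AD user authentication.
BROKEN = """\
[global]
   workgroup = AUSTIN
   realm = AUSTIN.UTEXAS.EDU
   security = ads
   kerberos method = secrets and keytab
   disable netbios = yes
; netbios name = cns-bio-krak1
"""
# Constructed sample: the same section with the parameter set, as in the post.
FIXED = BROKEN.replace("; netbios name", "   netbios name")


def norm(name):
    # smb.conf ignores case and all whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return the [global] parameters as {normalized name: value}."""
    params, section = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join continued lines
        line = line.strip()
        if not line or line[0] in "#;":                 # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params


def check(text):
    """Flag an AD member config that has no explicit netbios name."""
    p = parse_global(text)
    findings = []
    if p.get("security", "").lower() == "ads" and not p.get("netbiosname"):
        msg = "security = ads but 'netbios name' is not set"
        if p.get("disablenetbios", "").lower() in ("yes", "true", "1"):
            msg += " (the post needed it even with 'disable netbios = yes')"
        findings.append(msg)
    return findings
```
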
Rowland Penny
2019-Jun-19 12:40 UTC
[Samba] Samba + SSSD: confirmed working for Samba versions 4.7.6 and 4, 8.3
On 19/06/2019 13:26, Goetz, Patrick G via samba wrote:
> A couple of days ago I posted about not being able to authenticate AD
> domain users when trying to mount SMB shares. Turns out my problem was
> that I hadn't set a netbios name in /etc/samba/smb.conf, even though I
> have netbios turned off! Understood that this isn't supported, but for
> the benefit of others searching this forum (and posts come up a lot in
> searches), here is the smb.conf configuration that works with sssd on
> Ubuntu 18.04:
>
>
> [global]
>
> netbios name = cns-bio-krak1
> workgroup = AUSTIN
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> realm = AUSTIN.UTEXAS.EDU
> security = ads
> allow trusted domains = yes
> disable netbios = yes
>
> log level = 1
> guest account = nobody
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> server role = auto
> obey pam restrictions = yes
>
> load printers = no
> cups options = raw
>
>
> Everything else is pretty much left at the defaults. Printing is turned
> off because we don't configure printers on these servers, and no
> idmap'ing is necessary. The nmbd service is off and masked, winbind
> isn't installed, and the only open port is 445. Share services are now
> mountable on SMB domain clients. Still need to find out if there is a
> way to allow a few non-domain machines to mount shares.
>
> The only thing not working properly with Samba 4.7.6 (this was working
> with 4.8.3, then we somehow broke it) is using some critical net commands:
>
> root at kraken:/etc/samba# net rpc rights list -U cns-pgoetz
> Enter cns-pgoetz's password:
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>
> This is making it difficult to assign administrative rights from the
> Windows side (as per Rowland's suggestion). We were able to get this
> working with sssd and Samba 4.8.3, no luck yet with 4.7.6.
>

I am surprised that you got it working with 4.8.x, this is the minor version that now requires that winbind is run.

This is the last post on this thread I will allow, I will just discard any further posts, this thread has run to its extent.

Rowland