L.P.H. van Belle
2019-Jun-19 13:02 UTC
[Samba] Samba + SSSD: confirmed working for Samba versions 4.7.6 and 4, 8.3
Keep your naming conventions as they should be.

wrong netbios name = cns-bio-krak1
right netbios name = CNS-BIO-KRAK1

If your resolving setup is correct, then you can use:
disable netbios = yes
and
dns proxy = yes
Then your netbios name should be resolved over DNS.
But you still need to set it as shown above.

> Still need to find out if there is a
> way to allow a few non-domain machines to mount shares.

Add the needed REALM in /etc/krb5.conf.
Add the computer name to the DNS (A+PTR), create a user that keeps the needed SPN/UPN for the computer, the non-joined computer. Add CIFS/spn to it.
Something like that, I'm just too busy to have a good look at it.
(optional: add root/spn)
But now you should be able to do cifs mounts with kerberos without joining the domain.

Or just use user= pass= domain= for the mount settings.
mount -t cifs -o credentials=/path/to/secret-info-file //host.FQDN/share /mnt/folder

> net rpc rights list -U cns-pgoetz
> Enter cns-pgoetz's password:
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_NO_LOGON_SERVERS

That's most probably due to an incorrect resolving setup.
You're on Ubuntu? Get this and run it/anonymize it.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

I'm very busy atm, so when I can spare a few min I'll have a look, but you have 4 people in front of you.
So if needed anonymize it, and ask the list to have a look at it if you're in a hurry.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Goetz, Patrick G via samba
> Sent: Wednesday, 19 June 2019 14:26
> To: samba at lists.samba.org
> Subject: [Samba] Samba + SSSD: confirmed working for Samba
> versions 4.7.6 and 4, 8.3
>
> I thought I sent this, but didn't see it hit the list. Since this
> presented a considerable amount of frustration (requiring a netbios name
> seems illogical in an AD-only world), I'm sending it again. Apologies
> if this is a repost.
>
>
> -------- Forwarded Message --------
> Subject: Samba + SSSD: confirmed working for Samba versions
> 4.7.6 and 4,8.3
> Date: Tue, 18 Jun 2019 17:15:47 -0500
> From: Patrick Goetz <pgoetz at math.utexas.edu>
> To: samba at lists.samba.org
>
> A couple of days ago I posted about not being able to authenticate AD
> domain users when trying to mount SMB shares. Turns out my problem was
> that I hadn't set a netbios name in /etc/samba/smb.conf, even though I
> have netbios turned off! Understood that this isn't supported, but for
> the benefit of others searching this forum (and posts come up a lot in
> searches), here is the smb.conf configuration that works with sssd on
> Ubuntu 18.04:
>
>
> [global]
>
> netbios name = cns-bio-krak1
> workgroup = AUSTIN
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> realm = AUSTIN.UTEXAS.EDU
> security = ads
> allow trusted domains = yes
> disable netbios = yes
>
> log level = 1
> guest account = nobody
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> server role = auto
> obey pam restrictions = yes
>
> load printers = no
> cups options = raw
>
>
> Everything else is pretty much left at the defaults. Printing is turned
> off because we don't configure printers on these servers, and no
> idmap'ing is necessary. The nmbd service is off and masked, winbind
> isn't installed, and the only open port is 445. Share services are now
> mountable on SMB domain clients. Still need to find out if there is a
> way to allow a few non-domain machines to mount shares.
>
> The only thing not working properly with Samba 4.7.6 (this was working
> with 4.8.3, then we somehow broke it) is using some critical
> net commands:
>
> root at kraken:/etc/samba# net rpc rights list -U cns-pgoetz
> Enter cns-pgoetz's password:
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>
> This is making it difficult to assign administrative rights from the
> Windows side (as per Rowland's suggestion). We were able to get this
> working with sssd and Samba 4.8.3, no luck yet with 4.7.6.
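
A small check for the two netbios name points raised in this thread (the name had to be set on the AD member even with disable netbios = yes, and Louis's upper-case convention), extended with the 15-character NetBIOS name limit, which the thread does not mention. This is an added example, not part of either post or of Samba; the function names and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the [global] settings quoted in the thread.
SAMPLE = """\
[global]
    netbios name = cns-bio-krak1
    workgroup = AUSTIN
    realm = AUSTIN.UTEXAS.EDU
    security = ads
    disable netbios = yes
"""

def parse_global(text):
    """Return the [global] parameters as a dict keyed by normalised name."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names,
            # so "netbios name" is stored here as "netbiosname".
            params["".join(key.lower().split())] = value.strip()
    return params

def check_netbios(text):
    """Return a list of findings about 'netbios name' for an AD member."""
    p = parse_global(text)
    findings = []
    if p.get("security", "").lower() != "ads":
        return findings                   # the checks below target AD members only
    name = p.get("netbiosname")
    if name is None:
        findings.append("netbios name is not set (the thread needed it even "
                        "with 'disable netbios = yes')")
        return findings
    if name != name.upper():
        findings.append(f"netbios name '{name}' is not upper case; "
                        f"use '{name.upper()}'")
    if len(name) > 15:
        findings.append(f"netbios name '{name}' exceeds 15 characters")
    return findings

if __name__ == "__main__":
    for finding in check_netbios(SAMPLE):
        print("WARN:", finding)
```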