On 30/08/2019 19:03, Brian J Sullivan via samba wrote:
> Was hoping for a helping hand. Trying to set up Samba on a domain member
> server. The member server was previously joined to the kerberized domain using
> realm join and a system keytab file exists in the /etc.
>
> Subsequently I added samba along with winbind not being entirely sure if
> the latter was needed. This is a Redhat 7.4 server. My smb.conf appears as
> follows.
>
> [global]
>
> password server = *
>
> security = ads
> realm = DOMAIN.COM
> workgroup = DOMAIN
> netbios name = server1
> kerberos method = system keytab
> log file = /var/log/samba/%m.log
> log level = 10
> client use spnego = yes
>
> idmap config * : backend = tdb
> idmap config * : range = 1-199999
> idmap config DOMAIN : backend = sss
> idmap config DOMAIN : range = 200000-2147483647
>
>
>
> [share1]
> comment = NMS Maximo ETL Directory
> path = /opt/smbshare
> guest ok = no
> browseable = No
> read only = No
> inherit acls = Yes
>
> I have tried running it with many options and with and without winbind
> running. Not sure if winbind is needed. When I run it the output of the
> "systemctl status smb" is
>
> Aug 30 17:23:47 server1.domain.com systemd[1]: Starting Samba SMB Daemon...
> Aug 30 17:23:48 server1.domain.com smbd[40996]: [2019/08/30 17:23:48.513702, 0, pid=40996, effective(0, 0), real(0, 0)] ../lib/util/become_daemon.c:138(daemon_ready)
> Aug 30 17:23:48 server1.domain.com smbd[40996]: daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
> Aug 30 17:23:48 server1.domain.com systemd[1]: Started Samba SMB Daemon.
> Aug 30 17:23:49 server1.domain.com smbd[40996]: [2019/08/30 17:23:49.228538, 0, pid=40996, effective(0, 0), real(0, 0)] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
> Aug 30 17:23:49 server1.domain.com smbd[40996]: kerberos_kinit_password SERVER1$@DOMAIN.COM failed: Preauthentication failed
> Aug 30 17:23:49 server1.domain.com smbd[40996]: [2019/08/30 17:23:49.228990, 0, pid=40996, effective(0, 0), real(0, 0)] ../source3/printing/nt_printing.c:249(nt_printing_init)
> Aug 30 17:23:49 server1.domain.com smbd[40996]: nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
>
> And when I do a
>
> smbclient -L server1.domain.com -W DOMAIN -U myuid
>
> I see a message in the logs "session setup failed:
> NT_STATUS_NO_LOGON_SERVERS"
>
> Any help would be appreciated.

yum remove sssd

Make sure winbind is installed.

Set smb.conf like this:

[global]
    security = ads
    realm = DOMAIN.COM
    workgroup = DOMAIN
    netbios name = server1
    kerberos method = system keytab
    log file = /var/log/samba/%m.log
    log level = 0
    winbind use default domain = yes
    winbind expand groups = 2
    winbind refresh tickets = Yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000-2147483647
    username map = /etc/samba/user.map
    # ACL Settings
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

[share1]
    comment = NMS Maximo ETL Directory
    path = /opt/smbshare
    browseable = No
    read only = No
    inherit acls = Yes

create /etc/samba/user.map with this content:
!root = DOMAIN\Administrator
Restart nmbd, smbd and winbind
Change the passwd & group lines in /etc/nsswitch.conf so that
'winbind' comes after 'files'
e.g.
passwd: files winbind
group: files winbind
run 'net cache flush', then 'getent passwd username'
Sorry, but using sssd with Samba >= 4.8.0 is not supported, not even by
Red Hat. Samba has never supported sssd, mainly because Samba does not
produce it and knows nothing about it. For support for sssd, you should
contact the sssd mailing list.
Rowland