Rowland penny
2020-Aug-12 12:41 UTC
[Samba] Using SSSD + AD with Samba seems to require Winbind be running
On 12/08/2020 13:24, Robert Marcano via samba wrote:
> If you are running a Samba server as a member of a domain, you need
> to start winbind. The following is not a Samba issue since Samba and
> SSSD interactions are not part of Samba.
>
> You can still run SSSD/realmd/adcli as your domain membership toolkit,
> but you need to start winbind if a Samba server is started on the same
> machine. Running winbind doesn't mean you have to use the winbind
> nsswitch module, you can still use the SSSD module there and let it
> provide the list of users and groups to the system. In order to make
> SSSD and winbind users match accordingly, you have to use something like:
>
> idmap config MYDOMAIN : range = 278000000-278999999
> idmap config MYDOMAIN : backend = rid

There is no reason to match the sssd IDs on a Samba domain member, also you shouldn't have sssd and winbind installed on the same machine, they both use different versions of the winbind libs.

> Use realmd to join the server and everything should work,

Just use 'net ads join', no need for realmd.

> Be careful that SSSD properly updates the machine account password,
> and Samba could be doing that too, but it doesn't with some
> combinations of the setting "kerberos method". I use
>
> kerberos method = secrets and keytab

The kerberos method has nothing to do with updating the machine passwords, it just tells Samba how to verify tickets, using secrets.tdb and the system keytab (the one in memory) in this case.

> When that setting is set, Samba doesn't try the machine password
> periodically, but as SSSD will try to do it, the Samba server stored
> password and the SSSD one are different and your Samba server starts to
> have authentication problems.

If that is the case, one of them is broken and it isn't Samba ;-)

> You can disable SSSD machine account password renewal
> (ad_maximum_machine_account_password_age = 0) or run a cron job with
> something like:
>
> adcli update --add-samba-data -v --computer-password-lifetime=0 -D <your domain>
>
> The --add-samba-data is a new option that exists on adcli (at least on
> RHEL/CentOS 8) but the SSSD configuration parameter
> (ad_update_samba_machine_account_password) is upstream but not yet on
> the distro version

I do not understand why the Red Hat tools are used on a Samba server, what is wrong with the Samba tools?

> Hope this helps, but remember any problems with this configuration
> should be tried without using SSSD in order to know if it is a Samba
> issue or an SSSD one.

Any sssd problems should be reported to sssd, we do not produce it, so we cannot fix it ;-)

Rowland
Robert Marcano
2020-Aug-12 13:26 UTC
[Samba] Using SSSD + AD with Samba seems to require Winbind be running
On 8/12/20 8:41 AM, Rowland penny via samba wrote:
> On 12/08/2020 13:24, Robert Marcano via samba wrote:
>> If you are running a Samba server as a member of a domain, you need
>> to start winbind. The following is not a Samba issue since Samba and
>> SSSD interactions are not part of Samba.
>>
>> You can still run SSSD/realmd/adcli as your domain membership toolkit,
>> but you need to start winbind if a Samba server is started on the same
>> machine. Running winbind doesn't mean you have to use the winbind
>> nsswitch module, you can still use the SSSD module there and let it
>> provide the list of users and groups to the system. In order to make
>> SSSD and winbind users match accordingly, you have to use something like:
>>
>> idmap config MYDOMAIN : range = 278000000-278999999
>> idmap config MYDOMAIN : backend = rid
>
> There is no reason to match the sssd IDs on a Samba domain member, also
> you shouldn't have sssd and winbind installed on the same machine, they
> both use different versions of the winbind libs.
>
>> Use realmd to join the server and everything should work,
>
> Just use 'net ads join', no need for realmd.
>
>> Be careful that SSSD properly updates the machine account password,
>> and Samba could be doing that too, but it doesn't with some
>> combinations of the setting "kerberos method". I use
>>
>> kerberos method = secrets and keytab
>
> The kerberos method has nothing to do with updating the machine
> passwords, it just tells Samba how to verify tickets, using secrets.tdb
> and the system keytab (the one in memory) in this case.

Wrong: see https://github.com/samba-team/samba/blob/master/source3/winbindd/winbindd_dual.c#L1821 if Kerberos keytab is used, machine password is never updated periodically

>> When that setting is set, Samba doesn't try the machine password
>> periodically, but as SSSD will try to do it, the Samba server stored
>> password and the SSSD one are different and your Samba server starts to
>> have authentication problems.
>
> If that is the case, one of them is broken and it isn't Samba ;-)

No one is talking about brokenness, SSSD is able to update the password, if one changes the password (SSSD), the other one needs to know (Samba). It is a new feature of SSSD to notify Samba about the change.

Note: people love to say that Red Hat discourages the usage of Samba or that they don't care (or things like that) but adding these features to SSSD shows otherwise, they care, they don't support Samba as an AD server but they do as a member server.

>> You can disable SSSD machine account password renewal
>> (ad_maximum_machine_account_password_age = 0) or run a cron job with
>> something like:
>>
>> adcli update --add-samba-data -v --computer-password-lifetime=0 -D <your domain>
>>
>> The --add-samba-data is a new option that exists on adcli (at least on
>> RHEL/CentOS 8) but the SSSD configuration parameter
>> (ad_update_samba_machine_account_password) is upstream but not yet on
>> the distro version
>
> I do not understand why the Red Hat tools are used on a Samba server,
> what is wrong with the Samba tools?
>
>> Hope this helps, but remember any problems with this configuration
>> should be tried without using SSSD in order to know if it is a Samba
>> issue or an SSSD one.
>
> Any sssd problems should be reported to sssd, we do not produce it, so
> we cannot fix it ;-)

Exactly what I said, in other words.
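The sssd.conf setting Robert refers to, shown in context as an added example (not configuration from either poster). The realm name, the [domain/...] section name and the default renewal period are assumptions; the parameter names are the ones quoted in the thread.

```ini
# /etc/sssd/sssd.conf (assumed path; example only)
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com            ; assumed realm

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com          ; assumed realm

# Default behaviour: SSSD rotates the machine account password itself
# (assumed default of 30 days). On a host that also runs winbind this
# is the problem described above: whichever side rotates last leaves
# the other with a stale secret.
#ad_maximum_machine_account_password_age = 30

# Option 1 (from the post above): stop SSSD rotating the password at all,
# so exactly one component (winbind) owns the machine secret.
ad_maximum_machine_account_password_age = 0

# Option 2 (newer SSSD only, per the post): let SSSD rotate and push the
# new secret into Samba's secrets.tdb as well. Only enable this if your
# packaged SSSD actually has the option; otherwise it is silently ignored.
#ad_update_samba_machine_account_password = true
```

Whichever option you pick, verify afterwards that the secret Samba holds still works against the DC (for example with `net ads testjoin` and `wbinfo -t`); a mismatch shows up there long before users start seeing authentication failures.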
Rowland penny
2020-Aug-12 13:49 UTC
[Samba] Using SSSD + AD with Samba seems to require Winbind be running
On 12/08/2020 14:26, Robert Marcano via samba wrote:
> Wrong: see
> https://github.com/samba-team/samba/blob/master/source3/winbindd/winbindd_dual.c#L1821
> if Kerberos keytab is used, machine password is never updated
> periodically

Wrong, but to be honest it depends on which keytab you are referring to, if, as you said, it is 'kerberos method = secrets and keytab', then the keytab is one in memory and the default setting of 'machine password timeout = 604800' will cause winbind to change the machine password every 7 days.

> No one is talking about brokenness, SSSD is able to update the
> password, if one changes the password (SSSD), the other one needs to
> know (Samba). It is a new feature of SSSD to notify Samba about the
> change.

It is broken if you end up with two different machine passwords ;-)

> Note: people love to say that Red Hat discourages the usage of Samba or
> that they don't care (or things like that) but adding these features
> to SSSD shows otherwise, they care, they don't support Samba as an AD
> server but they do as a member server.

Never said they don't care, just that it seems like they do not want you to use Samba. Here is an example, you are running Centos 7 with Samba as a PDC with LDAP and smbldap-tools (something that I advise upgrading from, but hey, I understand that not everyone can in the short term and Samba still supports them), you cannot upgrade to Centos 8, why? because Openldap and smbldap-tools are no longer provided.

>> I do not understand why the Red Hat tools are used on a Samba server,
>> what is wrong with the Samba tools?
> rds.

You never really explained what is wrong with the Samba tools.

Rowland
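For comparison, the winbind-only domain member layout Rowland is arguing for, as an added example (not a config from the thread). It ties together the settings named in the discussion: 'idmap config ... backend = rid' with a range, 'kerberos method = secrets and keytab', and the 'machine password timeout' default of 604800 seconds. The realm, workgroup, ID ranges and the [global]-only layout are assumptions.

```ini
# /etc/samba/smb.conf on a domain member running winbind (example only)
[global]
   security = ads
   realm = EXAMPLE.COM               ; assumed realm
   workgroup = EXAMPLE               ; assumed NetBIOS domain name

   # Verify Kerberos tickets using secrets.tdb plus the in-memory keytab.
   # This does not control machine-password rotation (see below).
   kerberos method = secrets and keytab

   # Winbind rotates the machine account password every 7 days by default;
   # 604800 is the documented default and is shown here only so the
   # relationship to the thread is explicit. Set to 0 only if something
   # else (and only one something else) owns the rotation.
   machine password timeout = 604800

   # Deterministic RID-based mapping for the domain. The range is assumed;
   # it must not overlap the default '*' range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999

   # Populate users/groups through winbind rather than a second daemon.
   winbind use default domain = yes
   winbind enum users = no
   winbind enum groups = no
   template shell = /bin/bash
   template homedir = /home/%U
```

Join with `net ads join -U Administrator` and confirm with `net ads testjoin`, `wbinfo -u` and `getent passwd <some.user>`; if nsswitch.conf still lists sss ahead of winbind the getent result tells you which daemon answered. If two components are rotating the machine secret, `net ads testjoin` failing shortly after a rotation is the symptom to look for.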