Nico Kadel-Garcia
2020-Oct-06 01:24 UTC
[Samba] Samba SSSD authentication via userPrincipalName does not work because samba claims that the username does not exist.
On Mon, Oct 5, 2020 at 11:46 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> You cannot use sssd with Samba >= 4.8.0 even red-hat tells you this.

And sssd is *not* your friend if you do anything remotely sophisticated. Its configuration tools erase any sophisticated setups in sssd. For any even remotely sophisticated setup, I'll encourage you to configure Kerberos and LDAP more directly.

> On top of which, you should be able to authenticate using a UPN:
>
> pi at raspberrypi:~ $ wbinfo -K SAMDOM\\rowland at samdom.example.com
> Enter SAMDOM\rowland at samdom.example.com's password:
> plaintext kerberos password authentication for
> [SAMDOM\rowland at samdom.example.com] succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_1000
>
> Rowland
Markus Jansen
2020-Oct-13 14:01 UTC
[Samba] Samba SSSD authentication via userPrincipalName does not work because samba claims that the username does not exist.
Thank you very much for your hints.

I got rid of SSSD and managed to get a successful kerberos authentication via wbinfo -K and the UPN.

But accessing via SMB (using MAC OS' smbutil or Finder) still fails with "FAILED with error NT_STATUS_NO_SUCH_USER".

As I'm using CentOS 8, I used authselect to configure winbind integration to PAM (do I really need this for SMB?) and enabled "with-krb5" and "with-pamaccess" - features to let /etc/pam.d/-files be configured automatically.

I'm really confused. What's missing?

Best,
Markus

On 06.10.20 at 03:24, Nico Kadel-Garcia via samba wrote:

> On Mon, Oct 5, 2020 at 11:46 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>
>> You cannot use sssd with Samba >= 4.8.0 even red-hat tells you this.
>
> And sssd is *not* your friend if you do anything remotely
> sophisticated. Its configuration tools erase any sophisticated setups
> in sssd. For any even remotely sophisticated setup, I'll encourage you
> to configure Kerberos and LDAP more directly.
>
>> On top of which, you should be able to authenticate using a UPN:
>>
>> pi at raspberrypi:~ $ wbinfo -K SAMDOM\\rowland at samdom.example.com
>> Enter SAMDOM\rowland at samdom.example.com's password:
>> plaintext kerberos password authentication for
>> [SAMDOM\rowland at samdom.example.com] succeeded (requesting cctype: FILE)
>> credentials were put in: FILE:/tmp/krb5cc_1000
>>
>> Rowland
Rowland penny
2020-Oct-13 14:29 UTC
[Samba] Samba SSSD authentication via userPrincipalName does not work because samba claims that the username does not exist.
On 13/10/2020 15:01, Markus Jansen via samba wrote:

> Thank you very much for your hints.
>
> I got rid of SSSD and managed to get a successful kerberos
> authentication via wbinfo -K and the UPN.
>
> But accessing via SMB (using MAC OS' smbutil or Finder) still fails with
> "FAILED with error NT_STATUS_NO_SUCH_USER".
>
> As I'm using CentOS 8, I used authselect to configure winbind
> integration to PAM (do I really need this for SMB?) and enabled
> "with-krb5" and "with-pamaccess" - features to let /etc/pam.d/-files be
> configured automatically.
>
> I'm really confused. What's missing?

Probably libpam-krb5 that Red-Hat has removed from RHEL8 and hence Centos8, I had to compile the Centos7 package and install it before I could get Centos8 to work correctly.

BIG NOTE: this is just my opinion. I really do not think that red-hat wants you to use Samba with RHEL8, I think they really want you to use sssd with freeipa instead. They have removed openldap, smbldap-tools? and libpam-krb5 that I am aware of, there may be others.

How wedded are you to Centos ? I personally would advise you to switch to Debian or Ubuntu, everything just works.

If you must use Centos8, then it is possible to get Linux to connect to a Samba share running on a Centos domain member, not sure about a Mac, I do not have one.

Rowland